In early March, the Federal Trade Commission (FTC) announced that the company LifeLock agreed to pay $11 million to it and $1 million to a group of 35 state attorney generals to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
The FTC press release went on to say that,
"LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers."
FTC Chairman Jon Leibowitz was quoted saying, "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it."
Since 2006, LifeLock's ad had claimed that it could prevent id theft for consumers willing to pay it $10 per month.
According to the FTC’s complaint, LifeLock claimed that:
- "By now you've heard about individuals whose identities have been stolen by identity thieves . . LifeLock protects against this ever happening to you. Guaranteed."
- "Please know that we are the first company to prevent identity theft from occurring."
- "Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens."
The press release went on to say that the,
"FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions."
"New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007."
The FTC also said that LifeLock claimed to constantly monitor a person's credit reports, which it said was not true. Furthermore, LifeLock claimed that it highly protected its customers' data, but that also was not true the FTC said.
The FTC said at the time that it would use the $11 million to provide refunds to customers.
All very interesting, but why do I bring it up now, almost two months later?
Well, for one, there has been a recent proposed from LifeLock about a proposed class action settlement in currently pending in the United States District Court, District of Arizona, that is related to the FTC action. The case is called In re LifeLock, Inc. Marketing and Sales Practice Litigation, MDL Docket No. 08-1977-MHM-PHX.
The proposed settlement does nothing for individuals who enrolled in LifeLock, but basically reaffirms the FTC agreement about false advertising. The lawyers suing LifeLock apparently will walk away with $1.9 million - par for the course, I suppose.
Interestingly, LifeLock claims that it doesn't believe it has done anything wrong."In fact, LifeLock denies any and all liability for the claims alleged in the lawsuit," the company says.
The FTC indicates that it will be contacting LifeLock members by letter about how to get refunds from the $11 million settlement, but it doesn't say when.
Part of the reason may be that many companies andorganizations, the IEEE included, offered enrollment in LifeLock as a new employee benefit last November. For instance, instead of paying $120 per year, an IEEE employee (BTW, I am not one) could subscribe to LifeLock for only $60 per year. Whether the companies who offered LifeLock as a benefit are going to get the refunds which they will then distribute to their employees or whether employees will get refunds directly from the FTC isn't clear.
Another reason for bringing this up now is that the CEO of LifeLock, Todd Davis, has now admitted that his id has been stolen at least 13 times (after for a long time claiming it had only been stolen once). There is a great story about this at (correction) The Phoenix New Times published earlier this month.
Mr. Davis, in this interview with ComputerWorld last week - which wins an award for hubris if nothing else - insists that having his id stolen 13 times is a good thing, since it raises people's awareness of their own vulnerability to id theft.
Mr. Davis also insists that LifeLock never promised to prevent id theft, just to protect people from id theft. LifeLock can't help it if people don't understand the difference.
If you want a really good chuckle, read the ComputerWorld interview.
And if you are a company that offers LifeLock to your employees as a "benefit", you need to read both the (correction) The Phoenix New Times and Computer World articles as well. If the FTC action alone wasn't enough to make you reconsider, these stories ought to convince you to at least think very hard about it.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.