LifeLock will pay $11m to the Federal Trade Commission, along with $1m to a group of 35 state attorneys general. The payment will settle charges that it used false claims to promote its identity theft protection services.
According to an FTC statement on the LifeLock case, LifeLock was wrong to guarantee that its customers would never be subject to identity theft. The fraud alerts that it put on customers' credit files only protected against certain forms of identity theft, the Commission alleged. Account misuse, which the FTC said was the most common type of identity theft, was not protected against. Seventeen percent of identity theft incidents comprised new account fraud according to an FTC survey released in 2007.
The FTC alleged that the service failed to protect against medical or employment identity theft. Claims that customers would receive a telephone call from a potential creditor before a new account was opened were false, the FTC said, as were claims that LifeLock could prevent unauthorized changes to customers' address information.
"While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," commented FTC chairman Jon Leibowitz.
The FTC said that LifeLock's data was not encrypted, and that the company falsely claimed that only authorized employees would have access to the information, on a need-to-know basis.
LifeLock put a positive spin on the situation. "LifeLock is pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry," said LifeLock chairman and CEO Todd Davis. "We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft."
Under the settlement, Davis was personally barred from making the same misrepresentations as LifeLock had previously, along with its cofounder Robert J. Maynard Jr, the FTC said.