LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.
“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”
Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.
According to the FTC’s complaint, LifeLock has claimed: ? “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.” ? “Please know that we are the first company to prevent identity theft from occurring.” ? “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs.
Even for types of identity theft for which fraud alerts are most effective, LifeLock does not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.
New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.
The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed: ? “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.” ? “All stored personal data is electronically encrypted.” ? “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.” ? The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.
"LifeLock sold Californians a false sense of security against identity theft with advertisements that were chock full of inflated claims and promises," California Attorney General Edmund G. Brown Jr. Brown said. "Today's settlement prevents the company from misrepresenting and overstating its services and reimburses LifeLock subscribers who were misled."
The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in the settlement.
LifeLock has been the target of consumer complaints, class action lawsuits and criticism from consumer and privacy activists for years.
LifeLock's co-founder and chief executive officer, Todd Davis, is so confident in the product that he shares his own Social Security number in the company's many TV, radio and print ads.
But consumer advocates and two class action lawsuits claim that LifeLock actually provides very little protection. LifeLock, based in Tempe, Arizona, works by renewing an individual's fraud alert with one of the nation's three large credit bureaus, a service which federal laws mandate any individual can do for free, usually within a few minutes over the phone or Internet.
“What the fraud alert does is it basically puts a red flag on your credit report and it tells any potential creditor that if they receive an application for credit, they should take additional measures to determine that the person is the person that they're claiming to be. Typically that would be a phone call,” said Paul Stephens, director of public policy at the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization.
Fraud alerts last 90 days and then must be renewed. LifeLock charges $10 a month to make sure its customers' fraud alerts never expire – a service most consumer advocates are baffled anyone would pay money for.
“No one needs to pay a third party firm to assert their federal rights,” Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group, a nonprofit consumer advocacy organization, wrote in an e-mail. “And for one hundred bucks plus each year, it is certainly not cheap to do so.”
“I like to think of LifeLock as being a concierge service,” Stephens said “Are you the kind of person who would pay somebody, for example, to do your shopping for you?”
“I would point out that to do the sorts of things that LifeLock does for you, you don't even need to leave your house,” Stephens continued. “You can get on the phone or get on your computer and do it in a couple of minutes. So I don't really see that they bring a lot of value to the consumer.”
Davis didn't argue the concierge analogy in a phone interview with ConsumerAffairs.com, but said the company offers much more than the renewal service.
“There are certainly steps beyond just convenience that we're doing, but one of the things that people love are those convenient steps: us renewing the fraud alerts, us being there if you have a question in a retail store when you're applying for credit, us being available 24/7, us being there in case you lose your wallet; (we will) assist canceling and renewing credit cards and helping to get a new driver's license,” Davis said.
“We're also doing other things like scouring the (Internet) looking for your personal information being bought or sold on the black market,” Davis said. “We're authenticating when someone puts in a change of address to confirm it's you.”
In advertisements, the company also promises to stop junk mail, including pre-approved credit offers and provide a credit report – services that again, a consumer can do for free over the phone or Internet.
The most controversial aspect of LifeLock is its $1 million guarantee.
“LifeLock's $1 million guarantee is our intent to go support any member of LifeLock who might become a victim of identity theft while subscribed to our service so we that can go out and (fill) our intent to do everything the law allows us to do to help that person recover their good name,” Davis said. “So whether that's hiring third person personnel, whether that's covering any losses or expenses, whether it's getting accounts closed and getting new ones issued, that's what we'll do.”
But two pending class action lawsuits claim that the company's $1 million guarantee is not a guarantee at all, but just a “promise” that the company is not actually obligated to fulfill.
“There is no $1 million guarantee,” said Leonard Aragon, one of the attorneys who filed a class action lawsuit against the company. “If you look at the terms of the contract it very clearly says 'we won't pay consequential damages. We won't pay you directly' so there's really no way to get up into the million dollars.”
Consumers who wish to sign up for the 90-day fraud alert or a credit report, can do so for free at any of the three major credit bureaus' websites or by calling them. Once one of the credit bureaus has been notified of the fraud alert, it will immediately notify the other two. ? TransUnion: (800) 680-7289 ? Equifax: (800) 525-6285 ? Experian: (888) 397-3742
Consumers who wish to opt out of credit offers can do so by calling the Consumer Credit Reporting Industry at (888) 567-8688 or by visiting its website.
Copyright 2010 consumeraffairs.com