FTC, state attorneys general slap huge penalties on identity protection firm

LifeLock, Inc. must now pay the Federal Trade Commission and 35 state attorneys general a total $12 million to settle a score of complaints that it misled consumers about its popular identity-theft protection service.

Ultimately, the FTC will allow the company to continue operating its $10-a-month business, which it began advertising in 2006 as a fool-proof way to safeguard computer users' personal information, the FTC announced on Tuesday.

However, the company could face additional, stiff financial penalties if it continues advertising its identity protection services in a deceptive manner, officials suggested.

"We took all of the money they had on hand to give back to consumers," FTC Chairman Jon Leibowitz said at a press conference along side Illinois Attorney General Lisa Madigan, adding the FTC did not have power in this instance to shut LifeLock down.

"We think act the lesson learned here is that if you advertise deceptively, the state attorneys general and the FTC are going to come after you," he later told reporters on a conference call.

Tuesday's settlement against LifeLock -- the FTC's biggest identity-theft settlement to date -- arrives in response to multiple complaints from customers, state lawmakers and federal officials, who together argued LifeLock's founders have exaggerated their service's level of protection.

LifeLock promised users it could totally safeguard their information in countless popular ads -- one of which broadcast the company CEO's Social Security number on the side of a truck to prove how much LifeLock executives trusted their product. But 35 state attorneys general and the FTC quickly determined LifeLock was unable to provide such services, in part because their primary response was to issue fraud alerts.

Additionally, investigators discovered serious vulnerabilities in the company's own security architecture -- gaps that could have exposed its customers' data to possible theft, the FTC said.

Consequently, LifeLock must now pay both federal and state officials about $12 million in penalties, the FTC announced. The agency also ordered ordered LifeLock "to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years," according to officials.

(Update: 1:21 p.m.) LifeLock Chairman and CEO Todd Davis later on Tuesday said he was "pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry."

"We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft,” he said.

But Davis nonetheless defended his company's work and promised LifeLock would continue to work in the identity-protection industry.

“Because of LifeLock’s marketing efforts over the years, many more Americans now know of the risks of identity theft,” he said. “More than one and a half million consumers rely on us 24 hours a day to help protect their identities.”

---