Feds go after LifeLock, alleging poor data security


Federal regulators are going after identity fraud protection firm LifeLock for allegedly deceiving customers about how secure their data is.

The Federal Trade Commission (FTC) on Tuesday accused LifeLock, which has over 3 million subscribers, of violating a $12 million 2010 settlement with the agency and 35 state attorneys general.

“It is essential that companies live up to their obligations under orders obtained by the FTC,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “If a company continues with practices that violate orders and harm consumers, we will act.”

In a statement, LifeLock said it refused to settle with regulators again because “we disagree with the substance of the FTC’s contention.” The company will take the FTC to court.

LifeLock offers a variety of services that alert customers to suspicious activity on their bank accounts and to data breaches that may affect their information.

In 2010, regulators took action against the company, accusing it of making false claims to promote its products.

Since then, the FTC said, LifeLock has not lived up to the agreement: it has continued to promote its products with inaccurate statements and has failed to install a robust information security program.

As part of its products, LifeLock collects sensitive information on its customers, such as credit card details, Social Security numbers and bank account specifics. The FTC says the company never created a reasonable method to lock down this data despite telling customers their data was receiving financial institution-level security.

LifeLock vigorously opposed the FTC’s allegations.

“LifeLock hired highly-credentialed, independent professionals to assess its information security,” the company said. “We have spent thousands of hours and millions of dollars to achieve those standards in full compliance with the order.”

The FTC also accused LifeLock of making the false statement that its services sent out alerts “as soon as” there was any indication of fraud.

“LifeLock takes the accuracy of our advertising materials very seriously,” the company said. “The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.”

The identity protection company pointed out that none of the FTC’s claims related to the company today.

“Importantly the FTC is not seeking any relief that would change LifeLock services and products going forward,” it said. “The claims raised by the FTC are all related to the past, not to current business practices.”

The two sides will now take their fight to court, in what will likely be a closely watched case.

As the FTC has gradually become the government’s de facto data security watchdog, the vast majority of dinged companies have chosen to settle with the agency rather than go to court.