FTC, state attorneys general slap huge penalties on identity protection firm

Tuesday's settlement against LifeLock -- the FTC's biggest identity-theft settlement to date -- arrives in response to multiple complaints from customers, state lawmakers and federal officials, who together argued LifeLock's founders have exaggerated their service's level of protection.

LifeLock promised users it could totally safeguard their information in countless popular ads -- one of which broadcast the company CEO's Social Security number on the side of a truck to prove how much LifeLock executives trusted their product. But 35 state attorneys general and the FTC quickly determined LifeLock was unable to provide such services, in part because their primary response was to issue fraud alerts.

Additionally, investigators discovered serious vulnerabilities in the company's own security architecture -- gaps that could have exposed its customers' data to possible theft, the FTC said.

Consequently, LifeLock must now pay both federal and state officials about $12 million in penalties, the FTC announced. The agency also ordered ordered LifeLock "to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years," according to officials.

(Update: 1:21 p.m.) LifeLock Chairman and CEO Todd Davis later on Tuesday said he was "pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry."

"We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft,” he said.

But Davis nonetheless defended his company's work and promised LifeLock would continue to work in the identity-protection industry.

“Because of LifeLock’s marketing efforts over the years, many more Americans now know of the risks of identity theft,” he said. “More than one and a half million consumers rely on us 24 hours a day to help protect their identities.”