A company that provides identity theft prevention services, has settled charges brought by the FTC that it falsely advertised both the extent of the identity theft protection it offers as well as the extent of its own data security measures to protect customers’ personal information. LifeLock, which gained some notoriety due to advertisements that prominently displayed the CEO’s social security number, has agreed to a $12 million settlement--$11 million to be paid to the FTC and $1 million to be paid to a group of 35 state attorneys general.
First, the FTC had alleged that the company misled consumers by guaranteeing absolute protection against identify theft when, “in truth, the protection it actually provided left enough holes that you could drive a truck through it” according to FTC Chairman Jon Leibowitz. While LifeLock may provide valuable protection against identify theft, the charges were brought because the company allegedly overpromised the amount of protection it could actually provide. The FTC and state attorneys general took issue with certain advertising claims including the following:
- “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
- “Please know that we are the first company to prevent identity theft from occurring.”
- “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC claimed such statements are false because the services are limited to only certain forms of identity theft and the protection for the covered forms is itself limited, as is inevitable because there is “no foolproof way to avoid ID theft,” according to Illinois Attorney General Lisa Madigan. In addition to the financial penalty, LifeLock is barred from continuing to make deceptive claims.
Lifelock has also been sued in federal court on similar claims.
Second, the FTC also claimed that the company made false claims regarding its own data security. As part of its program, consumers must entrust extremely sensitive information to LifeLock such as social security and credit card numbers but are assured that the information is protected through a myriad of security measures. The FTC claimed that LifeLock did not follow these internal security measures and the data was vulnerable. As part of the settlement, the company is also barred from misrepresenting its data security measures and is required to establish a stricter and more comprehensive data security program that will have to be assessed by a third party every two years.
Companies should beware of marketing campaigns that overstate what the company can actually deliver. In addition, prudent companies will ensure that any statements they make regarding protecting customer data, including in website or other privacy policies, are in line with the companies’ actual privacy and security protection measures.
The FTC will use the $11 million to provide refunds to former and current Lifelock customers.
- Candida Harty and Nancy Perkins
