FTC Charges Founder, CEO Of LifeLock In Deceptive Claims And Privacy Case; Company Agrees To $12 Million Settlement With Agency, 35 State Attorneys General

Screen shot: From Exhibit 1 in FTC case against LifeLock, whose CEO, Todd Davis, appeared in ads that published his Social Security number to demonstrate his confidence in the company's services. (The PP Blog added the red highlight. Court filings obscure the number, which LifeLock published openly while prompting customers of its $10-a-month service to "Always protect your social security number. Do not share it unless necessary.")

LifeLock Inc. and its principals have been barred from making deceptive claims and required to take more stringent measures to safeguard the personal information collected from customers, the FTC said.

The FTC charged LifeLock and its co-founders — CEO Richard Todd Davis and former COO Robert J. Maynard Jr. — in the civil case. The case, which has been settled in U.S. District Court for the District of Arizona, alleged that LifeLock “used false claims to promote its identity theft protection services” and “made claims about its own data security that were not true.”

LifeLock agreed to pay $12 million to settle the case, which the FTC described as “one of the largest FTC-state coordinated settlements on record.” The company, Davis and Maynard settled without admitting the allegations were true.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

LifeLock said it welcomed the settlement.

“LifeLock is pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry,” said LifeLock Chairman and CEO Todd Davis. “We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft.”

In court filings, the FTC said LifeLock did not take adequate steps to protect data it collected from customers — even though Davis appeared in ads that published his own Social Security number to demonstrate his confidence in the company’s ability to prevent identity theft.

“I’m Todd Davis, CEO of LifeLock, and yes, that’s my real social security number,” the ad read.

Illinois Attorney General Lisa Madigan said there is no foolproof way to protect against identity theft.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

The FTC said LifeLook “routinely collected sensitive information from its customers, including their social security numbers and credit card numbers,” but did not adequately protect the data.

Among the LifeLock claims, according to FTC court filings:

• “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
• “All stored personal data is electronically encrypted.”
• “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

But the FTC alleged that “LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a ‘need to know’ basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.”

Employees and vendors “working from their homes or other locations beyond the Defendants’ headquarters could access the network remotely,” the FTC alleged.

“[U]ntil at least September 2007, Defendants engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network, in transit through its corporate network or over the internet, or maintained in Defendants’ offices,” the FTC alleged.