LifeLock spent millions spreading its CEO's Social Security Number all across America. Now the firm will spend $12 million settling claims that it engaged in deceptive advertising and failed to protect customers' personal information.
The Federal Trade Commission and 35 state attorneys general announced on Tuesday that Lifelock is changing its business model to address allegations of unfair and deceptive business practices.
"They developed a market to capitalize on consumers' fear," FTC Chairman Jon Leibowitz said at a news conference. "They were exaggerating the service they offered to consumers. This was a fairly egregious case of deceptive advertising."
Consumers who signed up with the service as early as 2005 -- about 1 million customers in all -- will be eligible for refunds. The fine is steep for the firm, said Leibowitz.
"We're taking all the money they had on hand," he said.
The firm remains in business, and has agreed to change its advertising practices. Leibowitz said its services do provide some protection against identity theft, but not the level it repeatedly promised consumers in its well-known advertising campaigns.
LifeLock made a name for itself by plastering CEO Todd Davis' Social Security Number across billboards and other advertising. Many of the ads suggested that LifeLock could provide absolute protection against ID theft.
In one ad, the firm said it could make consumers' personal information "useless to a criminal."
"Consumers received far less protection than they were promised," Leibowitz said. For example, Lifelock was useless against identity theft involving existing credit cards or bank accounts, he said.
The firm also collected extensive personal information from consumers when they registered, and promised to keep that data safe. The FTC says LifeLock failed to do so. In its complaint, the FTC says the firm:
- Did not encrypt data, but stored and transmitted it in clear text.
- Failed to require employees to use hard-to-guess passwords.
- Did not install patches and critical updates.
- Did not plan for common vulnerabilities to their network, including SQL injection attacks.
- Did not install antivirus software on employee computers.
- Allowed faxes with personal information to be available in open office area.
Illinois Attorney General Lisa Madigan said LifeLock engaged in "scare tactics" while advertising to state residents. She said the firm sent letters to individual consumers implying they were at heightened risk for ID theft -- one of which was mailed to her at home.
"Don't be scared into spending your hard-earned money," she said, addressing consumers.
Lifelock has numerous imitators in the marketplace. Madigan said her office will continue to monitor their advertising.
"Know that if you are misleading consumers, we will go after you," she said.
LifeLock CEO Todd Davis said his firm has addressed all concerns raised by the FTC and has long since abandoned many of the techniques the agency said were misleading.
"This has has no impact on current practices or products," he said. "We haven't used the (Social Security number) ad in quite some time." He also said personal data stored by LifeLock is now carefully guarded, and that the FTC complaint refers to vulnerabilites that have been addressed.
He said he welcomed new federal regulation in the competitive field of ID theft protection, comparing the industry to the early years of automobiles.
"When cars came out there weren't speed limits," he said. "We were told we were speeding. We understand and accept responsibility. We don't want in any way for someone to be misled."
LifeLock consumers will soon receive letters explaining how they can apply for refunds.
Madigan added that most of the services provided by paid ID theft prevention firms are available to consumers for free. They can place fraud alerts on their credit files at the credit bureaus, and get copies of their credit reports at AnnualCreditReport.com.