On December 17, 2015, the Federal Trade Commission (FTC) announced a $100 million settlement with LifeLock, Inc., to resolve litigation with the FTC and a national class of consumers relating to LifeLock’s marketing representations and information security programs. The settlement stems from allegations that LifeLock violated an earlier 2010 settlement agreement with the FTC. Once final, the settlement will stand as the highest monetary award ever in an FTC order enforcement action.
LifeLock offers three tiers of identity theft protection services to subscribers for a monthly fee ranging from $10 to $30. LifeLock’s CEO Todd Davis famously disclosed his Social Security number in early ads to prove just how safe consumers’ identities would be with LifeLock. The move reportedly backfired, resulting in Davis’s identity being stolen at least 13 times.
In 2010, LifeLock agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that LifeLock used false claims to promote its services, in violation of Section 5 of the FTC Act. Nearly 1 million consumers received a refund from the FTC as a result of the settlement. The 2010 complaint alleged, among other things, that LifeLock made false and deceptive claims about the effectiveness of its identity theft prevention services—such as guaranteeing that LifeLock protects against identity theft “ever happening” to its customers—and about its own data security, including representations that LifeLock encrypts customers’ data and grants its employees access to customers’ data only on a “need to know” basis. The complaint also alleged that the fraud alerts LifeLock placed on customers’ credit files protect against only new account fraud, which comprises just 17% of identity theft, and do not protect against misuse of existing accounts, the most common type of theft according to the FTC. Then-FTC Chairman Jon Leibowitz characterized LifeLock’s identity theft protection as leaving “such a large hole . . . you could drive [a] truck through it.”
In addition to the monetary award, the 2010 settlement agreement barred LifeLock from making deceptive claims about its services, required LifeLock to implement a comprehensive data security program, subject to third-party audits, to protect the personal information collected from consumers, and placed recordkeeping requirements on LifeLock until 2018.
On July 21, 2015, after more than 18 months of failed negotiations, the FTC moved to hold LifeLock in contempt of the 2010 Order. The FTC alleged that LifeLock violated the Order between 2012 and 2014 by (1) failing to establish and maintain a comprehensive data security program, (2) falsely advertising that it protected consumer data on the same level as financial institutions, (3) falsely claiming that it protected consumers’ identities “24/7/365” by providing fraud alerts “‘as soon as’ it received any indication there was a problem,” and (4) failing to keep certain records as agreed. The contempt filing sent LifeLock’s stock spiraling. Shares of LifeLock (NYSE: LOCK) closed down at $8.15 on the filing date, a one-day loss of nearly 50%.
LifeLock vowed to fight the contempt charges but soon changed course, disclosing a prospective settlement with the FTC when reporting third quarter results in October 2015. According to a statement from LifeLock, the settlement would not impact its “current products, services, or business and information security practices, including in particular, [its] current marketing and advertising practices.”
LifeLock will now pay $100 million to settle the FTC contempt charges and to settle class action litigation in the Northern District of California. The FTC will direct $68 million to reimburse fees paid to LifeLock by the members of the class action. The remaining $32 million will fund future consumer redress ordered by state attorneys general or will revert to the FTC. The settlement also extends the 2010 Order’s recordkeeping requirements five more years, until 2023.
Commissioner Maureen K. Ohlhausen voiced the lone dissent to the FTC’s contempt action and subsequent settlement, arguing that the Commission could not meet the “clear and convincing” standard required to find a violation of the 2010 Order. Because reputable third parties certified LifeLock’s compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) and other industry standards, she concluded that the record did not support the FTC’s action where there was no evidence that LifeLock’s customer information was breached.
Chairwoman Edith Ramirez, Commissioner Julie Brill, and Commissioner Terrell McSweeny disagreed, taking the position that “PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections.” The majority’s statement emphasized that industry certifications alone will not control if the Commission otherwise finds signs of security shortfalls—an important takeaway for security professionals. The FTC’s reasonableness inquiry will continue to “depend on the facts and circumstances of each case.”
The settlement is a major win for the FTC, which described LifeLock’s ongoing practices as “particularly troubling” considering “consumers paid LifeLock for help in protecting their sensitive personal information.” The $100 million award—nearly two-thirds of LifeLock’s third-quarter revenue—also sends a clear message to the C-Suite, boards of directors, and industry professionals: the stakes are rising. LifeLock’s stock traded at $14.18 at the closing bell on Friday, December 18, down more than 11.5 percent from its $16.05 opening price on July 21, 2015.
The new reality for corporate boardrooms is that data privacy and security issues demand attention at the highest level. Misrepresentations concerning data security products or programs, failures to implement reasonable data security measures, and regulatory compliance issues pose significant strategic and financial risks. This settlement demonstrates that the FTC will not tolerate unreasonable data security practices, particularly where an organization pairs those practices with empty promises of robust protection to its customers and the public.