LifeLock will pay $100 million to the Federal Trade Commission (FTC) to settle the FTC’s contempt charges that the company violated a 2010 federal court order that requires the company to protect consumers’ personal information and stop its deceptive advertising. This settlement is the largest award the FTC has obtained in an enforcement action.
In 2010, when the FTC first sued LifeLock, the FTC alleged that the company did not live up to identity protection claims it made in its advertisements. LifeLock settled that case by agreeing to refund customers a total of $24 million and to pay an additional $11 million to the FTC, along with a total of $1 million to attorneys general from 35 states. The company also agreed to not make any deceptive claims about its services and to secure customers’ sensitive information.
More recently, the FTC alleged that LifeLock violated the 2010 order in four ways:
- LifeLock failed to put in place a comprehensive security program to protect users’ sensitive personal information including their social security, credit card and bank account numbers, from 2010 to 2012.
- LifeLock used false advertisements to claim it protects consumers’ confidential information with the same level of security as financial institutions.
- LifeLock used false advertisements between 2012 and 2014 to promise consumers that they would receive alerts “as soon as” the company had any indication that the consumer could be an identity theft victim.
- LifeLock failed to abide by the recordkeeping requirements of the 2010 order.
The new settlement requires LifeLock to deposit $100 million into the registry of the U.S. District Court for the District of Arizona. From that deposit, $68 million will be used to compensate class action consumers who were injured by LifeLock’s actions. The remaining $32 million will cover settlements between LifeLock and state attorneys general, and any unused cash will go to the FTC in further consumer reparations. In addition to the settlement’s monetary provisions, recordkeeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order.
The FTC Chairwoman Edith Ramirez said “this settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data.”
LifeLock also released a statement and said it was “pleased” to bring the FTC’s case to a close. “The allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place,” the company said. “The settlement does not require us to change any of our current products or practices.”
At the end of the day, LifeLock’s hefty nine digit settlement is another indication that there is not much the FTC takes more seriously than enforcement of existing orders. Moreover, the FTC has once again made it clear that it will not tolerate deceptive advertising or unreasonable data security practices.