On December 17, 2015, the Federal Trade Commission (“FTC” or “Commission”) and LifeLock, Inc. (“LifeLock”) announced the largest monetary award obtained by the Commission in an order enforcement action. The settlement resolves a July 2015 contempt motion by the FTC alleging that LifeLock violated a prior agreement regarding its data privacy and security practices, and the funds are largely earmarked for settlement of a related class action and settlements with state attorneys general.
LifeLock offers identity theft protection services and has millions of customers. On March 9, 2010, the FTC brought an enforcement action against LifeLock in the U.S. District Court for the District of Arizona, alleging that LifeLock’s advertising and data security practices constituted deceptive acts or practices under Section 5 of the FTC Act. On March 15, 2010, the parties entered into a stipulated judgment and injunction, which (i) prohibited LifeLock from deceptively advertising its services, (ii) required LifeLock to implement an information security program in accordance with specified requirements; (iii) required biennial assessments of LifeLock’s information security program; (iv) required LifeLock to pay $11 million to the FTC for use in consumer redress; (v) provided the FTC with compliance monitoring and reporting rights; and (vi) mandated record keeping of LifeLock’s compliance with the injunction and other materials.
On January 19, 2015, a class action suit was filed against LifeLock in California alleging that LifeLock had engaged in deceptive advertising and data security practices notwithstanding the FTC settlement, based in part on the allegations of two former employees who had filed wrongful termination suits. See Ebarle et al v. LifeLock, Inc., 3:15-cv-00258-HSG (N.D. Cal.). The lawsuit may have prompted the FTC to file a sealed motion for contempt on July 21, 2015 with the Arizona district court, alleging that LifeLock violated the 2010 settlement with the Commission and 35 state attorneys general by continuing to make deceptive claims about its identity theft protection services, and by failing to take steps required to protect customers’ data. In particular, the FTC asserted that following the 2010 settlement, LifeLock (i) failed to implement and maintain a comprehensive information security program, (ii) falsely advertised the protection it provided consumers’ information, and (iii) falsely advertising the frequency of its identity theft alerts.
The December 17, 2015 proposed settlement reflects a global resolution with the FTC, state attorneys general, and class action plaintiffs, with renewed requirements for compliance and monitoring, and a payout of $100 million that will primarily be allocated to consumer refunds through the settlement process in the class action suit.
FTC Commissioner Maureen Ohlhausen issued a dissent opposing both the contempt motion and the settlement. The Commissioner noted that reputable third parties had certified that LifeLock had complied with the Payment Card Industry Data Security Standard (“PCI DSS”), and that there was no evidence that LifeLock customers’ information had been compromised. The Commissioner also argued that there were weaknesses with the third allegation in the contempt motion (deceptive advertising), but could not elaborate because the relevant facts remain under seal.