In a significant development, the FTC announced today that LifeLock, the identity theft protection company, has agreed to settle the FTC contempt charges against it for $100 million. This is the largest monetary award the FTC has ever obtained in an order enforcement action.
The FTC contempt action arises from an earlier settlement with LifeLock. In 2010, LifeLock paid $12 million to settle charges by the FTC and 35 states that the company had made false claims when promoting its identify theft protection services. Then, in July 2015, the FTC alleged that LifeLock had violated the 2010 settlement order by continuing to make deceptive claims about its services. Specifically, the FTC charged that LifeLock violated the order by “(a) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; (b) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; (c) failing to meet the Permanent Injunction’s recordkeeping requirements; and (d) falsely claiming it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.”
LifeLock does not admit these allegations in the new proposed settlement order. And while LifeLock has nominally agreed to pay $100 million, it can use most of that money to settle claims brought by plaintiffs in a California class action, and by other affected consumers. Any remaining money will be used by the FTC for “further consumer redress.”
The FTC Commissioners’ vote to approve the new settlement was 3-1. Commissioner Maureen Ohlhausen’s dissenting statement notes that there is no evidence that LifeLock subscribers’ information was breached, and that LifeLock was apparently in compliance with data security industry standards during the relevant periods.