On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, and credit card and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.
The settlement is the largest monetary award obtained by the FTC in an enforcement action. Of the $100 million, $68 million may be used to “redress fees paid to [the company] by class action consumers who were allegedly injured by the same behavior alleged by the FTC.” In addition to the monetary provisions, the company must adhere to the recordkeeping procedures outlined in the 2010 order for an additional 13 years.