Today the FTC announced a $100-million settlement of its most recent data security lawsuit against LifeLock, the ubiquitous B2C provider of credit monitoring and identity theft protection to consumers. Despite years of litigation with the FTC and 35 states’ attorneys general, LifeLock has continued with a business model that taps into consumers’ visceral fear of identity theft, and also consumers’ persistent belief that such exposure can magically disappear… all for “less than $10/ month.” But while “Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world,” LifeLock’s settlement with the FTC is a reminder that there is no perfect protection against identity theft.
On the FTC’s naughty list
The FTC first sued LifeLock in federal court back in 2010, alleging that LifeLock misrepresented its safeguards and had inadequate security for consumer information, thereby violating the FTC Act’s Section 5 prohibition of unfair and deceptive trade practices. Lifelock settled in 2010, paying $11 million into an escrow fund for the FTC and $1 million to the 35 states that joined the FTC’s lawsuit, for consumer redress. LifeLock also stipulated to an injunction that barred certain business practices and required it to establish a comprehensive information security program, with periodic testing, reporting, and compliance monitoring.
In July, 2015, the FTC went back to court, asking that LifeLock be held in contempt for violating four elements of the injunction:
failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; failing to meet the 2010 order’s recordkeeping requirements; and from at least January 2012 through December 2014, falsely claiming it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.
LifeLock’s settlement of the pending contempt proceedings brings with it a $100-million payment for consumer redress, along with years of compliance monitoring and reporting.
As demonstrated today, and in its recent settlement with Wyndham, the FTC remains a determined regulator of adequate data security under FTC Act Section 5. Prudent companies are mindful of the FTC’s data security enforcement history and positions. Some pundits opined that the recent Wyndham settlement signaled FTC deference in payment card security matters to the Payment Card Industry’s Data Security Standard (PCI DSS). But LifeLock had fared well on its PCI security assessments, and the FTC was undeterred. As the Commission majority made clear today in approving the LifeLock settlement: “The injunctive relief we obtained in the Wyndham case… itself corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections. The Wyndham order calls for a number of additional significant protections, including the implementation of risk assessments, certification of untrusted networks, and certification of the assessor’s independence and freedom from conflicts of interest. In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.” There is indeed a Santa Claus, and will be for a thousand years, nay, ten times ten thousand years … but he doesn’t charge $10 per month.