LifeLock, the scandal-plagued anti-identity-theft company based in Tempe, has been ordered to pay $100 million for violating terms of a 2010 settlement agreement with the U.S. Federal Trade Commission, it was announced today.
The company, which charges customers a monthly fee for services it claims can protect against the crime of identity theft, failed to keep its customers' sensitive information secret and used deceptive advertising, the government says.
LifeLock announced in late October that it had agreed to an FTC settlement based on its violations, slashing the company's stock price in half overnight. But in retrospect, CEO Todd Davis' statement about the "positive step" being taken by the company didn't quite foreshadow that it was about to pay what the FTC calls the "largest monetary award obtained by the Commission in an order enforcement action."
The FTC released the terms of the order on its website (see below), stating that the money must be put in an escrow account with the U.S. District Court of Arizona within five days.
Many details of what LifeLock actually did wrong still are sealed by a court order in the FTC's civil lawsuit against the company, Jay Mayfield, an FTC spokesman, tells New Times.
The entire $100 million will be used for LifeLock "victims" whose identities will be determined in future court proceedings, he says. A class-action case (below) is expected to take up to $68 million of that, with any unused portion, plus the remaining $32 million, going to victims from state Attorney General's Office cases, if any, he says.
It's still unclear how many cases this may be. The FTC order extends the terms of its 2010 order to 2023, and adds a few new ones. Under these terms, LifeLock must continue to keep its marketing and advertising practices honest, and adhere to strict monitoring rules that allow the FTC to obtain documents, interview company officials, and even pose as LifeLock customers or employees in order to determine if LifeLock's in compliance.
The order states that LifeLock violated the 2010 permanent injunction order by:
"(a) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers;
"(b) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions;
"(c) failing to meet the Permanent Injunction’s record-keeping requirements;
"(d) falsely claiming it protected consumers’ identity 24/7/365 by providing alerts 'as soon as' it received any indication there was a problem."
Despite the ominous nature of the complaints, FTC Commissioner Maureen Ohlhausen, who issued a dissenting opinion in the case, wrote that after exhaustive testimony by experts who contradicted each other, "courts have declined to find an order violation."
Ohlhausen also wrote in a footnote: "My dissent focuses on the data security issues that underlie allegations one and two. The third allegation also has substantial weaknesses, but there is little I can say about it as the case remains sealed."
LifeLock released a written statement about today's release by the FTC that says, in part:
"The allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place. The settlement does not require us to change any of our current products or practices. Furthermore, there is no evidence that LifeLock has ever had any of its customers' data stolen, and the FTC did not allege otherwise."
Which sounds good — except that it's LifeLock: A company founded on a lie (as New Times exposed in a 2007 article) and which now has to pay a nine-digit monetary punishment because of its lies.