Business Blog
FTC’s $100 million settlement with LifeLock: May (en)force be with you
The law may not authorize the use of light sabers, but to protect consumers and ensure that companies comply with existing orders, the FTC will use the forces within its power. It’s a lock that the agency’s $100 million settlement with LifeLock – one of the largest redress orders of its kind – makes that point as big as life.
LifeLock’s first go-round with the FTC and 35 state AGs was in 2010. According to that complaint, LifeLock didn’t live up to identity protection claims it made in its ads. To settle that case, the company agreed to secure customers’ sensitive information and promised not to mislead consumers in the future with deceptive claims about its services.
But as the FTC alleges, LifeLock violated four key provisions of that order. First, the FTC says that from October 2012 through March 2014, LifeLock failed to set up and maintain a comprehensive information security program to protect customers’ sensitive data, including their Social Security, credit card, and bank account numbers. The safety of consumers’ confidential information should be a serious consideration for any business – but for a company already under FTC order and in the business of selling identity protection services? You get the point.
Second, the filing charges that during that period, LifeLock falsely advertised that it protected consumers’ sensitive information with the same high-level safeguards as financial institutions. What about the company’s promise it would send alerts “as soon as” it received any indication that a customer may be a victim of identity theft? According to the filing, that ad claim was false, too. Finally, the FTC says LifeLock didn’t live up to the record-keeping provisions of the 2010 settlement, an essential part of any order.
Under the terms of the proposed settlement, the $100 million LifeLock has to pay will go toward consumer refunds. To make sure consumers are protected, the settlement explains in detail how that has to happen. LifeLock must deposit $100 million into the registry of the United States District Court in Arizona. Of that total, the company may use $68 million in settling an ongoing class action lawsuit related to the conduct alleged in the FTC’s filing. But let’s be clear: That money must go directly to consumers. Not one penny can be used for administrative costs or legal fees associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and the state AGs will go to the FTC for further consumer redress.
Surprised by the number of zeros in the settlement? You shouldn’t be. There’s not much the FTC takes more seriously than effective enforcement of existing orders. Furthermore, the FTC has made it clear that it won't tolerate deceptive advertising and unreasonable data security practices. Today’s announcement gives companies 100 million more reasons to avoid both courses of conduct.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.