Feds reach record $100M settlement with ID security firm

Identity theft protection firm LifeLock has agreed to pay a record $100 million fine to settle a government lawsuit that it had deceived customers about how secure their data was.

The Federal Trade Commission (FTC) brought its suit against LifeLock, which has over 3 million subscribers, in July, alleging the company had violated a $12 million 2010 settlement it made with the agency and 35 states.

{mosads}Roughly $68 million of the settlement will go toward paying back customers who sued the company in a similar class action suit. The penalty is the largest the FTC has ever obtained in an order enforcement action.

“This settlement demonstrates the commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data,” said FTC Chairwoman Edith Ramirez.

LifeLock offers a variety of services that alert customers of suspicious activity on their bank account and data breaches that may affect their information. To do this, the firm collects large quantities of personal information from its customers.

In 2010, regulators said LifeLock was misrepresenting its services, promising greater levels of data protection for customers’ personal information than it actually offered.

The ensuing agreement barred LifeLock from falsely advertising its products, and also directed the firm to install a robust information security program.

In its July suit, the FTC alleged LifeLock had not living up to its deal from at least late 2012 through early 2014. 

The company had continued to promote its products with inaccurate statements and failed to install a robust information security program, leaving sensitive data — including Social Security numbers, credit card details and bank account information — exposed, the agency said.

“The fact that consumers paid LifeLock for help in protecting their sensitive personal information makes the charges in this case particularly troubling,” Ramirez said.

In a statement, LifeLock noted that “the allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place.”

“The settlement does not require us to change any of our current products or practices,” it added. “Furthermore, there is no evidence that LifeLock has ever had any of its customers’ data stolen, and the FTC did not allege otherwise.”

One of the four FTC commissioners, Maureen Ohlhausen, dissented to the settlement. Ohlhausen also voted against filing the lawsuit this summer.

“The record lacks clear and convincing evidence that LifeLock failed to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumers’ personal information,” she said in a statement.