LifeLock Lawsuit

By Henry Bagdasarian
March 2010

The government initiated LifeLock lawsuit was settled for $12 million between LifeLock, FTC and 35 other States. The FTC will get $11 million while the States get $1 million on behalf of LifeLock customers. The lawsuit was settled in just one day on March 9, 2010 and the results of the LifeLock lawsuit prove once more that identity theft is unavoidable and we can only attempt to collectively reduce the identity theft risks through awareness and education, theft prevention, detection of theft and fraud, as well as timely follow up and resolution of all suspicious activities and fraud cases. I stress on the words "collective efforts" because if there is a gap in our collective identity management practices, then we collectively remain vulnerable to identity theft and fraud. For example, if companies fail to properly approve each business transaction or educate their customers about the latest identity theft threats and best identity protection practices, then companies expose themselves to identity theft risks because their customers are the weakest link in their efforts for protecting personal information and fraudsters know this and continue to take advantage of unaware customers through phishing, spams, spoofing, and social engineering. To my knowledge, very few companies care to educate their customers about identity theft risks and best identity protection practices because they think consumer education costs money and also they may not be aware that uninformed customers can cost them even more when they are hit with multi million dollar lawsuits.

LifeLock has been preaching guaranteed protection against identity theft for some time and I wish they had hired me as a management or Board consultant to tell them that the business message and motto was misleading not just because placing fraud alerts on credit reports does not guarantee full protection against identity theft but also because even if the fraud alerts were effective in preventing and detecting credit fraud which they are not, they would not detect other types of identity fraud. For example, if your medical records are altered without your knowledge because of identity theft, there is no way that a credit report fraud alert is going to save your life when your doctor prescribes a deadly medication or proposes a serious surgery based on your false medical information.

Let me say a few words about placing fraud alerts on credit reports which is what LifeLock was first doing when it started the business. The Fair and Accurate Credit Transaction Act or FACTA allows consumers to place fraud alerts on their credit reports when they become victims of identity theft or even suspicious that their identities might be used to commit fraud such as when someone loses a wallet. An initial fraud alert can be placed by anyone and is good for 90 days and the extended fraud alert can only be placed with an identity theft police report and is good for many years unless it is removed by the consumer. The LifeLock lawsuit alleges that LifeLock took advantage of the initial fraud alert law by offering customers automatic placement of the fraud alerts every 90 days and falsely guaranteeing its customers that by buying their identity protection services (placing fraud alerts), identity fraud will never happen. This is where LifeLock crossed the line. Identity theft will never fully stop and we can only reduce its rate of occurrence through awareness and prevention, and ensure the least damage due to timely detection and resolution of a fraud. A fraud alert is only effective if creditors actually notice the alert on credit reports and follow up with credit consumers to validate their identities which they don’t. Current identity theft laws are not designed to ensure that fraud alerts are not abused by consumers or their agents like LifeLock and that creditors are forced to follow up or take them seriously. As such, the LifeLock business practices crushed the meaning or rather the intentions of the fraud alert laws by casually placing them for any paid customer and falsely advertising their effectiveness. The fraud alert was meant for identity theft victims and those who suspect might become victims of identity theft in the near future but the idea or the law for that matter was sold to consumers as a full cycle identity protection solution.

In addition, it appears from the LifeLock lawsuit that the company failed to properly protect its customer information even within the boundaries of the company through encryption and access controls. Any company that collects customer information must take all measures necessary to protect the personal information that it collects, stores, and shares with others. An identity protection company must even be more sensitive to such practices as information protection is their business. The LifeLock lawsuit settlement orders the company to put its house in order and have a third party independent company review and asses its internal information protection practices.

The LifeLock lawsuit is in no doubt costing the company its reputation, financial losses, and competitive edge especially if it doesn’t change its business practices and properly communicate to consumers what its services will do for them. And honestly, LifeLock is not the only identity protection company to have deceived customers. Many companies still deceive customers by claiming full protection against identity theft and even advertise free credit reports while they fail to tell customers that they can get the free credit reports themselves from each year. I can only assume that some companies are aware of the risks of their actions, especially after this LifeLock lawsuit settlement, but have consciously decided to assume the losses when they are hit with identity theft lawsuits in exchange for short term profits.

Return to home page from LifeLock lawsuit.

Enter your E-mail Address
Enter your First Name (optional)

Don't worry — your e-mail address is totally secure.
I promise to use it only to send you Identity Management Journal.