LifeLock’s Protection Leaves Much to be Desired

With a rising number of consumers falling victim to identity theft, it’s not a surprise some companies are promising services that will protect you from the chaos and costs of stolen identities. More than 12.6 million Americans were victims of identity theft in 2012. LifeLock, based in Tempe, Ariz., promises it will “relentlessly” protect your identity. But what can a company like LifeLock do that you can’t do on your own? And can you trust it?

The answer to the first question is, essentially, not much. LifeLock customers pay between $10 and $25 dollars a month for the company to monitor their identities, but consumers can handle many of the services LifeLock provides – such as credit reports and cancelling cards in lost wallets – on their own with a couple of (free) phone calls. To answer the second question, consumers may want to check into LifeLock’s history. Consider these issues:

• The company agreed to pay $12 million in 2010 to settle charges by the Established in 1914 under President Woodrow Wilson, the FTC is the United States government’s primary regulatory authority in the area of consumer protection and anti-competitive business practices in the marketplace. Its Bureau of Consumer Protection assumes the lead in the Commission’s efforts to eliminate deceptive advertising and fraudulent business practices at work in the economy. that the company made deceptive claims about its ability to protect consumers from identity theft. The FTC took further action and charged that the company continued to make deceptive claims in violation of the 2010 order and announced in December 2015 that the company will pay $100 million to consumers to settle the charges, which is the largest monetary award obtained by the agency in an enforcement action regarding court orders.  Specifically, the FTC alleged that Lifelock violated four key components of the 2010 order, including that it failed to establish and maintain a security program to protect users’ sensitive personal information — the very key information consumers pay the company to protect. The agency also alleged, among other things, that Lifelock falsely advertised that it would protect customers’ sensitive data with the same high-level safeguards used by financial institutions and that it falsely advertised that it would send alerts “as soon as” it received any indication that a customer may be a victim of identify theft. Lifelock, in explaining net losses for its third quarter, announced it had allocated $96 million to settle charges with the FTC and attorneys general and a class-action lawsuit.
• The company faces several class-action lawsuits. One complaint that has reached a preliminary settlement alleges that the company failed to adequately disclose the terms of automatic renewals and continuous services. Another alleges that, among other things, the company falsely represented that it protects consumers’ data but did not actually safeguard it in the way it represented.
• The company didn’t do a particularly good job of protecting its CEO, Todd Davis, from getting his identity stolen after Davis publicized his Social Security number in a LifeLock marketing stunt in 2007.
• Its co-founder, Robert J. Maynard, was jailed in 2003 for defaulting on a casino loan.
• The credit bureau One of the primary consumer credit reporting agencies, Equifax and TransUnion being the other two. sued LifeLock in 2008 after it flooded Experian’s phone lines with bogus fraud alerts on LifeLock’s customer accounts (without alerting its customers that they can place such fraud alerts with the credit bureaus on their own, for free).
• The FTC has pages of complaints on file about the company dating back to 2008. More than 100 consumers filed complaints just from 2013-2015 against the company.
• One woman who said her ex-husband opened a Lifelock account under her name to track her financial expenditures said the company put up roadblocks when she tried to obtain information and documents about the problem until a local newspaper published a story on it.

Now, let’s take a look at some of these issues a little closer.

Company fails to protect Davis

Davis published his Social Security number in 2007 on flyers, billboards, and radio and print ads as part of a publicity stunt. He also, on occasion, announced it via bullhorn on city streets. LifeLock went so far as to actually print Davis’ Social Security number on the side of a truck and drive the truck across the country. (Davis’ information is still widely available on the Internet thanks to the marketing push.)

Not surprisingly, Davis had his identity stolen repeatedly throughout the ad campaign. The Phoenix New Times reported in 2010 that Davis’ identity had been stolen at least 13 times since the marketing ads began, despite LifeLock’s protection. According to the Associated Press, at least 20 people applied for driver’s licenses with Davis’ Social Security number, some of them successfully. Thieves used Davis’ information to open utility accounts, credit cards, and cellphone service, racking up thousands of dollars worth of debt in his name.

Consumer data not secured

The federal government stepped in when it said LifeLock was not properly protecting its customers’ information. In 2010, the company agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its services. The FTC charged that the company provided less protection against identity theft than promised and that it made claims about its own data security that were not true. The company mailed refund checks to 957,928 people the FTC said were victims of the false claims.

“The protection [LifeLock] actually provided left enough holes that you could drive a truck through it,’’ said then-FTC Chairman Jon Leibowitz.

LifeLock’s ads now include fine-print disclaimers that note, among other things, that “No one can prevent all identity theft” and that the“Network does not cover all transactions.”  (See the company’s 16-page terms and conditions, which notes that “membership will renew automatically until cancelled by you.”)

What’s not protected?

While LifeLock promises to monitor for fraudulent applications made using their customers’ identities (e.g., when an identity thief attempts to take out a loan or open a new credit card with someone else’s information), according to the FTC, only 18.5% of 2012 identity theft complaints were about new There are two basic forms of account fraud – the misuse of a victim’s existing account, and the opening of a new account in the victim’s name. According to FTC research, about three-fourths of identity theft victims report that the thief misused only their existing accounts.1 One-fourth of the victims report that the thief opened new accounts or committed other types of fraud with the victim’s personal information. Credit card accounts are the most commonly misused existing account. Telephone accounts, usually wireless, are the most common type of new account opened by identity thieves. Identity thieves also open or raid bank accounts, Internet payment accounts, and auto, personal, or student loan accounts.. If someone steals your credit-card number and begins making purchases with that information, there’s little LifeLock can do to preempt the thief. And the FTC now lists tax- and wage-related fraud — when someone steals your tax return or wages using your social security number — as the most common type of identity theft.

In regard to LifeLock’s protection, “scope may vary” indeed.

Check out how to protect yourself from identity theft.

This story was originally published on 4/9/13 and has been updated several times, most recently on 12/17/15.