LifeLock, an Arizona company promising customers protection from identity theft, has agreed to pay $12 million to settle charges that the company overstated its benefits and used "scare tactics" to gain subscribers.
Since 2006, LifeLock has promised in television and newspaper advertisements that it would protect customers from ID theft, but a complaint from the U.S. Federal Trade Commission and 35 state attorneys general said the company over-promised what benefits it could provide.
The company's $10-a-month subscription service provided some benefits, but "this was a fairly egregious case of deceptive advertising," said Jon Leibowitz, the FTC's chairman. "They promised protection, and they didn't deliver."
LifeLock's service, focused on fraud alerts for new accounts set up in a customer's name, could not protect customers from several types of ID theft, including misuse of existing credit accounts, Leibowitz said.
The company also told customers it encrypted their personal data and shared it between employees only on a "need-to-know" basis. However, LifeLock did not use encryption for personal data, the FTC said. The company's system was vulnerable to attacks, the FTC alleged.
A LifeLock spokeswoman did not immediately respond to a voice mail and an e-mail message asking for comments on the settlement.
One LifeLock TV ad showed a truck driving around a city with company Chairman and CEO Todd Davis' Social Security number written in large numbers on the side of the truck. Davis was later a victim of ID theft.
One of LifeLock's ads said its service prevented ID theft from "ever happening to you. Guaranteed." But the FTC knows of "several hundred" LifeLock customers who were victims of ID theft after subscribing to the service, Leibowitz said during a press conference in Chicago.
"There is nothing you can do or purchase that will provide you with a 100 percent guarantee against being a victim of identity theft," said Lisa Madigan, attorney general for Illinois. "But that doesn't mean you should do nothing."
U.S. residents can take several steps to help protect themselves against ID theft, including getting a free credit report once a year, Madigan said. But LifeLock sent prospective customers letters warning them they were at risk for ID theft.
"Don't be scared into spending your hard-earned money," Madigan said. "This is the typical tactic of scam artists."
LifeLock, despite promising it would pay up to $1 million for any ID theft losses suffered by customers, did not pay out-of-pocket expenses that customers incurred in trying to resolve ID theft problems, Madigan said.
The company will pay $11 million to the FTC and $1 million to the states to resolve the complaints, the FTC said. The FTC money will be used to reimburse LifeLock customers, Leibowitz said.
LifeLock will stay in business, but must make clear to customers the limits of its protections, Leibowitz said.
The fraud alerts that LifeLock placed on customers' credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft, the FTC said. LifeLock's service also did not protect customers against medical ID theft or employment ID theft, in which thieves use personal information to get medical care or apply for jobs, the FTC alleged.
The fraud alerts that LifeLock used to protect its customers can also be thwarted by ID thieves, the FTC said.
New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17% of identity theft incidents, according to an FTC survey released in 2007.
LifeLock also said it would prevent unauthorized changes to customers' address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. Those claims were false, the FTC said.