LifeLock Settles FTC Case for $100 Million
Commission Cites Failure to Secure Private Data, Deceptive Advertising
In the largest monetary award obtained by the Federal Trade Commission in an enforcement action, LifeLock has agreed to pay $100 million to settle a case that, in part, stemmed from the identity protection company failing to establish and maintain an information security program to protect customers' personally identifiable information.
The FTC, by a 3-1 vote, held LifeLock in contempt for violating the terms of a 2010 federal court order that required the company to secure consumers' personally identifiable information and prohibited it from using deceptive advertising.
The settlement demonstrates the FTC's commitment to enforcing orders that require reasonable security for consumer data, FTC Chairwoman Edith Ramirez says in a statement. "The fact that consumers paid LifeLock for help in protecting their sensitive personal information makes the charges in this case particularly troubling," Ramirez says.
LifeLock, according to the FTC filing, failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information, including their Social Security, credit card and bank account numbers, from October 2012 through March 2014.
False Advertisements Alleged
The FTC noted that its 2010 settlement stemmed from previous commission allegations that LifeLock used false claims to promote its identity theft protection services.
That settlement barred the company and its principals from making any further deceptive claims, required LifeLock to take more stringent measures to safeguard the personal information it collects from customers and required LifeLock to pay $12 million for consumer refunds.
In its latest action, the FTC accused LifeLock of falsely advertising that it protected consumers' sensitive data with the same high-level safeguards used by financial institutions. The FTC alleged that LifeLock, from January 2012 through December 2014, falsely advertised it would send alerts as soon as it received any indication that a consumer may be a victim of identity theft. In addition, the FTC alleged that the company failed to abide by the order's recordkeeping requirements.
Of the $100 million that LifeLock will pay to settle the case, $68 million will go to consumers who were affected by the company's policies.
In addition to the settlement's monetary provisions, the FTC says recordkeeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order.
The main lesson the FTC case against LifeLock serves up to other information security services firms is that "companies need to be conscious of the language of FTC consent orders," privacy and security attorney Ron Raether, a partner at the law firm Troutman Sanders LLP, told Information Security Media Group when the tentative settlement was announced in October. He says marketing of products needs to be "tempered for puffery."
"This is a lesson for companies to not overstate the capabilities of their products," he says.
The lone dissenter among FTC commissioners, Maureen Ohlhausen, contends the case presented by the FTC staff lacked clear and convincing evidence that LifeLock failed to establish and maintain a security program to protect customers' PII. During the periods in question, LifeLock complied with the Payment Card Industry Data Security Standard and other data security standards, Ohlhausen said. "LifeLock's PCI DSS and other data security certifications undermine staff's ability to clear the high threshold for finding contempt," Ohlhausen says. "In fact, our recent data breach settlement with Wyndham shows that the FTC considers PCI DSS certifications to be important evidence of reasonable data security."
Earlier this month, the hotel chain Wyndham Worldwide agreed to an FTC settlement stemming from three security breaches at the hotel chain in 2008 and 2009 that exposed 619,000 payment cards and other personal information (see Wyndham Agrees to Settle FTC Breach Case). That settlement, which called on the hotel chain to maintain a comprehensive security program, did not include a monetary penalty.
PCI Certification Not Enough
The other three commissioners, in a statement, said a careful review of the evidence showed that LifeLock failed to maintain adequate privacy and security safeguards.
"The injunctive relief we obtained in the Wyndham case itself corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections," the commissioners' statement says. "The Wyndham order calls for a number of additional significant protections, including the implementation of risk assessments, certification of untrusted networks and certification of the assessor's independence and freedom from conflicts of interest. In short, the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security."
LifeLock, in a statement, says the settlement would allow it to move forward with a "singular focus" on protecting threats to customers' identities. "The allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place," the statement says. "The settlement does not require us to change any of our current products or practices. Furthermore, there is no evidence that LifeLock has ever had any of its customers' data stolen, and the FTC did not allege otherwise."
LabMD Case Continues
Another FTC case involving data security is still pending.
LabMD has been embroiled in a dispute with the FTC over the regulator's proposed enforcement actions tied to data breaches. The FTC filed a complaint against the medical testing company in August 2013 stemming from breaches in 2008 and 2012.
The FTC's chief administrative law judge on Nov. 13 issued an initial ruling dismissing the FTC's data security enforcement case against LabMD. In his ruling, the judge said the FTC failed to prove that two data security-related incidents involving LabMD caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would therefore constitute unfair trade practices. But the FTC's Bureau of Consumer Protection has filed a notice of appeal against the administrative law judge's decision, and the matter will be decided by the FTC's commissioners (see FTC to Appeal Ruling That Dismissed LabMD Case).