The Federal Trade Commission announced the other day that a settlement has been reached with LifeLock to the tune of $12 million. Since this news broke, and partially due to a press release issued by LifeLock referencing Identity Theft Lab’s rating of them as the “Best Overall” identity protection, we have been asked on a few occasions, most notably by Zoran Basich in his Wall Street Journal Venture Blog, whether our “best overall” rating will remain. The short answer is yes, for now, but first let’s take a deeper look at this settlement and the, ahem, errors made by LifeLock before we give you the reason for our decision.
According to a press release issued by the FTC, LifeLock agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that they used false claims to promote their identity theft protection services between April 1, 2005 and March 31, 2009 and that LifeLock failed, at least at some point within this timeframe, to adequately safeguard their clients’ personal information as they had stated they would do.
The FTC took exception to LifeLock CEO Todd Davis advertising his Social Security number everywhere and referenced its widely advertised use on the side of a truck. This, combined with some other statements and advertisements, may have given consumers a false sense of security with regard to how well their identity was protected. For some consumers, it may also have given the impression that LifeLock was protecting them from all or other types of identity theft when they were predominantly just protecting them from financial identity theft, with a strong emphasis on new account fraud.
The press release stated, “And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.”
Anyone who has followed this blog will know that there is no such thing as foolproof identity theft protection and that fraud alerts, while effective, should not be your only means of protection. It should also be noted that LifeLock changed its marketing practices by April of 2009, launched a new enhanced service by October 2009 and then, this past January, added a whole new level of protection called LifeLock Command Center that actually does help protect Americans from other types of identity theft, such as criminal identity theft.
“As the crimes of identity theft and identity fraud continue to evolve, we have positioned our business to grow at a more rapid pace in attempt to stay in front of the crime,” said LifeLock Chairman and CEO Todd Davis. “With our next generation LifeLock Identity Alert(TM) system and our advanced LifeLock Command Center(TM) protection suite, we are using technologies that allow us to search broader, deeper and for more data than ever before.”
Even when considering LifeLock’s old service, what the FTC failed to see or at least point out is that Americans are mostly concerned about financial identity theft and that by discovering an identity theft situation of any kind you are better protected from other types as well because you now know that some thief has your personal information. This causes your guard to go up, at least it should, and you will become more vigilant in protecting your identity even for something totally unrelated such as a hospital visit. For example, you may ask your doctor to confirm that the last time you were looked after actually was the last time YOU were looked after.
The FTC press release also claimed that “LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.” It also states “the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.”
It is important to note that there was no external breach, but still this shocked us. How can an identity theft protection company not be taking the highest of security measures when the lack of such measures can result in a devastating setback for the company? We know LifeLock has always taken the security of its clients seriously; they have earned and maintained an ISO 27001 Security Certification since January 2007. But the lack of encryption is unacceptable and should not have happened. There is no excuse for not employing the strictest security measures possible. We realize that the FTC claim is from the past and does not relate to LifeLock’s current security measures, but maybe this is why they hired a new Chief Technology Officer a few months back and added another Senior Executive to its technology team recently.
Many people will claim that the independent third-party assessments are overregulation, but we do not see this as a bad thing. Even LifeLock welcomed the settlement and increased industry regulation.
“LifeLock is pleased with this agreement, which, for the very first time, works to set advertising guidelines for the entire industry. We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft,” said LifeLock Chairman and CEO Todd Davis.
At least now, clients of LifeLock will know their personal information is protected to the highest levels of security. Financial Institutions, Credit Bureaus and Identity Theft Protection Companies should be held to a higher standard of security and independent third-party assessments for all of them would certainly ensure they are using best of breed technologies, implementing the strictest policies and procedures and enforcing the highest security measures possible. Don’t consumers deserve this?
So the question remains: does LifeLock still have the “best overall” identity protection? The answer is yes. As you probably picked up on, the FTC settlement was due to past behavior relating to their old outdated service and old marketing practices. This is not to condone what happened, but LifeLock is far from the first company to take their advertising over the top. And quite frankly, we will leave the judgement of what constitutes acceptable marketing to the FTC; that is their role. Ours is to evaluate the service itself and, for now, we still see LifeLock as the best overall identity theft protection service and don’t see the point in punishing them for their past mistakes, especially since the FTC just did this.
But there is a caveat to this. We never intended to recommend LifeLock to everyone; our goal has always been to find the best of breed identity theft services and to review and compare them in a way that lets consumers see the points of difference between these services so that they can choose the right service for them.
We consider all the companies in our identity theft protection comparison chart (see our homepage) to be excellent, and perhaps in the near future we will revert to presenting them all as best of breed and drop the “best overall” and other taglines or notes we have on our site. In the meantime, however brief, we have decided to let it stay because right now many people are shying away from LifeLock and, given their current offering, we don’t believe that is the right thing to do.
Here is our review of LifeLock basic.