LifeLock Tentatively Settles with FTC
Sets Aside $116 Million to Cover Costs of Settling with FTC, Consumers
LifeLock says it has reached a tentative agreement on a settlement with the Federal Trade Commission regarding a number of issues, including alleged information security shortcomings. It says it's also reached agreement on a proposed settlement of a related consumer class action lawsuit.
The Tempe, Ariz.-based company acknowledges that the FTC settlement must still be approved by the commission and a federal judge, and the class action settlement will require court review and approval.
LifeLock markets a variety of identity theft protection and data breach alert services to consumers, as well as risk management services to governments and businesses.
The stock market reacted favorably to the company's Oct. 28 announcement. LifeLock stock was up nearly 44 percent on Oct. 29, closing at $13.94 on the New York Stock Exchange.
Back in July, the FTC alleged LifeLock had violated a 2010 settlement with the commission and 35 state attorneys by continuing to make deceptive claims about its identity theft protection services and by failing to take steps to protect users' data (see FTC Charges Lifelock with Deception).
In a press release announcing its 2015 third-quarter financial results, LifeLock said it had "reached agreements with the staff of the Federal Trade Commission and representatives of a national class of consumers on a comprehensive settlement resolving outstanding litigation relating to its past marketing representations and information security programs."
In an indication of the cost of the settlement, LifeLock noted: "In light of the agreements, LifeLock has accrued an additional $96 million in reserves, bringing the total amount of its reserves for this matter to $116 million. This $116 million also includes a $3 million reserve for a potential settlement with state attorneys general."
For the third quarter ended Sept. 30, the company posted a net loss of $65.1 million. In the same period a year earlier, it earned $5.5 million.
Long-term Financial Viability
The tentative settlements appear to help address questions related to LifeLock's financial viability, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"The settlements appear to resolve long-term uncertainty for the company," he says. "LifeLock's quarterly report estimates that it will see $585 million in revenue for 2015. It had already set aside $20 million in reserves for resolution of the FTC and consumer litigation. The additional $96 million it expects to spend seems to be well within what investors had anticipated, based on their reaction to the news from the company."
LifeLock's efforts to reach a settlement with the FTC and to resolve lawsuits brought by consumers have been spurred by concerns in the financial markets that were negatively impacting its share price, Holtzman notes. "As a publicly traded company, it was keen to the concerns of investors who were apprehensive about the financial risk posed by the uncertainty of these unsettled legal actions."
FTC Review
The FTC declined to comment on the details of the proposed settlement. "Federal Trade Commission staff has filed a motion to stay its federal court proceedings against LifeLock to give the commission time to consider a proposed settlement," it said in a statement provided to Information Security Media Group.
In its earnings statement, LifeLock asserted: "The proposed FTC settlement does not require us to change our current products, services, or business and information security practices, including in particular, our current marketing and advertising practices."
In a separate statement that LifeLock posted on its website, the company said, "Once approved, these agreements will allow all of us at LifeLock to fully focus without distraction on our core mission - protecting our members."
LifeLock declined to comment on the tentative settlement agreements.
The Allegations
The FTC noted that its 2010 settlement stemmed from previous commission allegations that LifeLock used false claims to promote its identity theft protection services.
The settlement barred the company and its principals from making any further deceptive claims, required LifeLock to take more stringent measures to safeguard the personal information it collects from customers and required LifeLock to pay $12 million for consumer refunds.
In its July announcement, the FTC alleged that despite these promises, from at least October 2012 through March 2014, LifeLock violated the 2010 order by failing to establish and maintain a comprehensive information security program to protect its users' sensitive personal data, including credit card, Social Security and bank account numbers; falsely advertising that it protected consumers' sensitive data with the same high-level safeguards as financial institutions; and failing to meet the 2010 order's recordkeeping requirements.
The FTC also asserted that from at least January 2012 through last December, LifeLock falsely claimed it protected consumers' identity around the clock by providing alerts "as soon as" it received any indication there was a problem.
Analyzing the Settlement
Privacy and security attorney Ron Raether, a partner at the law firm Troutman Sanders LLP, says that, based on what LifeLock has disclosed so far, the FTC may not be demanding additional behavioral changes by LifeLock beyond what was in the 2010 consent order because "such broad language was used to begin with in the behavioral changes" included in the 2010 order.
LifeLock had faced possible FTC penalties of $16,000 per consumer, per violation, based on the alleged failure to comply with FTC's previous consent order, he says.
The main lesson served up to other security information services firms by the FTC case against LifeLock, Raether says, is that "companies need to be conscious of the language of FTC consent orders." He says marketing of products needs to be "tempered for puffery."
"This is a lesson for companies to not overstate the capabilities of their products," he says.
Holtzman of CynergisTek says it's not yet clear what implications the settlement has for LifeLock customers.
"The details of the agreements with the FTC and the terms of the class action settlements have not been released," he notes. "However, I would expect the result to be cash refunds to past customers and service credits for current consumers who may have signed up for the LifeLock service."
Other FTC Activities
The FTC actions against LifeLock are the latest examples of the commission stepping up its enforcement actions to protect consumers' digitized information.
In 2013, the FTC filed a complaint against LabMD, alleging that the medical testing lab failed to reasonably protect consumers' personal information, including medical information. LabMD argues that the FTC has overstepped its authority in issuing the proposed order. That case is currently awaiting a ruling by an FTC administrative judge (see FTC's LabMD Case: The Next Steps).
In 2012, the FTC filed a suit against the hotel chain Wyndham Worldwide and three of its subsidiaries in connection with three security breaches that exposed stored card details for nearly 670,000 accounts (see FTC Sues Hotel Chain for Card Breaches). That case continues to be adjudicated in the federal courts.