The firm that may have profited the most from consumer fears over identity theft has run into serious trouble with the Federal Trade Commission for the second time. LifeLock, which rose to prominence in the 1990s when its founder plastered his Social Security number across billboards in a marketing stunt, has violated the terms of a 2010 settlement with the FTC, the agency alleged in court documents made partially public on Tuesday.
LifeLock denies the allegations and said it will fight the FTC charges in court, but investors were immediately spooked by the court filing. The firm’s stock price was cut nearly in half right after the announcement, dropping 49 percent, from just above $16.05 to $8.15 — meaning the firm lost $1.5 billion of market capitalization.
Back in 2010, LifeLock refunded nearly a million customers to settle charges filed by the FTC and 35 state attorneys general that the firm misled consumers about its ability to prevent identity theft. Without admitting any wrongdoing, the firm agreed to change its marketing practices and to protect customer data.
On Tuesday, the FTC announced it has alleged in federal court that LifeLock has violated the terms of that settlement. Details of the allegations remain under court seal, though the FTC described them in vague terms — mostly focusing on LifeLock’s failure to properly secure its consumers’ sensitive information.
“The FTC charged today that in spite of these promises, from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 orders recordkeeping requirements,” the agency said.
The FTC also hinted that it still has problems with LifeLock’s marketing tactics: “The FTC also asserts that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers identity 24/7/365 by providing alerts as soon as it received any indication there was a problem.”
LifeLock denied the FTC allegations in this lengthy statement:
After more than 18 months of cooperation and dialogue with the FTC, it became clear to us that we could not come to a satisfactory resolution of their issues outside a court of law. We disagree with the substance of the FTCs contentions and are prepared to take our case to court,” the firm said
LifeLock is proud of the valuable service we provide to our members. Quite simply, our members are our highest priority, and we work hard to protect them against threats to their identity. We help our members by alerting them of potential identity threats and, if a member does become a victim of identity theft, our specialists step in. We spend up to $1 million to help in remediation and recovery.
Importantly the FTC is not seeking any relief that would change LifeLock services and products going forward. The claims raised by the FTC are all related to the past, not to current business practices.
LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members,” the firm said. “Security of our systems has always been, and will remain, of primary importance to us. Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any members data being taken. As required by the FTC’s consent order in 2010, LifeLock hired highly-credentialed, independent professionals to assess its information security. We are committed to maintaining high standards and to continual improvement, and we have spent thousands of hours and millions of dollars to achieve those standards in full compliance with the order. Every audit completed by those third parties affirmed that we were in compliance.