The Federal Trade Commission (FTC) recently approved a $100 million settlement with LifeLock, Inc. to resolve allegations that it violated a 2010 federal court order by failing to take steps required to protect its users’ data, and continuing to make deceptive claims about its identity protection services. The settlement is more than eight times the amount of the 2010 settlement, and is the largest monetary award obtained by the FTC in an action to enforce an existing order.
The settlement resolves contempt charges filed by the FTC earlier this year, alleging that LifeLock violated the 2010 Order by:
-
Failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers
-
Falsely advertising that it protected consumers' sensitive data with the same high-level safeguards as financial institutions
-
Failing to meet the 2010 order's recordkeeping requirements, and
-
Falsely claiming it protected consumers' identity 24/7/365 by providing alerts "as soon as" it received any indication there was a problem
Under the proposed stipulated order LifeLock neither confirms nor denies the FTC’s allegations. In a statement issued in connection with the settlement announcement, LifeLock reported ''the allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place,'' and ''there is no evidence that LifeLock has ever had any of its customers' data stolen, and the FTC did not allege otherwise.''
The terms of the settlement require LifeLock to deposit $100 million into the registry of the U.S. District Court for the District of Arizona. Of that $100 million, $68 million may be used as restitution to affected consumers. The proposed order imposes additional requirements, including that LifeLock provide customers' information to the FTC, submit reports and information to the FTC, create and retain various records, and distribute copies of both court orders.
The settlement was approved by a 3-1 vote. In a dissenting statement, Commissioner Maureen Ohlhausen opined that the FTC lacked sufficient evidence to meet the ''clear and convincing'' standard that would have been required to succeed on its contempt motion. In particular, she cites LifeLock's representations in its annual financial disclosures that it complied with the Payment Card Industry Data Security Standard (PCI DSS) and the alleged lack of evidence that LifeLock suffered a breach affecting subscriber information. Commissioner Ohlhausen also cites to the FTC's settlement with Wyndham, to show that the FTC considers PCI DSS certifications to be ''important evidence of reasonable data security.''
The FTC's statement, however, makes explicit that ''PCI DSS certifications is insufficient in and of itself to establish the existence of reasonable security protections.'' The FTC notes its Wyndham order calls for a number of additional protections, including the implementation of risk assessments, certification of untrusted networks, and certification of the assessor’s independence and freedom from conflicts of interest.
