Identity Theft Company LifeLock Once Again Failed To Actually Keep Identities Protected, Must Pay $100M

lifelockFive months after federal and state regulators accused identity theft protection company LifeLock of violating a 2010 settlement in which it paid $11 million for allegedly using false claims regarding effectiveness of its services, the company has been ordered to pay $100 million in penalties and refunds for once again misleading consumers. 

The Federal Trade Commission announced the new settlement [PDF] today after finding that from at least October 2012 to March 2014, LifeLock violated four components of its previous agreement.

Under the previous deal, LifeLock was barred from making deceptive claims about services and was required to take more stringent measures to safeguard the personal information it collects from customers.

LifeLock had essentially promised not to misrepresent that its services offer “absolute protection against identity theft because there is, unfortunately, no foolproof way to avoid ID theft.”

But those are promises LifeLock hasn’t abided by, the FTC claims in its recently filed order.

According to the FTC, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information, including their social security, credit card and bank account numbers.

Despite these failings, the company routinely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions.

From January 2012 through December 2014, the FTC alleges that LifeLock falsely advertised it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.

Additionally, the complaint states that LifeLock violated its previous order by failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers.

News of a settlement between the FTC and LifeLock is a bit of a surprise. When regulators filed action against the company in July, LifeLock said the two parties had gotten to that point because there was no way to reach an agreement outside of a court of law.

“We disagree with the substance of the FTC’s contentions and are prepared to take our case to court,” the company said in a statement at the time. “LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.”

On Thursday, the company said the agreement with regulators would allow it to move forward in helping consumers.

“The allegations raised by the FTC are related to advertisements that we no longer run and policies that are no longer in place,” the company said in a statement. “The settlement does not require us to change any of our current products or practices. Furthermore, there is no evidence that LifeLock has ever had any of its customers’ data stolen, and the FTC did not allege otherwise.”

Under the new settlement, in which LifeLock neither admits nor denies allegations, the company must deposit $100 million into the registry of the U.S. District Court for the District of Arizona. Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC.

Any funds not received by consumers in the class action settlement or through settlements between LifeLock and state attorneys general will be provided to the FTC for use in further consumer redress.

In addition to the monetary settlement, the 2010 order’s stipulations on record keeping have been extended to 13 years from the date of the original order.