The identity-theft protection firm LifeLock leaped into public consciousness in 2006 with what turned out to be one of the most hilariously misbegotten marketing campaigns of all time. What’s happening with LifeLock at the moment isn’t so funny.
You probably remember the ads. They featured CEO Todd Davis brazenly broadcasting his Social Security number over the air and painting it on the side of panel trucks. The idea was that LifeLock’s identify-theft safeguards were so ironclad that Davis faced no risk. The reality, according to subsequent reports, was that his identity was stolen at least 13 times after the campaign began.
The protection [LifeLock] actually provided left enough holes that you could drive a truck through it.
That was embarrassing enough, although Davis tried to spin the frauds as proof that his service worked: Even more crooks had tried to use his Social Security number and failed.
What followed was a series of legal entanglements. The firm’s co-founder, Robert Maynard Jr., resigned as an officer after stories in The Times and elsewhere raised questions about his own shady past.
Then, in 2010, federal and state regulators lowered the boom on the Tempe, Ariz., company, hard. The Federal Trade Commission and 35 state attorneys general charged that LifeLock’s ads claiming that the company could protect against identity fraud “ever happening to you — guaranteed” and that it worked “to stop identity theft before it happens” were themselves deceptive.
Contrary to LifeLock’s claim that its customer data were “electronically encrypted” and “highly secure,” the FTC said, its data system in fact was vulnerable to identity thieves. The regulators extracted $12 million from the company and a pledge to clean up its act.
Last July, the FTC struck again, alleging that LifeLock has been violating the terms of the 2010 settlement. From 2012 through the end of 2014, the agency says, the firm failed to set up a program to safeguard its customers’ personal data, including credit card and Social Security numbers, falsely advertised that its high-level safeguards matched those of financial institutions and “falsely claimed it protected consumers’ identity 24/7/365 by providing alerts ‘as soon as’ it received any indication there was a problem.”
At the end of October, the company and the FTC reached another deal. This time LifeLock is on the hook for as much as $116 million in penalties and costs, judging from its public disclosure that it has reserved that much to cover the settlement.
You might think that a proposed legal settlement that would wipe out three years of cumulative pre-tax profits, as the company stated Monday, would warrant a full and frank disclosure for shareholders and customers.
You would be wrong. The FTC isn’t offering any details just now, and the company is similarly mum, beyond disclosing the size of its reserve for the deal and asserting that the settlement won’t “require us to change our current products, services, or business and information security practices, including in particular, our current marketing and advertising practices.” Emphasis on “current.”
The reason for the silence is that the deal, which was reached with the FTC staff, must yet be approved by the FTC itself. That may not happen for 90 days. That’s the length of the stay the agency sought from Federal Judge John J. Tuchi of Phoenix and received Oct. 30. Until the FTC acts or the stay expires at the end of January, all filings in the case related to the settlement are sealed.
What the settlement and the unsealing of documents probably won’t do is end questions about whether the services provided by LifeLock or other identity-protection firms provide value for the price — $9.99 to $29.99 a month at LifeLock.
Consumer Reports, which in 2010 listed identity-theft protection as one of eight financial products that are “a waste of money,” last year reported that consumer protection laws and bank protections limit the real cost of debit- and credit-card fraud, the largest component of identity theft, for most consumers. “Those who had out-of-pocket costs in 2013 lost only $108, on average,” the magazine reported.
The value of many LifeLock services and safeguards start to evaporate when you give them some thought or read the fine print. Much of what LifeLock’s top-of-the-line Ultimate Plus service offers can be handled by consumers themselves for free: If your wallet is stolen, “we’ll help cancel or replace credit cards, driver’s licenses, Social Security cards, insurance cards and more.” It will track your monthly credit score — which now appears on the monthly statements of many credit card issuers, for free. It gives you online access to your annual reports at the three major credit bureaus, which also are available free via the federally authorized website annualcreditreport.com.
Then there’s LifeLock’s purported $1-million “total service guarantee,” as it was advertised in 2006. The million-dollar guarantee is still part of LifeLock’s pitch, but it’s barnacled with caveats. The guarantee chiefly covers the expenses of professionals, such as lawyers, accountants and investigators the company might hire to help you with your identity-theft case.
LifeLock will replace a handbag, purse or wallet stolen as a result of identity theft, but how often does ID theft lead to the loss of a physical handbag? The guarantee might cover funds stolen from a bank account via identity fraud, but in many cases, the bank would do so itself — unless you can’t document that the loss is due to ID theft, in which case LifeLock might not cover it either.
LifeLock’s announcement of the FTC settlement implies that whatever issues the agency had with its services or marketing are relics of the past, and that its “current” products and policies are squeaky clean. Possibly. But as Consumer Reports and other critics of the identity-protection industry have argued, the best way to protect yourself against loss may be to keep an eye on your own bank and brokerage statements, download your annual free credit reports yourself, safeguard your passwords and skip the fees.