By Megan Rodgers

The FTC announced that the identity theft protection firm LifeLock will pay $100 million to resolve allegations that the company made false statements about its services and failed to safeguard consumer data.  This settlement represents the largest of its kind in an FTC order enforcement action.

The FTC first sued LifeLock in 2010, alleging that the company falsely advertised that it protected against the most common types of identity theft.  The FTC also alleged that LifeLock routinely transmitted customers’ personal information without encrypting it and permitted employees to use overly simplistic passwords.  LifeLock reached a settlement agreement with the FTC in 2010, agreeing to refund consumers $24 million and to pay an additional $11 million to the FTC, along with a total of $1 million to attorneys general from 35 states.  The company also agreed not to make any deceptive claims about its services and to enhance its security.

In this case, the FTC alleged that LifeLock violated the 2010 order in four ways.  First, the FTC claimed that LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information.  Second, the FTC claimed that LifeLock falsely advertised that it protected consumers’ sensitive data with the same safeguards used by financial institutions.  Third, the FTC alleged that LifeLock falsely advertised that it would immediately alert consumers if they may be a victim of identity theft.  Fourth, the FTC alleged that LifeLock failed to abide by the 2010 order’s recordkeeping requirements.

Under the terms of today’s settlement agreement, $68 million will go to class action consumers who were allegedly injured by LifeLock’s behavior.  The remaining $32 million will cover additional settlements with state attorneys general, and any remaining money will be returned to the FTC.  In addition, the recordkeeping requirements in LifeLock’s 2010 order have been extended to 13 years from the date of the original order.

The Commission vote approving the stipulated final order was 3-1, with Commissioner Maureen Ohlhausen issuing a dissenting statement.  According to Commissioner Ohlhausen, the record “lack[ed] clear and convincing evidence that LifeLock failed to establish and maintain a comprehensive security program designed to protect the security, confidentiality, and integrity of consumers’ personal information.”