LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order (Updated)

I had previously reported that LifeLock was negotiating to settle FTC charges that it had violated a 2010 consent order. Now it’s official. From the FTC:

LifeLock will pay $100 million to settle Federal Trade Commission contempt charges that it violated the terms of a 2010 federal court order that requires the company to secure consumers’ personal information and prohibits the company from deceptive advertising. This is the largest monetary award obtained by the Commission in an order enforcement action.

“This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data,” said FTC Chairwoman Edith Ramirez. “The fact that consumers paid Lifelock for help in protecting their sensitive personal information makes the charges in this case particularly troubling.”

The FTC’s filing in the case alleged that LifeLock violated four components of the 2010 order. First, the FTC alleged that from at least October 2012 through March 2014, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information including their social security, credit card and bank account numbers. Second, the filing alleged that during this period LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions. Third, the FTC alleged that, from January 2012 through December 2014, LifeLock falsely advertised that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft. Finally, the FTC alleged that the company failed to abide by the order’s recordkeeping requirements.

Under the terms of the settlement, LifeLock must deposit $100 million into the registry of the U.S. District Court for the District of Arizona.
Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC. These funds, however, must be paid directly to and received by consumers, and may not be used for any administrative or legal costs associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and state attorneys general will be provided to the FTC for use in further consumer redress.

In addition to the settlement’s monetary provisions, recordkeeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order.

The Commission vote approving the stipulated final order was 3-1, with Commissioner Maureen Ohlhausen voting no. Commissioner Ohlhausen issued a dissenting statement. The FTC filed the proposed order in the U.S. District Court for the District of Arizona.

NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

Update: Dissenting Statement of Commissioner Maureen K. Ohlhausen In the Matter of FTC v. LifeLock, Inc. In her dissent, Commissioner Ohlhausen also notes that filings in this matter remain sealed, which is a serious problem. Why won’t the FTC be more transparent?

[Proposed] Stipulated Order Resolving FTC’s Allegations of Contempt and Modifying Stipulated Final Judgment and Order for Permanent Injunction

Plaintiff Federal Trade Commission’s Consent Motion For Entry of Proposed Stipulated Order Resolving FTC’s Allegations of Contempt and Modifying Stipulated Final Judgment and Order For Permanent Injunction

Lifelock reaches tentative settlement with FTC to the tune of almost $100 million

Remember when FTC went after Lifelock for failure to comply with an earlier consent order? And remember when I quoted Lifelock’s 10-Q SEC filing that mentioned the issue but reported:

As a result of those discussions, we have accrued $20,000 as of December 31, 2014 for a possible settlement with the FTC. The ultimate resolution of the matter could result in a loss of up to $100,000.

I had commented:

That’s all? I had imagined that we were looking at a much bigger penalty and costs going forward. While I don’t mean to minimize the importance of $100,000 (I’d love to have it), the stock harm that has been done by the FTC action has likely cost a lot more than $100,000 to the company shareholders by now. LifeLock’s stock dropped about 50% after the announcement of FTC’s action, and so far, it is not rebounding.

Well, it wasn’t $100,000. Maybe they left off a few zeroes? From their press release yesterday, it looks more on the order of $100 million. Lifelock also announced a possible settlement with attorneys general and a class action lawsuit:

The Company also announced that it has reached agreements with the staff of the Federal Trade Commission and representatives of a national class of consumers on a comprehensive settlement resolving outstanding litigation relating to its past marketing representations and information security programs. The Company noted that the agreements are not yet final, as the FTC staff’s recommendation to approve the settlement must still be approved by the Commission itself and a federal judge, and the class action settlement will require review and approval by the court. The proposed FTC settlement does not require us to change our current products, services, or business and information security practices, including in particular, our current marketing and advertising practices.
In light of the agreements, LifeLock has accrued an additional $96 million in reserves, bringing the total amount of its reserves for this matter to $116 million. This $116 million also includes a $3 million reserve for a potential settlement with state attorneys general.

Overall, they report a net income loss in the third quarter of 2015:

Net income (loss): Net loss was $65.1 million for the third quarter of 2015, which included a pre-tax charge of $96.0 million related to a proposed settlement with the FTC, a consumer class action suit, and state attorneys general, compared with net income of $5.5 million for the third quarter of 2014. Net loss per diluted share was $0.68 for the third quarter of 2015 based on 95.3 million weighted-average shares outstanding, compared with net income per diluted share of $0.06 for the third quarter of 2014 based on 98.5 million weighted-average shares outstanding.

Lifelock’s stock, which was trading at over $16/share prior to the FTC’s announcement in July, still has not recovered, and is still trading at less than $10.

This post was cross-posted from PogoWasRight.org.

More details on the FTC-LifeLock case

In light of the FTC’s action against LifeLock, and the latter’s response, I thought it might be interesting to post this statement from LifeLock’s 10-Q SEC filing for the period ending March 31, 2015:

On March 13, 2014, we received a request from the FTC for documents and information related to our compliance with the FTC Order. Prior to our receipt of the FTC’s request, we met with FTC staff on January 17, 2014, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order. On October 29, 2014, we completed our responses to the FTC’s March 13, 2014 request for information. On January 5, 2015, we completed our responses to the FTC’s subsequent requests for clarification regarding certain information that we previously submitted. We have engaged in ongoing discussions with the FTC Staff regarding the FTC’s inquiry into our compliance with the FTC Order. On February 4, 2015, we made a $20,000 settlement offer to the FTC Staff and we remain in ongoing discussions with the FTC Staff regarding a possible settlement of this inquiry. As a result of those discussions, we have accrued $20,000 as of December 31, 2014 for a possible settlement with the FTC. The ultimate resolution of the matter could result in a loss of up to $100,000.

That’s all? I had imagined that we were looking at a much bigger penalty and costs going forward. While I don’t mean to minimize the importance of $100,000 (I’d love to have it), the stock harm that has been done by the FTC action has likely cost a lot more than $100,000 to the company shareholders by now. LifeLock’s stock dropped about 50% after the announcement of FTC’s action, and so far, it is not rebounding. The FTC litigation is not the only litigation LifeLock is defending against, as there are several potential class action lawsuits that they describe in the 10-Q filing, too, but the stock drop seems clearly linked to the FTC announcement.

FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order

Whoa.

The Federal Trade Commission today asserted that LifeLock violated a 2010 settlement with the agency and 35 state attorneys general by continuing to make deceptive claims about its identity theft protection services, and by failing to take steps required to protect its users’ data.

In documents filed with the U.S. District Court for the District of Arizona, the FTC charged that LifeLock failed to live up to its obligations under the 2010 settlement, and asked the court to impose an order requiring LifeLock to provide full redress to all consumers affected by the company’s order violations.

“It is essential that companies live up to their obligations under orders obtained by the FTC,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company continues with practices that violate orders and harm consumers, we will act.”

The 2010 settlement stemmed from previous FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement barred the company and its principals from making any further deceptive claims; required LifeLock to take more stringent measures to safeguard the personal information it collects from customers; and required LifeLock to pay $12 million for consumer refunds.

The FTC charged today that in spite of these promises, from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements.
The FTC also asserts that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.

Details of the FTC’s action against the company were filed under seal. The court will determine which portions of the case will be unsealed.

The Commission vote to file the application for a show cause order was 4-1, with Commissioner Maureen K. Ohlhausen voting no.

SOURCE: FTC

In response, LifeLock, whose stock has plunged 38% since the announcement, issued the following statement:

“After more than 18 months of cooperation and dialogue with the FTC, it became clear to us that we could not come to a satisfactory resolution of their issues outside a court of law. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court.

“LifeLock is proud of the valuable service we provide to our members. Quite simply, our members are our highest priority, and we work hard to protect them against threats to their identity. We help our members by alerting them of potential identity threats and, if a member does become a victim of identity theft, our specialists step in. We spend up to $1 million to help in remediation and recovery.

“Importantly the FTC is not seeking any relief that would change LifeLock services and products going forward. The claims raised by the FTC are all related to the past, not to current business practices.

“LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.

“Security of our systems has always been, and will remain, of primary importance to us. Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member’s data being taken.
As required by the FTC’s consent order in 2010, LifeLock hired highly-credentialed, independent professionals to assess its information security. We are committed to maintaining high standards and to continual improvement, and we have spent thousands of hours and millions of dollars to achieve those standards in full compliance with the order. Every audit completed by those third parties affirmed that we were in compliance.”

Governor Tom Ridge, Former Secretary of Homeland Security, former Governor of Pennsylvania, and Member, LifeLock Board of Directors said, “My colleagues and I on the company’s board of directors know the people of LifeLock, meeting and talking with them on a regular basis. These are truly dedicated employees, committed to their work—namely, helping to protect LifeLock members from identity theft and restoring the identities of those who are victimized. Whether they’re responding to member calls or focused on developing new products and technology for LifeLock members, these are the kind of people you want on your side. As directors, we take great pride in their commitment to the communities in which they work and live. It’s part of the LifeLock culture, supporting children and victims of domestic violence, training law enforcement to help fight identity theft, and educating families on digital citizenship and online safety for their children.”

LifeLock under investigation by the FTC

Well, LifeLock said they would come under investigation by the FTC, and it seems they have. SeekingAlpha points us to LifeLock’s most recent 8-K, which says, in part:

On March 13, 2014, LifeLock received, as expected, a request from the FTC for documents and information related to LifeLock’s compliance with the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief that LifeLock entered into in March 2010. LifeLock intends to cooperate with the FTC in these requests.

LifeLock addresses FTC complaint; more from CEO Todd Davis

Hayley Ringle reports:

My hour-long interview last week with LifeLock CEO and chairman Todd Davis covered a lot of ground in the Phoenix Business Journal’s inaugural “Inside the Reporter’s Notebook” event. But there were some extra questions I didn’t get a chance to ask, including some about a pending FTC investigation I just learned about. Davis, who co-founded the Tempe-based identity theft protection company in 2005, answered the following questions via email today and Friday.

Q: Recent whistle-blower claims from former employees against LifeLock have said the company is not complying with the 2010 Federal Trade Commission order that the company used false claims to promote its identity theft protection services.

Read more on Phoenix Business Journal.

The portion of the 10-K Ringle refers to says, in part:

On December 26, 2012, ID Analytics, along with eight other companies, received an information request from the FTC in conjunction with the FTC’s policy study of the operation of the data broker industry. ID Analytics was advised that this request is not an investigation of its business practices but will be the basis of consideration by the FTC whether to recommend to the Congress a legislative extension of FCRA-based consumer safeguards to the use of consumer personal information in the non-FCRA context. Although ID Analytics believes that it is not engaged in data broker activities in any manner, ID Analytics has indicated to the FTC that it will cooperate with the FTC’s study efforts by responding fully to the FTC’s information requests, and has done so to date. On December 17, 2013, we met with FTC Staff, at their request, to discuss the ID Analytics positions with regard to the FTC’s data broker study. At the meeting, we discussed a wide ranging number of matters, including industry conditions, the changing landscape relating to identity theft and fraud, technological developments to address identity theft and fraud, as well as recent security breaches.
With the growing public concern regarding privacy and the collection, distribution, and use of consumer personal information, we believe we are in an environment in which there is an increased regulatory scrutiny concerning data collection and use practices and the provision and marketing of services, like ours, that seek to protect that information. We expect that kind of scrutiny to continue as the marketplace for services like ours continues to develop. In addition, we believe there has been a recent increase in whistleblower claims made to regulatory agencies, including whistleblower claims made by former employees, which we believe will likely continue, in part because of the provisions enacted by the Dodd-Frank Wall Street Reform and Consumer Protection Act, or the Dodd-Frank Act, that may entitle persons who report alleged wrongdoing to the SEC to cash rewards. Often, the allegations underlying such claims to regulatory agencies result in federal and state inquiries and investigations.

On January 17, 2014, we met with FTC Staff, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order. Following this meeting, we expect to receive either a formal or informal investigatory request from the FTC for documents and information regarding our policies, procedures, and practices for our services and business activities. Given the heightened public awareness of data breaches as well as attention to identity theft protection services like ours, it is also possible that the FTC, at any time, may commence an unrelated inquiry or investigation of our business practices and our compliance with the FTC Order. We endeavor to comply with all applicable laws and believe we are in compliance with the requirements of the FTC Order.
We believe the increased regulatory scrutiny will continue in our industry for the foreseeable future and could lead to additional meetings or inquiries or investigations by the agencies that regulate our business, including the FTC.

LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck. In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz. “This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.” Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service. According to the FTC’s complaint, LifeLock has claimed: “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.” “Please know that we are the first company to prevent identity theft from occurring.” “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. 
We work to stop identity theft before it happens.” The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007. The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false. In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true.

More details emerge on DOJ probe of Tiversa, company involved in FTC v. LabMD

When I’m right, I’m right. The DOJ did raid Tiversa. DataBreaches.net was subsequently able to get additional details from a source. But first start with this report from Reuters’ Joel Schechtman:

Federal agents are investigating whether cyber-security firm Tiversa gave the government falsified information about data breaches at companies that declined to purchase its data protection services, according to three people with direct knowledge of the inquiry. The Federal Bureau of Investigation raided Tiversa’s Pittsburgh headquarters in early March and seized documents, the people said.

Read more on Reuters.

In addition to what Reuters reports, DataBreaches.net can add that five employees left Tiversa around the time Boback was placed on leave by board members. A source who has requested anonymity at this time tells DataBreaches.net that none of the five are suspected of any wrong-doing. They left because “they saw the writing on the wall,” the source tells DataBreaches.net. “There was no business plan, MetLife broke ties with its partnership, and Lifelock didn’t renew their contract.”

Harris Jones of Adams Capital Management has taken over at the helm of Tiversa for now, the source claims. ACM did not respond to inquiries, however.

When asked whether any others were involved in the kind of fraud Boback is allegedly being investigated for, the source stated that “it was always between Bob (Boback) and Rick (Wallace). Not too many people realized what was going on. Now people are looking into the data.” And the more they look into things, the source claims, the more they uncover in the way of lies and Boback asking or directing employees to falsify findings.

The source later told DataBreaches.net that he was aware of one other instance where allegedly Boback asked someone to have multiple files spread to multiple IP addresses.
It is not clear to DataBreaches.net whether that employee – whose identity is unknown to DataBreaches.net – ever cooperated with that request. Was the claim to Congress and the media about plans for Marine 1 being found on an Iranian IP a lie, DataBreaches.net asked? “Yes,” was the simple answer. “You have to understand that Tiversa had a great technology that is the real deal but RB fucked it up. Greed. Above the law, untouchable,” the source tells DataBreaches.net. Maybe not so untouchable after all. “Truth needs to be out there. #karma” the source added.    

House Committee on Oversight & Government Reform staff report slams Tiversa, cautions federal agencies about using them (updated with Tiversa’s response)

If you thought former Tiversa employee Rick Wallace’s testimony in FTC v. LabMD was sensational, wait until you read a staff report prepared for Darrell Issa, then-Chairman of the House Committee on Oversight and Government Reform. The 99-page report, prepared in January but embargoed until after Wallace’s testimony, delves into Tiversa’s business practices and problems with the testimony provided by its CEO, Bob Boback. And while Boback has generally tried to paint negative testimony about him and Tiversa as the work of one disgruntled and mentally disturbed and alcoholic former employee, the staff report makes clear that the committee took testimony from a number of named former employees who confirm key aspects of Wallace’s testimony about Tiversa’s business model and who contradict what Boback had testified to. Much of the report provides additional details about issues raised in OGR’s letter of last year: the contradictions in Boback’s testimony at different times, the seeming failure of Tiversa to turn over all documents when subpoenaed by the FTC, its seeming failure to produce all relevant documents when subpoenaed by OGR, and Tiversa’s claims that plans for Marine One had been found on an Iranian IP address. OGR was unable to determine whether that particular claim was true or not: Tiversa’s counsel also repeatedly told the Committee that the federal government verified the information Tiversa provided about an Iranian computer being in possession of the Marine One document. But that is simply not the case. The Committee learned from NCIS that the joint task force investigating the incident was only able to verify that the IP address provided by Tiversa was located in Iran. The agents did not verify whether that computer actually possessed the Marine One file as this was outside the scope of the investigation. 
Of course, the committee’s inability to confirm Tiversa’s claims does not mean that Tiversa’s claim was a lie, but the staff report outlines a number of reasons not to find Tiversa’s claims credible.

While many people are now aware of LabMD’s claims about Tiversa’s conduct (LabMD’s CEO Michael Daugherty wrote a book about his experience with the FTC and Tiversa in The Devil Inside the Beltway), one of the most troubling parts of the report concerns what Tiversa allegedly did to a non-profit clinic treating AIDS/HIV patients, the Open Door Clinic in Elgin, Illinois. Although the clinic’s Executive Director, David Roesler, testified in a hearing the House Committee on Oversight and Government Reform held on Tiversa, the full magnitude of Tiversa’s problematic conduct is only fully appreciated after reading the staff report. The report documents that:

Tiversa found a file with information on the clinic’s patients had been leaked via P2P software.

Tiversa contacted the clinic and tried to sell its remediation services at $475/hour. When asked to provide additional details, it wouldn’t.

The clinic was unable to find any evidence that any P2P software was present on any of its computers and was puzzled by the reported find.

Rather than help the non-profit, though, after the clinic declined Tiversa’s sales pitch and its subsequent sales pitch for its partner, LifeLock:

Tiversa provided the patients’ contact information to an attorney associated with Tiversa, who then sent the patients solicitation letters for a lawsuit.

Tiversa allegedly provided the attorney – at no charge – with the very detailed analysis that Open Door had requested but that they had refused to provide them for free.
And although Tiversa claimed its sole motivation was to ensure that patients were notified of the breach and that they made no money from the lawsuit, that claim doesn’t pass the smell test because they turned the information over to an attorney who solicited the patients for a lawsuit instead of just providing information to Open Door. Tiversa seemed unable to satisfactorily explain why it testified that it never contacted patients directly and didn’t have the resources to do so when their phone logs indicated that they had called over 50 patients shortly before the attorney sent solicitation letters.

Tiversa also turned over its very detailed analysis – the one they wouldn’t give to Open Door – to the FTC, who then sent Open Door a letter about the incident. According to the staff report (footnotes omitted):

On January 19, 2010, the FTC sent a letter to Open Door Clinic about the leak. The letter informed the clinic that a file had been exposed on the peer-to-peer network, and noted that the clinic’s failure to prevent the document from leaking could violate federal laws.

Of note, once the clinic was able to subpoena all the documents Tiversa had found as part of discovery in defending against the class action lawsuit, the clinic determined that the source of the leak appeared to be a computer that had been stolen in 2007. Open Door believes that the P2P software was installed on the computer after it was stolen. If they are correct, then yes, they had a breach as files with PHI were stolen, but the data leak was not due to any P2P software that they installed.

There’s much more to the report, of course, including allegations that Tiversa exaggerated its relationship with government agencies, and failed to notify the House Ethics Committee when it discovered a P2P leak involving its work. The report concluded that, when in a position to prevent harm to companies or the federal government, he acted to benefit himself and Tiversa.
Federal departments and agencies should be aware of these business practices when determining whether to do business with Tiversa.

Although the report was focused on Tiversa, the FTC came in for serious criticism, too, for allegedly misrepresenting the extent of its relationship with Tiversa to the Committee, for failing to question Tiversa’s creation of a shell organization, the Privacy Institute, to funnel information to the FTC, and for relying on Tiversa as its source of information about LabMD without fully verifying Tiversa’s claims:

FTC officials relied heavily on Tiversa’s “credible” reputation in “self-verifying” the produced information. The FTC explained to the Committee the steps it took in “self-verifying” the […]