It's getting ugly out there for consumer data safety.
Not only are hackers stealing data left and right, but Lifelock, a company that claims to guard customers' personal information, has been called out for the second time over deceitful ads and shoddy security practices.
On Tuesday, the Federal Trade Commission announced it is taking action against LifeLock (lock) for allegedly lying about its identify protection services (again), and for failing to follow earlier orders about how it must treat consumer data. LifeLock, which heavily markets its services on TV, charges users a monthly fee to monitor their data and promises to warn them immediately about any problems.
According to the agency, LifeLock not only failed to provide such notices, but also failed to implement a comprehensive information security program for its customers' credit card and bank accounts. The company also failed to comply with record-keeping provisions:
from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements.
The FTC also asserts that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.
In 2010, the FTC and 35 states came to a $12 million settlement with LifeLock and forced it to issue refunds to consumers. At the time, the agency said LifeLock's security, "left enough holes that you could drive a truck through," and it placed a variety of conditions on the company—conditions LifeLock now appears to have violated.
LifeLock's share price tanked on the FTC news. It was down more than 30% at the time of writing.
It's not clear what the company's punishment will be this time around if the new accusations stick. In its release, the FTC says details of its investigation are under seal before a court, and that portions of the case will be unveiled in coming days. LifeLock disputed the allegations in a statement that read in part:
“After more than 18 months of cooperation and dialogue with the FTC, it became clear to us that we could not come to a satisfactory resolution of their issues outside a court of law. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court.
The news comes as another in a series of low points for LifeLock. In 2010, Wired wrote that the company's CEO has had his identify stolen at least 13 times. Currently, the company is also suing Wences Cesares, founder of the bitcoin company Xapo, for fraud related to the digital wallet service it acquired from Cesares when it bought his company Lemon.
Meanwhile, amidst on an ongoing spate of alarming hacking news, consumers will have to look for another solution to protect their data – or demand lawmakers take action to require companies to take better care of it.
Updated at 4:45 ET with LifeLock statement