Risk
5/2/2008
05:18 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

ID Security Firm LifeLock Sued For Misleading Marketing

LifeLock CEO Todd Davis says his service, while not 100% bulletproof, is an effective deterrent to identity theft.

LifeLock, a subscription service that aims to protect consumers' credit and identities, promises to "guarantee your good name." But a lawsuit filed against the company in New Jersey in late March alleges that the company's claims are deceptive and that its services may actually damage its customers' credit.

The lawsuit alleges that LifeLock is engaged in the "concealment, suppression, and omission of material facts" about its service. The company allegedly fails to make clear that it charges subscribers for an annual credit report that's available to them for free when placing a fraud alert. And it allegedly fails to adequately disclose that its $1 million service guarantee "is essentially futile" given the way the guarantee is worded.

LifeLock has about 980,000 subscribers who pay about $110 annually for its identity-theft protection services, according to CEO Todd Davis.

"We want to go out there and be this first company to actually put preventive measures in place," Davis said in an interview. "And we know they're not bulletproof. We tell people on our Web site. Some of the things we do, some of the steps we do for you, you can do for free."

Davis believes it's clear that the company isn't promising to award $1 million to subscribers if they have their identities stolen. He said the company guarantees to fix problems that arise as a result of identity theft.

According to Davis, there have been about 90 cases in which LifeLock subscribers have reported that their identities had been compromised, and that in some of those cases, the identity theft had occurred before the victims became subscribers. "But we didn't try to use small print to say that's a pre-existing condition," he said. "We went and solved the problem for them. We went and reversed whatever charges, or helped them get a replacement driver's license, or whatever was involved, to fix the problem for them."

"Statistically," Davis said, "we should have almost 40,000 victims, if you just look at the actuarial data, with that sample size [of almost a million subscribers]. We've got 90. While it's not 100% bulletproof, [LifeLock] is an effective deterrent to identity theft."

Davis said as far as he's aware, the plaintiffs, Warren and Susan Paternack, who subscribed to LifeLock, are not claiming to have had their identities stolen while they were subscribers. "From what I know, they've never had an issue with LifeLock. They've never attempted to make a claim and they don't say that in the suit."

What the lawsuit does claim is that the company's marketing campaign -- which features Davis and his actual Social Security number because, the ad copy says, he's "absolutely confident LifeLock is protecting my good name and personal information" -- is deceptive.

"LifeLock does not necessarily protect its subscribers' identities as advertised," the lawsuit claims. "Indeed, the statements by LifeLock's CEO regarding the ability of LifeLock to protect his own identity are deceptive because his identity was stolen while he was a customer and is, upon information and belief, presently being misappropriated by at least 20 identity thieves."

"I'm not sure where they're getting some of these stats," said Davis. "I can tell you there has been one person who was able to affect me from a financial standpoint, who was able to get a $500 payday loan, out of Fort Worth, Texas, a year or so ago. There may be some other non-match scenarios or some kind of inquiries on my credit, but nothing that's ever impacted me financially. ... The key to understand is no one is bulletproof to identity theft."

Davis considers the fact that there has been only this one case in which he was affected financially, after having his Social Security number advertised publicly for two years, to be a testament to the effectiveness of his company's approach.

The lawsuit alleges that LifeLock failed to divulge that one of the company's founders is subject to a Federal Trade Commission injunction.

More than a decade ago, the FTC obtained an injunction against Robert J. Maynard Jr. "for alleged unfair or deceptive acts or practices by the defendants in connection with the sale of credit improvement services advertised in an infomercial and the collection of fees by depositing drafts drawn on consumers' checking accounts." It forbids Maynard from "advertising, promoting, offering for sale, selling, performing or distributing any product or service relating to credit improvement services."

An FTC attorney was not immediately available to comment on whether it sees Maynard's past involvement in LifeLock as a violation of the injunction.

Finally, the lawsuit claims, Maynard "engaged in the very type of identity theft his company had set out to eliminate, by stealing his father's own identity." It states that Maynard posed as his father to obtain an American Express card and ran up more than $100,000 in debt, which eventually prompted American Express to sue his father.

Davis considers these claims to be irrelevant to LifeLock today. "Robert has been gone for coming up on a year from the company," he said. "He has no bearing, no involvement, zero, in the company. I think that's just them grasping at straws."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.