5/2/2008
05:18 PM

ID Security Firm LifeLock Sued For Misleading Marketing

LifeLock CEO Todd Davis says his service, while not 100% bulletproof, is an effective deterrent to identity theft.

LifeLock, a subscription service that aims to protect consumers' credit and identities, promises to "guarantee your good name." But a lawsuit filed against the company in New Jersey in late March alleges that the company's claims are deceptive and that its services may actually damage its customers' credit.

The lawsuit alleges that LifeLock is engaged in the "concealment, suppression, and omission of material facts" about its service. The company allegedly fails to make clear that it charges subscribers for an annual credit report that's available to them for free when placing a fraud alert. And it allegedly fails to adequately disclose that its $1 million service guarantee "is essentially futile" given the way the guarantee is worded.

LifeLock has about 980,000 subscribers who pay about $110 annually for its identity-theft protection services, according to CEO Todd Davis.

"We want to go out there and be this first company to actually put preventive measures in place," Davis said in an interview. "And we know they're not bulletproof. We tell people on our Web site. Some of the things we do, some of the steps we do for you, you can do for free."

Davis believes it's clear that the company isn't promising to award $1 million to subscribers if they have their identities stolen. He said the company guarantees to fix problems that arise as a result of identity theft.

According to Davis, there have been about 90 cases in which LifeLock subscribers reported that their identities had been compromised, and in some of those cases the identity theft had occurred before the victims became subscribers. "But we didn't try to use small print to say that's a pre-existing condition," he said. "We went and solved the problem for them. We went and reversed whatever charges, or helped them get a replacement driver's license, or whatever was involved, to fix the problem for them."

"Statistically," Davis said, "we should have almost 40,000 victims, if you just look at the actuarial data, with that sample size [of almost a million subscribers]. We've got 90. While it's not 100% bulletproof, [LifeLock] is an effective deterrent to identity theft."

Davis said as far as he's aware, the plaintiffs, Warren and Susan Paternack, who subscribed to LifeLock, are not claiming to have had their identities stolen while they were subscribers. "From what I know, they've never had an issue with LifeLock. They've never attempted to make a claim and they don't say that in the suit."

What the lawsuit does claim is that the company's marketing campaign -- which features Davis and his actual Social Security number because, the ad copy says, he's "absolutely confident LifeLock is protecting my good name and personal information" -- is deceptive.

"LifeLock does not necessarily protect its subscribers' identities as advertised," the lawsuit claims. "Indeed, the statements by LifeLock's CEO regarding the ability of LifeLock to protect his own identity are deceptive because his identity was stolen while he was a customer and is, upon information and belief, presently being misappropriated by at least 20 identity thieves."

"I'm not sure where they're getting some of these stats," said Davis. "I can tell you there has been one person who was able to affect me from a financial standpoint, who was able to get a $500 payday loan, out of Fort Worth, Texas, a year or so ago. There may be some other non-match scenarios or some kind of inquiries on my credit, but nothing that's ever impacted me financially. ... The key to understand is no one is bulletproof to identity theft."

Davis considers the fact that there has been only this one case in which he was affected financially, after having his Social Security number advertised publicly for two years, to be a testament to the effectiveness of his company's approach.

The lawsuit alleges that LifeLock failed to divulge that one of the company's founders is subject to a Federal Trade Commission injunction.

More than a decade ago, the FTC obtained an injunction against Robert J. Maynard Jr. "for alleged unfair or deceptive acts or practices by the defendants in connection with the sale of credit improvement services advertised in an infomercial and the collection of fees by depositing drafts drawn on consumers' checking accounts." It forbids Maynard from "advertising, promoting, offering for sale, selling, performing or distributing any product or service relating to credit improvement services."

An FTC attorney was not immediately available to comment on whether it sees Maynard's past involvement in LifeLock as a violation of the injunction.

Finally, the lawsuit claims, Maynard "engaged in the very type of identity theft his company had set out to eliminate, by stealing his father's own identity." It states that Maynard posed as his father to obtain an American Express card and ran up more than $100,000 in debt, which eventually prompted American Express to sue his father.

Davis considers these claims to be irrelevant to LifeLock today. "Robert has been gone for coming up on a year from the company," he said. "He has no bearing, no involvement, zero, in the company. I think that's just them grasping at straws."
