05:18 PM

ID Security Firm LifeLock Sued For Misleading Marketing

LifeLock CEO Todd Davis says his service, while not 100% bulletproof, is an effective deterrent to identity theft.

LifeLock, a subscription service that aims to protect consumers' credit and identities, promises to "guarantee your good name." But a lawsuit filed against the company in New Jersey in late March alleges that the company's claims are deceptive and that its services may actually damage its customers' credit.

The lawsuit alleges that LifeLock is engaged in the "concealment, suppression, and omission of material facts" about its service. The company allegedly fails to make clear that it charges subscribers for an annual credit report that's available to them for free when placing a fraud alert. And it allegedly fails to adequately disclose that its $1 million service guarantee "is essentially futile" given the way the guarantee is worded.

LifeLock has about 980,000 subscribers who pay about $110 annually for its identity-theft protection services, according to CEO Todd Davis.

"We want to go out there and be this first company to actually put preventive measures in place," Davis said in an interview. "And we know they're not bulletproof. We tell people on our Web site. Some of the things we do, some of the steps we do for you, you can do for free."

Davis believes it's clear that the company isn't promising to award $1 million to subscribers if they have their identities stolen. He said the company guarantees to fix problems that arise as a result of identity theft.

According to Davis, there have been about 90 cases in which LifeLock subscribers have reported that their identities had been compromised, and in some of those cases, the identity theft had occurred before the victims became subscribers. "But we didn't try to use small print to say that's a pre-existing condition," he said. "We went and solved the problem for them. We went and reversed whatever charges, or helped them get a replacement driver's license, or whatever was involved, to fix the problem for them."

"Statistically," Davis said, "we should have almost 40,000 victims, if you just look at the actuarial data, with that sample size [of almost a million subscribers]. We've got 90. While it's not 100% bulletproof, [LifeLock] is an effective deterrent to identity theft."

Davis said as far as he's aware, the plaintiffs, Warren and Susan Paternack, who subscribed to LifeLock, are not claiming to have had their identities stolen while they were subscribers. "From what I know, they've never had an issue with LifeLock. They've never attempted to make a claim and they don't say that in the suit."

What the lawsuit does claim is that the company's marketing campaign -- which features Davis and his actual Social Security number because, the ad copy says, he's "absolutely confident LifeLock is protecting my good name and personal information" -- is deceptive.

"LifeLock does not necessarily protect its subscribers' identities as advertised," the lawsuit claims. "Indeed, the statements by LifeLock's CEO regarding the ability of LifeLock to protect his own identity are deceptive because his identity was stolen while he was a customer and is, upon information and belief, presently being misappropriated by at least 20 identity thieves."

"I'm not sure where they're getting some of these stats," said Davis. "I can tell you there has been one person who was able to affect me from a financial standpoint, who was able to get a $500 payday loan, out of Fort Worth, Texas, a year or so ago. There may be some other non-match scenarios or some kind of inquiries on my credit, but nothing that's ever impacted me financially. ... The key to understand is no one is bulletproof to identity theft."

Davis considers the fact that there has been only this one case in which he was affected financially, after having his Social Security number advertised publicly for two years, to be a testament to the effectiveness of his company's approach.

The lawsuit alleges that LifeLock failed to divulge that one of the company's founders is subject to a Federal Trade Commission injunction.

More than a decade ago, the FTC obtained an injunction against Robert J. Maynard Jr. "for alleged unfair or deceptive acts or practices by the defendants in connection with the sale of credit improvement services advertised in an infomercial and the collection of fees by depositing drafts drawn on consumers' checking accounts." It forbids Maynard from "advertising, promoting, offering for sale, selling, performing or distributing any product or service relating to credit improvement services."

An FTC attorney was not immediately available to comment on whether it sees Maynard's past involvement in LifeLock as a violation of the injunction.

Finally, the lawsuit claims, Maynard "engaged in the very type of identity theft his company had set out to eliminate, by stealing his father's own identity." It states that Maynard posed as his father to obtain an American Express card and ran up more than $100,000 in debt, which eventually prompted American Express to sue his father.

Davis considers these claims to be irrelevant to LifeLock today. "Robert has been gone for coming up on a year from the company," he said. "He has no bearing, no involvement, zero, in the company. I think that's just them grasping at straws."
