05:18 PM
Connect Directly

ID Security Firm LifeLock Sued For Misleading Marketing

LifeLock CEO Todd Davis says his service, while not 100% bulletproof, is an effective deterrent to identity theft.

LifeLock, a subscription service that aims to protect consumers' credit and identities, promises to "guarantee your good name." But a lawsuit filed against the company in New Jersey in late March alleges that the company's claims are deceptive and that its services may actually damage its customers' credit.

The lawsuit alleges that LifeLock is engaged in the "concealment, suppression, and omission of material facts" about its service. The company allegedly fails to make clear that it charges subscribers for an annual credit report that's available to them for free when placing a fraud alert. And it allegedly fails to adequately disclose that its $1 million service guarantee "is essentially futile" given the way the guarantee is worded.

LifeLock has about 980,000 subscribers who pay about $110 annually for its identity-theft protection services, according to CEO Todd Davis.

"We want to go out there and be this first company to actually put preventive measures in place," Davis said in an interview. "And we know they're not bulletproof. We tell people on our Web site. Some of the things we do, some of the steps we do for you, you can do for free."

Davis believes it's clear that the company isn't promising to award $1 million to subscribers if they have their identities stolen. He said the company guarantees to fix problems that arise as a result of identity theft.

According to Davis, there have been about 90 cases in which LifeLock subscribers have reported that their identities had been compromised, and that in some of those cases, the identity theft had occurred before the victims became subscribers. "But we didn't try to use small print to say that's a pre-existing condition," he said. "We went and solved the problem for them. We went and reversed whatever charges, or helped them get a replacement driver's license, or whatever was involved, to fix the problem for them."

"Statistically," Davis said, "we should have almost 40,000 victims, if you just look at the actuarial data, with that sample size [of almost a million subscribers]. We've got 90. While it's not 100% bulletproof, [LifeLock] is an effective deterrent to identity theft."

Davis said as far as he's aware, the plaintiffs, Warren and Susan Paternack, who subscribed to LifeLock, are not claiming to have had their identities stolen while they were subscribers. "From what I know, they've never had an issue with LifeLock. They've never attempted to make a claim and they don't say that in the suit."

What the lawsuit does claim is that the company's marketing campaign -- which features Davis and his actual Social Security number because, the ad copy says, he's "absolutely confident LifeLock is protecting my good name and personal information" -- is deceptive.

"LifeLock does not necessarily protect its subscribers' identities as advertised," the lawsuit claims. "Indeed, the statements by LifeLock's CEO regarding the ability of LifeLock to protect his own identity are deceptive because his identity was stolen while he was a customer and is, upon information and belief, presently being misappropriated by at least 20 identity thieves."

"I'm not sure where they're getting some of these stats," said Davis. "I can tell you there has been one person who was able to affect me from a financial standpoint, who was able to get a $500 payday loan, out of Fort Worth, Texas, a year or so ago. There may be some other non-match scenarios or some kind of inquiries on my credit, but nothing that's ever impacted me financially. ... The key to understand is no one is bulletproof to identity theft."

Davis considers the fact that there has been only this one case in which he was affected financially, after having his Social Security number advertised publicly for two years, to be a testament to the effectiveness of his company's approach.

The lawsuit alleges that LifeLock failed to divulge that one of the company's founders is subject to a Federal Trade Commission injunction.

More than a decade ago, the FTC obtained an injunction against Robert J. Maynard Jr. "for alleged unfair or deceptive acts or practices by the defendants in connection with the sale of credit improvement services advertised in an infomercial and the collection of fees by depositing drafts drawn on consumers' checking accounts." It forbids Maynard from "advertising, promoting, offering for sale, selling, performing or distributing any product or service relating to credit improvement services."

An FTC attorney was not immediately available to comment on whether it sees Maynard's past involvement in LifeLock as a violation of the injunction.

Finally, the lawsuit claims, Maynard "engaged in the very type of identity theft his company had set out to eliminate, by stealing his father's own identity." It states that Maynard posed as his father to obtain an American Express card and ran up more than $100,000 in debt, which eventually prompted American Express to sue his father.

Davis considers these claims to be irrelevant to LifeLock today. "Robert has been gone for coming up on a year from the company," he said. "He has no bearing, no involvement, zero, in the company. I think that's just them grasping at straws."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Threat Intel: Finding Balance in an Overcrowded Market
Kelly Sheridan, Staff Editor, Dark Reading,  4/23/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.