Tag Archives: Lifelock

Lifelock Settles With FTC

Last month I wrote that Lifelock had set aside $120 million to deal with its fight with the FTC (see post).  I assumed this would be a Wyndham-like fight that would go on for years.  Apparently I was wrong.

Last week Lifelock settled with the FTC and deposited $100 million with the court that is overseeing the case.  The reason this is being managed by a court is that the FTC took Lifelock to court for failing to live up to the terms of the 2010 settlement between the FTC and Lifelock.  In 2010, the FTC said that, among other things, Lifelock was misrepresenting what it could really do and was not managing the security of it’s customers’ information.

It is no secret that I am not a big fan of Lifelock.  I think they significantly overstate what they can actually do.  For the basic $120 a year membership, what they effectively do is look at your credit report and if they find something new, they call you or send you an email.  It is not clear that this is worth $120 a year.  Recently, I opened a new credit account and a competitor to Lifelock who was monitoring my credit at the time as a result of the Home Depot breach called me with an alert about this new account – 90 days after I opened it.  This is because it takes that long for this stuff to get reported to a credit bureau – if it even does get reported at all.

If you are willing to pay Lifelock $300 a year or more, they do additional things.  This requires that you give Lifelock access to your bank accounts, credit accounts, retirement accounts, etc.  Once you do that, they do the same thing for those accounts as they do for your credit report – compare them against their standards and if anything stands out, they generate an alert.

Recently, JP Morgan Chase posted an alert on their home page that said that if you give someone else access to your accounts (as you would have to do with Lifelock), Chase grants themselves permission to deny any claims that you make for losses.  What they would do in reality is not clear, but that certainly makes me nervous.

With the premium versions of Lifelock, you are trusting them with a lot of information.  If they don’t keep it safe, you have a real problem.

Going back to the FTC settlement, of the $100 million, $68 million is set aside to pay redress to class members who were damaged.  None of that $68 million can be used for lawyers’ fees or administrative expenses.  This is very different than normal class action cases where attorneys will take any where from a third to a half of the money.  In this case, the FTC gets at least $32 million (which is actually a third) to continue its efforts to protect consumers.  In general, that is probably better than giving that same one-third to lawyers.

By the way, this is the largest monetary settlement that the FTC has ever made.

So what did the FTC claim Lifelock did or did not do?

  • That Lifelock failed to establish and maintain a comprehensive information security program to protect your information.
  • That Lifelock claimed that they protected your information with the same high level safeguards that banks do.  Chase, for example, is spending $500 million a year to protect our information.  Is that how much Lifelock is spending?  I *think* what Lifelock meant by that statement is that they use SSL (Https://) on their web site.  That is quite different from what they said.
  • That Lifelock falsely advertised that they would send an alert as soon it received any information that the consumer may be a victim of identity theft.  I gather that the FTC thinks that even that was delayed.
  • Finally, the FTC claimed that Lifelock failed to follow the court’s record keeping order from the 2010 settlement.

$100 million is a lot of money and Lifelock, unlike Wyndham, did not fight it very much.  They must have thought that they did not have much of a case.  Even if they just fought it enough to reduce the penalty from $100 million to $50 million, that, it seems, would have been worthwhile.  It would seem that Lifelock didn’t think they could make enough of a case to pull even that off.

So, for those of you who are Lifelock customers, consider what you are paying and what you are getting.

Information for this post came from the FTC.

Lifelock As A Stalking Tool

Those of you who know me are aware that I am not very fond of Lifelock – and USAToday is giving me even more reason to not like them.

Lifelock, when it works as planned, can be a useful tool for monitoring your credit.  However, since it is an unregulated private company, all you can do is hope that things work as they would like them to.  That does not always happen.

In this case, Suzanna Quintana says that he ex-husband opened a Lifelock account in her name and, for several years was able to see every financial transaction she did – opening a bank account, getting a credit card, leasing a car, etc.

This particular problem stems from the fact that, as I have written about before, using non-public personal information as a way to prove someone’s identity in the age of the Internet is a joke.  Her ex-husband (at the time he opened the account they were separated and living in different states, however the activity continued after they were divorced) knew her name, birthday and social security number.  It appears that this is sufficient to open an account.

She discovered the account in March when her kids were visiting their father and discovered a spreadsheet detailing her financial transactions on her ex-husband’s computer and shared it with her.

She says that Lifelock did not respond to emails, delayed responses and denied her access to her account.

Early this month, after the Arizona Republic contacted them, Lifelock acknowledged they were slow to respond to Quintana and offered to pay her legal fees.

Kelley Bonsall, Lifelock’s chief spin doctor said that they were distressed that someone used their service this way.  I am sure they are.

The Sheridan County Sheriff’s Department validated Lifelock’s slow response – when they asked for information in June, it took the Sheriff months to get the information they asked for.

Lifelock is not new to being on the wrong side of the law.  Last month they announced they were setting aside $120 million to deal with a class action and handle claims filed by the FTC and 35 state attorneys general that they were in violation of an earlier settlement regarding making false claims.  They settled that first lawsuit by paying the FTC an $11 million fine.

At the time of the first lawsuit, when they were they were promising to protect your identity, they did not even have a formal information security program.

The company issued a letter of apology which Quintana says distorts the situation and is worded to minimize the company’s role in the illegal activities.  Given that they are in the middle of a fight with the FTC regarding violating their earlier settlement, the last thing they want is new allegations that their security is not up to par and that they are not responding to complaints promptly.

Lifelock represents the problem as a squabble between a husband and a wife (thereby trying to dismiss any liability), even though they were separated, living in different states, she had a restraining order against him and they were later divorced, all while this activity was going on.

More importantly, apparently, I can open a Lifelock account using your information and you likely would never know.  I would have access to your credit information and be able to follow your financial transactions.  While this is likely illegal, companies like Lifelock are new and do not fall into any of the neat buckets that lawmakers have created.  They are not a credit grantor nor a credit reporting agency, so they are not covered by the fair credit reporting act (FCRA).  In fact, the only part of the government that seems to have any control over them is the FTC and that has been a long and convoluted fight.

As far as I can tell, there is no easy way for you to find out if someone has done this to you.  I spoke to several people at Lifelock trying to get an answer to this question, but was not successful.

So, unfortunately, I don’t have a good answer to how you can protect yourself.  Perhaps the FTC will ask that question now that USAToday blew the whistle.

While this is likely not common, Lifelock did acknowledge another case like this one occurred earlier this year.  How many fraudulent accounts exist is an unknown.  I doubt Lifelock would know if I opened a fraudulent account, so they can legitimately claim ignorance.  And, as we all know, ignorance is bliss.

Information for this post came from USAToday.

FTC Takes Against Life Lock – Again

In documents filed in district court today, the FTC said that LifeLock failed to live up to it’s 2010 settlement with the FTC and asked the court to order full redress to all consumers affected.

The 2010 settlement stemmed from the FTC complaining that LifeLock used false claims to sell it’s services (remember when their CEO used to put his social security number on billboards?  Not any more).

Disclosure:  I am not a big fan of LifeLock and never have been.  In order to make the service work, you have to give them access to all your accounts.  That makes them a weak spot and a target for hackers.  The FTC claims, in this most recent court document that even though LifeLock was ordered in the 2010 settlement to create a comprehensive information security program, at least through March 2014 they did not have such a program.  It is not clear if they have one now.

The FTC also says that they falsely claim that they protected your information with the same high level safeguards as banks.  If that means that they use SSL on their web site, I would be concerned.

They also failed to meet the 2010 order’s requirement for record keeping.

Finally, the FTC said that LifeLock falsely claimed that it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.

While the details of the FTC’s action were sealed, the vote against LifeLock was 4-1.  I am sure that LifeLock will say they did nothing wrong and more information will come out during court proceedings, so stay tuned.

For the most part, LifeLock does not do anything that you cannot do yourself, so your trade off is your time vs. $9 to $26 a month.  And if their security is not so good, that is a big problem.

Information for this post came from the FTC web site.

Credit Monitoring Services – Are They Worth It?

It   is common, if not automatic, for companies that have their information systems breached to offer credit monitoring services, and this includes medical record breaches.  Consumers can also pay companies like Lifelock to provide the same services.  The question is do they work and the answer is, for the most part, not really.

Brian Krebs has written two columns on the subject (here and here) that you can read to get more detailed information.  To be fair, these services do help in one particular area, but it is not timely in my personal experience.  Also, different services offer different features, so if you are going to purchase one, compare before you buy.  Also, some insurance carriers are starting to offer identity theft insurance for a very nominal fee, so you may also want to check with your insurance carrier.

What is below just hits the highlights, so please read the linked articles if you want more details.

  • I got a service from AllClearID as a result of one of last year’s big breaches.  I opened a new credit account at a retail store a few months ago.  60 to 90 days after I opened it, I got a number of emails, texts and automated phone calls from them alerting me to the fact that I, or someone in my name, opened the account.  When I finally called them, they asked if I opened it and I said yes.  The delay is not their fault – it is the fault of the system where it takes a couple of months for the store to report to the credit bureau – if they report at all.  After all, there is no law requiring that.
  • None of these services will detect charges on your existing credit card – it would drive you crazy if they sounded alarm bells every time you used your credit card.
  • Likewise, they do not alert if you use your debit card or write a check on an existing account for the same reason.
  • Of course, you can and should watch for charges on existing accounts – I get a text message from my bank when any number of events occur and that is all free – you just need to turn it on.
  • A security freeze (which Lifelock used to do until they got sued for doing so) generates a warning to any credit grantor that that there is the possibility of credit fraud.  You can put it on for free, but, except in special circumstances, it expires after 90 days and you have to remember to renew it.  Also, credit grantors do not have to pull a credit report to grant credit, although most do, and they do not have to respect the credit freeze, but again, most do.  If you have a freeze on and you want to apply for credit, you may have to remove the freeze, for which the bureau charges you, and then put it back on.
  • A fraud alert is similar in that it alerts the merchant that there is a chance of fraud and they should take extra care.  Again, voluntary on their part.
  • You can get a free copy of your credit report, but not your credit score, from each bureau once a year.  There are actually 4 major bureaus, not 3 (people usually forget about Innovis), so you can and should get 1 free report every 3-4 months and look for anything that does not belong there.
  • You can also contact ChexSystems for a report.  That is the company that stores and banks use to look for check fraud.
  • If you freeze your credit, your existing creditors will not be able to pull credit reports on you – they typically do this every month – and they MAY suspend your accounts – it depends.
  • Gartner has their own list of woes including:
  • Most of these services will not tell you if a new wireless account is opened or cable service turned on (they may not report to the bureaus)
  • They don’t, as I said above, monitor existing credit, debit, checking, brokerage, retirement, loyalty and other accounts.
  • They do not stop a bad guy from using your information for non financial transactions like getting a fake drivers license.
  • Crooks who get fake IDs and then wind up in prison can cause YOU untold hurt including you getting arrested and thrown in jail (the cops don’t know what is going on, so they arrest people and let the system figure it out).  It has also caused SWAT teams to break into people’s houses for the same reason.  It is very messy and expensive to fix.  This is one reason, that, if you plan on getting a program, to get one that provides payment to fix this and make sure what it will pay for (like an attorney) and what it won’t pay for.
  • They won’t stop tax fraud
  • Finally, they will not stop medical care fraud.

So now, if you are completely paranoid, join the club.  It is part of living in the 21st century, so take a deep breath and hope you don’t have to deal with most of these issues.