The Federal Trade Commission often lets first-time offenders off relatively easily when they run afoul of consumer-protection laws, frequently settling with non-financial penalties. But that generosity does not extend to companies that later violate those settlements.
LifeLock executives found that out the hard way on Thursday when the FTC handed the company the largest financial penalty in the commission’s history: $100 million. The penalty is the result of LifeLock allegedly violating a court order from 2010, and the FTC says that the company came up short on four separate components of that order.
“This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data,” said FTC Chairwoman Edith Ramirez. “The fact that consumers paid Lifelock for help in protecting their sensitive personal information makes the charges in this case particularly troubling.”
LifeLock provides identity theft protection services to consumers, and the FTC punishment of LifeLock stems from the company allegedly failing to establish and maintain an information security program, among other violations of the court order. LifeLock had agreed in the 2010 case to establish a program to protect customers’ Social Security numbers, credit card data, and other information, and the FTC alleges that the company failed to do so.
The commission also alleges that LifeLock violated the order in several other ways.
“On July 21, 2015, the Commission alleged that LifeLock violated the Permanent Injunction by: (a) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; (b) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; (c) failing to meet the Permanent Injunction’s recordkeeping requirements; and (d) falsely claiming it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem,” the order filed in United States District Court in Arizona says.
As part of the settlement, LifeLock will deposit $100 million in the district court’s registry, and $68 million of that sum will be used to pay restitution to customers. FTC officials said that although the size of the settlement is historic, it should serve as a warning to other companies under FTC orders.
“Surprised by the number of zeros in the settlement? You shouldn’t be. There’s not much the FTC takes more seriously than effective enforcement of existing orders. Furthermore, the FTC has made it clear that it won’t tolerate deceptive advertising and unreasonable data security practices. Today’s announcement gives companies 100 million more reasons to avoid both courses of conduct,” Lesley Fair, a senior attorney at the FTC, wrote in a blog post.