The company whose advertising campaign included displaying their CEO's social security number on the side of a truck has reached a settlement to pay $12 million to the FTC and 35 states who charged LifeLock, Inc. with false representations about the effectiveness of its services. In an official press release, FTC Chairman Jon Leibowitz said that “[w]hile LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”
But the case against LifeLock didn't end there. The FTC and the states also charged LifeLock with making false claims about its own data security practices. According to the FTC, LifeLock failed to live up to the following representations:
• “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
• “All stored personal data is electronically encrypted.”
• “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that "LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a 'need to know' basis." The agency also charged that the company’s data system was vulnerable and could have been exploited by those seeking access to customer information." Read more here.
Takeaway: Many companies make promises about data security, particularly in connection with online transactions. If your company is going to publish those kinds of assurances, make sure you live up to them. While this is not the first time the FTC has penalized a company for allegedly false claims about data security, the fine is one of the largest.