On December 17, 2015, the Federal Trade Commission (FTC) announced that LifeLock, Inc. (LifeLock), agreed to pay a record-breaking $100 million to settle charges that it violated an earlier consent agreement, issued in March 2010, related to flawed data security practices. The LifeLock settlements implicate both the “fairness” of the company’s data security practices and its representations about those practices. The FTC contended that LifeLock both failed to implement a comprehensive security program as required by the earlier order and falsely advertised the level of its security practices. The bulk of the $100 million – $68 million – is earmarked to pay class action consumers restitution for fees paid to LifeLock; it must be paid directly to consumers and may not be used towards administrative or legal fees.
The stipulated order requires LifeLock to share with the Commission information on customers sufficient to allow the FTC to administer the order, requires reporting for 5 years, and extends record-keeping obligations for 13 years. Commissioner Ohlhausen dissented on grounds that LifeLock’s Payment Card Industry Data Security Standard (PCI DSS) and other certifications undermine the staff’s ability to assert that LifeLock was in contempt, also pointing out that PCI DSS certifications were “important evidence of reasonable security” in the recent settlement with Wyndham Laboratories.
The stipulated order represents the largest amount obtained by the FTC in a proceeding to enforce an order.