The FTC Charges For $100 Million Over Failure To Protect Data
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA
Federal Trade Commission, Plaintiff, v. LifeLock Incorporated, et al., Defendants.
No. CV-10-00530-PHX-JJT
COMPLAINT FOR PERMANENT INJUNCTION AND OTHER EQUITABLE RELIEF
Plaintiff, the Federal Trade Commission (“FTC”), for its Complaint alleges:
- The FTC brings this action under Section 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 53(b), to obtain permanent injunctive relief, rescission or reformation of contracts, restitution, the refund of monies paid, disgorgement of ill-gotten monies, and other relief for Defendants’ acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
JURISDICTION AND VENUE
-
This Court has subject matter jurisdiction over this matter under 28 U.S.C. §§ 1331, 1337(a), and 1345, and 15 U.S.C. §§ 45(a) and 53(b).
-
Venue is proper in this District under 28 U.S.C. §§ 1391(b) and (c) and 15 U.S.C. § 53(b).
PLAINTIFF
-
The FTC is an independent agency of the United States Government created by statute. 15 U.S.C. §§ 41-58. The Commission enforces Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits deceptive or unfair acts or practices in or affecting commerce.
-
The FTC is authorized to initiate federal district court proceedings by its own attorneys, to enjoin violations of the FTC Act and to secure such equitable relief as may be appropriate in each case, including rescission or reformation of contracts, restitution, the refund of monies paid, and disgorgement of ill-gotten monies. 15 U.S.C. §§ 53(b) and 56(a)(2)(A).
DEFENDANTS
-
Defendant LifeLock, Inc. (“LifeLock”) is a Delaware corporation with its principal office or place of business at 60 East Rio Salado Parkway, Tempe, Arizona 85281. LifeLock transacts or has transacted business in this District and throughout the United States. At all times material to this Complaint, acting alone or in concert with others, LifeLock has advertised, marketed, distributed, or sold an identity theft service to consumers in this District and throughout the United States.
-
Defendant Robert J. Maynard, Jr. (“Maynard”) was LifeLock’s Chief Operating Officer until on or about May 18, 2007. He then served as LifeLock’s Chief Marketing Strategist until his resignation on or about June 11, 2007. Until his resignation, acting alone or in concert with others, he formulated, directed, controlled, had the authority to control, or participated in the acts or practices of LifeLock, including the acts and practices set forth in this Complaint. Defendant Maynard, in connection with the matters alleged herein, transacts or has transacted business in this District and throughout the United States.
-
Defendant Richard Todd Davis (“Davis”) is the Chief Executive Officer of LifeLock. At all times material to this Complaint, acting alone or in concert with others, he has formulated, directed, controlled, had the authority to control, or participated in the acts and practices of LifeLock, including the acts and practices set forth in this Complaint. Defendant Davis resides in this District and, in connection with the matters alleged herein, transacts or has transacted business in this District and throughout the United States.
COMMERCE
- At all times relevant to this Complaint, Defendants have maintained a substantial trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
DEFENDANTS’ BUSINESS ACTIVITIES
-
Since at least April 2005 until at least October 2009, Defendants have advertised, promoted, offered for sale, sold, or otherwise made available to consumers a service purportedly designed to prevent identity theft through placing fraud alerts on consumers’ behalf (hereinafter, “the ID theft prevention service”).
-
Defendants’ ID theft prevention service was based on Defendants taking the following measures:
- Placing an “Initial Alert” (as defined in Section 605A(a) of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681c-1(a)) on a customer’s consumer report with a consumer reporting agency (often referred to as a “credit bureau”), and periodically renewing the alert for an additional 90 days.
- Obtaining and providing to the customer a copy of his or her free annual disclosure of his or her consumer report, pursuant to Section 612(a) of the FCRA, 15 U.S.C. § 1681j(a).
- Submitting a request on a customer’s behalf to remove the customer’s name from lists for prescreened offers of credit, pursuant to Sections 604(c) and 604(e) of the FCRA, 15 U.S.C. §§ 1681b(c) and (e).
- Offering a $1 million guarantee to customers who become victims of identity theft while subscribing to the ID theft prevention service.
-
Defendants advertised, promoted, and marketed the ID theft prevention service in a variety of ways, including by print, radio, and television advertisements, and through their www.lifelock.com website.
-
Under Federal law, identity theft includes many types of criminal activities, including the misuse of another person’s identifying information to access existing credit accounts, open new accounts, obtain medical care or employment, or to evade law enforcement. 18 U.S.C. § 1028(a)(7).
-
Defendants charged customers a fee of ten dollars ($10) per month for the ID theft prevention service, and enrolled over one million customers.
-
In the course of selling the ID theft prevention service, Defendants routinely collected sensitive information from their customers including, but not limited to name, address, e-mail address, telephone number, Social Security number, and, for customers paying with a credit card: the card number, expiration date, and security code number (collectively, “personal information”). Defendants collected this information by telephone, facsimile, and online. It is widely recognized that such personal information may be misused to facilitate identity theft, including, but not limited to, the misuse of existing credit card accounts.
-
Defendants store personal information obtained from customers on computers on the corporate computer network, or on computers maintained by third-party vendors that are accessible from the corporate network. Defendants’ employees can access the corporate network using computers located at Defendants’ headquarters. Additionally, for at least some portion of time relevant to this Complaint, employees and vendors working from their homes or other locations beyond the Defendants’ headquarters could access the network remotely.
STATEMENT ABOUT THE EFFECTIVENESS OF DEFENDANTS' SERVICE TO PREVENT IDENTITY THEFT
-
From at least December 2006, Defendants, directly or indirectly, have disseminated or caused to be disseminated to consumers advertisements and other promotional materials in connection with the advertising, promotion, marketing, offering for sale, sale, or distribution of their ID theft prevention service. These materials have included, but are not limited to, the following statements, among others:
- “MY SOCIAL SECURITY # IS XXX-XX-5462. I’m Todd Davis, CEO of LifeLock, and this really is my social security number.* I give it just to prove how safe your identity can be with LifeLock.” (Exhibit 1)
- “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens. We’re so confident, we back our clients with a $1 million guarantee.” (Exhibit 1)
- “We aim to stop identity theft before it happens. . . . Every three seconds an identity is stolen. We’re here to make sure it doesn’t happen to you.” (Television Ad)
- “My social security number is XXX-XX-5462. I’m Todd Davis, CEO of LifeLock, and yes, that’s my real social security number.* Identity theft is one of the fastest growing crimes in America, victimizing over 10 million people a year and costing billions of dollars. So why publish my social security number? Because I’m absolutely confident LifeLock is protecting my good name and personal information, just like it will yours.” (Exhibit 2)
- “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . . LifeLock protects against this ever happening to you. Guaranteed.” (Exhibit 3)
- “LifeLock doesn’t just report unauthorized use of credit information, we prevent it by working with the top four credit bureaus to make sure you’re contacted to approve any credit transaction before it takes place.” (Exhibit 3)
- “LifeLock clients are contacted every time someone attempts to open credit in their name or change an address.” (Exhibit 4)
- “Please know that we are the first company to prevent identity theft from occurring.” (Exhibit 5)
- “LifeLock will make your personal information useless to a criminal.” (Exhibit 6)
- “LifeLock can keep this [identity theft] from happening to you . . . .” (Exhibit 6)
- “Every time you apply for new credit or someone tries to do something with your credit: You should receive a phone call from the bank asking if you are actually the person applying for credit in your name.” (Exhibit 7)
- “We work with all major credit bureaus on an ongoing basis, setting up fraud alerts and constantly monitoring what’s happening with each person’s credit.” (Exhibit 8)
- “LifeLock, the industry leader in proactive identity theft protection, offers a proven solution that prevents your identity from being stolen before it happens.” (Exhibit 9) (emphasis in original)
- “So why is LifeLock CEO Todd Davis still giving out his real Social Security number to anyone who will listen? ‘Because between LifeLock’s proactive approach and our $1 million service guarantee, I’m more confident than ever before in LifeLock’s ability to continue keeping my identity safe.’” (Exhibit 10)
- “I give [my Social Security number] out just to prove how safe your identity is with LifeLock.” (Exhibit 11)
-
In fact, the ID theft prevention service did not prevent identity theft and did not provide many of the protections claimed by Defendants. Among other things:
- The ID theft prevention service did not protect against all types of identity theft. The centerpiece of the ID theft prevention service was Defendants’ placement and renewal of Initial Fraud Alerts on their customers’ consumer reports. Although Initial Alerts can provide notice to creditors and other businesses that someone may be impersonating another, the Initial Alerts are only useful if the business accesses the consumer’s consumer report as part of the transaction, most commonly when the identity thief is attempting to open a new account in the consumer’s name. The Alerts do not protect against more common types of identity theft, such as misuse of an existing credit account, that typically do not involve obtaining consumer reports. Nor do the alerts protect against other types of identity theft, such as medical identity theft, employment-related identity theft, or using another’s identity to evade law enforcement.
- In some cases, the ID theft prevention service could fail to prevent identity theft even as to transactions in which consumer reports were obtained. Some businesses ignore fraud alerts or fail to take sufficient precautions to confirm the identity of the applicant. In some instances, identity thieves can thwart even reasonable precautions.
- The ID theft prevention service does not prevent unauthorized changes to customers’ address information because the Initial Alerts Defendants place for customers do not require users of the customers’ consumer reports to contact customers with fraud alerts before changing address information.
- The ID theft prevention service did not ensure that a consumer would receive a telephone call from a potential creditor before a new account was opened in the consumer’s name. Section 605A of the FCRA permits but does not require businesses to call consumers before opening the account, and also allows businesses to use other “reasonable steps to verify the consumer’s identity.”
- The ID theft prevention service did not provide ongoing monitoring or review of customers’ credit files.
STATEMENTS ABOUT THE SECURITY OF CUSTOMERS' INFORMATION
Since at least December 2006, Defendants, directly or indirectly, have disseminated or caused to be disseminated to consumers privacy policies and statements, including, but not necessarily limited to, the following statements regarding the privacy, confidentiality, and security of personal information they receive from their customers:
- "Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a 'need to know' basis."
- "All stored personal data is electronically encrypted."
- "Any data that we transmit over a private network will be sent via secure, encrypted channels."
- "When you enter sensitive information (such as credit card number and/or social security number) on our registration or order forms, we encrypt that information using secure socket layer technology (SSL)."
- "Your documents, while in our care, will be treated as if they were cash."
- "LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us." (Exhibit 12).
In fact, until at least September 2007, Defendants engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network, in transit through its corporate network or over the internet, or maintained in Defendants’ offices. Among other things, Defendants:
- Created an unnecessary risk to personal information by storing it on the network and transmitting it over the network and the internet in clear readable text.
- Failed to require employees, vendors, and others with access to personal information to use hard-to-guess passwords or to implement related security measures, such as periodically changing passwords or suspending users after a certain number of unsuccessful log-in attempts.
- Failed to limit access to personal information stored on or in transit through its networks only to employees and vendors needing access to the information to perform their jobs.
- Failed to use readily available security measures to routinely prevent unauthorized access to personal information, such as by installing patches and critical updates on its network.
- Did not adequately assess the vulnerability of the network and web applications to commonly known and reasonably foreseeable attacks, such as SQL injection attacks.
- Failed to employ sufficient measures to detect and prevent unauthorized access to the corporate network or to conduct security investigations, such as by installing antivirus or anti-spyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network.
- Did not implement simple, low-cost, and readily available defenses to commonly known and reasonably foreseeable attacks.
- Failed, from at least December 2006 until February 2007, to secure paper documents containing personal information that were received by facsimile in an open and easily accessible area.
As a result of these practices, an unauthorized person could obtain access to personal information stored on Defendants’ corporate network, in transit through Defendants’ corporate network or over the internet, or maintained in Defendants’ offices.
VIOLATIONS OF SECTION 5(a) OF THE FTC ACT
- Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits "unfair or deceptive acts or practices in or affecting commerce."
- Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.
COUNT I
- Through the means described in Paragraph 17, Defendants have represented, directly or indirectly, expressly or by implication, that the ID theft prevention service provided complete protection against all forms of identity theft by making customers’ personal information useless to identity thieves.
- In truth and in fact, as described in Paragraph 18, the ID theft prevention service did not provide complete protection against all identity theft and did not make customers’ personal information useless to identity thieves.
- Therefore, the making of the representation set forth in Paragraph 23 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT II
- Through the means described in Paragraph 17, Defendants have represented, directly or indirectly, expressly or by implication, that the ID theft prevention service prevented unauthorized changes to customers’ address information.
- In truth and in fact, as described in Paragraph 18, at the time this representation was made, the ID theft prevention service did not prevent unauthorized changes to customers’ address information because the Initial Alerts Defendants place for customers do not require users of the customers’ consumer reports to contact customers with fraud alerts before changing address information.
- Therefore, the making of the representation set forth in Paragraph 26 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT III
- Through the means described in Paragraph 17, Defendants have represented, directly or indirectly, expressly or by implication, that the ID theft prevention service constantly monitored activity on each of its customers’ consumer reports.
- In truth and in fact, as described in Paragraph 18, the ID theft prevention service did not monitor activity on customers’ consumer reports.
- Therefore, the making of the representation set forth in Paragraph 29 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT IV
- Through the means described in Paragraph 17, Defendants have represented, directly or indirectly, expressly or by implication, that the ID theft prevention service would ensure that a customer would always receive a phone call from a potential creditor before a new credit account was opened in the customer’s name.
- In truth and in fact, as described in Paragraph 18, the ID theft prevention service did not ensure that a customer would receive a phone call from a potential creditor before a new credit account was opened in their name because the Initial Alerts that Defendants placed for customers do not require that the potential creditor contact consumers before opening new credit accounts.
- Therefore, the making of the representation set forth in Paragraph 32 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT V
- Through the means described in Paragraph 19, Defendants have represented, directly or indirectly, expressly or by implication, that they employed reasonable and appropriate measures to protect personal information of customers from unauthorized access.
- In truth and in fact, as described in Paragraph 20, Defendants did not employ reasonable and appropriate measures to protect personal information of customers from unauthorized access.
- Therefore, the making of the representation set forth in Paragraph 35 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT VI
- Through the means described in Paragraph 19, Defendants have represented, directly or indirectly, expressly or by implication, that they encrypted sensitive customer information that they stored or transmitted in the course of their business.
- In truth and in fact, as described in Paragraph 20, Defendants did not encrypt sensitive customer information that they stored or transmitted in the course of their business.
- Therefore, the making of the representation set forth in Paragraph 38 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
COUNT VII
- Through the means described in Paragraph 19, Defendants have represented, directly or indirectly, expressly or by implication, that they limited access to sensitive customer information only to authorized employees on a “need-to-know” basis.
- In truth and in fact, as described in Paragraph 20, Defendants did not limit access to sensitive customer information only to authorized employees on a “need-to-know” basis.
- Therefore, the making of the representation set forth in Paragraph 41 of this Complaint constitutes a deceptive act or practice, in or affecting commerce, in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
CONSUMER INJURY
- Consumers have suffered and will continue to suffer substantial injury as a result of Defendants’ violations of the FTC Act.
- In addition, Defendants have been unjustly enriched as a result of their unlawful acts or practices.
- Absent injunctive relief by this Court, Defendants are likely to continue to injure consumers, reap unjust enrichment, and harm the public interest.
THIS COURT’S POWER TO GRANT RELIEF
- Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), empowers this Court to grant injunctive and such other relief as the Court may deem appropriate to halt and redress violations of any provision of law enforced by the FTC.
- The Court, in the exercise of its equitable jurisdiction, may award ancillary relief, including rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies, to prevent and remedy any violation of any provision of law enforced by the FTC.
PRAYER FOR RELIEF
Wherefore, Plaintiff Federal Trade Commission, pursuant to Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), and the Court’s own equitable powers, requests that the Court:
- Enter a permanent injunction to prevent future violations of the FTC Act by Defendants;
- Award such relief as the Court finds necessary to redress injury to consumers resulting from Defendants’ violations of the FTC Act, including, but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies; and
- Award Plaintiff the costs of bringing this action, as well as such other and additional relief as the Court may determine to be just and proper.
Dated: March 8, 2010 |
Respectfully submitted, Willard K. Tom DAVID W. LINCICUM Attorneys for Plaintiff FEDERAL TRADE COMMISSION |
AMENDED ORDER
This Amended Order supersedes the Court’s December 22, 2015 Order (Doc. 65). Plaintiff Federal Trade Commission (“FTC” or “Commission”) and Defendant LifeLock, Inc. (“LifeLock”) have settled and resolved all matters in dispute arising from the FTC’s Contempt action initiated against LifeLock on July 21, 2015 (Doc. 20), and pursuant to Federal Rule of Civil Procedure 60(b), seek to modify this Court’s March 15, 2010 Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief (Doc. 9) (“Permanent Injunction”). Based on the Findings set forth below, upon review of the parties’ submissions, and good cause appearing, the Court will grant the Consent Motion for Entry of Order (Doc. 64) and enter such Order on the terms that follow:
FINDINGS
- This Court entered the Permanent Injunction enjoining LifeLock from, inter alia, “misrepresenting in any manner, expressly or by implication, the means, methods, procedures, effects, effectiveness, coverage, or scope” of its identity theft protection service (Section I.A.5).
- The Permanent Injunction enjoins LifeLock from “misrepresenting in any manner, expressly or by implication, the manner or extent to which they maintain and protect the privacy, confidentiality, or security of any personal information collected from or about consumers” (Section I.B.).
- The Permanent Injunction requires LifeLock to “establish and implement, and thereafter maintain, a comprehensive information security program” (Section II).
- The Permanent Injunction further requires LifeLock to create and retain “[a]ll records and documents necessary to determine full compliance with each provision” of the Permanent Injunction (Section VIII.A.7).
- On July 21, 2015, the Commission alleged that LifeLock violated the Permanent Injunction by (a) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; (b) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; (c) failing to meet the Permanent Injunction’s recordkeeping requirements; and (d) falsely claiming it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.
- LifeLock neither admits nor denies the allegations identified in Paragraph 5 above.
- These findings constitute an appropriate change in circumstances to warrant modifying Sections VI through IX of the Permanent Injunction pursuant to Rule 60(b) of the Federal Rules of Civil Procedure.
- The parties have agreed to settle the Commission’s allegations with the entry of this Order.
DEFINITIONS
- “Affected Consumer(s)” means any person(s) who has subscribed to any LifeLock fee-based identity theft protection service, and could assert a claim arising from the types of violations alleged in Paragraph 5 of the Findings, excluding LifeLock; any parent, subsidiary, affiliate, or controlled person of LifeLock; the officers, directors, agents, employees of LifeLock; any counsel in the Covered Class Action; and any judge or court staff presiding over the Covered Class Action or this action.
- “Covered Class Action” means Napoleon Ebarle et al. v. LifeLock, Inc., No. 3:15-cv-258 (N.D. Cal. filed Jan. 19, 2015).
- “Money Received” means money paid as restitution by LifeLock to Affected Consumers by check, charge-back, or other transfer of funds, to the extent:
- Such money was issued by LifeLock pursuant to settlement: (i) of the Covered Class Action, or (ii) with any State Attorney General’s Office entered within four (4) months from the date of this Order;
- Either: (i) a credit card company, bank, or other financial institution has credited the Affected Consumer’s financial account with such money, or (ii) any such check has been cashed by the Affected Consumer; and
- Consumer information involved in payment of such money is handled in a manner that is consistent with the Commission’s privacy and data security standards, policies, and practices.
- For the purpose of clarification, Money Received shall not include any administrative fees, attorneys’ fees, or any other amount not directly issued to an Affected Consumer, or any coupons, credits, or other consideration applicable towards the purchase of products or services offered by LifeLock or any other entity.
ORDER
IT IS ORDERED granting the Consent Motion for Entry of Order (Doc. 64).
I. PERMANENT INJUNCTION
IT IS FURTHER ORDERED that the Permanent Injunction shall remain in full force and effect except Sections VI through IX of the Permanent Injunction as to LifeLock, which are replaced with Sections V through VIII below.
II. MONETARY JUDGMENT AND CONSUMER REDRESS
IT IS FURTHER ORDERED that:
-
Judgment in the amount of One Hundred Million Dollars ($100,000,000) is entered in favor of the Commission against LifeLock as equitable monetary relief.
-
LifeLock shall satisfy the judgment as follows:
- Pursuant to L.R. Civ. 67.1 and Fed. R. Civ. P. 67, LifeLock shall: (a) deposit One Hundred Million Dollars ($100,000,000) (“Settlement Funds”) into the Court’s Registry within five (5) business days of entry of this Order to be held in escrow for the sole purpose of distributing the funds in accordance with this Order, and (b) comply fully with all of its obligations under Section II of this Order. LifeLock is hereby authorized to deposit One Hundred Million Dollars ($100,000,000) into the Court’s Registry.
- If LifeLock fails to comply with Section I.B.1(a), the judgment amount of One Hundred Million Dollars ($100,000,000) shall become immediately due and payable to the Commission, and
LifeLock shall not have any right to any credit, offset, or any other reimbursement for any Money Received by Affected Consumers as provided in this Order.
-
The Settlement Funds shall include any interest that the funds accrue while in the Court’s Registry, minus costs pursuant to L.R. Civ. 67.1.
-
The Settlement Funds shall be disbursed by motions pursuant to this Section II, if both of the following conditions are met: (1) LifeLock acts expeditiously to obtain final court approval of the settlement agreement in the Covered Class Action, and (2) all such motions are filed by the earlier of eighteen (18) months from the date of this Order or two hundred seventy (270) days from the date of final court approval of the settlement agreement in the Covered Class Action.
-
Subject to Section II.D, LifeLock may use up to Sixty-Eight Million Dollars ($68,000,000) of the Settlement Funds to fund an escrow account established in the Covered Class Action if all of the following conditions are met:
- LifeLock has obtained preliminary court approval of the settlement agreement in the Covered Class Action, and
- The agreement governing the escrow fund ensures that:
- All payments from the escrow account are issued directly to Affected Consumers for the sole purpose of providing consumer redress.
- All payments from the escrow account either become Money Received by Affected Consumers within one hundred twenty (120) days of such payment or are returned immediately to the escrow account.
- The escrow account transfers all remaining funds, including any interest that has accrued in the escrow account, to the Commission after the expiration of the deadline for motions in Section II.D.
- As many Affected Consumers as reasonably practicable receive payments from the escrow fund.
-
If an agreement governing an escrow account funded pursuant to Section II.E ceases to comply with any of the criteria in Section II.E.2, or such escrow account ceases to be administered in compliance with all of the criteria in Section II.E.2, LifeLock shall immediately (1) deposit into the Court’s Registry as Settlement Funds the amount of money in the escrow fund immediately prior to such non-compliance, or if the Settlement Funds have already been transferred by the Court to the Commission under Section II.J, (2) pay such amount directly to the Commission.
-
Subject to Sections II.D and H through M, LifeLock shall have a right to the amount of Settlement Funds remaining in the Court’s Registry equal to: (1) money Received by Affected Consumers, other than such Money Received that was paid out of an escrow account funded under Section II.D and compliant with Section II.D.2 at the time of issuance of payment to the Affected Consumer, plus
(2) the interest accrued on such amount specified in subsection (1) while in the Court’s Registry.
-
LifeLock shall have a right to seek disbursement of the funds identified in Section II.G by motion in up to three (3) installments.
-
Under no circumstances shall LifeLock receive more than one (1) disbursement from the Settlement Funds for each payment of Money Received by Affected Consumers.
-
The Commission shall be entitled to all remaining Settlement Funds in the Court’s Registry: (1) upon the Court’s resolution of all motions timely filed under this Section II, or if no such timely filed motion is pending, (2) upon the expiration of the deadline for motions in Section II.D.
-
If any portion of the Money Received by Affected Consumers for which LifeLock received disbursement from the Settlement Funds is returned to LifeLock, LifeLock shall remit such portion to the Commission within ten (10) business days.
-
All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to LifeLock’s practices as set forth in this Order. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. LifeLock has no right to challenge any actions the Commission or its representatives may take pursuant to this Subsection.
-
LifeLock relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred to the Court’s Registry or to the Commission pursuant to this Order, except as specified in Sections II.D through II.J.
-
LifeLock warrants and represents that as of the date it executes this Order, after giving effect to Section II, LifeLock will not: (1) be insolvent (either because its financial condition is such that the sum of its debts is greater than the fair market value of its assets or because the fair saleable value of its assets is less than the amount required to pay its probable liabilities on its existing debts as they mature). (2) have unreasonably small capital with which to engage in its business. (3) have incurred debts beyond its ability to pay as they become due.
-
LifeLock acknowledges that its Taxpayer Identification Numbers, which it previously submitted to the Commission, may be used for collecting and reporting any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.
-
All payments to the Commission under this Order must be made by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.
III. CUSTOMER INFORMATION
IT IS FURTHER ORDERED that LifeLock shall provide customer information requested by the Commission to enable the Commission to efficiently administer customer redress. If a representative of the Commission requests in writing any information related to redress, LifeLock must provide it, in the form prescribed by the Commission, within ten (10) days.
IV. ENTRY OF ORDER
IT IS FURTHER ORDERED that there is no just reason for delay of entry of this Order, and the clerk shall enter this Order immediately.
V. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that, in order that compliance with the provisions of the Permanent Injunction and this Order may be monitored:
-
For a period of five (5) years from the date of entry of this Order, LifeLock shall notify the Commission of any changes in its corporate structure or any business entity that LifeLock directly or indirectly controls, or has ownership interest in, that may affect compliance obligations under the Permanent Injunction or this Order, including, but not limited to: Incorporation or other organization; A dissolution, assignment, sale, merger, or other action; The creation or dissolution of a subsidiary, parent, or affiliate that engages in any practices subject to the Permanent Injunction or this Order; or A change in the business name or address, at least thirty (30) days prior to such change, provided that, with respect to any proposed change in the business entity of which LifeLock learns less than thirty (30) days prior to the date such action is to take place, LifeLock shall notify the Commission as soon as practicable after obtaining such knowledge.
-
One hundred eighty (180) days after the date of entry of this Order and annually thereafter for a period of five (5) years, LifeLock shall provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which it has complied and is complying with the Permanent Injunction and this Order. This report shall include, but not be limited to: (1) a copy of each acknowledgment of receipt of the Permanent Injunction and this Order obtained pursuant to the Section titled “Distribution of Order.” (2) Any other changes required to be reported under Subsection A of this Section.
-
LifeLock shall notify the Commission of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding within fifteen (15) days of its filing. Unless directed otherwise by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:
Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The subject line must begin: FTC v. LifeLock, Inc., X100023.
VI. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring LifeLock’s compliance with the Permanent Injunction and this Order:
-
Within fourteen (14) days of receipt of written notice from a representative of the Commission, LifeLock shall submit additional written reports or other requested information, which are true and accurate and sworn to under penalty of perjury; produce documents for inspection and copying; appear for deposition; provide entry during normal business hours to any business location in LifeLock’s possession or direct or indirect control to inspect the business operation.
-
In addition, the Commission is authorized to use all other lawful means, including but not limited to:
- Obtaining discovery from any person, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
- Posing as consumers and suppliers to LifeLock, their employees, or any other entity managed or controlled in whole or in part by LifeLock without the necessity of identification or prior notice.
-
LifeLock shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to the Permanent Injunction or this Order. The person interviewed may have counsel present.
-
Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1, to obtain any documentary material, tangible things, testimony, or information relevant to unfair or deceptive acts or practices in or affecting commerce (within the meaning of 15 U.S.C. 45(a)(1)).
VII. RECORD KEEPING PROVISIONS
IT IS FURTHER ORDERED that:
-
LifeLock is hereby restrained and enjoined from failing to create and retain the following records for the following periods:
- For a period of thirteen (13) years from the date of entry of the Permanent Injunction, the following records in connection with the sale or provision of products or services related to identity theft:
- Accounting records that reflect the cost of goods or services sold, revenues generated, and the distribution of such revenues.
- Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person’s job title or position; the date upon which the person commenced work; and the date and reason for the person’s termination, if applicable.
- Consumer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of items or services purchased, and description of items or services purchased, to the extent such information is obtained in the ordinary course of business.
- Complaints and refund requests (whether received directly, indirectly, or through any third party) and any responses to those complaints and requests.
- Copies of all sales scripts, training materials, advertisements, or other marketing materials.
- Any documents, whether prepared by or on behalf of LifeLock, that contradict, qualify, or call into question LifeLock’s compliance with Sections I, II, and III of the Permanent Injunction.
- All records and documents necessary to demonstrate full compliance with each provision of the Permanent Injunction and this Order, including but not limited to, copies of acknowledgments of receipt required by the Permanent Injunction and this Order, all reports submitted to the FTC pursuant to the Section of this Order titled “Compliance Reporting.”
- For a period of thirteen (13) years from the date of entry of the Permanent Injunction, the following records in connection with the sale or provision of products or services related to identity theft:
-
For a period of three (3) years after the date of preparation of each Assessment required under the Section of the Permanent Injunction titled “Biennial Assessment Requirements,” LifeLock shall retain all materials relied upon to prepare the Assessment, whether prepared by or on behalf of LifeLock, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials relating to LifeLock’s compliance with the Section of the Permanent Injunction titled “Biennial Assessment Requirements.”
-
For a period of five (5) years from the date of entry of this Order, LifeLock shall retain records and documents sufficient to provide all material facts regarding Money Received by Affected Consumers and the administration of the escrow account funded under Section II.E, including but not limited to: (1) The identity of each Affected Consumer who received a payment. (2) The amount of each payment. (3) The manner in which LifeLock issued each payment. (4) The date of each payment. (5) Evidence that each payment was credited to an Affected Consumer’s financial account or was otherwise cashed. (6)All escrow account activity and balances.
VIII. DISTRIBUTION OF ORDER
IT IS FURTHER ORDERED that:
-
For a period of five (5) years from the date of entry of this Order, LifeLock shall deliver copies of the Permanent Injunction and this Order as directed below:
- LifeLock must deliver a copy of the Permanent Injunction and this Order to: (1)All of its principals, officers, directors, and managers. (2) All of its employees, agents, and representatives who engage in conduct related to the subject matter of the Permanent Injunction and this Order. (3) Any business entity resulting from any change in structure set forth in Subsection A of the Section of this Order titled “Compliance Reporting.” For current personnel, delivery shall occur within seven (7) days of entry of this Order. For all others, delivery shall occur prior to them assuming their responsibilities. For any business entity resulting from any change in structure set forth in Subsection A of the Section of this Order titled “Compliance Reporting,” delivery shall be at least ten (10) days prior to the change in structure.
-
LifeLock must secure a signed and dated statement acknowledging receipt of the Permanent Injunction and this Order, within thirty (30) days of delivery, from all persons receiving a copy of the Permanent Injunction and this Order pursuant to this Section.
IX. ACKNOWLEDGEMENT OF RECEIPT OF THIS ORDER
IT IS FURTHER ORDERED that LifeLock, within five (5) business days of receipt of this Order as entered by the Court, must submit to the Commission a truthful sworn statement acknowledging receipt of this Order.
X. RETENTION OF JURISDICTION
IT IS FURTHER ORDERED that the Court shall continue to retain jurisdiction of this matter for all purposes.
Dated this 4th day of January, 2016.
Honorable John J. Tuchi United States District Judg |
Table of contents
Questions?
If you would like to learn more, our compliance experts are happy to support you..
Leave us a Message