The FTC has consistently brought enforcement proceedings against companies that do not follow their own privacy policies (see examples here, here, and here). In the most recent example of this trend, the FTC has settled charges that an Arizona company called LifeLock Inc. had made false promises about the extent of its data security measures. You can read the settlement agreement here.
LifeLock casts itself as the “industry leader in the rapidly growing field of identity theft protection” providing its customers with “early notification of identity threats” (fraud alerts). The company advertised in print and on radio, television, and the Web. While marketing the service, the company collected personally identifiable information for more than one million customers. The FTC complaint alleged, among other things, that the service did not prevent identity theft, as advertised. The FTC also charged that the company did not safeguard the personal information of its customers, noting that “an unauthorized person could obtain access to personal information stored on Defendants’ corporate network, in transit through Defendants’ corporate network or over the internet…”
In the settlement agreement, confirmed by the Federal District Court for the District of Arizona, LifeLock and its principals agreed to never again misrepresent in advertising or elsewhere the features of their identity theft products and services. In addition, the company agreed to establish “a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The company agreed to pay $12 million in fines ($11 million to the FTC to redress consumer harm, and $1 million to be divided among 35 state attorneys general who had complained). The COO and CEO of LifeLock agreed to pay $10,000.00 each. Finally, the company agreed to be audited for compliance 180 days after service of the order and every two years thereafter for the next 20 years.