The FTC has consistently brought enforcement proceedings against companies that do not follow their own privacy policies (see examples here, here, and here). In the most recent example of this trend, the FTC has settled charges that an Arizona company called LifeLock Inc. had made false promises about the extent of its data security measures. You can read the settlement agreement here.
LifeLock casts itself as the “industry leader in the rapidly growing field of identity theft protection” providing its customers with “early notification of identity threats” (fraud alerts). The company advertised in print and on radio, television, and the Web. While marketing the service, the company collected personally identifiable information for more than one million customers. The FTC complaint alleged, among other things, that the service did not prevent identity theft, as advertised. The FTC also charged that the company did not safeguard the personal information of its customers, noting that ”an unauthorized person could obtain access to personal information stored on Defendants’ corporate network, in transit through Defendants’ corporate network or over the internet…”
In the settlement agreement, confirmed by the Federal District Court for the District of Arizona, LifeLock and its principals agreed to never again misrepresent in advertising or elsewhere the features of their identity theft products and services. In addition, the company agreed to establish “a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The company agreed to pay $12 million in fines ($11 million to the FTC to redress consumer harm, and $1 million to be divided among 35 state attorneys general who had complained). The COO and CEO of LifeLock agreed to pay $10,000.00 each. Finally, the company agreed to be audited for compliance 180 days after service of the order and every two years thereafter for the next 20 years.
If you have a Web site privacy policy, the LifeLock settlement is a good reminder to check that your company is taking the steps you promised to take to safeguard your customer data and privacy.
1 ping
CyberLaw Currents » FTC Settles Charges Against Twitter
June 28, 2010 at 3:03 pm (UTC 0) Link to this comment
[...] If you promise customers that their personal information is secure, you had better deliver on that promise. That is the message of last week’s settlement between the FTC and Twitter — the FTC’s first case against a social networking service. It’s a message the FTC has sent to industry before. [...]