On Life Lock and the limits of protection
Your personal financial information can’t be completely protected.
With the already immeasurable list of data breaches that seems to grow longer by the day, maybe we should be praying not for protection but for better interventions. Witness the recent news involving the Federal Trade Commission and LifeLock, one of the leading companies in the identitytheft protection business.
The FTC has filed charges alleging that LifeLock violated a 2010 settlement in which the company vowed to stop making deceptive claims about its services and implement stronger measures to safeguard its own customers’ personal data, including credit card, Social Security and bank account numbers.
I hope the irony is not lost on you. The FTC contends that a company that people hired to defend against identity thieves didn’t, for a period of time, adequately guard the personal data that the company itself collected.
“We disagree with the substance of the FTC’s contentions and are prepared to take our case to court,” LifeLock said in a statement. “LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.”
Whatever happens this time (LifeLock previously shelled out $12 million), the case should serve as a reminder that identitytheft services are limited in what they can do and still can leave you exposed. Here’s how:
The claim: In its advertising, LifeLock says it “uses advanced technology to constantly monitor over a trillion data points to help detect suspicious uses of your identity information to get loans, credit and services in your name.”
The caveat: Let’s say that with all of its super-duper detection, LifeLock discovers that your data has been compromised. This means it is already out there and perhaps being sold for goodness knows what. By the time a breach is detected, it’s too late. Oh, and by the way, in those ads is this disclosure: “Network does not cover all transactions.”
The company further explains in its Web site’s FAQ section: “Not all merchants participate and on occasion an application may be submitted by a lender or service provider that does not fall within our network.”
The claim: “At the center of all LifeLock services is the patented LifeLock Identity Alert system. Actionable alerts are sent in near real time as soon as LifeLock detects your Social Security number, name, address or date of birth in applications for credit and services within our extensive network. . . . You can choose alerts by text, phone or e-mail.”
The caveat: Again, alerts only come after the fact. Also, the FTC noted in its original 2010 complaint that LifeLock’s alerts don’t protect you from some of the more common types of identity theft, such as misuse of an existing credit account, that typically do not involve obtaining consumer credit reports. “Nor do the alerts protect against other types of identity theft, such as medical identity theft, employment-related identity theft, or using another’s identity to evade lawenforcement,” the FTC added.
The claim: Identity-theft services may offer alerts of activity on your credit card, checking and savings accounts.
The caveat: You’re paying for something you can do yourself.
With so many data breaches, most financial institutions now allow you to sign up for free alerts. I have alerts on allmy accounts. I set a threshold upon which I want to be alerted by email. And believe me, I investigate every alert I get. The sooner you catch something, the quicker you can intervene.
The claim: You’ll get your alerts lickety-split.
The caveat: Youmay not get alerted as quickly as you think.
Inits new complaint, the FTC said that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity around the clock, 365 days a year, by sending alerts “as soon as” there was any indication there was a problem.
LifeLock says in its FAQs that it’s “possible that, due to a lender or service provider’s internal processing procedures, in limited circumstances an application made within our network may not result in an alert ormay result in a delayed alert notification.”
As the FTC noted, even when you put a fraud alert on your credit files, creditors could overlook such notices. And many institutions simply don’t have sufficient protections within their systems to thwart thieves.
Youmay feel some comfort in an identity-theft protection service. But even the best of them still leave you vulnerable because what they largely provide is an after-the-fact “defense.”