On Life Lock and the lim­its of pro­tec­tion

The Washington Post Sunday - - BUSINESS - Michelle Singletary

Your per­sonal fi­nan­cial in­for­ma­tion can’t be com­pletely pro­tected.

With the al­ready im­mea­sur­able list of data breaches that seems to grow longer by the day, maybe we should be pray­ing not for pro­tec­tion but for bet­ter in­ter­ven­tions. Wit­ness the re­cent news in­volv­ing the Fed­eral Trade Com­mis­sion and LifeLock, one of the lead­ing com­pa­nies in the iden­ti­tytheft pro­tec­tion busi­ness.

The FTC has filed charges al­leg­ing that LifeLock vi­o­lated a 2010 set­tle­ment in which the com­pany vowed to stop mak­ing de­cep­tive claims about its ser­vices and im­ple­ment stronger mea­sures to safe­guard its own cus­tomers’ per­sonal data, in­clud­ing credit card, So­cial Se­cu­rity and bank ac­count num­bers.

I hope the irony is not lost on you. The FTC con­tends that a com­pany that peo­ple hired to de­fend against iden­tity thieves didn’t, for a pe­riod of time, ad­e­quately guard the per­sonal data that the com­pany it­self col­lected.

“We dis­agree with the sub­stance of the FTC’s con­tentions and are pre­pared to take our case to court,” LifeLock said in a state­ment. “LifeLock takes the ac­cu­racy of our advertising ma­te­ri­als very se­ri­ously. The alert­ing claims raised by the FTC did not re­sult in any known iden­tity theft for LifeLock mem­bers.”

What­ever hap­pens this time (LifeLock pre­vi­ously shelled out $12 mil­lion), the case should serve as a re­minder that iden­ti­tytheft ser­vices are lim­ited in what they can do and still can leave you ex­posed. Here’s how:

The claim: In its advertising, LifeLock says it “uses ad­vanced tech­nol­ogy to con­stantly mon­i­tor over a tril­lion data points to help de­tect sus­pi­cious uses of your iden­tity in­for­ma­tion to get loans, credit and ser­vices in your name.”

The caveat: Let’s say that with all of its su­per-duper de­tec­tion, LifeLock dis­cov­ers that your data has been com­pro­mised. This means it is al­ready out there and per­haps be­ing sold for good­ness knows what. By the time a breach is de­tected, it’s too late. Oh, and by the way, in those ads is this dis­clo­sure: “Net­work does not cover all trans­ac­tions.”

The com­pany fur­ther ex­plains in its Web site’s FAQ sec­tion: “Not all mer­chants par­tic­i­pate and on oc­ca­sion an ap­pli­ca­tion may be sub­mit­ted by a len­der or ser­vice provider that does not fall within our net­work.”

The claim: “At the cen­ter of all LifeLock ser­vices is the patented LifeLock Iden­tity Alert sys­tem. Ac­tion­able alerts are sent in near real time as soon as LifeLock de­tects your So­cial Se­cu­rity num­ber, name, ad­dress or date of birth in ap­pli­ca­tions for credit and ser­vices within our ex­ten­sive net­work. . . . You can choose alerts by text, phone or e-mail.”

The caveat: Again, alerts only come af­ter the fact. Also, the FTC noted in its orig­i­nal 2010 com­plaint that LifeLock’s alerts don’t pro­tect you from some of the more com­mon types of iden­tity theft, such as mis­use of an ex­ist­ing credit ac­count, that typ­i­cally do not in­volve ob­tain­ing con­sumer credit re­ports. “Nor do the alerts pro­tect against other types of iden­tity theft, such as med­i­cal iden­tity theft, em­ploy­ment-re­lated iden­tity theft, or us­ing another’s iden­tity to evade lawen­force­ment,” the FTC added.

The claim: Iden­tity-theft ser­vices may of­fer alerts of ac­tiv­ity on your credit card, check­ing and sav­ings ac­counts.

The caveat: You’re pay­ing for some­thing you can do your­self.

With so many data breaches, most fi­nan­cial in­sti­tu­tions now al­low you to sign up for free alerts. I have alerts on allmy ac­counts. I set a thresh­old upon which I want to be alerted by email. And be­lieve me, I in­ves­ti­gate ev­ery alert I get. The sooner you catch some­thing, the quicker you can in­ter­vene.

The claim: You’ll get your alerts lick­ety-split.

The caveat: Youmay not get alerted as quickly as you think.

Inits new com­plaint, the FTC said that from at least Jan­uary 2012 through De­cem­ber 2014, LifeLock falsely claimed it pro­tected con­sumers’ iden­tity around the clock, 365 days a year, by send­ing alerts “as soon as” there was any in­di­ca­tion there was a prob­lem.

LifeLock says in its FAQs that it’s “pos­si­ble that, due to a len­der or ser­vice provider’s in­ter­nal pro­cess­ing pro­ce­dures, in lim­ited cir­cum­stances an ap­pli­ca­tion made within our net­work may not re­sult in an alert or­may re­sult in a de­layed alert no­ti­fi­ca­tion.”

As the FTC noted, even when you put a fraud alert on your credit files, cred­i­tors could over­look such no­tices. And many in­sti­tu­tions sim­ply don’t have suf­fi­cient pro­tec­tions within their sys­tems to thwart thieves.

Youmay feel some com­fort in an iden­tity-theft pro­tec­tion ser­vice. But even the best of them still leave you vul­ner­a­ble be­cause what they largely pro­vide is an af­ter-the-fact “de­fense.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.