[ISN] ID theft protection firm sued

From: InfoSec News (alerts@private)
Date: Mon May 19 2008 - 00:08:57 PDT


By Andrew Clevenger
Staff writer
The Charleston Gazette
May 18, 2008

For a time, the ads were everywhere on TV and radio, the ones with the 
head of a security company brazenly challenging would-be thieves to try 
to steal his identity.

Richard Todd Davis, CEO of LifeLock Inc., was so confident in his 
company's ability to protect his identity that he publicly revealed his 
Social Security number: 457-55-5462.

But according to a new class-action lawsuit filed last week in Jackson 
County, LifeLock's identity theft protection services were so inept that 
Davis' personal information was stolen repeatedly.

"While LifeLock has only publicly acknowledged that Davis' identity was 
compromised on one occasion, there are more than 20 driver's licenses 
that have been fraudulently obtained [using his personal information]," 
the suit states.

"Furthermore, a simple background check performed using Davis' Social 
Security number reveals that his entire personal profile has been 
compromised to the extent that the birth date associated with his Social 
Security number is Nov. 2, 1940, which would [inaccurately] make Davis 
67 years old."

The lawsuit maintains that LifeLock, which claims on its Web site to be 
"the industry leader in the rapidly growing field of Identity Theft 
Protection," made false and misleading claims in its multimillion-dollar 
ad campaign about the level of protection it provides.

"Through its advertisements, LifeLock misrepresents and assures 
consumers that it can protect against all types of fraud including, 
without limitation, computer hacking, password theft and other 
noncredit-related theft," the suit reads.

But LifeLock doesn't protect against many forms of identity theft, 
according to the lawsuit.

The Arizona-headquartered company does place and renew fraud alerts on 
its subscribers' credit profiles. But it does nothing to combat breaches 
involving personal bank, employment or medical information, as well as 
theft pertaining to government documents and benefits, the suit alleges.

"LifeLock knows, yet fails to disclose, that the services it provides do 
not offer the breadth of protection that it promotes through its massive 
advertising campaign," the suit states.

The West Virginia suit follows similar suits filed in New Jersey in 
March and Maryland in April. It asks the judge to certify it as a 
class-action suit.

The lawsuit was filed on behalf of Kevin Gerhold of Falling Waters, and 
maintains that there are numerous other state residents who were 
similarly misled into signing up.

Gerhold was attracted by LifeLock's $1 million guarantee against any 
damages resulting from breaches that occur under the company's watch.

But even that is misleading, according to Charleston attorney David 
Grubb, who is serving as the suit's local counsel.

"In actuality, once you get beyond the numerous legal limitations and 
disclaimers, the policy really only guarantees that LifeLock will 
investigate how to fix its failure," Grubb said in a news release. "The 
subscriber receives no monetary recompense and no guarantee that their 
reputation and credit status will be restored."

According to the suit, the company has almost 1 million subscribers who 
pay roughly $110 a year for LifeLock's protection.

"This is a service that you pay for and it kind of lays dormant," said 
David Paris, an attorney with the New Jersey firm Marks & Klein who is 
heading the case against LifeLock. "So no one knows that they're not 
getting what they paid for, because they don't know what to look for."

Paris said that consumers can activate for free the same safeguards that 
LifeLock does, but the company fails to mention that in its marketing 

The suit alleges that LifeLock's services can actually harm its clients 
because the constant placement of fraud alerts can prevent them from 
getting a home loan or refinancing their existing loans.

In addition, the company fails to reveal that it obtains its credit 
reports by requesting on its clients' behalf their free annual credit 
report. That means consumers can't ask for their own free report for at 
least 12 months, according to the suit.

The suit also traces what it calls the "nefarious origin" of the 
company, including the background of Robert J. Maynard Jr., who 
co-founded the company with Davis in 2005.

"Upon information and belief, Maynard developed the idea for LifeLock 
while sitting in a jail cell after having been arrested for failure to 
repay a $16,000 casino marker taken out at the Mirage Hotel in Las 
Vegas," the suit states.

Maynard was sanctioned by the Federal Trade Commission because of 
misleading infomercials for National Credit Foundation, a separate 
credit-improvement company, according to the suit.

The suit also maintains that Maynard stole his father's identity by 
using his information to get an American Express card, which he used to 
rack up more than $100,000 of debt.

Paris said he plans to file another suit in a fourth state soon, and he 
is still gathering information about LifeLock's practices.

"In Wisconsin, a woman's debit card was stolen, and that thief used that 
card to sign up for LifeLock," he said. "If you can't provide the basic 
information to verify someone for subscription purposes, how can you be 
relied upon to protect people's identities?"

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon May 19 2008 - 00:23:30 PDT