The Norton anti-virus owner will also acquire the company’s controversial public image
Considering the whole identity theft protection industry in the US is estimated to be worth $3 billion by IBISWorld, the acquisition shows Symantec’s confidence in the brand performing well under its umbrella in the larger, $10 billion cyber security industry.
That brand has weathered some snafus in recent years yet continues to add more users at the $10, $20, and $30 monthly fees it charges to monitor for fraudulent transactions and fake account sign-ups. LifeLock’s annual 2015 revenue, for instance, increased by over $100 million from 2014 and will continue to grow.
That’s a good thing for the company especially now that LifeLock has to pay $100 million out in a class action lawsuit.
The whole identity protection industry, though, weathering bad press and government inquiries into their efficacy even as its revenues continue to grow, is driven by the reality that more and more data breaches happen every day to consumers.
This nine-figure settlement followed from a 2010 ruling covering multiple US states that ordered the company to pay $12 million in fines. Several years after that, the FTC found that the company was advertising identity protection services it could not deliver one as they were outside its actual operational scope.
The 2015 and 2010 rulings both implicated LifeLock in unsafe data handling practices, though with the proceedings still sealed, it is not clear what exactly this issue (or issues) was beyond the FTC statement that it is, “failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data” by instituting necessary encryption standards.
Unlike with other companies dealing with the very visible fallout of such practices, LifeLock’s user data has so far not turned up in the wild, so the exact threats users face are not clear. Credit card data, at least, conforms to Payment Card Industry Data Security Standard metrics, though the FTC argues this isn’t enough given other issues found, like password management, intrusion detection practices, and “need-to-know” distribution of user information.
High confidence and limits to success
Underscoring the company’s limits was the fact that its former CEO, Todd Davis, posted his own Social Security Number in TV ad spots. The ads, featuring Davis holding up his Social Security card, proclaimed, “we work to stop identity theft before it happens.”
To date, Davis’s identity had been stolen at least 13 times. Most of these thefts saw his information used to rack up bills, including a couple thousand dollars for an AT&T account.
Though he did not have to pay any of the charges falsely incurred in his name, the fact that a number of the episodes were uncovered only when collections agencies came knocking for the real Davis was bad PR for the company. It meant LifeLock had failed to notify even its own CEO of these 13 incidents, and they found out about them the same way most people do, when the collections agency comes calling.
Aside from those incidents, though, Davis says that 87 further identify theft attempts against him were stopped before they came to pass.
That the company cannot protect all its users all of the time is something it more readily acknowledges now, and offers payment for legal costs up to $1 million and reimbursements up to $25,000 for lost income. (Bloomberg notes, though, that this often doesn’t kick in since people’s banks already have such coverage.)
Most credit monitoring services, after all, cannot stop the actual fraud and can only help users catch further incidents and then, as an absolute necessity in such instances, fix their credit scores.
Common sense safety
LifeLock also offers, for free, a lot of advice on how to reduce your susceptibility to scammers and hackers since an ounce of prevention goes a long way. Obviously, if someone is determined to steal your identity and has the right set of tools to break into your online life, they will get it. Even legitimate web features and business services can be compromised without users knowing. But a lot of low-level scams can be easily defeated just by basic common sense.
As someone who once worked at an IT help desk in school, I often told people that there was a reason their anti-virus software wouldn’t let you download that one torrent of your favorite show. Which they downloaded anyway after disabling the service, which, while not perfect, was at least scanning for some threats.
Which they then downloaded alongside their favorite shows. For weeks, until coming to us with a machine moving at a fraction of its normal speed.
As one reviewer noted, a lot of LifeLock’s services can be had from credit bureaus and ratings agencies for free, or just your own due diligence online. Some of the monitoring work, though, is not free for any such services and too complicated to really be DIY. It does at least do time-consuming work for you, and does so across a lot of databases, forums, and businesses.
So, having an identity theft prevention service is more a matter of convenience, and peace of mind, than anything else. Users shouldn’t, though, just assume that this will protect them from determined attackers. Peace of mind shouldn’t breed complacency.