The Death of LifeLock

You have seen the ads for a company called LifeLock.  They’re the ones with the CEO’s Social Security number.  It must be a very effective campaign. The company currently has 1.5 million subscribers at $10 a month each.

Padlock And what do you get for your $120 a year?  Well, a few things, but the major one is that LifeLock will place a "fraud alert" on your credit reports. These warn potential grantors of credit that something is fishy and tell them to contact you directly to confirm that it was really you that asked for the loan.  Fraud alerts expire after 90 days, so LifeLock dutifully renews them for you four times a year.

That’s a nice little business they’ve got. $180 Million in recurring annual revenue for not a lot of work.  But before you slap your forehead and ask why you didn’t think of it first, you should know that it looks like the party’s over.

LifeLock’s use of fraud alerts is pretty clearly abusive.  They were created by federal law as a way for consumers to place a red flag on their credit reports if they were currently involved in fraud, not as a precautionary step to be taken by millions.  (The LifeLock website says that to use the service you must "confirm that you have a good faith suspicion that you have been or are about to become a victim of identity theft."  Wink wink.)

From the point of view of the credit reporting agencies, what LifeLock does is not just annoying, it costs money.  They are processing 6 million fraud alerts a year and getting paid nothing at all to do it.  And the cost is larger than you might think.  You might assume that LifeLock periodically sends over some kind of computer file with a list of names for whom fraud alerts were to be set, but apparently this is not so.  At least in the case of Experian, they had employees making phone calls to the credit bureau’s 800 number.  So somewhere there was a sea of cubicles whose job was to call another sea of cubicles and read off information from one computer screen to be transcribed onto another.

Moreover, there is an even more serious "cry wolf" problem with this abuse.  Companies that use credit reports are under no obligation to do anything about a fraud alert.  If they are very rare and mean that somebody has recently been using the credit info fraudulently, the company has every incentive to tread carefully.  But if there are millions of fraud alerts with no actual fraud involved, the constant false alarms are likely to convince companies to just ignore them altogether.

Experian sued LifeLock and two weeks ago won a summary judgment in federal court.  Turns out that the law is clear that consumers, and only consumers, can place a fraud alert on their credit reports.  The judge ruled that "Congress expressly excused Experian and other credit reporting agencies from placing fraud alerts requested by companies like LifeLock." Game over.

LifeLock’s CEO, Todd Davis, Mr. 457-55-5462 himself, put a brave face on and said that they will appeal the decision and continue to file fraud alerts with the other two credit bureaus, Equifax and TransUnion. As if those two will waste any time applying to the nearest federal judge for the same ruling.

LifeLock does provide some other services for its $120 a year, but the fraud alert was the centerpiece.  Right now it looks like the company is set to go away as fast as it arrived.

No Comments

  • By Rob Bennett, June 1, 2009 @ 8:57 am

    There was a day when shame would have stopped people from profiting from other people’s vulnerabilities in this way.

    The good old days!

    Rob

  • By Kevin M, June 1, 2009 @ 9:01 am

    I thought I read something a month or 2 ago about the LifeLock CEO being a victim of ID theft. I guess I just assumed the company would die after that.

  • By Kosmo @ The Casual Observer, June 1, 2009 @ 9:12 am

    Holy cheese balls … I wasn’t fully aware of how Lifelock worked (because I tuned it out after the first time).

    As an IT guy, the “sea of cubicles calling another sea of cubicles” is basically the equivalent of fingers scratching a chalkboard to me :)

  • By kurt, June 1, 2009 @ 9:39 am

    Let’s not forget that all three credit reporting agencies offer their own fraud services for a mere 14.95 per month. But I’m sure that had nothing to do with going after Lifelock.

  • By Rick Francis, June 1, 2009 @ 11:07 am

    All of the credits monitoring solutions are junk- a credit freeze is the correct solution. It’s a bit of a pain but essentially you prevent any credit applications from going through until you use a PIN number to unfreeze the credit. The annoying thing is that you have to freeze with each of the three credit reporting agencies. It also costs a bit to do although it varies by state-but I think it is around ~$10/agency.

    -Rick Francis

  • By the weakonomist, June 1, 2009 @ 11:20 am

    Kevin, someone opened an account in his name as a proof of concept. You would think that would kill the company, but they don’t ever really promise to keep you from getting your ID stolen, just sort of insurance if it is. Though their ads to allude to some kind of prevention, it’s basically impossible.

  • By Dave C., June 1, 2009 @ 11:39 am

    I hear you Kosmo. Perhaps that have no concept of the idea of web services or at least have some kind of automated batch file handling. The manual calling process they use just boggles the mind.

  • By Denise Richardson, June 1, 2009 @ 11:58 am

    The title -though far from reality -caught my eye. And I agree with Rob’s comment in… “There was a day when shame would have stopped people from profiting from other people’s vulnerabilities in this way.” -But that doesn’t apply to LifeLock or any of the other companies trying to be part of the id theft epidemic’s solution. It does however relate to Experian. In the good old days we owned our own information and could choose which Mom and Pop credit reporting agency we wanted to deal with. Credit bureaus competed for our business. If we don’t like what LifeLock has to offer -we don’t have to do business with them. But we have NO choice in doing business with Experian.

    Though this partial ruling is unsettling -it’s far from the “death of LifeLock! And the suit is far from over. Experian is dealing with daily lawsuits -for years, and nobody talks about them -or their deceptive, fake free credit report commercials.

    In America we are allowed choices. I choose to pay a small amount of money for proactive/recovery services – only one of which is setting fraud alerts. Noticeably, this article slams LifeLock -but fails to mention the number of other companies offering to set fraud alerts nor does it mention that Experian’s agenda could be less then genuine -after all, they have competing products. What distresses me is the questionable motive behind this ruling in light of Experian’s recent press release. Here’s a clip;
    EXPERIAN FULL-YEAR PROFIT UP 11 PCT…
    “profits rose 11% to a NET profit of $486 million compared to $437 million in the previous year.”

    Experian boldly shares the news that their revenue rose 2 percent to $3.9 BILLION -yet cried to the Judge LifeLock was darn near putting them out of business. Wonder if they shared there great news with the -before he ruled LifeLock is costing Experian money. Knowing this news -would the Judge have ruled the same way? If so shame on the Judge -and shame on Experian.

    For more on Experian’s profits -see their press release here:
    http://finance.yahoo.com/news/Experian-fullyear-profit-up-apf-15299662.html?.v=1

  • By Zach, June 1, 2009 @ 2:26 pm

    I have to agree with Denise, this article is a great many things including biased, poorly researched, and full of holes. First and foremost as an Id theft educator and recognized expert I can tell you that companies like LifeLock do place fraud alerts as one of their tools to protect their subscribers. However, contrary to the rantings of the author, the alert is far from the major step and certainly not the only means these companies have in combating id theft. Moreover, the fact that id theft is America’s number one crime with 1 in 3 citizens being effected gives me cause to think everyone has a right to be suspicious of their identity being compromised (no wink wink needed its a real crime effecting millions and comments like that take away from the victims!)

    Second, if I’m not mistaken LifeLock is a partner with Trans Union and has taken some of the work out of placing fraud alerts for that company. Which the author would have known if they had spent more time researching and less time thinking of witty snaps. Furthermore, because all three agencies have to adhere to the alerts place with any one, Experian will still have to place alerts from LifeLock subscribers.

    Finally Experian has its own id theft program that consumers can subscribe to for some 10 dollars a month as well. I highly doubt that this program will do anything shy of employing the same tools as the many id theft companies, like LifeLock, out there today. To say that this summary judgment is an end to companies like this is ludicrous. If for no other reason than it is a summary judgment, and legal speaking very open for appeal since there was no real trial!

    Next time do your research please and let the people really decide by giving them all the facts.

    to learn more about companies like LifeLock don’t go to these kinds of sites check real review and the companies sites themselves and make your own educated decisions.

  • By IndependentOperator, June 1, 2009 @ 4:07 pm

    Disagree with you, Frank. The cost of lending should include adequate fraud protection. Currently we’re enjoying subsidized interest rates because of inadequate fraud protection that hurts the few rather than the many. It is very rare that you’ll hear me cheering for regulations, but fraud protection needs to be increased even if that means interest rates increase.

  • By Kosmo @ The Casual Observer, June 1, 2009 @ 4:09 pm

    On the topic of LifeLock – they will be the “title sponsor” of the WNBA Phoenix Mercury. Their name will appear on the actual jerseys (similar to soccer jerseys in many countries)

    http://sports.espn.go.com/wnba/news/story?id=4222228

  • By Frank Curmudgeon, June 1, 2009 @ 4:49 pm

    Denise and Zach: It is true that LifeLock has a deal with TransUnion and it is true that I did not know this. Sorry to all. It does undercut my thesis that LifeLock is heading for a quick exit. Of course, if submitting fraud alerts to TransUnion only was sufficient, why was LifeLock bothering Experian?

    But the fact remains that LifeLock’s use of fraud alerts is abusive, not what was intended by their creators, illegal according to a federal judge, and likely to destroy the usefulness of fraud alerts to help stop actual fraud. The idea that all of LifeLock’s customers “have a good faith suspicion that [they] have been or are about to become a victim of identity theft” and will continue to do so indefinitely is, among other things, humorous.

    And I find the assertion that the judge might have ruled differently if he had known more about Experian’s profitability to be evidence of a bizarre attitude towards the rule of law and not a little insulting to the judge.

    The statement that 1 in 3 people are “effected” by identity theft is, at best, grossly misleading. In general, consumers aren’t the victims at all. There are, of course, many cases in which consumers have been caused harm by having their information used to perpetrate a fraud, but these cases are many orders of magnitude rarer than 1 in 3.

    The fear of identity theft is like the fear of swine flu. Neither is a hoax. They both are real and bad things. But the hysteria and media hullaballoo is massively out of proportion to the actual problem.

    The big difference being that there is a large constituency of those who stand to profit from fanning the flames of identity theft paranoia, including LifeLock and, it must be said, both of you.

  • By Frank Curmudgeon, June 1, 2009 @ 4:59 pm

    IO: Not sure I follow your logic. Fraud is primarily a cost to lenders, so wouldn’t it be baked into current interest rates?

    I think it could be argued that there is an externality in that the collateral damage done to people whose information is used to defraud a lender is not priced into the interest rate. In principle, I could support a regulation that shifted that cost back onto the lenders/borrowers. I just don’t think that externality is anywhere near as big as popular opinion would have it.

    I also think it is worth observing that the credit bureaus’ primary business is in providing creditors with information to help them decide if a potential loan is likely to be paid back. If what LifeLock does helped avert fraud in a cost-effective manner they would have adopted similar measures a long time ago.

  • By Jim, June 1, 2009 @ 4:59 pm

    I got a good laugh out of the picture of “a sea of cubicles whose job was to call another sea of cubicles and read off information from one computer screen to be transcribed onto another.”

    Zach, where do you get that “1 in 3 citizens being effected” by identity theft? I don’t see anything with numbers anywhere near that high.

  • By Jim, June 1, 2009 @ 7:53 pm

    BTW, I was curious about how the prevalence of identity theft compared to other crimes.

    FTC has data on identity theft. Dept. of Justice has general crime data.

    In 2005 there were 8.3 Million instances of identity theft. That would make it the #1 crime. By comparison there were 6.7M instances of larceny/theft, 2.1M instances of burglary and 1.2M instances of auto theft. All forms of violent crimes totaled 1.3M

    50% of identity thefts incurred a loss of $500 or more. Top 10% of identity theft was over $6000.

    And not all the costs are covered by the financial institutions. 10% of victims had out of pocket costs of $1200 or more.

  • By Frank Curmudgeon, June 1, 2009 @ 8:53 pm

    Great links. Read them very carefully.

    “In at least half of all incidents, thieves obtained goods or services worth $500 or less.” means that in some percentage of cases greater than 50% and possibly much higher, the thief got stuff worth less than $500, possibly $0.

    I’m also greatly skeptical about the methodology of this survey and disturbed at the conflict with the DOJ’s numbers. For reasons I can only speculate on, the FTC has been beating the drum on identity theft for years.

    But I am fascinated by the fact that fraudulently getting telephone service is more common than credit cards. You would think that stealing an on-going service would be a very poor choice.

  • By Denise Richardson, June 1, 2009 @ 9:45 pm

    Frank -Thanks much for taking time to respond. The bottom line is that Experian loses money when we set fraud alerts and that’s why they pushed to make it difficult for us to maintain them. And the industry lobbied fiercely against our right to freeze our credit -hoping that Congress would only allow us to do so -after we became victims of an identity theft! Thanks to our advocates -they didn’t get their way on that one! But remember, Congress doesn’t write the laws -the industry, lawyers and lobbyists wrote them -Congress simply passed them. But more importantly, it’s not LifeLock’s fault that creditors don’t take fraud alerts seriously -and it’s not LifeLock’s fault that creditors don’t verify identities prior to extending credit. Sloppy and reckless credit practices continue to be overlooked -in favor of blaming a company that is trying to be part of the solution -and not the problem. See: Memo to Experian:
    http://weblogs.sun-sentinel.com/news/opinion/theslant/blog/2009/05/xxxxxxx_1.html

    LifeLock isn’t the only company out there offering the convenience of placing our fraud alerts every 90 days -yet they are the only ones being attacked. Why? If Experian focused more on perfecting their customer service and procedures and less on its profits, LifeLock wouldn’t be even a blip on their radar. LifeLock’s not the problem -it’s Identity Theft!

    To claim that we as consumers are not the real victims falsely trivializes the effects of the crime. And yes, creditors may claim they are the victims but -trust me we all pay for “their” loses, one way or another. Identity theft can be far worse than having credit reports affected. People like Eric Drew, who had his identity stolen while in the hospital fighting for his life with terminal cancer, Kevin Wehner who wrongfully had his pictured plastered on TV for killing a police officer, (a crime he didn’t commit) or Cosmo Ricci – a 72 year old man who sat in jail for a weekend waiting to have his name cleared, all innocent probably wouldn’t agree with your stance. Our identifying information is out there -period. And if our Social Security number happens to be leaked, breached, hacked or stolen -that can cause a steady flow of headaches for a number of years as the information is bought, sold and traded amongst criminals. I am not spreading fear -just the opposite…knowledge. The more knowledge we have -the more power we have. I feel that this lawsuit is about money -not consumer protection. And if Experian wanted to protect consumers they would be willing to work with LifeLock to find solutions -not suing them to protect profits.

  • By Rob Bennett, June 2, 2009 @ 6:27 am

    I agree with Rob’s comment in… “There was a day….” But that doesn’t apply to LifeLock or any of the other companies trying to be part of the id theft epidemic’s solution. It does however relate to Experian.

    Thanks for your comment, Denise.

    I haven’t done the research I would need to do to say with certainty that I was wrong. But your words have convinced me that there is more to this than I was presuming when I wrote those words. You deepened my understanding of this question.

    Rob

  • By Jim, June 2, 2009 @ 5:30 pm

    Frank said:
    “In at least half of all incidents, thieves obtained goods or services worth $500 or less.” means that in some percentage of cases greater than 50% and possibly much higher, the thief got stuff worth less than $500, possibly $0.

    They are confusing with the “at least half” qualifier there.

    They really should have just said the median is $500. Thats what the full report actually says. See table 2 on page 5:
    http://www2.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf

    “But I am fascinated by the fact that fraudulently getting telephone service is more common than credit cards. You would think that stealing an on-going service would be a very poor choice.”

    I would bet that people committing identity theft to setup telephone lines or commit other forms of telephone service fraud are frequently illegal immigrants using the telephones to call home to relatives in foreign countries. Or simply petty thiefs looking for free mobile phone usage.

  • By Jim, June 2, 2009 @ 5:43 pm

    Also, I found a DOJ report specific to identity theft:
    http://www.ojp.usdoj.gov/bjs/abstract/it05.htm
    Their total # for 2005 is 6.4M. So with DOJ stats alone for the year 2005 identity theft as a large category actually comes in a close 2nd to larceny/theft nationally.

    The DOJ survey was of 40,000 households and the FTC survey was 4,917 people. THe FTC report used random digit dialing. So the differences in methodology would likely account for different results.

  • By GPR, June 2, 2009 @ 6:57 pm

    Kudos to Denise for not pretending to be someone neutral.

    To Zach: (“…as an Id theft educator and recognized expert…”)
    I offer my congratulations on your recognition. I myself am an unrecognized expert in a great many things, and it is truly a source of discontent.

  • By Wise FInish, June 3, 2009 @ 11:31 pm

    If you were a user of Lifelock or Debix, it’s good that you are concerned about protecting your identity & credit file. However, there is a better (and cheaper) way to go that will give you the same or greater protection without the monthly bill – locking your credit report yourself. It’s pretty easy and cheap, when compared with services like Lifelock. I posted an article about this if you want more information: http://wisefinish.com/2009/06/03/money/goodbye-lifelock-hello-low-cost-credit-protection/

  • By Chris, June 4, 2009 @ 2:48 pm

    Most likely they will (or should) change their business model to sell breach management services to either small or large business. About half the large fortune 500 companies with large PII risks have breach management plans in place. Smaller companies won’t have them at all. Would be a good place to start…

Other Links to this Post

RSS feed for comments on this post. TrackBack URI

Leave a comment

WordPress Themes