Your personal financial information can’t be completely protected.
With the already immeasurable list of data breaches that seems to grow longer by the day, maybe we should be praying not for protection but for better interventions. Witness the recent news involving the Federal Trade Commission and LifeLock Inc., one of the leading companies in the identity-theft protection business.
The FTC has filed charges alleging that LifeLock violated a 2010 settlement in which the company vowed to stop making deceptive claims about its services and implement stronger measures to safeguard its own customers’ personal data, including credit card, Social Security and bank account numbers.
I hope the irony is not lost on you. The FTC contends that a company that people hired to defend against identity thieves didn’t, for a period of time, adequately guard the personal data that the company itself collected.
“We disagree with the substance of the FTC’s contentions and are prepared to take our case to court,” LifeLock said in a statement. “LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.”
Whatever happens this time (LifeLock previously shelled out $12 million), the case should serve as a reminder that identity-theft services are limited in what they can do and still can leave you exposed. Here’s how:
▪ The claim: In its advertising, LifeLock says it “uses advanced technology to constantly monitor over a trillion data points to help detect suspicious uses of your identity information to get loans, credit and services in your name.”
▪ The caveat: Let’s say that with all of its super-duper detection, LifeLock discovers that your information has been compromised. This means the data is already out there and perhaps being sold for goodness knows what. By the time a breach is detected, it’s too late. Oh, and by the way, in those ads — and in smaller print than the protection claim — is this disclosure: “Network does not cover all transactions.”
The company further explains in its website’s FAQ section: “Not all merchants participate and on occasion an application may be submitted by a lender or service provider that does not fall within our network.”
▪ The claim: “At the center of all LifeLock services is the patented LifeLock Identity Alert system. Actionable alerts are sent in near real time as soon as LifeLock detects your Social Security number, name, address or date of birth in applications for credit and services within our extensive network. … You can choose alerts by text, phone or email.”
▪ The caveat: Again, alerts only come after the fact. Also, the FTC noted in its original 2010 complaint that LifeLock’s alerts don’t protect you from some of the more common types of identity theft, such as misuse of an existing credit account, that typically do not involve obtaining consumer credit reports. “Nor do the alerts protect against other types of identity theft, such as medical identity theft, employment-related identity theft, or using another’s identity to evade law enforcement,” the FTC added.
▪ The claim: Identity-theft services may offer alerts of activity on your credit card, checking and savings accounts.
▪ The caveat: You’re paying for something you can do yourself.
With so many data breaches, most financial institutions now allow you to sign up for free alerts. I have alerts on all my accounts. I set a threshold upon which I want to be alerted by email. And believe me, I investigate every alert I get. The sooner you catch something, the quicker you can intervene.
▪ The claim: You will get your alerts lickety-split.
▪ The caveat: You might not get alerted as quickly as you think.
In its new complaint, the FTC said that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity around the clock, 365 days a year, by sending alerts “as soon as” there was any indication there was a problem.
LifeLock says in in its FAQs that it’s “possible that, due to a lender or service provider’s internal processing procedures, in limited circumstances an application made within our network may not result in an alert or may result in a delayed alert notification.”
As the FTC noted, even when you put a fraud alert on your credit files, creditors could overlook such notices. And many institutions simply don’t have sufficient protections within their systems to thwart identity thieves.
You might feel some comfort in purchasing an identity-theft protection service. But even the best of them still leave you vulnerable because what they largely provide is an after-the-fact “defense.”
Hear Michelle Singletary’s personal finance reports on www.npr.org. Readers may write to her c/o The Washington Post, 1150 15th St., NW, Washington DC 20081.