Credit reporting firm sues LifeLock over fraud alerts

LifeLock, which touts itself as one of the largest providers of identity theft protection services in the U.S., is being sued by Experian for allegedly placing false fraud alerts on consumer credit-history files maintained by Experian as part of its credit reporting business.

Experian filed its lawsuit in the U.S. District Court for the Central District of California, which has its main office in Los Angeles. In the suit, the Costa Mesa, Calif.-based company claimed that LifeLock is itself engaging in deceptive and fraudulent behavior. Lifelock's business model is built around false and misleading advertising and fraudulent practices that are causing millions of dollars in monetary damages to Experian and that eventually could reduce the effectiveness of fraud alerts, according to the suit.

Experian asked the court to order LifeLock to pay it full restitution of the costs incurred as a result of the latter's alleged wrongful conduct, as well as a "disgorgement" of any profits that Lifelock may have earned as a result of that conduct. The credit reporting firm also is seeking unspecified punitive and compensatory damages, plus an injunction barring LifeLock from continuing to engage in its allegedly false and misleading advertising activities.

In an interview today, LifeLock CEO Todd Davis strongly refuted Experian's claims and contended that the lawsuit was a blatant attempt to prevent his company from expanding its credit monitoring business. Phoenix-based LifeLock is making it harder for Experian to make money off of the credit history files it maintains on individual consumers, Davis said. He added that he welcomes the opportunity to argue the legal issues in court, and that he may even see if there's a way to bring the other two major credit reporting firms into the case as well.

"We are not surprised [by the lawsuit]," Davis said. "We realized we would be hearing from them when we began taking some of their turf. We feel extremely strongly about our position."

As part of LifeLock's identity theft protection service, the company places fraud alerts on behalf of its subscribers with Experian and its two main rivals: Equifax Inc. and TransUnion LLC. For an annual subscription fee of US$110, LifeLock promises to keep renewing the fraud alerts every 90 days and to remove the names of subscribers from credit card and other junk mail lists (Compare Identity Management products).

LifeLock also offers to order free credit reports on behalf of its customers and to act on their behalf to cancel and renew cards that are lost or stolen. The company guarantees that it will pay up to $1 million over the course of a subscriber's lifetime to cover any fraud-related costs caused by a failure of its service.

Hundreds of thousands of individuals have signed up for the service thus far, according to LifeLock. Meanwhile, Davis has gained considerable attention for publicly disclosing his Social Security number on the company's Web site as part of a marketing campaign aimed at showing how foolproof the service is.

But Experian claimed in its 58-page complaint that LifeLock is illegally placing "hundreds of thousands of fraud alerts" in its consumer credit database every three months. Experian said that under the federal Fair Credit Reporting Act (FCRA), such alerts are meant to be placed only by consumers or by other individuals who they appoint to act in their interest. The credit reporting firm also claimed that alerts should be entered only when people have already been victimized by identity theft or have legitimate reasons to believe that they are at imminent risk.

In addition, Experian said that the FCRA specifically prohibits companies from placing fraud alerts in the credit files of consumers. According to the lawsuit, LifeLock's practice of placing such alerts on behalf of its subscribers is costing Experian millions of dollars in charges for calls to its toll-free 1-800 telephone numbers, which were set up specifically for use in submitting fraud alerts.

There are other costs as well, Experian claimed. "Once an initial fraud alert is placed, it triggers costly statutory obligations for consumer reporting agencies such as Experian," the company said in the lawsuit. For instance, the credit reporting firms are required to mail a notice to anyone who has a fraud alert placed in his or her file. They also have to provide a free credit report, in addition to the one that people are entitled to annually, the company noted.

"Such obligations were never intended to be triggered by a private company seeking to profit by illegally placing fraud alerts on behalf of consumers who do not have a genuine suspicion of imminent fraud," Experian said in the lawsuit. It described LifeLock's business model as a scheme to "game the system" and said the latter company was misleading consumers by giving them the false impression that it was authorized to act on their behalf in placing the fraud alerts and that those alerts could be renewed indefinitely.

The lawsuit also calls into question the background of one of LifeLock's founders, saying that he spent time in jail for financial fraud and has been barred by the Federal Trade Commission from engaging in certain credit reporting activities.

Davis challenged Experian's assertions and said they were motivated not by concerns for consumers but instead by a desire on the part of Experian to protect its bottom line. LifeLock is cutting into Experian's own credit monitoring business, Davis claimed. And, he said, the fraud alerts placed by LifeLock make it harder for Experian to sell credit records to third parties because it is required to notify people beforehand.

In addition, Davis contended that Experian is making "semantic arguments" about the spirit of the FCRA as it relates to fraud alerts. Such alerts are meant to be used to protect consumers against identity theft, he said, adding that there is nothing in the law that says the alerts can only be used for 90-day periods. All the FCRA says is that an alert will remain in place for a maximum of 90 days, according to Davis. At the end of that period, an individual is free to place another alert if he or she chooses to, he said.

Davis said Experian also is ignoring the spirit of the FCRA by claiming that the law doesn't allow companies such as LifeLock to place fraud alerts on the behalf of individuals who appoint it to do so. "We are more than willing to let the court decide that issue," he said.

Furthermore, Davis said that if Experian provided LifeLock with an interface for placing the alerts in files electronically, it would be glad to use that option instead of the 1-800 phone numbers. In fact, LifeLock is discussing that option with one of the other credit reporting agencies, he said, declining to identify which one.

Donald Girard, a spokesman for Experian, dismissed the suggestion by Davis that the lawsuit was driven by fears of competition and said that Experian doesn't consider LifeLock to be a rival to any of its businesses.

Girard charged that LifeLock is abusing both the spirit and the letter of the FCRA. Laws regarding the use of credit alerts clearly intend for them to be used as a temporary measure to guard against identity theft and other types of fraud, he said. They aren't meant to be used as a permanent tool, and doing so will only end up diluting the efficacy of fraud alerts in the long term, according to Girard.

"LifeLock is acting as a proxy for an individual in a way that Congress did not intend or permit," he said. "They are using a temporary stop-gap method as a permanent perpetual tool." He added that Experian has yet to decide exactly how much it will seek from LifeLock in monetary damages but that the amount will run into the millions of dollars.

Learn more about this topic

 

This story, "Credit reporting firm sues LifeLock over fraud alerts" was originally published by Computerworld.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies