
Lessons Corporations Can Learn from LifeLock’s $12 Million Settlement
Thursday, June 3, 2010 - 22:42

By The CSRSI Team

Identity theft is the top complaint the FTC receives each year; twenty-one percent of the complaints filed in 2009 related to ID theft. Companies are required to protect Personally Identifiable Information (PII), and those that accept credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS).

The announcement of the $12 million LifeLock settlement exposes LifeLock’s failure to protect consumer data. The loss of reputation is harder to quantify than the financial cost of the settlement itself, but it is very real. The costs will continue to accumulate for the next 20 years as the company performs the required remediation activities, consuming staff and management time as well as funds.

The charges the FTC described in its March 9 announcement of the settlement listed several critical weaknesses in LifeLock’s systems:

  1. Data was not encrypted
  2. Information was not restricted on a “need to know” basis
  3. The company’s “data system was vulnerable” to exploitation

LifeLock collected sensitive information from its customers, including both Social Security numbers (covered as Personally Identifiable Information, or PII) and credit card numbers (which the PCI DSS requires to be protected).

Beyond the monetary penalty for making false claims about how sensitive data was handled, the settlement imposes ongoing remediation costs. According to the FTC: “the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.”

The FTC will use $11 million of the settlement to provide refunds to LifeLock’s 1.5 million customers.

The FTC’s release continues: “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

Clearly it’s impossible to guarantee protection from identity theft. “Unfortunately, there is nothing that you can do or purchase that will provide you with a 100% guarantee against being a victim of identity theft,” according to Lisa Madigan, Illinois Attorney General.

The important takeaway is that NOT taking care to protect the data customers entrust to a company can be tremendously more expensive in time, money and reputation than the effort of being diligent with consumer data in the first place. In retrospect, LifeLock has learned a very expensive lesson, one that should give all companies pause to reflect on the completeness of their programs to protect customer information in all its forms and in every location where it is stored or processed.

If you’d like to learn more about how CSRSI documents the flow of Personally Identifiable Information and guides clients through PCI Compliance, please call or email Ross Federgreen (866-462-7774 x1) or Jan Carroza (866-462-7774 x4).
