We’ve all seen the commercial. Todd Davis, the CEO of LifeLock, looks to the moving billboard emblazoned with his Social Security number to show how confident he is that his identity can’t be stolen (it can be, and it was, because the offending company didn’t run a credit check). Now Judge Andrew Guilford has indicated that the service provided by LifeLock and similar companies is illegal.

One of the three major credit reporting organizations filed a suit in federal court claiming that LifeLock was improperly requesting that credit fraud alerts be placed on consumer accounts, which resulted in additional costs of millions of dollars every year (see the complaint here).

While I understand Experian’s claims of LifeLock crying “FIRE” when there is no smoke in the building, and regret the extra work required to proactively protect LifeLock customers, I see this decision setting a precedent that will push more work to consumers.

Judge Guilford’s ruling indicated that the original wording of the Federal Credit Reporting Act (FCRA) allowed the consumer directly, or an individual acting on behalf of or as a personal representative of the consumer, to be the requester of the fraud alert when the consumer is, or is about to become, a victim of fraud or a related crime, including identity theft (bolding and italicizing added by me). Because LifeLock is a company, it does not meet these criteria and thus is unable to file the fraud alert.

So, you ask, what does this mean to my company? If your company suffers a data breach that exposes sensitive employee or consumer data, technically you are no longer able to contract with a company to provide the fraud alert service. To be protected from identity theft, each affected individual would need to file a fraud alert with the three major credit reporting companies themselves.

This additional work shifted to the consumer could hurt your brand as well as your business reputation. It may also affect your disaster recovery program for data breaches, something that needs to be reviewed and potentially updated with the Red Flag Rules set to go into effect on August 1.

As a consumer, I hope that some compromise can be worked out that will allow a company to take the steps necessary to protect my identity; as a risk professional, I hope that occurs soon.