Last week, things really heated up in the credit monitoring and identity theft industry. Forbes magazine reported that Experian, one of the three major credit bureaus, had filed a lawsuit in California against LifeLock. According to the news report, Experian accused:
"... LifeLock of placing bogus 90-day fraud alerts on hundreds of thousands of credit files maintained by Experian. In the complaint, Experian says it has suffered "millions of dollars" in damages from being forced to process large numbers of initial fraud alerts and mail mandatory notices to customers."
What? Bogus fraud alerts? An increasingly large number of fraud alerts should not be a surprise to anyone in the identity theft/fraud business, given the steady number of corporate data breaches. 2007 was a record year with corporate data breaches. Depending upon the source you use (e.g., Attrition, the Identity Theft Resource Center, or Privacy Rights Clearing house), the number of records lost or stolen in 2007 ranged from 49 to over 100 million. Any source you pick documents an increase in data breaches in 2007 over 2006.
It seems to me that an increasing number of consumers are starting to read and follow the advice available in industry products and services. One of the first steps after a data breach or identity theft event is for the consumer to place a Fraud Alert on their credit reports. This was one of the first steps I took after my data was "lost" (probably stolen) during the February 2007 IBM data breach incident, along with the sensitive data of thousands of current and former IBM employees. Some consumers are willing to pay for convenience; to pay for a service to help them protect their sensitive personal data.
The Forbes news story goes on to report:
"Experian claims that LifeLock keeps its clients' files in a perpetual state of alert by repeatedly "crying wolf" on behalf of its clients. Its suit questions whether LifeLock has the legal right to request the 90-day alerts, which it maintains are meant to be placed only by individuals who have a reasonable suspicion that fraudulent activity has occurred."
Perpetual state of alert? Come on, Experian. That seems to be a far overstatement of the situation.
When a company suffers a data breach and loses the sensitive personal data of employees, former employees, and/or customers the risk of identity theft and fraud doesn't disappear in a few months. The risk doesn't dissolve when the company issues a press release claiming, "there's no evidence that the data was stolen."
The consumers' sensitive data is out there... period... permanently. So, we consumers are forced to continually monitor our accounts and our credit reports for theft, abuse, or unauthorized access... permanently. We consumers are learning to better protect our sensitive personal data. Establishing repeated fraud alerts is one tool; a first step.
The Forbes article also reports:
"In the suit, Experian also charges that LifeLock has used false and misleading advertising to entice consumers into buying its protection, and is exploiting the system by acting as a middleman for services that the credit companies are required to provide to consumers for free, including annual credit reports, removal from mailing lists and fraud alerts."
That may be. I am not a subscriber to LifeLock since I have done by myself the identity-theft deterrence steps LifeLock charges a fee for. I must admit that LifeLock's advertising is everywhere... on radio, television, print ads, and around the web at social bookmarking sites. LifeLock seems to be doing a better job of promoting their service than Experian does of promoting its Family Secure credit monitoring service.
In his blog The Dunning Letter, Jack Dunnning wrote this about Experian:
"Back in August of 2005, the Federal Trade Commission settled a case with Experian Consumer Direct, a subsidiary of the credit bureau, for deception in advertising “free credit reports” by failing to add the customer would be automatically signed up for credit monitoring services costing $79.95 each year. The FTC ordered Experian to give up $950,000 of its “ill-gotten gains."
Regarding deceptive advertising, Experian's history is not squeaky clean either.
I wonder if Experian sees the handwriting on the wall. As more consumers "lock down" their credit reports with Security Freezes, it becomes harder for credit bureaus like Experian to make the same profit amounts by selling only credit reports to potential lenders and creditors. Consumer credit reports with Security Freezes on them are credit reports Experian (and the other two credit bureaus) can't sell to potential lenders.
Combine this with the trend by more consumers to opt out of pre-approved credit offers, and the market for credit reports has to be negatively affected. So, to make the same profit amounts, Experian probably recognizes that it has to expand into new markets for more revenues. One of those new markets is the growing credit monitoring services market.
Fortunately for consumers, there are many choices today for a credit monitoring service. A consumer can monitor their credit report on their own, or subscribe to a credit monitoring service. These services are available from banks, credit card companies, credit bureaus, and independent companies... like LifeLock.
The wide range of choices is good for consumers, but is probably viewed negatively by Experian. The credit monitoring services market is filled with competitors offering a variety of services because the rise of identity theft has changed the marketplace. Consumers are slowly becoming educated about the scams, threats, and the value of theft-deterrence solutions. And companies have rushed to meet that need.
Consumers have also begun to realize that they want more control over who has access to their credit reports. The Security Freeze tool is a key tool for consumers to exercise control over their credit reports. The Security Freeze tool seems far stronger and more secure than the Fraud Alert tool. Starting with California in 2003, many states passed laws giving consumers the right to this Security Freeze tool. By the end of 2007, all three credit bureaus offered the Security Freeze tool nationwide, without waiting for states to pass more legislation.
So, the identity theft marketplace is changing at a fairly rapid pace. Previously, Experian competed against 2 other credit bureaus (e.g., Equifax and TransUnion) to sell consumers' credit reports. Now, Experian has a whole new set of competitors who offer credit monitoring services similar to Experian's credit monitoring service.
Is the lawsuit only about false/deceptive advertising? Maybe. But it may also be about intimidating or limiting competition, given the rapidly changing identity theft/fraud marketplace. What do you think?