This blog first discussed the Experian v. Lifelock lawsuit back in February of 2008. Last week, a U.S. District Court judge in California in favor of Experian. Finextra reported:
"US District Judge Andrew Guilford of California's central district backed the claim of credit referencing agency Experian in a lawsuit filed against LifeLock last year. As part of its $10 a month service, LifeLock requests that Experian, and other agencies, places fraud alerts on customers under the US Fair Credit Reporting Act (FCRA). It also renews the request every 90 days, when the alerts expire. Experian argued that under the act, companies like LifeLock cannot request alerts on behalf of customers. The judge agreed and granted the Experian motion..."
The Fair And Accurate Credit transactions Act of 2003 (FACTA) established the Fraud Alert as a free tool for consumers who have been or feel they will soon be victims of identity theft and fraud. The Fair Credit Reporting Act (FCRA) further specified how credit reporting agencies should administer Fraud Alerts, including how users of consumer credit reports (e.g., potential lenders, banks, and other businesses) before lending credit should contact consumers who have a Fraud Alert attached to their credit reports.
Lifelock gained consumers' attention with with splashy ads featuring its CEO advertising his real Social Security number, and a few celebrities like Rush Limbaugh promote the company's services. In March 2008, Lifelock proposed stronger fraud laws including:
- Restitution by the criminals for identity-theft victims
- Emphasis and funding for law enforcement to pursue identity-theft criminals.
- Clearer, consistent legislation across states about what consumers' personal data companies can archive, how they must protect it, and what items must be purged by when
- Consistent "Shine The Light" notification laws across states (requiring retailers to disclose where consumers' personal data is shared)
- Consistent data breach notification laws across states
- Consistent anti-skimming laws across states
- Stronger legislation to protect whistle blowers, and stronger penalties for companies and individuals who abuse them
- Suggestions to to strengthen data security among small businesses
Many of these proposals made sense back in March 2008, and still make sense today. Consumers need stronger protections. What does all of this mean?
This ruling means that individuals, and not credit monitoring companies, must place Fraud Alerts on their Experian credit reports. Lifelock will probably continue to place Fraud Alerts for consumers on their Equifax and TransUnion credit reports -- until those companies sue Lifelock.
It seems to me, these two companies have fought over who gets to "protect" consumers' credit reports with an arguably weak Fraud Alerts tool. The number of data breaches soared 47% in 2008 compared to 2007, and fraud victims struggled. Meanwhile, these two companies chose to waste a lot of time, money and effort fighting over a Fraud Alert tool that needs improvement, while their core services lack the comprehensive features consumers need.
This fight between Experian and Lifelock was like two five-year-old kids arguing over who gets the last brownie on the kitchen table while there is a fire burning in the living room.
There are bigger issues at stake. Credit monitoring does nothing to stop:
- Criminal identity theft: when a criminal uses another person's identity during a crime
- Medical identity theft and fraud: when a person uses another person's identity to gain free medical care, and wrecks the victim's access to health care they rightfully paid for
- Data breaches and fraud at outsourcing vendors and at offshore outsourcing vendors
- Poor data security practices by companies and employees
- Insider identity theft and fraud
This court case did absolutely nothing to strength a weak Fraud Alert tool. Consumers need far more comprehensive identity protection and resolution services than either company provides today.
In April 2008, Consumer Reports reviewed Lifelock's services. In this blog, you can read reviews of the Experian Triple Alert credit monitoring service and Experian's product line. I don't recommend any of these services, but judge for yourself.
Rather, I'd love to see a service with a truly comprehensive suite of identity protection and resolution services for consumers:
- Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
- Unlimited access to the full text of all of my C.L.U.E. insurance reports
- Unlimited access to the full text of all of my sensitive personal medical information
- Monitoring of my identity across social networking sites
- Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
- Tools and calculators to help me evaluate these reports
- The ability for to customize alerts based on my individual needs
- Options to add Fraud Alerts to any or all of the above reports
- Options to add Security Freezes to any or all of the above reports
- Criminal fraud monitoring (if my identity is used by thieves during a crime)
- Identity fraud assistance when traveling outside the USA
- Identity resolution services and insurance covering all of the above reports
- 24/7, and easy access to a real person in customer service via phone and via e-mail
- Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need
Consumers can't get all of the above. To get large portions of it, a consumer would have to cobble together (and pay for) at least five or six different services. It shouldn't be this hard. It shouldn't be this costly, too.
So, as far as I can tell a truly comprehensive identity protection service doesn't exist. When it does, I will be happy to subscribe.