The Federal Trade Commission has repeatedly sued NortonLifeLock (formerly LifeLock) for making false and misleading claims about the scope of its identity theft protection coverage. In a pattern of deception spanning multiple decades, the company promised comprehensive protection against medical identity theft, employment identity theft, address changes, and fraud alerts—claims that regulators determined were either entirely fabricated or deliberately misleading.
The most significant FTC action resulted in a $100 million settlement in 2015 after the company violated a previous $12 million settlement from 2010, demonstrating a pattern of continuing deception even after being caught and punished by federal regulators. This article explains what false claims the FTC identified, how the company violated previous court orders, who qualifies for compensation through recent class action settlements, and what identity theft protection actually does and doesn’t cover. Understanding the gaps between marketing promises and real protection is critical for consumers evaluating identity theft services.
Table of Contents
- What Specific Claims Did LifeLock Make That the FTC Found False?
- How Did LifeLock Repeatedly Violate FTC Enforcement Orders?
- What Gaps Exist Between Identity Theft Service Promises and Actual Protection?
- Who Was Harmed by These False Claims and Is Eligible for Compensation?
- What Should Consumers Know About Identity Theft Services and Their Real Limitations?
- What Are the Details of the 2026 Settlement Against Gen Digital?
- What Does This History Tell Us About Enforcement and Corporate Accountability?
What Specific Claims Did LifeLock Make That the FTC Found False?
LifeLock’s core deception centered on the phrase “complete protection.” The company marketed itself as offering comprehensive identity theft protection that would guard against all forms of identity theft. However, regulators found that LifeLock provided no meaningful protection against medical identity theft—a category where criminals pose as patients to obtain medical services or prescription medications. The company also claimed to prevent employment identity theft, where bad actors use someone’s Social Security number to obtain work or access employment benefits, yet LifeLock’s service could not actually monitor for this activity. The company also made unsupported claims about monitoring address changes and delivering fraud alerts with the same reliability it advertised.
The 2015 ftc enforcement action added another layer of deception: LifeLock claimed its data security practices were “comparable to financial institutions.” Regulators determined this was false. Financial institutions operate under specific regulatory regimes with mandated security standards, regular audits, and enforcement mechanisms. LifeLock’s security program, the FTC found, was nowhere near equivalent. The company had failed to establish comprehensive information security safeguards despite holding sensitive personal information for millions of customers.
How Did LifeLock Repeatedly Violate FTC Enforcement Orders?
In March 2010, the FTC secured a $12 million settlement with LifeLock—$11 million went to the FTC and $1 million was distributed to 35 state attorneys general. This settlement included a court order prohibiting the company from making false or unsubstantiated claims about its identity theft protection coverage. However, LifeLock did not comply. The company continued running advertisements making the same misleading claims about comprehensive protection and security practices comparable to financial institutions. By 2015, less than five years after the initial settlement, the FTC returned to federal court. This time, the penalty was far more severe: LifeLock was ordered to deposit $100 million into the U.S.
District Court registry for the District of Arizona. The difference between the two settlements illustrates a fundamental enforcement principle—violating a prior FTC order triggers much harsher penalties than the original misconduct. The company had been given explicit notice about what claims were false, and continued making them anyway. This wasn’t a matter of unclear marketing language; it was knowing violation of a court order. The 2015 settlement also imposed strict oversight requirements. LifeLock had to maintain an independent auditor to verify its information security program, document all claims about its services, and prove that claims were substantiated before making them in any advertising. Despite these controls, the company has faced additional enforcement actions in subsequent years, indicating compliance problems persisted even after the $100 million penalty.
What Gaps Exist Between Identity Theft Service Promises and Actual Protection?
Identity theft services operate within inherent limitations that no company can overcome. Monitoring services—the core function of LifeLock and competitors—are reactive, not preventive. When a credit monitoring service alerts you that your Social Security number was used to open a new credit account, the fraud has already occurred. The service then helps you dispute it, but the damage is done. This is fundamentally different from “protection” in the sense that most consumers understand the term. Medical and employment identity theft exist outside the realm of credit monitoring because they don’t always appear on credit reports. If a criminal uses your name and Social Security number to see a doctor, obtain medication, or work illegally, credit monitoring won’t catch it.
A doctor’s office typically won’t run a credit check. An employer filing an I-9 may not verify that the Social Security number actually belongs to the person claiming it. This is why LifeLock’s claims about preventing medical and employment identity theft were particularly egregious—the company was marketing solutions to problems that exist in entirely different ecosystems from the credit-focused monitoring it actually provided. Address monitoring presents another false promise. While credit card companies and banks do notify customers of address changes, LifeLock cannot control whether every institution you do business with will flag such changes or deny fraudulent transactions. A criminal who changes your address on file at a financial institution can then receive statements or redirect refunds without your knowledge. LifeLock monitoring might eventually reveal this, but again, you’re discovering fraud after the fact, not preventing it.
Who Was Harmed by These False Claims and Is Eligible for Compensation?
Consumers who purchased LifeLock’s identity theft protection services while the company was making false claims are the direct victims. The harm operates on two levels: consumers paid for protection that was less comprehensive than advertised, and they relied on that false sense of security while their personal information remained vulnerable in ways LifeLock could not address. Someone paying for LifeLock protection against medical identity theft but never receiving any actual monitoring for medical fraud was essentially paying for false reassurance. Beyond the historical settlements, a more recent class action provides potential compensation.
In 2026, Gen Digital (LifeLock’s parent company through Norton) settled a $9.95 million TCPA class action lawsuit related to prerecorded marketing calls made between February 19, 2021, and October 30, 2025. The settlement provides individual compensation ranging from $200 to $625 per eligible claimant, depending on the number of valid claims submitted. This settlement received preliminary approval on January 28, 2026, with final approval scheduled for July 14, 2026. Consumers who received prerecorded marketing calls from LifeLock/Norton during this period may be eligible, though they must submit a claim to receive compensation.
What Should Consumers Know About Identity Theft Services and Their Real Limitations?
The lessons from the LifeLock enforcement actions apply to the entire identity theft protection industry. No service can offer “complete” protection because identity theft occurs across multiple systems with different monitoring capabilities and different security standards. Credit monitoring covers credit-related fraud.
Monitoring services might alert you to unauthorized addresses or phone numbers on file at major credit bureaus, but they cannot monitor every business you have a relationship with. When evaluating identity theft protection services, read the actual coverage details, not the marketing tagline. What specifically will be monitored? Where will alerts come from? What response services are included? Does the company pledge to help dispute fraudulent accounts, or just alert you that fraud occurred? Many of these services are now included free with bank accounts, credit cards, or insurance policies—which means the “complete protection” companies were selling for $100+ per year was already available for free elsewhere. Some of the best protection against identity theft doesn’t require paying a service at all: placing a security freeze on your credit reports with Equifax, Experian, and TransUnion, which is free and prevents new credit accounts from being opened without your authorization.
What Are the Details of the 2026 Settlement Against Gen Digital?
The recent TCPA class action settlement stands as the most current legal action affecting LifeLock consumers. The $9.95 million settlement compensates people who received unsolicited prerecorded marketing calls—a separate violation from the identity theft protection claims. The settlement class includes anyone who received such calls at their residential phone line during the roughly four-and-a-half-year window from February 19, 2021, through October 30, 2025. To receive compensation, eligible class members must submit a valid claim proving they were called during this period and that the calls violated the Telephone Consumer Protection Act (TCPA).
Compensation ranges from $200 to $625 per person, with the exact amount depending on claim volume. The preliminary approval stage, completed on January 28, 2026, confirmed that the court found the settlement terms fair and reasonable. Final approval is expected July 14, 2026, after which claim payments will be distributed. Class members should watch for official settlement notices and deadlines, which will be posted on the settlement’s official administration website.
What Does This History Tell Us About Enforcement and Corporate Accountability?
The LifeLock case demonstrates both the effectiveness and limitations of FTC enforcement. The agency successfully identified false claims, secured significant financial penalties, and obtained court orders preventing future deception. Yet LifeLock violated the first order within five years, requiring a second, much larger penalty. Even after the $100 million settlement, the company faced additional enforcement actions.
This pattern suggests that financial penalties alone, however large, do not guarantee compliance if a company’s business model depends on exaggerated marketing claims. Going forward, consumers should view identity theft protection services with appropriate skepticism. The industry has been effectively regulated on certain deceptive claims—major providers are now more careful about claiming “complete” protection or impossible guarantees. However, the history of LifeLock shows how easy it is for companies to make subtle, difficult-to-disprove claims about monitoring capabilities and security practices. The safest approach is to understand what identity theft actually is, which gaps exist in monitoring services, and which protections (like credit freezes) cost nothing but are highly effective.