In a decision that has privacy advocates and others scratching their heads, a federal judge has ruled that LifeLock has been breaking California law for years by placing fraud alerts on its customers' credit profiles.

The decision is a blow to the burgeoning identity-theft protection industry, and means that companies that experience data breaches may no longer be able to offer victims free subscriptions to such services – a standard damage-control tactic in recent years. Consumers can still place fraud alerts by contacting one of the three U.S. credit reporting agencies directly.

Bo Holland, founder and CEO of Debix, a competitor of LifeLock, called the ruling "dramatic and unexpected."

"It causes a real shift in the industry," he told Threat Level.

The pre-trial partial summary judgment comes in a lawsuit filed last year against LifeLock by Experian, one of the nation's three credit reporting bureaus. Experian claimed LifeLock is trying to "game the system" of fraud alerts to make a profit.

LifeLock, a controversial company that gained notoriety for publishing its CEO's Social Security number in advertisements, charges $120 a year to consumers to place fraud alerts on their credit profiles, among other services. The company also offers a $1 million guarantee to reimburse the expenses of any customer who suffers losses from identity theft while subscribed to LifeLock.

Under the 2003 Fair and Accurate Credit Transactions Act, or FACTA, fraud alerts are available for free to any consumer who believes he may have been a victim of identity theft, or is at imminent risk of it. With a fraud alert on a consumer's credit profile, banks and other businesses are required to make a reasonable effort to check with a consumer before opening a new line of credit in his or her name.

The consumer normally has to contact a credit reporting bureau directly to place the alert, and then repeat the process every 90 days for as long as the risk remains – a minor hassle that LifeLock and other companies have been happy to help consumers avoid, for a fee. On its face, the business model appeared consistent with FACTA, which allows fraud alerts to be placed by third parties acting on behalf of the consumer.

But in its lawsuit, Experian complained that LifeLock "surreptitiously placed hundreds of thousands" of alerts on Experian files "by posing as the consumer," even when there was no suspicion of identity theft. LifeLock then renewed the alerts every 90 days.

Claiming it was losing "millions of dollars every year" processing such requests, Experian asked a judge to rule that LifeLock was engaging in unlawful and unfair business practices under California's Unfair Competition Law.

U.S. District Judge Andrew Guilford granted the motion last week, finding that federal lawmakers, in writing FACTA, did not intend for consumers to be able to contract with a business to place fraud alerts.

To reach his conclusion, Guilford examined the legislative history of the law and determined that Congress intended only that a family member, guardian or attorney should make the request on behalf of a potential fraud victim, not "companies and entities such as credit repair clinics."

The judge's ruling opens the door for Experian to seek damages from LifeLock, and for the judge to issue an injunction barring the company from placing fraud alerts with any credit reporting agency.

LifeLock did not respond to a call for comment. Experian, in a statement sent to Threat Level, called the ruling "not just positive for Experian, but for consumers."

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, found the ruling odd, but says consumers haven't lost anything.

"They still retain the right to make an independent judgment as to whether or not it is appropriate to place a fraud alert on their credit reports," he says.

But Chris Hoofnagle, director of information privacy programs for the Berkeley Center for Law and Technology, says the ruling is a disappointment.

"The idea that we could some day see a market where we pay $10 a month to a company to opt us out of junk mail, to monitor our credit, to do all sorts of privacy-enhancing steps that we don't have time to take ... for that market to emerge, LifeLock's business model and similar ones have to be legal," Hoofnagle says.

LifeLock isn't the only company impacted by the ruling. Debix, which offers fraud alert services at an annual subscription of $24, says it will have to cancel its fraud alert placement service.

But Debix sees hope in a relationship it has established with Experian competitor TransUnion. Beginning in September, Debix plans to sell a version of TransUnion's credit monitoring service, which provides customers with alerts whenever someone inquires about a customer's credit history, attempts to open a new credit account in the customer's name or makes a change to the customer's address.

Under that service, TransUnion monitors inquiries and changes made to credit accounts in its own database, as well as the databases of Experian and Equifax. It will feed an alert to Debix whenever there is activity on one of its customers' accounts, and Debix will notify the customer. The company will pay TransUnion a fee for every customer it signs up for monitoring.

Holland says Debix currently has about 400,000 customers signed up for its now-outlawed fraud-alert service, which will end in 90 days. After that, Debix will provide those customers with free credit monitoring for the duration of their subscriptions.
