A former employee of LifeLock Inc. has filed a lawsuit against the Tempe, Ariz.-based identity theft prevention company claiming he was fired for uncovering illegal practices and serious vulnerabilities in its data protection services.
In Peters v. LifeLock Inc. et al., filed March 20 in U.S. District Court in Phoenix, Michael Peters, LifeLock's former chief information security officer, says the initial risk assessment he began conducting upon his hire in July 2013 revealed that the company was performing only 27% of the minimum intrusion prevention, data leakage and encryption, and other technological security readiness measures needed to protect its customers' sensitive information.
Mr. Peters claims he also discovered that LifeLock had not dedicated any internal resources to security vigilance measures, including vulnerability testing, auditing or monitoring, incident management and event logging.
Additionally, Mr. Peters' lawsuit accuses the company of periodically and illegally suspending or reducing the data breach alerts it sends to elderly customers in order to minimize call volumes in its customer support center, and alleges that a new product called PassLock that the company was preparing to launch would store customer credentials with a third-party cloud hosting provider without that provider's knowledge or consent.
“Mr. Peters concluded that millions of customers were at risk given the data LifeLock possesses and was incapable of protecting,” the lawsuit states.
Fired after disclosing concerns
Mr. Peters claims in the lawsuit that he brought his findings to LifeLock Chief Financial Officer Chris Power and Chief Information Officer Rich Stebbins, but that nothing was done to remedy the security flaws or alleged illegal activity, which he had determined represented a substantial risk and potential defrauding of the company's customers and shareholders.
Instead, Mr. Peters claims the company manufactured a reason to fire him just four weeks after he was hired. He alleges that one of his previous employers, Vantiv Inc. — formerly an operating unit of Fifth Third Bancorp — falsely informed LifeLock that he had been fired, when in fact he had resigned in order to accommodate his wife's position in the U.S. Army, according to court documents.
“Based on the false information, LifeLock decided it had cause to terminate Mr. Peters by claiming that he made a misrepresentation on his employment application regarding his departure from Fifth Third Processing Solutions,” the lawsuit states.
Mr. Peters has sued LifeLock for violating whistleblower protections under both the Sarbanes-Oxley Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act, and is seeking back wages, benefits and additional compensatory damages.
LifeLock did not respond to a request for comment on the allegations.