LifeLock Inc. has formally denied allegations that it fired its chief information security officer for uncovering serious deficiencies in its data protection services, according to court documents filed this week.
The Tempe, Ariz.-based identity theft prevention company claims its former chief information security officer, Michael Peters, was terminated in July 2013 for allegedly providing false information on his employment application and behaving inappropriately toward a female co-worker, according to documents filed Monday in U.S. District Court in Phoenix.
Mr. Peters sued LifeLock in March for retaliation under the whistleblower provisions of both the Sarbanes-Oxley Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act, claiming the company fired him in order to conceal the results of his initial risk assessment of its data protection systems and resources.
“LifeLock intends to continue to vigorously defend itself in the case and prosecute its own claims against Mr. Peters,” a spokesperson for the company said in an email to Business Insurance.
In his lawsuit, Mr. Peters claimed his risk assessment revealed that LifeLock allegedly was performing only 27% of the minimum intrusion prevention, data leakage and encryption, and other security measures needed to protect its customers' sensitive information. Mr. Peters also claimed in his lawsuit that the company had not dedicated any internal resources to security vigilance measures, including vulnerability testing, auditing or monitoring, incident management and event logging.
Additionally, the lawsuit accused LifeLock of illegally suspending data breach alerts sent to elderly customers in order to reduce customer support call volumes, and that a new product the company was preparing to launch would store customer credentials with a third-party cloud hosting provider without that provider's knowledge.
Mr. Peters claimed he brought his findings to LifeLock Chief Financial Officer Chris Power and Chief Information Officer Rich Stebbins, but that nothing was done to remedy the security flaws or alleged illegal activity, and that the company instead manufactured a reason to fire him.
In its answer to Mr. Peters' complaint, LifeLock denied the allegations regarding its data protection systems and resources, as well as the notion that it engaged in intentional reductions or suspensions of data breach alerts. The company also denied that Mr. Power and Mr. Stebbins were ever told of the alleged security flaws.
Instead, LifeLock entered an affirmative defense for its decision to fire Mr. Peters, claiming that it was based on the results of its investigation of his alleged improper workplace behavior toward female co-workers.
LifeLock claims that the investigation revealed that Mr. Peters was apparently fired from his previous position at Vantiv Inc. — known as Fifth Third Processing Solutions L.L.C. at the time of his departure in 2010 — contradicting information he had provided in his employment application and in interviews with LifeLock executives.
“LifeLock determined that it could not continue to employ as its CISO an individual who had made material misrepresentations and/or omissions in his employment application and engaged in inappropriate workplace conduct while employed at LifeLock,” the company claimed in court documents. “None of the individuals involved in the investigation regarding Mr. Peters' workplace behavior and employment application, or the persons responsible for the decision to terminate Mr. Peters, had any knowledge of Mr. Peters' alleged discussion with LifeLock's chief financial officer and chief information officer about (risk assessment) reports or any other purported areas of concern claimed to exist by Mr. Peters.”
LifeLock also filed a series of counterclaims against Mr. Peters for fraud, negligent misrepresentation, breach of contract and unjust enrichment, as well as a motion to dismiss Mr. Peter's whistleblower claim under the Dodd-Frank Act on procedural grounds.