LifeLock, Inc. made headlines in December 2015 when it finalized a $100 million settlement with the Federal Trade Commission—the largest monetary award ever in an FTC order enforcement action. As reported by McGuireWoods’ Password Protected blog, the 2015 enforcement action stemmed from allegations that LifeLock breached a 2010 settlement with the FTC mandating, among other things, that LifeLock maintain a comprehensive data privacy and security program.  Though resolution of the 2015 action was a significant step towards clearing the slate with state and federal regulators, the story did not end there.

Lawsuits related to the FTC action continued and, in the wake of the FTC settlement, LifeLock announced a shake-up in company leadership. Effective March 1, 2016, LifeLock president and former Yahoo Americas executive Hilary Schneider succeeded founder Todd Davis as LifeLock’s CEO, while lead director Roy C. Guthrie ascended to Davis’ former role as chairman of the board.

On June 30, 2016, LifeLock took another step to eliminate liability relating to its data privacy and security practices by agreeing to settle a consolidated shareholder derivative lawsuit pending in Arizona. The lawsuit, captioned In re: LifeLock, Inc. Derivative Litigation, alleged in part that LifeLock’s directors breached their fiduciary duties in failing to ensure compliance with FTC regulations post-2010. The newly proposed settlement will release those claims and others in exchange for terms including LifeLock’s agreement to: (1) spend at least $4 million annually on information security from 2016-17, (2) monitor and report on the effectiveness of its information security program, and (3) pay $6 million in attorneys’ fees to lead counsel for the plaintiffs.

Wall Street reacted favorably to the news. On July 11, 2016, shares of LifeLock (NYSE: LOCK) eclipsed $16.22 during trading for the first time since the FTC announced its 2015 enforcement action nearly a year earlier, and LifeLock’s stock hit a 52-week high of $16.89 during intraday trading on August 3, 2016.

Again, however, the story will not end here. LifeLock’s continuing obligations under recent settlements and the ever-looming threat of a third FTC enforcement action are sure to influence the deployment of company resources for years to come. Likewise, healthy skepticism about LifeLock’s ability to keep its data-security-related promises could limit growth in the company’s market capitalization for the foreseeable future. The 2015 FTC settlement (as amended on January 4, 2016), for example, requires LifeLock to comply with its terms for 5 years.

These self-inflicted restraints, along with significant financial and other consequences for LifeLock’s customers, investors, executives, and board members, serve as a reminder that—while the costs of implementing a comprehensive data privacy and security program can be high—the cost of not complying with industry best practices can be catastrophic. If data privacy and security is not yet a priority at your company, make the case before it is too late.  Or you too, like LifeLock, may learn (not) to appreciate the FTC’s “pound of cure.”

The full text of the stipulation of settlement may be found here.