What Could Make LifeLock A Zero Sooner: Fraud Allegations And The FTC Or New Free Competition?

Apr.29.14 | About: LifeLock, Inc. (LOCK)


New 2014: highly credible security expert whistleblower lawsuit alleges shareholder fraud and lack of security for customer personal financial data (full 2014 document below).

FTC now investigating alleged noncompliance of 2010 order for permanent injunction, FTC has the power to shut down any company at any moment if found noncompliant.

Competitors have just begun offering services similar to LifeLock's $25/month "Ultimate" for FREE.

2013 whistleblower lawsuit alleges widespread IT system problems and deliberate suppression "throttling" of customer alerts, contrary to promises in advertising campaigns (full document below).

2010 FTC issued a permanent injunction and $12mm fine against LifeLock's deceptive false advertising and lack of security for customer data, FTC has a history of shutting companies down completely.


LifeLock (NYSE:LOCK) claims to offer a service to help protect your identity from theft and unauthorized credit charges. In my opinion, LifeLock is the smelliest kind of deceptive company, creating unnecessary fear and playing off of people's desire for security. Meanwhile insiders pay themselves handsomely: the top 6 execs bringing in $13.9mm in 2013 alone according to the proxy.

Watch Short Video Summary of LifeLock Report Here Now.

I think LOCK could be a $0 stock very soon if the FTC acts as quickly as it has in some other cases, or within a few years as new competition ramps up in the slow-growth, competitive, commodity market that LifeLock operates. Despite these risks, the stock trades at sky-high valuation of >100X TTM P/E excluding a one-time favorable tax adjustment in Q4 2013.



After multiple personal bankruptcies, Robert Maynard joined with Todd Davis to co-found LifeLock in 2005. In a comprehensive 2011 interview with Mike Prusinski, then senior vice president, LifeLock - gives the history of the company. The business struggled at first but Todd Davis, a sales and marketing genius, decided to pull the ultimate publicity stunt: Put his real SSN in the press and offer a $1 million guarantee for any customer who had their identity stolen. This hefty promise grew subscribers faster than they imagined but the stunt was a flop: Davis's identity was stolen at least 13 times despite his "protection" using LifeLock! They also mention the MOST they have ever paid out on the $1 million guarantee is about $2,500 (0.25%)!

-LOCK CEO Todd "Super Davis" Pulled a PR Stunt and had his identity stolen at least 13 times!


After LifeLock had attracted initial VC funding in mid 2007, co-founder Robert Maynard officially left the company, though stayed as a marketing consultant. Why did he leave? He attracted some controversy: The Times and elsewhere have tied Maynard to National Credit Foundation Inc., a failed "credit-repair" business that the Federal Trade Commission in 1996 said misled consumers by claiming it could erase credit-damaging records of bankruptcy filings.

The FTC also alleged that Maynard and another executive at the firm collected checking-account data from customers not for "verification" but to make unauthorized withdrawals from those accounts.

Given the questionable history and current credible allegations of ineffective data security: Is it possible that by giving their personal financial information to LifeLock, consumers INCREASE their risk of identity theft?


Businesses that involve "cash today for promises later" tend to attract a certain type of person and hefty promises to consumers need to be fulfilled. The Federal Trade Commission (FTC) was created to protect consumers against "snake oil" salesmen and ensure truthfulness in advertising. In 2010, The FTC in conjunction with 35 state attorney generals issued a Permanent Injunction and $12mm fine against LifeLock.

The 2010 FTC 22-page order for permanent injunction notably includes:

1) Ordering LOCK to prohibit deceptive false and misleading advertising

2) Ordering LOCK to create a comprehensive information security program to protect personal consumer data

"The protection they provided left such a large hole ... that you could drive that truck through it."

-FTC Chairman Jon Leibowitz

Interestingly, this part of the story gets quiet for a few years. It seems the FTC expects a company to be shaken enough after a permanent injunction (that is: FOREVER) that it would change its ways. My sources inform me that the FTC didn't make an effort to monitor compliance with the order for some time. Perhaps it was because the FTC was so busy PERMANENTLY SHUTTING DOWN SCAMS.



July 2013, Stephen Burke (Lawsuit HERE), a Senior Financial Analyst works his way through up ranks at LifeLock since his joining Feb 2010, focusing on optimizing call centers and marketing spend.

LifeLock's website claims: "We review each attempt to misuse your identity, and proactively contact you anytime we detect an exposure or threat. LifeLock Ultimate™ protection goes one step further-if we detect a change to the contact information on your bank accounts, we'll contact you to help correct the situation fast."

Burke alleges that LifeLock has "widespread system problems in processing these alerts and sending them out to the customers as promised in its national marketing campaigns. The problem of timely informing customers that their credit information was accessed is so widespread that Defendant instituted a code freeze. In essence, Defendant (LOCK) is deliberately "stepping on the brakes" with regard to sending this critical information to customers on a timely basis, and worse, often choosing not to send these alerts out at all. This practice has been referred to as "throttling."

In response to Burke expressing his concerns to his manager, he was terminated. LifeLock settled this lawsuit in Feb 2014 for an undisclosed amount. Being one man going against a Billion dollar corporation is not an easy fight for a typical employee. However, as Edward Snowden has proved, one man with an idealistic streak can cause big change in a corrupt organization by setting the dominoes going.

-Stephen Burke was terminated when he contacted his superiors about improving practices that appeared to contradict the FTC order.

We need to ACT AS IF we are Todd Davis and think what would Todd Davis do with his member/situation/co-worker....

-Actual "Inspirational" message painted on the wall at LOCK's call center

I question: Does LifeLock "throttle" Todd Davis's account too or does he receive preferential treatment over the many customers that he promises to protect??


If you want to pay someone credible to be a figurehead representing your company, like Rush Limbaugh or Rudy Giuliani, and expect them to just do what you ask without complaint: here's a tip… Don't ask them to go through 12 interviews, quit their job, move their family, selling their house at a loss, and then when they do the job you hired them to do, try to frame them for sexual harassment and fire them!

Michael Peters is an internationally recognized authority on information technology security is a member of the Information Systems Security Association (ISSA) Hall of Fame, only 42 people in the world have been inducted.

After an extensive recruiting effort, LifeLock hired him starting July 1, 2013. Peters immediately began his initial risk assessment of LifeLock.

This New 2014 lawsuit: includes important information for LOCK investors and customers, here are the highlights of Peters' allegations.

Before his hiring, LifeLock had never conducted a bonafide risk assessment. Even in the preliminary stages of the risk assessment, Peters began to discover many instances of illegal and incompetent practices that constituted fraud against LifeLock's shareholders. These include, but are not limited to, the following:

  1. LifeLock's manager of database administration, Jacqueline Hufford-Jensen, signed a Sarbanes-Oxley audit verifying that the information contained in that audit was true and correct even though the time period she was attesting to predated her hiring date at LifeLock.
  2. LifeLock's director of internal audits, Tony Valentine, had "collected" evidence that did not truly exist because the technology was still in boxes
  3. (consistent with the Burke 2013 Lawsuit allegations) LifeLock employee Dave Bridgman told Peters that LifeLock's current practice was to manipulate the customer alerts sent to its elderly customers. LifeLock would turn off or reduce the services alerting elderly customers to reduce the call volume received by LifeLock's customer support center. Peters believed this was fraudulent since it sold its services to the general public without any disclosure that alert services would be limited for certain segments of the population.
  4. LifeLock was in the process of finalizing a new product offering called PassLock. This system was designed to allow customers to include their passwords for up to ten accounts. PassLock would then crawl through hundreds of internet sites to check the username and password supplied by the customer and report back to the customer. The problem was that the database was not being protected with industry-grade encryption. The database was predicted to contain millions of customer credentials that would be devastating to consumers if a breach occurred.

After his initial risk assessment, Peters determined that LifeLock's security posture was at high risk. Peters determined that LifeLock's internal capacity for

  1. governance implemented (policies, audit plan, change controls, architectural review, etc.) was at 47% of the minimum to protect LifeLock's customers and their sensitive information;
  2. technological security readiness (intrusion prevention, data leakage, data encryption, access controls, physical security, etc.) was only at 27% of the minimum
  3. security vigilance (vulnerability testing, auditing, monitoring, awareness education, event logging, incident management, etc.) was at 0% of the minimum

A large part of this problem was staffing. LifeLock only had two people responsible for security. One individual lacked technical skill and only had minimal security experience; the other was fresh out of college and had technical skills, but lacked experience if a data breach occurred. Peters concluded that millions of customers were at risk given the data LifeLock possesses and is incapable of protecting.

Peters asked LifeLock to immediately hire at least 12 information security professionals to get LifeLock to the minimum level necessary for basic information security protection. LifeLock said it might hire two people during the next 12 months, but full staffing would take years, if at all.

Peters met with the CFO and the CIO to describe his findings and they did nothing in response. Instead, they decided to terminate Peters 28 days after he started.

In response, with his reputation and sensibilities attacked, Peters filed a complaint with the FTC, SEC, and OSHA August 19, 2013 and filed suit against LifeLock March 19, 2014 demanding a jury trial. I understand Peters is something of an idealist and not likely to be "bought off" and is spending substantially all his time today on this fight against LifeLock and has shared these and more details with the regulators.


The third week in January (13-17), 2014 must have been an interesting week for LifeLock executives:

  1. Earlier in January LifeLock gives the FTC a call to set up a meeting - reaching out to them rather than waiting for the inevitable incoming call?
  2. Insiders sell $2.3mm of stock this week alone (out of ~$12.8mm in the last year)
  3. CEO Todd Davis appears on CNBC's Cramer Mad Money to promote the stock
  4. LOCK meets with the FTC staff to discuss issues regarding allegations that have been asserted in a whistle blower claim against them relating to their compliance with the FTC Order - they expect an investigation to result following this meeting

-LOCK CEO Todd Davis appeared on CNBC to promote the company the DAY BEFORE they met with the FTC to begin its investigation into alleged noncompliance of 2010 permanent injunction.

On March 13, 2014 the FTC renewed its inquiry related to LifeLock's compliance with the 2010 Permanent Injunction.

Given the FTC has already given LifeLock a PERMANENT INJUNCTION that they appear to be in blatant violation of and fined them $12 million and another $25 million that they didn't even pay, what are the odds that the FTC would be satisfied with a slap on the wrist? If the FTC concludes that its order was violated, won't it have to take dramatic action to avoid looking like fools? In numerous other cases they have PERMANENTLY SHUT DOWN SCAMS.


Aside from the ironic facts that the CEO of an "identity protection" company had his identity stolen at least 13 times and his co-founder was shut down by federal regulators for taking money out of consumer's checking accounts that he was being paid to protect, there are larger market forces at work here that could spell the end for LifeLock - or at least its sky-high 100X P/E valuation multiple (net of one time Q4 2013 tax adjustment).


Click to enlarge

LifeLock offers substantially similar services to numerous other competitors.

Though LifeLock claims some 12mm+ people are victims of identity theft, the bulk of these cases are a fraudulent credit transaction (like when you notice a big screen TV on your card purchased at midnight that wasn't you). LifeLock has NO ability to stop these and your bank protects you from this kind of fraud.

The relevant identity theft metric is new account fraud - when someone opens a new account or loan using your identity. This is actually extremely rare and has been steadily declining in both incidence and severity. According to a Javelin Strategy study it declined from 1.0% of the adult population in 2003 to 0.8% in 2007 and 0.5% in 2013 with the median resolution time only 5 hours. For $250+/year, LifeLock is very expensive insurance for this unlikely problem. They attract customers with their $1 Million guarantee but the largest they have actually paid out is $2,500 according to a 2011 interview!

In fact - REAL insurance companies offer similar identity theft protection for 1/10th the price that LifeLock charges including State Farm for $25/Year. And you don't need to risk your personal financial data being stored on insecure servers with this cheaper option!


Firstly - the main service that LifeLock provides is available to the consumer for NO CHARGE through www.optoutprescreen.com where you can opt out of unsolicited credit card offers and www.annualcreditreport.com where you can see your credit report.

With the recent creation of the Consumer Financial Protection Bureau (CFPB), these kinds of products have been coming into the eye of numerous regulators. Recently Bank of America was ordered by the Office of the Comptroller of the Currency (OCC) to refund all identity protection services since 2000 that hadn't been providing the service promised. The Federal Deposit Insurance Corporation (FDIC) ordered World's Foremost Bank, a LifeLock partner to pay a $1 Million penalty for "deceptive and unfair acts and practices… in connection with marketing, promotion and administration of its consumer credit cards and related add-on products." I understand LifeLock just joined forces with Vivent, a company that uses Morman missionaries to hard sell door to door, how will regulators view that?


Most alarming for LifeLock, other than the imminent and tangible FTC inquiry is that just in the last month, new disruptive start-ups and entrenched large players such as CapitalOne and Experian have joined the competitive market.

March 25: CapitalOne offers FREE competitor to LifeLock Ultimate with similar functionality including free credit reports. AllclearID and CreditSesame have just come out with FREE offerings with substantially similar services to LifeLock's flagship Ultimate that has been driving sales at $25/month.


In a competitive market becoming more of a commodity, the way an existing player grows into new adjacent businesses is often through acquisition and using well-incentivized entrepreneurs to grow and leverage their existing customer base.

LifeLock has been trying desperately to transform itself into a technology and ride the current market sentiment for Silicon Valley businesses. The only problem: no entrepreneur apparently wants to work for Todd Davis! LifeLock acquired ID Analytics in a highly competitive process, paying around 10X revenue for a company whose business DECLINED last year from 227mm transactions in 2012 to 217mm transactions in 2013. The founder Bruce Hansen left immediately after the acquisition.

LifeLock bought Lemon Wallet in Q4 2013 for $43mm in cash and additional equity with nominal revenue and $5mm+ of losses and the CEO, serial entrepreneur Wences Casares wasn't even on the closing conference call and immediately left to work on a new company.


According to CapIQ data, insiders have sold >$12.8mm of stock in the last year since the IPO lockup ended including $5.3mm just since the Jan 17, 2014 FTC meeting! Smart money large fund holders also appear to be leaving in droves according to the Proxy:


I called LOCK four separate times over the past week and a half to try and get their response on all these potentially devastating issues. Unfortunately, they never called me back or even picked up the phone.


LifeLock is stuck between a rock and a hard place. On one side is the highly competitive and commodity-like identity protection market where they have little competitive advantage or IP. On their right is the FTC now re-investigating their claims that they have a unique edge and their apparently terrible IT systems that doesn't keep customer data secure in the event of a breach. If found to be violating the previous FTC order, as alleged in the whistleblower lawsuits, the FTC could shut LOCK down at anytime.

The only way out is to grow but customer acquisition costs keep rising and new free alternatives are just appearing to disrupt the industry and LifeLock stock is priced to perfection but can't retain any entrepreneurs because of the culture I believe is toxic: in 2 well documented cases, people who wanted to improve the business were terminated for apparently fabricated reasons and then filed lawsuits.


By reporting this you agree to the terms of this disclaimer.

You agree that the use of The Pump Stopper is at your own risk. In no event should The Pump Stopper be liable for any direct or indirect trading losses caused by any information available on this site. The materials on the site are not an offer to sell or a solicitation of an offer to buy any security, nor shall any security be offered or sold to any person, in any jurisdiction in which such offer would be unlawful under the securities laws of such jurisdiction. The Pump Stopper makes no representations, and specifically disclaims all warranties, express, implied, or statutory, regarding the accuracy, timeliness, or completeness of any material contained in this site. You should seek the advice of a security professional regarding your stock transactions.

The Pump Stopper does not guarantee in any way that it is providing all of the information that may be available. We recommend that you do your own due diligence before buying or selling any security.

The principals of The Pump Stopper most always hold a position in any of the securities profiled on the site. The Pump Stopper will not report when a position is initiated or covered. Each investor must make that decision based on his/her own judgment of the market.

Disclosure: I am short LOCK. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it. I have no business relationship with any company whose stock is mentioned in this article.