|Shares Out. (in M):||99||P/E||115.1x||31.4x|
|Market Cap (in $M):||1,026||P/FCF||18.4x||22.8x|
|Net Debt (in $M):||-134||EBIT||13||33|
|TEV (in $M):||891||TEV/EBIT||68.0x||26.7x|
Sign up for free guest access to view investment idea with a 45 days delay.
Summary: LifeLock (LOCK) is a $1 billion (market capitalization) company with risks far beyond those disclosed in the filings. I believe that it is a compelling short idea due to severe legal risks from regulatory noncompliance, weak business model, increasing competition, disreputable management, and poor finances. I believe that the stock is worth less than $5 / share.
Introduction: LifeLock claims to provide protection against identity theft by monitoring the use of personal information. It charges a monthly or annual fee for this service. LOCK claims to have 2.5 million paying members and strong growth. The current stock price implies an EV / subscriber for LOCK of about $360, larger than the comparable statistics for such companies as Netflix (approx. $250) and Sirius XM (approx. $100). LOCK completed its IPO at $9/share on October 3, 2012. The lock-up on insiders’ shares expires 180 days after this date.
Note: The report was prepared with sources believed to be reliable, including SEC filings, court documents, newspaper and magazine articles, public statements, and industry reports. I have provided links to some, but not all, of these sources within the report.
The FTC Order
I begin by explaining what LOCK is not supposed to do. The FTC brought a deceptive advertising judgment against LOCK, CEO Todd Davis, and former COO Robert Maynard, Jr., in 2010. The case arose from lawsuits filed against LOCK by attorneys general of 35 states. The FTC summarized the case in these terms: “The FTC and 35 states have charged LifeLock with deceptive advertising. According to the lawsuit, LifeLock claimed its service would protect consumers against all forms of identity theft, when, in fact, LifeLock offered only limited protection against only some forms of ID theft.” The case was settled. The settlement can be found here:
LOCK provides minimal disclosure of this judgment in its filings. In public statements, Davis has tried to spin the ruling as positive. “We welcome federal and state efforts to regulate our industry, because doing so helps to protect consumers from the risks of identity theft,” Davis said in a LifeLock press release issued after the FTC judgment. It appears to me, however, that LOCK is in violation of the FTC order. Since LOCK’s filings give few details, let’s look at the FTC order. According to the order, LOCK is permanently restrained and enjoined from:
“in connection with the advertising, distributing, promoting, offering for sale, or
sale of any product, service, or program designed for the purpose of preventing, mitigating, or
recovering from any form of identity theft as defined in 18 U.S.C. § 1028, misrepresenting in
any manner, expressly or by implication:
1. that such product, service, or program provides complete protection
against all forms of identity theft by making customers' personal
information useless to identity thieves;
2. that such product, service, or program prevents unauthorized changes to customers’ address information
3. that such product, service, or program constantly monitors activity on each of its customers’ consumer reports
4. that such product, service, or program ensures that a customer will always
receive a phone call from a potential creditor before a new credit account is opened in the customers’ name
5. the means, methods, procedures, effects, effectiveness, coverage, or scope
of such product, service, or program;
6. the risk of identity theft to consumers;
7. whether a particular consumer has become or is likely to become a victim
of identity theft; and/or
8. the opinions, beliefs, findings, or experiences of an individual or group of
consumers related in any way to any such product, service, or program.
Such products, services, or programs include, but are not limited to, the placement of fraud alerts
on behalf of consumers, searching the internet for consumers' personal data, monitoring
commercial transactions for consumers' personal data, identity theft protection for minors, and
guarantees of any such products, services, or programs.”
Now, note the similarity between the FTC prohibition and a description of LOCK’s operations from its IPO prospectus:
“We are a leading provider of proactive identity theft protection services for consumers and identity risk assessment and fraud protection services for enterprises. We protect our consumer subscribers, whom we refer to as our members, by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer near real-time, actionable alerts that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. If a member confirms that the use of his or her identity is unauthorized, we can stop the transaction or otherwise rapidly take actions designed to protect the member’s identity.”
LOCK’s many Internet, radio, and TV ads claim that the company protects against identity theft. Here are some direct quotes taken from LOCK’s websites and ads:
“…the most comprehensive identity theft protection service available…”
“LifeLock offers a level of protection and member service that no one else can”
“…protect members from identity theft BEFORE it happens – and backs it up with a $1 Million Total Service Guarantee”
So, three years after the FTC Order, LOCK claims to have the best ID protection service on Earth. Recall that the FTC Order was a permanent injunction. LOCK’s pre- and post-2010 ads are nearly identical. The main difference is that LOCK changed “prevent” to “protect”. Despite taking LOCK to Federal court, the FTC seemingly never bothered to enforce its own ruling. The FTC, in fact, didn’t even collect $24 million of the $35 million judgment (LOCK plead poverty). There is also an easily overlooked second part to the FTC Order. The judgment states that LOCK is permanently prohibited from:
“B. misrepresenting in any manner, expressly or by implication, the manner or extent
to which they maintain and protect the privacy, confidentiality, or security of any personal
information collected from or about consumers.”
The FTC found that LOCK failed to encrypt personal information on its customers and that the information was available to more than just authorized employees. In other words, LOCK exposed its own customers to potential identity thieves. LOCK remains bound by the FTC Order. The company and Davis are required to submit annual compliance reports to the FTC. According to LOCK’s 10-K, the FTC has not accepted or approved them.
The Experian Lawsuit
A federal judge ruled in May of 2009 that LOCK’s main service (at the time) was illegal. Note that this case is separate from the FTC case. LOCK was sued by credit bureau (and competitor) Experian for fraud in 2008. Experian sued because LOCK was placing nearly perpetual fraud alerts with the credit bureaus for all of its clients. According to the suit, LOCK was placing thousands of calls per day to Experian to place fraud alerts. According to section 605A of the Fair Credit Reporting Act (FCRA), a fraud alert can be placed when there is “…a suspicion that the consumer has been or is about to become a victim of fraud or related crime, including identity theft…” LOCK was placing fraud alerts for clients where no suspicion existed. Judge Andrew Guilford ruled that LOCK did not have the authority to place fraud alerts for its clients. The case was settled in late 2009. As part of the settlement, LOCK agreed to cease placing credit alerts with the credit bureaus. It is remarkable that LOCK’s customers did not flee in droves after LOCK’s primary service was shut down. I presume that most of them did not know what they were paying for in the first place.
More information on Experian lawsuit:
The Experian suit exposed the flimsy basis of LOCK’s business. Until 2009, LOCK was essentially in the business of placing robo-calls to credit bureaus. LOCK was merely placing fraud alerts that anyone has the legal right to place for free. Moreover, according to Experian’s complaint, Davis and LOCK were greatly overstating the protection provided by these fraud alerts. The complaint cites numerous exaggerations in LOCK’s advertising and statements from Davis. The complaint also makes the claim that “…LifeLock has placed fraud alerts with Experian by disguising its identity and fraudulently misrepresenting to Experian that it was the consumer.” Isn’t that ironic?
What Does LOCK Do?
The services provided by LOCK do not appear to be proprietary. As we’ve seen, LOCK was prohibited from placing fraud alerts with credit reporting agencies in 2009. In 2010, it was prohibited from advertising itself as a company that can prevent identity theft. Looking at its services in 2013, it’s amazing that anyone pays $110 - $275 / year for them. The otherwise bullish analyst at Canaccord Genuity sums it up in his 11/7/2012 report: “It is completely fair to say that a consumer could do many of the things that LifeLock provides.” LOCK, in other words, is primarily a services business. Here are the services provided with LOCK’s basic service (from its website):
Anybody with access to the internet and ten free minutes can do simple things like ask for a credit report (annualcreditreport.com) and end unsolicited credit card mailings (optoutprescreen.com). Let’s look at some of LOCK’s purportedly proprietary services:
LOCK claims to monitor more than 10,000 “black market” websites on which personal information is bought and sold. Let’s say that this is true…so what? LOCK isn’t the FBI or Interpol. If a criminal gang in Ukraine posts my credit card number on a website, LOCK cannot do anything about it. It cannot shut down the site or fix the problem. My credit card number has already been stolen. At best, LOCK can notify me to cancel the card. I think it’s more likely that I would see bogus charges on the card long before LOCK’s watchdogs spot them.
LOCK’s wallet remediation service, impressively called WalletLock, is a service in which someone at LOCK calls your banks, credit card issuers, etc., if your wallet is lost or stolen. LOCK does exactly what anyone would do when his or her wallet is lost. LOCK does not reimburse for lost cash or other valuables or provide reimbursement for any fees incurred in getting new cards.
The threat notification service is the reason that most people pay for LOCK. Here is a basic description from the prospectus: “We protect our consumer subscribers, whom we refer to as our members, by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer near real-time, actionable alerts…” In other words, if someone opens a new credit card account with a member’s information, LOCK will contact him or her to make sure that he or she actually opened it. LOCK receives this information from outside sources (such as the credit bureaus). Here are just some of the types of protection which are NOT included in the basic service (which covers 90% of LOCK’s customers):
There are clearly lots of potential threats that LOCK doesn’t cover. Even in the areas that LOCK does cover, there is no guarantee that LOCK will actually catch anything. On its website, LOCK claims to monitor for “…threats against your identity within our network.” There is also this disclaimer: “Not all transactions are covered and scope may vary.” The reality is that LOCK is dependent on receiving credit alerts from other companies. Among the risk factors in the prospectus is: “Our business depends on our ability to utilize intellectual property, technology, and content owned by third parties, the loss of which would harm our business.” Despite the limitations in its services, LOCK is well-known for offering a guarantee to its clients.
The $1 Million “Guarantee”
LOCK makes a big deal about its $1 million guarantee in its advertising and on its website. What does it mean? Well, I suspect that LOCK’s customers think that it means that LOCK insures them against as much as $1 million in losses due to identity theft. It doesn’t mean that at all. It’s actually more of a really weak warranty. According to the actual policy, LOCK guarantees to pay up to $1 million in legal costs, remediation, service costs, and case management costs if an identity theft occurs. There is, however, no guarantee that you will actually receive this help. From LOCK’s website (emphasis mine):
Remediation Service Costs. The amount of reasonable and necessary expenses paid to investigators and other third-party business providers that are retained by LifeLock and involved in any services that are reasonably necessary, viewed in the context of LifeLock's business and Membership Programs, to restore your good name and identity, or to recover your Losses in accordance with any Membership Program.
In other words, LOCK will not pay for any legal help unless it decides that that customer’s losses were due to deficiencies in LOCK’s services. Since LOCK does not protect against many types of crime, it can easily claim that the alleged fraud is not covered. Moreover, LOCK (not the customer) determines whether or not legal aid is actually necessary. As if that wasn’t bad enough…the victim has to do all of the work! The actual policy has a long list of actions that the fraud victim has to take in order to be covered by LOCK’s policy. Here are just a few of the requirements (from the Master Policy):
vi. In the event of a Stolen Funds Loss, you shall:
So, the victim may not get any money from LOCK, but he or she will have to fill out plenty of paperwork. There are numerous other provisions that can be found on LOCK’s website. The bottom line is that it is a marketing gimmick.
LOCK admits that virtually nobody gets anything from its guarantee. LOCK has had millions of members covered by it, but Davis has told investors that “fewer than 5,000 people have invoked the guarantee.” He has not said how many actual claims have been paid. The 2012 10-K states that amounts paid by to customers under the guarantee are “not material”. The lameness of the so-called guarantee was one of the major factors in the cases brought by the state attorneys and the FTC in 2009-10. Once again, LOCK seems to have kept the FTC off its backs (so far) by making a few cosmetic changes in its marketing.
LOCK provides services based on manpower and outside technology. These services are easily replicated and there are no barriers to entry. More than 50% of the consumers that pay for identity protection are using services provided by banks (Wells Fargo, Chase, etc.). There are also numerous private companies and subsidiaries of larger companies that offer these services. As proof, I offer a list of 20(!!) of these firms: AllClear ID, CSID, Equifax ID Patrol, ID Armor, IdentityForce, Identity Hawk, Identity Guard (Intersections), IDTheft Protect, IdentityTruth, Intelius IDWatch, ID Watchdog, Protect My ID (Experian), TrustedID, IDFreeze (Fair Isaac), PrivacyGuard, Privacy Matters, SmarterCredit, LexisNexis, IdentitySecure (Affinion), and Identity Theft Shield (Kroll). All of these firms pretty much make the same claims about identity theft protection, offer the same services, and charge the same prices ($10-$20/month). LOCK is merely one player in a very crowded market.
The identity protection firms are often using the same software and getting their data from the same sources. They all rely on information from the credit bureaus, banks, and credit issuers. Credit bureau TransUnion, for example, serves as a fulfillment partner to LOCK and many other ID theft companies. Early Warning Services is another one of LOCK’s fulfillment partners. It is owned by a group of major banks and provides bank fraud protection to a wide variety of financial institutions. ID Analytics, now owned by LOCK, provides software to several firms in the industry. Austin-based CSID claims that more than 70% of the retail identity protection industry (including LOCK) uses its fraud detection software. CSID even offers a white label identity protection platform, allowing any firm to offer services with no investment in technology. The entire industry has become commoditized.
LOCK’s potential market is much smaller than is widely believed. Estimates of the current market size vary from $3.5 - $4.0 billion, implying that LOCK has about 7% dollar market share. According to a 2012 article in Consumer Reports, approximately 50 million Americans paid for identity theft protection in 2010. Based on this figure, LOCK has about 5% market share. In its presentations, LOCK claims that the addressable market is 78 million Americans. Assuming that this number is accurate, about two-thirds of the potential buyers are already paying for some type of protection. There is no guarantee that the other 25 million people want identity protection, but it is likely that the banks will sign up most of them that do. The Deutsche Bank analyst that follows LOCK estimates that LOCK will have 4.5 million members and $534 million in consumer revenues in 2017. LOCK would need to greatly increase its single-digit market share to achieve these estimates, which seems unlikely in a crowded market in which firms are practically interchangeable. Nonetheless, LOCK has effectively portrayed itself as the leader in identity theft protection. Anyone who knows LOCK’s history has to view this as an incredible accomplishment.
LifeLock’s corporate history is so unsightly that it is astonishing that the company still exists. Robert J. Maynard, Jr., and Richard Todd Davis are the official co-founders of the firm. Maynard does not work for LOCK anymore, but Davis remains CEO. On his personal website, Maynard explains that he “...invented the concept for LifeLock, built the initial systems and found a great partner in Todd Davis.” According to the story that both Davis and Maynard gave in numerous interviews, the genesis of LifeLock was an incident in which Maynard was a victim of identity theft. Maynard claimed that he was erroneously jailed for seven days in 2003 after someone stole his identity. Maynard was released, but he claimed that he spent more than $20,000 and many hours in clearing his good name. This harrowing experience convinced Maynard that people needed a service to protect them from identity theft. It’s a fine story, but it is only partly true. Maynard was actually jailed, but he was not a victim of identity theft. The police arrested him because he skipped out on a $15,000 marker from a Las Vegas casino. This is considered theft under Nevada law. It is also just one of many black marks on Maynard’s resume.
LOCK does not want investors to know about its sordid past. Even though he created the firm, Maynard’s name does not appear in the IPO prospectus. The details of his long history of financial impropriety can be found in a series of articles in the Phoenix New Times and Wired. Here are links to two of them: http://www.phoenixnewtimes.com/2007-05-31/news/what-happened-in-vegas/
I have used these articles as sources for this section. The stories are too long and ridiculous to repeat here, but I will present the highlights, starting with the origin story. The New Times discovered that the casino had a copy of Maynard’s driver’s license. There was never any question of identity. The newspaper presented evidence of Maynard’s deception to Davis in May of 2007. Davis, according to the newspaper, stonewalled the reporter and even continued to tell the fictional origin story. The controversy did lead to Maynard’s separation from LOCK…sort of. After Maynard left his Chief Marketing position, Davis hired him as a marketing consultant to do the exact same work. It is notable that LOCK completed two rounds of preferred stock sales to major institutional investors while Maynard was still a top executive. One might think that these investors would have been scared away by his background. After all, by the time that LOCK was founded, Maynard had declared bankruptcy three times, driven at least two companies into insolvency, been forced out as CEO of Internet America, and lost a defamation suit after falsely claiming to have been cyber-stalked. Most significantly, he had also agreed to a lifetime ban from the credit industry.
Maynard had an ugly experience in the credit monitoring business before he co-founded LOCK. In the mid-1990s, Maynard ran a credit repair business called National Credit Foundation. The business was targeted by both the Federal Trade Commission (FTC) and the attorney general of Arizona for numerous violations. Among these violations, according to federal court records, the company, “in numerous instances…withdrew funds from customers’ checking accounts without authorization.” Ex-employees at National Credit reported that distraught clients called and asked for help with unauthorized $300 charges- not knowing that National Credit had been the one who charged them! Maynard was slapped with a lifetime ban on “advertising, promoting, offering for sale, selling, performing, or distributing any product or service relating to credit improvement services.” LifeLock, you’ll recall, claims to protect people from credit card scams and other financial crimes. When confronted with this information by New Times, Davis was unsurprised and unconcerned. He claimed that the company’s attorney had provided an opinion that Maynard was legally allowed to work for LOCK. He didn’t seem to care that LOCK is supposed to protect its customers from people exactly like Robert J. Maynard, Jr.
More information / references:
LifeLock claims to protect its customers from people who wish to victimize them, yet Todd Davis apparently did not even notice or care that his own partner was untrustworthy. Maynard, who blames most of his problems on being bipolar, is even alleged to have engaged in identity theft. The New Times reported that Maynard fraudulently obtained an American Express card in his father’s (Maynard, Sr.) name and ran up $154,000 in charges. Maynard was apparently bought out of his 10% equity ownership in LOCK in or around 2009. After leaving LOCK, Maynard took his special brand of entrepreneurship to Hawaii and founded an ocean adventure company called Kandoo! Island. It was supposed to be some kind of giant activity catamaran for families. It was, not surprisingly, a total fiasco. Maynard had trouble getting insurance, trouble with the Coast Guard, and bounced paychecks all over the Pacific. The company went broke after two weeks of operations. In the aftermath, Maynard was sued for failing to pay off the promissory notes the he signed to pay for the boats and equipment.
Let’s now take a look at Maynard’s former partner and longtime apologist, Todd Davis, who has pulled off one of the most successful advertising hoaxes in recent memory. Many people have heard of LifeLock for just one reason: Davis put his Social Security number in the company’s ads. It was an audacious move. Social Security numbers are used in all sorts of financial transactions. By displaying his SSN in front of millions of potential crooks, Davis showed absolute faith in LOCK’s ability to protect his identity. His faith was misplaced. The FTC/attorneys general investigation into LOCK determined that Davis’ SSN had been used by someone in Ft. Worth, TX, to fraudulently take out a payday loan for $500. Although the incident was well-publicized, Davis has successfully downplayed it as isolated and unpreventable. The LOCK analyst at Canaccord even calls it an “urban myth” in his 10/28/2012 report. LOCK’s story is that the payday lender did not process the loan properly, so LOCK could not have caught it. One might overlook one isolated failure to protect Davis’ identity. It’s a bit more difficult, however, to overlook the fact that Davis’ identity has actually been stolen at least 13 times.
LifeLock proved to be completely unable to protect its own CEO from financial fraud. The New Times reported in 2010 that Davis’ SSN was used fraudulently in at least 13 separate instances, crimes that came to light when a LOCK employee filed a police report on Davis’ behalf. In one case, someone used Davis’ SSN to open a cell phone account with AT&T. That case resulted in an unpaid bill of $2,390. Other crimes using Davis’ information included the purchase of a gift basket at Swiss Colony and the opening a bank account at Bank One. In several of the instances, the unpaid bills went to collection agencies before LOCK or Davis knew about them. The exact number of times that Davis’ SSN has been fraudulently used is unknown since Davis has not released his credit records to the public. He has, however, continued to promote LOCK as an expert in identity protection.
Davis’ SSN publicity stunt exposes LOCK as a company without substance. Besides failing to protect his identity, it could not even clean up the messes. LOCK’s staff has no real authority to deal with identity theft. Like anyone else, the company can only report alleged crimes and contact affected parties. Davis did get personally involved in one of his own identity theft cases, but the result was rather unfortunate. As reported in Wired magazine, Davis’ involvement In the Texas payday loan case allowed the suspect to avoid prosecution. According to a Fort Worth police sergeant, Davis was warned to stay away from the suspect in the case as the investigation was ongoing. Instead, Davis and a camera crew “…yelled at him (the suspect) and browbeat him into signing a confession that they had already typed out.” Davis told the mentally disabled suspect that if he did not sign the confession, the police would arrest him. After they heard about the coerced confession, the Fort Worth police dropped the case. In one interview on the incident, Davis claimed, “We didn’t coerce him. But we want criminals to know, if you mess with any LifeLock member, there needs to be consequences.” I really don’t think that the criminals got the message, though, since LOCK did nothing and the guy got away with it. The message that I get is if that LOCK couldn’t even protect its own CEO, then its 2.5 million anonymous members shouldn’t expect anything better.
LOCK is a company driven by advertising. Prior to his involvement with LOCK, Davis was a salesman at Dell and worked at a few start-ups. It seems that these start-ups weren’t very successful as Davis filed for bankruptcy in 2000. In 2002, Davis created a marketing firm called Marketing Champions, LLC. According to Phoenix Business Journal, he became involved with LOCK when hired to generate publicity. Davis has been on a publicity tour ever since. One of the gimmicks employed by LOCK is to host free “Identity Theft Summits” for law enforcement officials. LOCK partners with a group called FBI-LEEDA to sponsor these seminars. LOCK, by no coincidence, is the largest (“Diamond Level”) sponsor for FBI-LEEDA’s annual conference. Given the limited training budgets of many police agencies, these free seminars are popular and generate lots of publicity for LOCK. Here is a typical headline from a website: “FBI Partners with LifeLock to Protect Identity Theft”. It’s a nice headline, but it’s inaccurate. Despite its name, FBI-LEEDA is not part of the FBI or acting on behalf of the FBI. The seminars are just one way in which LOCK uses its marketing dollars to craft a story.
America’s Mayor…LifeLock’s Shill?
A current ad campaign illustrates how LOCK exaggerates its expertise in identity protection. In November, 2012, LOCK announced that former New York mayor and federal prosecutor Rudy Giuliani had been hired as a “strategic consultant”. LOCK did not disclose his payment or exact role. Within days of the press release, Giuliani began to mention LOCK in interviews about personal security. In early 2013, Giuliani began to appear in infomercials for LOCK. In one of these, Giuliani identifies himself a LOCK member and discusses identity thieves who file false tax returns. The ad dramatizes a situation in which a young woman steals information from a man’s computer to claim a tax refund. The ad misleadingly implies that LOCK protects against stolen tax refunds. The reality is that the Internal Revenue Service (IRS) is not part of LOCK’s data network. LOCK does not have any ability to monitor tax returns or identify fraudulent tax refunds. The IRS does have a unit to combat identity theft. According to this report, the IRS appears to be making significant progress:
It is obvious that LOCK hired Giuliani due to his reputation as a crime fighter. He may also appeal to LOCK’s primary demographic (seniors). Davis, for one, appears to be a fan. According to the Federal Election Commission, he donated money to Giuliani’s 2008 Presidential campaign. It may seem odd that Giuliani would take money from LOCK, but he has a history of taking money from questionable sources. According to articles in Forbes and Vanity Fair, Giuliani and his partners have been paid millions of dollars to promote the interests of dubious companies. In several cases, Giuliani used his celebrity and access to the media to promote his clients’ interests.
The Richardson Lawsuit
Ongoing litigation reveals a bit more about LOCK’s marketing practices. LOCK’s 10-K gives brief mention of a lawsuit filed against LOCK and Davis by a woman named Denise Richardson. In the suit, Richardson claims that she was improperly paid as an independent contractor rather than as an employee. The suit claims that she is owed at least $250,000 in compensation and damages. On the surface, this appears to be a banal compensation dispute filed by an ex-employee. It turns out, however, that Richardson had a rather unusual marketing role at LOCK. On her website, she describes her relationship with LOCK (not named) in these terms: “August 2006 through February 2012 Identity Theft Education Specialist, Speaker, Spokesperson, Blogger, Consumer Liaison and Consumer Advocate fostering business development for a nationally known identity theft protection company.” In other words, LOCK paid her to promote the company all over the internet.
A simple search reveals dozens of positive comments, blogs, and news articles that Richardson has posted about LOCK. If you look up a negative news story about LOCK, there is a good chance that Richardson replied to it with a lengthy defense of the company and Davis. In most cases, she did not disclose any association with LOCK. A few times, however, she posted a disclaimer such as this: “…LifeLock has paid me to speak at their seminars as one of their Certified Identity Theft Risk Management Specialists. To be clear, I get paid to talk about identity theft, but I don’t get paid to promote LifeLock.” Well, Richardson’s own lawsuit proves that she was getting paid to do exactly that. The whole situation is quite ironic. She staunchly defended the integrity of Davis and LOCK for years, but now she is suing them for allegedly ripping her off. It appears that her views have changed. This comment appears on her site: “As of July of 2012, I no longer work with or endorse this particular ID theft protection company (LifeLock). As always, do your homework on ID theft protection services to help ensure you only deal with companies that practice the best identity theft protection practices.” That may be good advice, but it’s a bit hard to identify those companies since the internet is flooded with false information.
LOCK pays people to promote the company in a shady manner. LOCK offers an Affiliate program in which people create websites with links to lifelock.com. The Affiliates receive $40 - $60 for every person that subscribes to the service through these links. A December, 2010, article in a Maine newspaper describes how the Affiliates generate traffic: “A Google search for LifeLock brings up thousands of hits for blogs, supposed news sites and reviews. Most shower the company with praise and provide links to buy its services. However, most or all are operated by affiliates who receive a 30 percent commission on each sale generated by their site or review.” Here is one of these “reviews” that can be easily found with Google:
Pros: This service is excellent and continues to get better.
Cons: We found no weaknesses with this service.
The Verdict: It's hard to find better hands to put your identity in than this service.
The site also includes a link to lifelock.com and this banner: Prevent Identity Theft with LifeLock
Many of the Affiliates’ sites make assertions about LOCK’s services that would be prohibited by the FTC Order if LOCK made them. LOCK would likely claim that it has no direct control over the Affiliates’ sites. In my opinion, the Affiliates’ program is just one part of LOCK’s misinformation campaign.
The Fastest-Growing Crime…That Isn’t Growing
The threat of ID theft is greatly exaggerated by the ID protection industry. The industry incessantly promotes the idea that identity theft is a major risk and that threat is growing. Here’s a typical quote from LOCK’s website: “Identity theft is one of the fastest growing crimes in the nation.” The numbers, however, indicate that it isn’t growing at all:
Annual Losses from ID Theft (in $billions) - Source: Javelin Research
2004: $47.0 2007: $24.7 2010: $19.9
2005: $32.0 2008: $28.9 2011: $18.0
2006: $28.7 2009: $31.4 2012: $20.9
So, losses from ID theft in the U.S. fell by 55.6% in the past eight years and 33.4% in the past three years. The number of victims, according the Javelin, has been steady: the eight-year average of 11.6 million per year is equal to the 2011 number. The incidence rate is, therefore, only about 4% per year. LOCK and its competitors obviously do not want people to know that 96% of them are paying $100-$250 this year for no reason. One could argue, however, that identity protection is worth the price if it reduces risk of loss. There is evidence, however, that it does not even do that.
The entire identity protection industry is probably a waste of money for consumers. LOCK deserves credit (or blame) for helping to create an industry in which people pay for unnecessary and free services. A 2012 Consumer Reports article explains: “…consumers who buy this protection from their banks are helping to foot the bill for services that financial institutions are obligated to provide by federal law to shield their customers from losses stemming from credit-card and bank-account fraud.” If you use a credit card, you have probably noticed that the card issuers and banks are becoming much more proactive in freezing accounts when something appears unusual. As the above numbers show, the average loss per victim has fallen dramatically in the past decade. Again, from Consumer Reports: “…identity fraud is down because financial institutions are doing a better job preventing it. And consumers have been more eagle-eyed about their own accounts, without the need for a paid subscription service.” Indeed, Javelin found that people who discovered fraud by reviewing their paper statements had significantly less money stolen than victims who were notified by an identity protection service. In one sense, though, it does not really matter. Consumers have, according to a Wells Fargo executive, “essentially zero liability” for existing account fraud. Javelin estimates that the actual out-of-pocket costs of identity fraud are about $600. Here’s some simple math:
.04 (incidence rate / year) * $600 (avg. cost) = $24 expected loss / year
So, LOCK subscribers are paying $100 - $250 / year to avoid an expected $24 loss. That’s rather irrational, but it may actually be totally pointless. Javelin also found that the actual out-of-pocket costs of identity fraud are only slightly lower for people that paid for identity protection versus people that did not. LOCK’s marketing strategy is based on paranoia, not reality.
The use of the term “identity theft” is a major part of LOCK’s fear-mongering marketing strategy. The term implies that unknown people are committing crimes by stealing somebody’s entire life. LOCK’s marketing portrays identity theft as a new and sophisticated type of cyber-crime. In reality, a lot of the crime classified as “identity theft” is simple credit card fraud. There’s nothing new about it at all. Moreover, many of the identity thieves are not unknown people, but people known to the victim. A New York Times headline proclaims: “Identity Thief is Often Found in Family Photo.” Indeed, Javelin and the FTC have found that in half of cases in which the perpetrator was identified, the identity thief was a family member, friend, neighbor, or in-home employee. LOCK knows that it cannot do anything to prevent this type of crime. Its “guarantee” specifically states that fraudulent withdrawals by family members are not covered. LOCK tries to scare people into paying for a service that does not work and that they do not actually need.
The Busted IPO
LOCK’s IPO, completed on October 3, 2012, was ice cold from the very beginning. The initial price range was $9.50 - $11.50, but the IPO price was $9.00. The lead underwriters were Merrill Lynch, Goldman Sachs (a major shareholder), and Deutsche Bank. The stock price fell 7.1% on the day of the IPO and drifted downwards from there. It eventually hit a low of $6.80 on December 21, 2012. The lower than expected IPO price was negative for several reasons. LOCK raised about $30 million less than expected, selling 15.5 million shares for about $126 million. About one-half of the proceeds ($62.6 mil.) were immediately used to pay off loans from Merrill and RBC, two of the underwriters. The low IPO price triggered provisions in some of the previously issued preferred shares. LOCK was required to pay $10.7 million in cash to holders of some preferred shares and covert some preferred shares into an unexpectedly high number of common shares (20.5 million). LOCK is now expected to have 99 million shares outstanding by the end of 2013.
LOCK blamed the busted IPO on investors’ perception of it as a services company. Davis and the analysts want investors to evaluate it as a high-growth technology company. I believe that it is a business that charges fees for free services. At any rate, LOCK and the analysts went into full publicity mode to bring the stock price back from the depths. The publicity campaign, along with the Q4 results, pushed the stock higher. This rally in the share price is certainly good news for the early investors, including Goldman Sachs and several venture capital firms. The lock-up on insiders expires in at the beginning of April, 2013.
ID Analytics Acquisition
LOCK acquired privately-held ID Analytics in March of 2012. Bruce Hansen founded ID Analytics in San Diego in 2002. Hansen had been President at MHC Software until it was acquired by Fair Isaac. ID Analytics’ main business is to provide identification services to enterprises. ID Analytics, for example, helps businesses to authenticate the identities of credit card users. Users of ID Analytics’ services pay fees on a per transaction basis. Here’s a brief look at ID Analytics’ financials from LOCK’s filings and analysts’ reports:
2010 2011 2012E 2013E
Revenue (in $mil.) $22.9 26.9 27.0 27.5-30.5
Enterprise Transactions (mil.) 184.0 227.0
At the end of 2011 (prior to the acquisition), ID Analytics had an accumulated deficit of $28.7 million. Net income for the company in 2011 was $2.0 million. Revenue per transaction fell from approximately 14.6 cents in 2011 to approximately 11.9 cents in 2012. As a result, ID Analytics showed negligible year-over year growth for 2012. The Street analysts forecast growth of 10% or so for this segment for 2013. So, how much did LOCK pay for the company? LOCK paid $186 million! This deal valued ID Analytics at approximately 7 times 2011 sales and 93 times 2011 net income. As ID Analytics’ liabilities exceeded its assets, LOCK accounted for the acquisition by recognizing $129.4 million in goodwill and $57.5 million in intangible assets. It’s fair to say that LOCK is not a value investor.
LOCK paid a very high price to buy ID Analytics. Aside from its enterprise business, the company provides identity verification tools to LOCK and a number of its competitors. It is a major part of LOCK’s strategy to portray itself to investors as a high-growth tech company rather than a services business. So far, however, there’s no indication that ID Analytics is actually growing or benefitting LOCK’s consumer business. Moreover, it appears that ID Analytics’ business is getting worse. It is revealed at the very end of LOCK’s 10-K that its enterprise business reported an operating loss of $5.7 million for 2012. There is no explanation provided for this previously undisclosed loss in the filing. ID Analytics was supposedly (slightly) profitable prior to the acquisition. LOCK itself, by the way, represented 16.1% of ID Analytics’ revenues for 2012. It appears that LOCK’s plan for ID Analytics is already in trouble.
ID Analytics is involved in an FTC inquiry. In December, 2012, ID Analytics was one of nine companies contacted by the FTC in an investigation of data brokers. The FTC demanded that the companies turn over information on how they collect data on consumers and how they use it. The FTC is concerned that companies are collecting and selling data without complying with consumer protections required by law. Under the Fair Credit Reporting Act (FCRA), for example, consumers must be given the opportunity to correct inaccurate information in their credit histories. In June, 2012, the FTC levied a fine of $800,000 against a company called Spokeo for violations of consumer protections. Spokeo provides personal financial information to employers for background screenings on prospective employees. The company’s data was riddled with errors and consumers had no ability to review it. Spokeo, by the way, was also accused of using its own employees to post fake reviews and recommendations on websites. ID Analytics may be at risk if the FTC determines that it is selling personal data to businesses.
The ID Analytics deal appears to be all about perception. This statement appeared in the press release announcing the deal: “ID Analytics will continue to operate independently as a wholly owned subsidiary of LifeLock and will continue to operate under the leadership of its current CEO, Bruce Hansen, who will report to Todd Davis.” Alas, Hansen left ID Analytics as soon as the ink was dry on the deal. He was replaced as CEO by Larry McIntosh, ID Analytics’ former Chief Marketing Officer. McIntosh has a background in marketing and advertising, including many years at Pepsi / Frito Lay. He does not appear to have the background of a high tech executive. ID Analytics, on the other hand, may not be a high tech firm. LOCK only attributed $29.4 million of ID Analytics’ intangible assets to acquired technology, 16% of the purchase price. I suspect that LOCK mainly purchased ID Analytics to achieve a higher valuation from investors.
LifeLock has the valuation of a high-growth technology firm. Here are some of the key 2012 financials:
Total revenue: $276.4 mil. (excludes 2.5 months of ID Analytics)
Adj. net income: $22.0 mil. (includes $13.7 mil. tax benefit)
Adj. EBITDA: $30.3 mil.
FCF: $40.9 mil.
Tangible BV: $39.3 mil.
Tangible BV / Share: $0.40
In its Q4 2012 release, LOCK guided to the following for 2013:
Total revenue: $335 – $345 mil.
Adj. net income / share: $0.30 - $0.35
Total shares: 99 million
Adj. EBITDA: $37 - $42 mil.
FCF: $42 - $47 million
The market capitalization is about $1.04 billion. LOCK ended 2012 with $134.2 million in cash, so EV is approximately $900 million. The stock is trading at 23X tangible book value. Using LOCK’s estimates, the stock trades at forward multiples of approximately: 23X EV / EBITDA, 32X P/E, 20X EV/FCF, and 2.6X revenue. So, can LOCK achieve the kind of growth in 2013 and beyond that it needs to justify these multiples? There are indications that it cannot.
LOCK is spending huge amount of money to attract new customers. Despite its many problems, the company reports 2.5 million members. LOCK achieved this level by raising a lot of money from investors and spending it on advertising. LOCK has about 100 million shares outstanding because it repeatedly sold preferred stock as a private company to fund its (unprofitable) growth. This ad spending has accelerated in the past three years.
Annual sales and marketing expenses: Advertising spending:
2008: $80.9 mil. 2010: $42.7 mil.
2009: $77.8 mil. 2011: $54.6 mil. (+27.9% y-o-y)
2010: $78.8 mil. 2012: $66.0 mil. (+20.9% y-o-y)
2011: $91.2 mil. (+15.7% y-o-y)
2012: $123.0 mil. (+34.9% y-o-y)
So, LOCK has spent $163.3 million on advertising alone in just the past three years. LOCK provides statistics on the average cost of acquiring a new member. Average cost of acquiring a member:
2008: $82 2011: $130
2009: $126 2012: $150
LOCK’s numbers show that the cost of acquiring a new member has increased by 82.9% over the past five years.
Let’s look at year-over-year comparisons for gross new members for the past three quarters:
June, 2011: 180,000 June, 2012: 169,000 (-11,000)
September, 2011: 173,000 September, 2012: 187,000 (+14,000)
December, 2011: 205,000 December, 2012: 198,000 (-7,000)
LOCK added fewer gross new members in the final three quarters of 2012 than it did in the same period in 2011. The growth for the year came in the March, 2012, quarter. The growth in that quarter was fueled by LOCK’s agreement with AOL, a one-time event. LOCK provides the numbers of total members and gross new members. These numbers can be used to calculate net new members and dropped members. Let’s now look at membership (in mil.):
2008 2009 2010 2011 2012
Total Members (in mil.) 1.331 1.621 1.748 2.075 2.480
Gross New (in 1000s) 924 618 517 704 762
Net Adds (in 1000s) +290 +127 +327 +405
Dropped (in 1000s) 328 390 377 357
Y-O-Y Growth (%) 21.8 7.8 18.7 19.5
Duration (years) 4.5 4.3 5.1 6.4
Member Duration = (avg. # members for year) / (#dropped members)
As the table shows, LOCK loses 350K – 400K members per year. LOCK must increase its total membership by approximately 500K per year in order to meet analysts’ estimates. LOCK averaged about 287K net additions per year over the past four years.
LOCK is spending millions of dollars to attract customers that may never be profitable. It makes a big deal out of its member retention rate (87.1% at end 2012), but this statistic is not very useful. According to the 10-K: “We define member retention rate as the percentage of members on the last day of the prior year who remain members on the last day of the current year…” It is not a measure of the annual renewal rate. It also does not capture people who subscribe by the month but cancel in less than one year. In any case, the 2012 member retention rate was actually lower than it was in 2008 (89.8%). LOCK needs its members to renew in large numbers. Based on revenue and expense numbers, we can estimate the payback period of a new member.
2010 2011 2012
Monthly rev. / member $7.94 $8.54 $9.28
Acquisition cost / member $152 $130 $150
Gross margin % 68.3% 67.7% 71.1%
Payback on gross profit (in months) 28 22 23
Op. profit % ex. sales and marketing 40.8% 49.5% 49.2%
Payback on op. profit ex. s&m (in months) 47 31 33
So, based on the 2012 numbers, a customer becomes profitable on an operating basis after about 2.75 years of membership. I believe, however, that this number is misleadingly low because LOCK could not actually operate its business with zero sales and marketing expense. LOCK must spend enough money on sales and marketing to replace dropped members. I can estimate this cost and calculate a new payback period:
2010 2011 2012
Monthly rev. / member $7.94 $8.54 $9.28
Acquisition cost / member $152 $130 $150
Dropped members (in 1000s) 390 377 357
Marketing to replace dropped (in $millions) $59.3 $49.0 $53.6
Op. profit % ex. sales & marketing 7.8% 24.2% 29.8%
but incl. replacement marketing
Payback period (in months) 245 63 54
So, based on the 2012 numbers, the payback period on a new member rises to 4.5 years when the marketing expense to replace dropped members is included.
LOCK needs to be a lot more efficient to meet profit expectations. The (bullish) analysts’ forecasts for 2014 operating margins range from 7.5% to 12.25%. LOCK’s operating income was only $13.1 million in 2012, 4.7% of revenues. In order to meet long-term estimates, LOCK must add millions of new members while reducing its costs. I do not believe that this is possible. Nobody else in this industry spends as much money on direct-to-consumer ads as LOCK. By the time that it completed its IPO, LOCK had an accumulated deficit of more than $200 million. LOCK reported operating losses of more than $55 million in both 2008 and 2009. LOCK had to spend hundreds of millions of dollars on marketing to achieve its current market share of approximately 7%. LOCK needs rapid growth to justify its high stock market valuation.
LOCK vs. INTX
LOCK is vastly overpriced when compared to its most direct pure-play public competitor, Intersections (INTX). INTX, which operates IdentityGuard, generates 99% of its revenue from identity protection services. The services provided by INTX are nearly identical to those of LOCK.
Key 2012 statistics:
EV $900 million $144 million
Revenue $276.4 million $349.2 million
EV / Revenue 3.3 0.4
EV / EBITDA 43.8 3.0
Operating Income $13.1 million $33.5 million
Operating Margin 4.7% 9.6%
Price / BV 4.1 1.3
Price / Tangible BV 23.0 2.5
Price / Op. Cash Flow 18.7 2.9
Dividend Yield 0% 7.50%
Subscribers 2.5 million 4.5 million
The Street clearly likes LOCK a lot more than INTX right now. One factor is that LOCK has six analysts who follow the company, while INTX has zero. All six of LOCK’s analysts work for the IPO underwriters and rate the stock at “Buy” or “Strong Buy”. All of these analysts promote the thesis that the identity protection industry is in the early stages of hyper-growth. I believe, however, that the industry may be in the early stages of a crisis.
INTX’s situation demonstrates that the identity protection business has serious problems. The company’s stock price has declined by almost 60% since mid-2011 because its revenue growth has disappeared. INTX has historically acquired most of its subscribers through its relationships with banks. INTX only spent $21.1 million on marketing in 2012. Unfortunately for INTX, its banking partners have reduced or stopped enrolling customers in identity protection services. The reason, according to management, is that the banks are under pressure from the Consumer Financial Protection Bureau (CFPB). In 2012, for example, the CFPB levied a $210 million fine against Capital One Financial for deceptively marketing several services, including identity protection. Due to the slowdown in its banking business, INTX’s management has vowed to increase consumer spending to compete directly with LOCK. As it stands now, INTX receives the kind of valuation multiples that the Street gives to slow-growth services business. If and when LOCK’s growth slows down, the stock will be extremely overvalued. The bulls on LOCK do not want people to notice this fact. The Deutsche Bank analyst, for example, does not even list INTX as one of LOCK’s comps. It actually appears that the DB analyst is unfamiliar with LOCK’s business. He lists a bunch of unrelated companies as comps for LOCK (e.g., Red Hat, Adobe, Oracle), but not actual direct competitors such as Experian and Equifax.
Here are the current Street estimates for LOCK:
EPS $0.33 $0.45
Revenue $340.3 mil. $402.6 mil.
The DB analyst has the highest price target on the Street at $17. His target is based on 27X estimated 2014 unlevered free cash flow ($0.55/share). The Canaccord analyst has the lowest price target at $12.50, based on 17X estimated 2014 FCF ($0.61/share). These valuations only make sense if LOCK can grow 25+% / year for the indefinite future. As I’ve argued, LOCK is a services business in a highly competitive market. LOCK has about $1.40 / share in cash. I believe that LOCK should trade at no more than 1X 2013 revenues. This valuation implies a stock price below $5 / share.
There will be a large number of shares eligible to sell when the IPO lock-up expires. Davis is the only executive with significant stock ownership. As a private company, LOCK funded itself with seven rounds of preferred stock sales. The preferred shares were converted into common shares when the IPO was completed. A large number of these shares are held by VCs: Kleiner Perkins, Industry Ventures, and Bessemer Venture Partners. Goldman Sachs and Symantec Corporation are also large holders. The 180-day lock up on insider sales will expire at the beginning of April, 2013. According to the prospectus, the holders of about 56.8 million shares (3X the current float) have registration rights. It is difficult to determine an actual share count for LOCK. The original share count was about 86 million shares, but the company said that the share count for 2013 will be 99 million shares. The stock currently trades only about 250K shares per day. The analysts are (obviously) promoting the stock in anticipation of multiple secondary offerings.
LifeLock, the identity protection company that could not protect its own CEO, is a company that should have died long ago. If you have read this far, you know that I believe that LOCK is in blatant violation of the 2010 FTC Order. LOCK continues to make unsubstantiated claims about its ability to protect against identity theft, promotes its nearly worthless guarantee, pays people to promote the company on the Internet, and charges for services of little value. Anybody can look at LOCK’s financials and see that LOCK’s ad spending has accelerated since it was accused of deceptive marketing. Aside from that issue, LOCK faces a market that already has too many firms providing the same services. Meanwhile, the need for these services is shrinking as the credit card companies and consumers are getting better at stopping identity thieves. Since it is a services business, I believe that a fair value for LOCK is below $5. If, however, the FTC or state attorneys take another look at LifeLock’s business practices, then the stock is worth much less than that.
This research report expresses my research opinions, which I have based upon certain facts, all of which are based upon publicly available information. Any investment involves substantial risks, including complete loss of capital. Any forecasts or estimates are for illustrative purpose only and should not be taken as limitations of the maximum possible loss or gain. Any information contained in this report may include forward-looking statements, expectations, and projections. You should assume these types of statements, expectations, and projections may turn out to be incorrect. This is not investment advice nor should it be construed as such. You should do your own research and due diligence before making any investment decision with respect to securities covered herein. The author may have a short position in this stock and may trade this stock.
|show sort by|
Are you sure you want to close this position LIFELOCK INC?
By closing position, I’m notifying VIC Members that at today’s market price, I no longer am recommending this position.
Are you sure you want to Flag this idea LIFELOCK INC for removal?
Flagging an idea indicates that the idea does not meet the standards of the club and you believe it should be removed from the site. Once a threshold has been reached the idea will be removed.
You currently do not have message posting privilages, there are 1 way you can get the privilage.
Apply for or reactivate your full membership
You can apply for full membership by submitting an investment idea of your own. Or if you are in reactivation status, you need to reactivate your full membership.
What is wrong with message, "".