In re Lifelock Inc. Securities Litigation 14-CV-00416-Consolidated Amended Class Action
Transcript of In re Lifelock Inc. Securities Litigation 14-CV-00416-Consolidated Amended Class Action
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 1 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
SUSAN MARTIN (AZ#014226) MARTIN & BONNETT, PLLC 1850 N. Central Ave. Suite 2010 Phoenix, Arizona 85004 Telephone: (602) 240-6900 [email protected]
POMERANTZ LLP Patrick V. Dahlstrom (pro hac vice) Louis C. Ludwig (pro hac vice) Ten South La Salle Street, Suite 3505 Chicago, Illinois 60603 Telephone: (312) 377-1181 Facsimile: (312) 377-1184 [email protected] [email protected]
Attorneys for Plaintiff
[Additional Counsel on Signature Page]
UNITED STATES DISTRICT COURT DISTRICT OF ARIZONA
In re Lifelock Inc. Securities Litigation Case No. 2:14-cv-00416-SRB
THIS DOCUMENT RELATES TO: CLASS ACTION
ALL ACTIONS
Hon. Susan R. Bolton
CONSOLIDATED AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF FEDERAL SECURITIES LAWS
DEMAND FOR JURY TRIAL
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 2 of 81
1 Lead Plaintiff Chet K. Gray (“Plaintiff”), individually and on behalf of all
2
I other persons similarly situated, by his undersigned attorneys, for his complaint
3 against defendants, alleges the following based upon personal knowledge as to
4
5 himself and his own acts, and information and belief as to all other matters, based
6
I upon, inter alia, the investigation conducted by and through his attorneys, which
7 included, among other things, a review of the defendants’ public documents, 8
conference calls and announcements made by defendants, United States Securities 9
10 and Exchange Commission (“SEC”) filings, wire and press releases published by
11 and regarding LifeLock, Inc. (“LifeLock” or the “Company”), analysts’ reports and 12
advisories about the Company, interviews with Confidential Witnesses (“CWs”), 13
14 and information readily obtainable on the Internet.
15
NATURE OF THE ACTION
16 1. This is a federal securities class action on behalf of a class consisting
17
18 of all persons and entities that purchased or otherwise acquired LifeLock common
19 stock between February 26, 2013 and May 16, 2014, both dates inclusive (the
20 “Class Period”), seeking to recover damages caused by defendants’ violations of the 21
federal securities laws and to pursue remedies under §§ 10(b) and 20(a) of the 22
23 Securities Exchange Act of 1934 (the “Exchange Act”) and Rule 10b-5
24 promulgated thereunder against the Company and certain of its top officials. 25
2. Throughout the Class Period, defendants represented that the 26
27 Company was in compliance with a settlement it had entered into with the Federal
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 1 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 3 of 81
1 I Trade Commission (“FTC”) regarding the Company’s advertising and other
2
I representations about its business and services. Moreover, the Defendants
3 maintained that their settlement with the FTC was based on earlier practices and
4
5 technology employed by the Company and, therefore, only related to the earlier
6
I practices. The Defendants gave the impression that the Company was in full
7 compliance with the settlement with the FTC and that its present technology and 8
services supported the representations made by the Company in its advertising. 9
10 3. In fact, during the Class Period, the Company was not in compliance
11 with its FTC settlement, nor did the technology employed by the Company support 12
the claims in the Company’s advertising. Through selective misstatements and 13
14 omissions, the Defendants materially misrepresented to the market that it was in
15 compliance with the FTC settlement and that it had changed its practices to stay in
16 compliance and offer the protection against identity theft and identity fraud that the
17
18 Company advertised.
19
4. Towards the end of the Class Period, through a series of partial
20 disclosures of the Company’s materially false representations and the
21
22 materialization of the risk in omitting the truth about the Company’s services and
23 compliance with the FTC settlement, the price of LifeLock common stock declined
24 by statistically significant amounts, causing economic losses to Plaintiff and other
25
26 members of the Class who purchased LifeLock common stock during the Class
27 Period in violation of the Exchange Act.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 2 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 4 of 81
INTRODUCTION 1
2
5. Founded in 2005, LifeLock is a self-proclaimed provider of proactive
3 identity theft protection, and provides services to consumers and enterprises.
4
5 6. LifeLock’s initial business model involved placing 90-day fraud alerts
6 on hundreds of thousands of its clients’ credit files maintained by the major credit
7 agencies. Essentially, LifeLock charged customers $10 a month to act as a 8
middleman for services that the credit agencies are required to provide to consumers 9
10 for free.
11 7. After one of those credit agencies, Experian, sued LifeLock for 12
allegedly forcing it to process large numbers of frivolous fraud alerts and to mail 13
14 mandatory notices to customers, the Company was forced to agree to abandon this
15 practice.
16
8. LifeLock resorted to aggressive marketing and advertising with its 17
18 CEO Todd Davis (“Davis”) appearing in a number of advertisements in which
19
Davis publicly revealed his Social Security number and dared anyone to steal his
20 financial information.
21
22 9. Despite the ads’ claim that LifeLock would all but thwart any attempt
23 on Davis’ data, enterprising identity thieves took the CEO up on his dare, and stole
24 his identity some 13 times. By this time, LifeLock’s predilection for making
25
26 outlandish claims on behalf of their products had drawn the notice of the FTC.
27
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 3 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 5 of 81
1 10. On March 8, 2010, the FTC revealed in a press release that it had
2 pursued claims against LifeLock and Davis in complaints alleging, inter alia, that
3 the Company issued dramatically misleading advertisements and guarantees to
4
5 customers regarding its identity theft protection services. The FTC alleged that the
6 Company’s aggressive advertising campaigns misled consumers into believing that
7 the Company provided certain services and benefits which, in fact, were not 8
provided. The FTC further alleged that the Company misled consumers to believe 9
10 that LifeLock’s protection services “provided complete protection against all forms
11 of identity theft by making customers’ personal information useless to identity 12
thieves.” 13
14 11. The FTC complaint highlighted the following specific fraudulent and
15 misleading advertisements and statements by the Company:
16
• “MY SOCIAL SECURITY # IS XXX-XX-5462. I’m Todd Davis,
17
CEO of LifeLock, and this really is my social security number. I give it
18 just to prove how safe your identity can be with LifeLock.”
19 • “Do you ever worry about identity theft? If so, it’s time you got to
20 know LifeLock. We work to stop identity theft before it happens.
We’re so confident, we back our clients with a $1 million guarantee.” 21
22 • “We aim to stop identity theft before it happens. . . . Every three
seconds an identity is stolen. We’re here to make sure it doesn’t happen
23
to you.”
24
• “My social security number is XXX-XX-5462. I’m Todd Davis, CEO
25 of LifeLock, and yes, that’s my real social security number. Identity
26 theft is one of the fastest growing crimes in America, victimizing over
10 million people a year and costing billions of dollars. So why publish
27 my social security number? Because I’m absolutely confident
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 4 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 6 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
LifeLock is protecting my good name and personal information, just like it will yours.”
• “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . . LifeLock protects against this ever happening to you. Guaranteed .”
• “LifeLock doesn’t just report unauthorized use of credit information, we prevent it by working with the top four credit bureaus to make sure you’re contacted to approve any credit transaction before it takes place .”
• “LifeLock clients are contacted every time someone attempts to open credit in their name or change an address.” (Bold added).
12. The FTC also alleged that after LifeLock collected sensitive,
personally identifiable information regarding consumers, such as names, addresses,
email addresses, telephone numbers, social security numbers, and credit card
I information, it failed to adequately and reasonably protect this information and
misled consumers regarding the nature of its data protection.
13. In February 2010, as a result of its fraudulent advertising practices
and false claims about safeguarding customer data, the Company and Davis entered
into the Stipulated Final Judgment and Order for Permanent Injunction and Other
Equitable Relief as to Defendants Lifelock and Davis (the “Settlement Order”),
whereby the Company and Davis settled allegations by the FTC that certain of the
Company’s advertising and marketing practices constituted deceptive acts or
practices in violation of the Federal Trade Commission Act of 1914 (15 U.S.C §§
41-58, as amended).
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 5 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 7 of 81
1 14. The Settlement Order imposed on the Company and Davis certain
2
I injunctive provisions relating to advertising and marketing of LifeLock’s identity
3 theft protection services, such as enjoining LifeLock from making any
4
5 misrepresentation of “the means, methods, procedures, effects, effectiveness,
6
I coverage, or scope of” the Company’s identity theft protection services.
7 15. At the time it entered into the Settlement Order, LifeLock also entered 8
into companion orders with 35 states’ attorneys general that imposed on the 9
10 Company similar injunctive provisions as the Settlement Order relating to
11 LifeLock’s advertising and marketing of identity theft protection services. The 12
Settlement Order provided for a consumer redress payment of $11 million, which 13
14 the Company made in 2010 to the FTC for distribution to the Company’s members.
15
The Settlement Order also provided for an additional consumer redress payment of
16 $24 million in the event of a default by the Company.
17
18 16. Despite the Settlement Order, Lifelock continued to pursue a range of
19
deceptive practices with respect to its products and services.
20 17. For example, one of LifeLock’s main selling points involves its
21
22 promise to keep its customers timely informed by alerting them through “alerts”
23 anytime a customer’s credit is run, such as when credit is applied for in the name of
24 the customer. Indeed, LifeLock’s website states as follows:
25
26 Alerts When You Need Them
27 With our patented LifeLock Identity Alert ® system, as soon as we
28 detect a threat to your identity, you’ll be notified by text, phone or
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 6 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 8 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
email, to help stop thieves before they do damage ... So while you’re out there connecting to the world, we’ll be here helping to keep your personal information safe. (Bold added).
18. To the contrary, as explained in more detail below, LifeLock, without
any warning, would turn off or reduce these alerts in order to reduce the call volume
received by its customer support center. Moreover, elderly customers were
specifically targeted for this treatment based on their supposed lack of technological
savvy. Indeed, thousands, if not hundreds of thousands, of alerts were never sent to
LifeLock’s customers by any means of communication.
19. Consequently, four years after entering into the Settlement Order, the
Company buried in a Form 10-K filed with the SEC on February 19, 2014, that it
had met with the FTC regarding its alleged non-compliance with the terms of the
Settlement Order, after what the Company called a “whistleblower” had alleged
certain violations of the Settlement Order in a complaint. The Company stated, in
relevant part:
On January 17, 2014, we met with FTC Staff, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order . Following this meeting, we expect to receive either a formal or informal investigatory request from the FTC for documents and information regarding our policies, procedures, and practices for our services and business activities. Given the heightened public awareness of data breaches and well as attention to identity theft protection services like ours, it is also possible that the FTC, at any time, may commence an unrelated inquiry or investigation of our business practices and our compliance with the FTC Order. We endeavor to comply with all applicable laws and believe we are in compliance with the requirements of the FTC Order. We believe the increased regulatory scrutiny will continue in our industry for the foreseeable future and
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 7 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 9 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
could lead to additional meetings or inquiries or investigations by the agencies that regulate our business, including the FTC. (Bold added.)
20. Significantly, the renewed FTC investigation, which could potentially
I result in significant fines against the Company and threaten its future financial
viability, was not announced in a press release, listed under legal proceedings, or in
any way highlighted in the Company’s Form 10-K. Instead, it was buried in the
middle of a paragraph under the section “Government Regulation.” Market
watchers, however, found the reference and ultimately recognized its significance.
Within days, an article published on Seeking Alpha , a crowd-sourced content
service for financial markets, explained the import of the buried disclosure in an
article entitled: “Lifelock: Pending FTC Investigation Revealed in 10-K . ”
21. On this news of LifeLock stating in a filing with the SEC that a
“whistleblower” claimed that LifeLock had not complied with the Settlement Order,
LifeLock common stock fell from $21.79 to $20.32 per share, more than 6%, on
unusually heavy trading volume on the next trading day.
22. Although LifeLock referenced “a” whistleblower claim in its Form
10-K, Defendants knew in February 2014 that the Company had already settled one
whistleblower complaint under Arizona’s wrongful termination statute, and that a
second whistleblower under Sarbanes-Oxley had been filed alleging similar
violations of the Settlement Order.
23. Indeed, when the second whistleblower action was revealed to the
public regarding, among other things, non-compliance with the Settlement Order
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 8 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 10 of 81
1 I and turning off or reducing the number of alerts sent to customers in violation of the
2
I Settlement Order, the price of LifeLock common stock fell again, this time from
3 $20.10 to $17.11 per share, or more than a 15% decline.
4
5 24. LifeLock shares declined once again on the news that the Company’s
6
I technology did not support the claims the Company had made in its advertising
7 because it was not in compliance with security standards. Upon this further 8
revelation of non-compliance with the Settlement Order and additional violations 9
10 under FTC regulations, LifeLock common stock dropped from $12.98 to $10.70 per
11 share, a more than 17% decline. 12
25. Throughout the Class Period, defendants made materially false and 13
14 misleading statements regarding the Company’s business, operational and
15 compliance policies. Specifically, defendants made false and/or misleading
16 statements about and/or failed to disclose, inter alia, that: (a) Defendants
17
18 misrepresented “the means, methods, procedures, effects, effectiveness, coverage,
19 or scope of” Lifelock’s customer alerts in violation of the Settlement Order; (b)
20 LifeLock’s self-described “proactive, near real-time, actionable alerts” were subject
21
22 to regular delays and were actively disabled; (c) Lifelock did not “constantly
23 monitor[] identity-related events” or offer “24x7x365 member service support”; to
24 the contrary, Defendants actively disabled customer alerts on multiple occasions;
25
26 (d) Defendants misrepresented “the means, methods, procedures, effects,
27 effectiveness, coverage, or scope of” Lifelock’s credit-monitoring service, which
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 9 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 11 of 81
1 I provided inaccurate and/or misleading information to customers; (e) Defendants
2
I failed to establish a comprehensive data security program in violation of the
3 Settlement Order; (f) Defendants had failed to assess the effectiveness of their
4
5 information security practices and technical controls; (g) LifeLock failed to
6
I adequately monitor its compliance with the Settlement Order as required by the
7 FTC; (h) LifeLock and its operations were non-compliant with basic, industry-wide 8
credit card security standards, did not safeguard customer credit card data, and had 9
10 not trained its agents in such compliance; and (i) Defendants’ January 2014 meeting
11 with the FTC due to the renewed allegations against it was not part of a “regular” 12
pattern of meeting with the regulators, but was specifically relevant to the serious 13
14 allegations raised by wrongful termination and/or whistleblower complaints.
15
JURISDICTION AND VENUE 16
26. The claims asserted herein arise under and pursuant to §§ 10(b) and 17
18 20(a) of the Exchange Act (15 U.S.C. § 78j(b) and 78t(a)) and Rule 10b-5
19 promulgated thereunder (17 C.F.R. § 240.10b-5).
20 27. This Court has jurisdiction over the subject matter of this action 21
pursuant to § 27 of the Exchange Act (15 U.S.C. § 78aa) and 28 U.S.C. § 1331. 22
23 28. Venue is proper in this District pursuant to § 27 of the Exchange Act,
24 15 U.S.C. § 78aa and 28 U.S.C. § 1391(b), as LifeLock’s principal place of 25
business is located within this District and a substantial part of the conduct 26
27 complained of herein occurred in this District.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 10 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 12 of 81
1 29. In connection with the acts, conduct and other wrongs alleged in this
2
Complaint, defendants, directly or indirectly, used the means and instrumentalities
3 of interstate commerce, including but not limited to, the United States mail,
4
5 interstate telephone communications and the facilities of the national securities
6 exchange.
7 PARTIES 8
30. Plaintiff, as set forth in the attached Certification submitted with his 9
10 motion for appointment as Lead Plaintiff (Dkt. No. 34-2), acquired LifeLock
11 securities at artificially inflated prices during the Class Period, and has been
12 damaged upon the announcement of partial disclosures and the materialization of
13
the risk related to Defendants’ material omissions. 14
15
31. Defendant LifeLock is a Delaware corporation with its principal
16 executive offices located at 60 East Rio Salado Parkway, Suite 400, Tempe,
17
Arizona 85281. LifeLock’s common stock trades on the New York Stock 18
19 Exchange under the ticker symbol “LOCK.”
20 32. Defendant Todd Davis (“Davis”) has served as the Company’s 21
Chairman and Chief Executive Officer at all relevant times. Between April 2, 2013 22
23 and March 19, 2014, Davis sold approximately 300,000 shares of LifeLock.
24 33. Defendant Hilary Schneider (“Schneider”) has served as the 25
Company’s President at all relevant times. Between January 13, 2014 and May 15, 26
27 2014, Schneider sold more than 90,000 shares of LifeLock.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 11 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 13 of 81
1 34. Defendant Chris Power (“Power”) has served as the Company’s Chief
2
Financial Officer at all relevant times. Between June 17, 2013 and April 17, 2014,
3 Power sold nearly 150,000 shares of LifeLock.
4
5 35. The defendants named in ¶¶ 32-34 above are sometimes referred to
6 herein as the “Individual Defendants.”
7 SUBSTANTIVE ALLEGATIONS 8
Background and Marketing 9
10 36. LifeLock, which bills itself as “an industry leader in identity theft
11 protection and presents identity theft,” began offering services to the public in 2005. 12
LifeLock’s initial public offering (“IPO”) occurred in October, 2012. 13
14 37. Initially, LifeLock was founded as a simple fix to a perceived gap in
15
identity theft protection, namely the fact that every 90 days the major credit bureau
16 erased fraud alerts on customers’ credit accounts, even if questionable transactions
17
18 had recently occurred.
19
38. In response, customers began paying LifeLock $10 a month to call a
20 credit bureau every three months and put a fraud alert on their accounts. As the
21
22 Phoenix (Arizona) New Times explained in 2007, “[b]y law, if one bureau is
23 notified, it must alert the other two. LifeLock also offers insurance. If a customer
24 becomes a victim despite the service, LifeLock says it will pay losses (if the claim
25
26 holds up to scrutiny) of up to $1 million.”
27 39. During the Class Period, LifeLock offered Standard, Advantage,
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 12 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 14 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Ultimate and Junior monitoring subscriptions, ranging in price from $109.89 to
$329.89 annually, and boasting what LifeLock claims are varying levels of
technological sophistication. LifeLock Standard is advertised as including identity
theft detection and alerts within its network, lost wallet protection, address change
I verification, black market website surveillance, and reduced pre-approved credit
card offers. LifeLock Advantage claims to add Credit Alerts, Data Breach
Notification, Fictitious Identity Monitoring, Court Records Scanning, and online
annual credit reports and scores to the LifeLock Standard menu. LifeLock Ultimate
allegedly includes bank account takeover alerts within its network, enhanced credit
application alerts, and online credit reports and scores on top of the Standard
features. Lifelock’s Junior protection (aimed at children) purports to provide
identity theft detection and alerts, credit file verification, black market website
surveillance, and file sharing network searches.
40. All of LifeLock’s service plans feature the LifeLock Identity Alert ®
System: “[w]hen we find something suspicious, we’ll let you know through our
patented LifeLock Identity Alert® system.” The Identity Alert system is described
by the Company as follows:
Our technology searches for potential misuse of your Social Security number, name, address or date of birth in applications for credit and services. You can choose alerts by text, phone, email or mobile app and respond immediately to confirm if the activity is fraudulent with our proprietary Not Me ® verification technology.
41. Indeed, LifeLock’s website boasts (and boasted during the Class
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 13 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 15 of 81
1 Period) that “LifeLock actively monitors applications within an extensive network
2
for attempts to use your personal information. Whenever suspicious activity is
3 detected, you will receive an alert via email or phone. ” (Bold added).
4
5 42. During the Class Period, this actually involved little more than
6 LifeLock receiving files from one or more of the major credit bureaus that
7 contained information about activity on a customer’s credit card, and LifeLock’s 8
processing these files and sending alerts out to the customer about the activity. 9
10 43. LifeLock buries the limitations on its capabilities in its fine print. For
11 example, the pitch for LifeLock Ultimate PlusTM, which promises in full-sized print 12
that “We’ll issue alerts for merchant and lender inquiries being made against your 13
14 credit file so you can act quickly to help resolve fraudulent activity” is modified by
15 a small-font footnote warning vaguely that the “[n]etwork does not cover all
16 transactions[.]” See, e.g., http://www.lifelock.com/services/lifelock-ultimate-plus/
17
18 (Accessed Aug. 4, 2014).
19
44. The following graphic demonstrates how LifeLock promotes its
20 services as superior to traditional identify theft safeguards, i.e. , card issuers and
21
22 credit bureaus:
23
24
25
26
27
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 14 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 16 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0 LifeLock
LifeLock Offers Comprehensive Proactive Protection
0 LifeLock
In fact, consumers can, as commenters have noted, “handle many of the services
LifeLock provides – such as credit reports and cancelling cards in lost wallets – on
their own with a couple of (free) phone calls.” See “LifeLock’s Protection Leaves
Much to be Desired,” truthinadvertising.org (Apr. 9, 2013).
45. Furthermore, unlike some of its competitors, LifeLock does not own a
credit bureau. As a result, it is unclear how LifeLock would be able to provide
services such as alerting customers in the event that a credit check is done on them
unless a credit bureau advises LifeLock.
46. Nevertheless, Lifelock has successfully promoted its services with
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
Black Market Wbzite Surveillance
File-Sharing Network SeMches
Sex Offender Registry Reports
Reduced Pre-Approved Credit Card Offers
Lost Wallet ProedIo,i
Bank Account Thkeover Alerts?
Checking and Savings Account AppLicatiQn Aletht
Non-Credit Report Alerts*
Now C dIt/1oanAppIItIon Alrt
Address Change Verification
New Credit Card Application from Other RankjIssuers*
New Credit Card App1icdtIol from Exisling Bank/Issuers
Monitor Existing Credit Card Tr n.action
- 15 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 17 of 81
1 aggressive marketing tactics that, in addition to publishing CEO Davis’ Social
2
Security number on flyers, billboards, ads, and the side of a truck, have included
3 television commercials with Davis challenging anyone to try and use his personal
4
information. 5
6 47. LifeLock has also partnered with major banks, national corporations
7 and boasts celebrity endorsers. In addition to television, LifeLock advertises 8
heavily on the Internet and radio – its ads have been featured on Rush Limbaugh 9
10 broadcasts. Celebrity spokespersons for LifeLock have included Howard Stern,
11 Mark Levin, Rudy Giuliani, and Rush Limbaugh. 12
48. These tactics have proved successful. Currently, LifeLock boasts 13
14 more than 3 million members to its monthly service, $369.65 million in annual
15 revenue (for 2013), and 675 employees. According to the Company’s proxy, the
16 top six executives were paid more than $18 million in 2013 alone.
17
18 Litigation and the FTC Settlement
19 49. In February 2008, Experian, a major U.S. credit bureau, sued
20
21 LifeLock, alleging that LifeLock's practice of setting fraud alerts for consumers
22
harmed it. It also argued that LifeLock’s repeated renewal of the fraud alerts
23 clogged its system with bogus alerts, diminishing their effectiveness. LifeLock had 24
25 used fraud alerts to place nearly perpetual 90-day warnings on its customers’ credit
26 reports.
27 50. The Experian lawsuit was settled confidentially in October 2009. 28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 16 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 18 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
I According to Experian, LifeLock was “permanently restrained” from either directly
or indirectly filing alerts to any credit reporting agency on the behalf of its
customers, gutting the core of LifeLock’s original business model.
51. Around the same time, it was revealed that a marketing gimmick in
I which CEO Davis widely published his Social Security number, daring identity
thieves to take it, had backfired disastrously – Davis’ identity was stolen at least 13
times in the aftermath of the campaign. Thieves used Davis’ information to open
utility accounts, credit cards, and cell-phone service, racking up thousands of
dollars’ worth of debt in his name.
52. On March 8, 2010, the FTC announced that LifeLock had entered into
a settlement with the FTC for complaints against the Company and Defendant Todd
Davis alleging, inter alia, that the Company issued dramatically misleading
advertisements and guarantees to customers regarding its identity theft protection
services.
53. According to the FTC’s complaint, LifeLock had claimed:
• “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed .”
• “Please know that we are the first company to prevent identity theft from occurring .”
• “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens .” (Bold added).
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 17 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 19 of 81
1 54. The FTC’s complaint further alleged that LifeLock also claimed that it
2 would prevent unauthorized changes to customers’ address information, that it
3 constantly monitored activity on customer credit reports, and that it would ensure that
4
5 a customer always would receive a telephone call from a potential creditor before a
6 new account was opened. The FTC charged that those claims were false or
7 deceptive. 8
55. The FTC’s complaint charged that the fraud alerts that LifeLock placed 9
10 on customers’ credit files protected only against certain forms of identity theft and
11 gave them no protection against the misuse of existing accounts, the most common 12
type of identity theft. It also allegedly provided no protection against medical 13
14 identity theft or employment identity theft, in which thieves use personal information
15 to get medical care or apply for jobs. And even for types of identity theft for which
16 fraud alerts are most effective, LifeLock does not provide complete protection. They
17
18 alert creditors opening new accounts to take reasonable measures to verify that the
19
individual applying for credit actually is who he or she claims to be, but in some
20 instances, identity thieves can thwart even reasonable precautions.
21
22 56. As then-FTC Chairman Jon Leibowitz summed it up, “The protection
23
[LifeLock] actually provided left enough holes that you could drive a truck through it
24 ...”
25
26 57. In addition to its deceptive identity theft protection claims, LifeLock
27 allegedly made claims about its own data security that were not true. According to
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 18 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 20 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
the FTC, LifeLock routinely collected sensitive information from its customers,
including their Social Security numbers and credit card numbers. The Company
claimed:
• “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
• “All stored personal data is electronically encrypted.”
• “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
58. The FTC charged that LifeLock’s data was not encrypted, and
sensitive consumer information was not shared only on a “need to know” basis. In
fact, the agency charged, the company’s data system was vulnerable and could have
been exploited by those seeking access to customer information.
59. To settle the FTC complaint, LifeLock agreed, inter alia, to pay $11
million to the FTC, pay $1 million to a group of 35 state attorneys general, and
submit to continuing terms of compliance with the Settlement Order, including
biannual reporting obligations to extend for 20 years post-Settlement.
60. An “avalanche clause” for the full amount of judgment ($35 million)
plus interest would be triggered by any default in payment.
61. At the time, the FTC billed the settlement as one of the largest joint
FTC-state settlements on record.
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 19 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 21 of 81
1 62. In particular, the Settlement Order prohibits LifeLock from
2 misrepresenting “the means, methods, procedures, effects, effectiveness, coverage, or
3 scope of such product, service, or program” of any Company “product, service, or
4
5 program designed for the purpose of preventing, mitigating, or recovering from any
6 form of identity theft .... includ[ingj but ... not limited to, the placement of fraud
7 alerts on behalf of consumers, searching the internet for consumers' personal 8
data, monitoring commercial transactions for consumers' personal data, identity 9
10 theft protection for minors, and guarantees of any such products, services, or
11 programs.” (Bold added). 12
63. The Settlement Order also expressly bars LifeLock from 13
14 “misrepresenting in any manner, expressly or by implication, the manner or extent to
15 which they maintain and protect the privacy, confidentiality, or security of any
16 personal information collected from or about consumers.”
17
18 64. In addition, the Settlement Order required that LifeLock establish a
19 comprehensive data security program.
20
65. After the IPO, and prior to the disclosing events, LifeLock repeatedly, 21
22 albeit falsely, assured investors of its compliance with the Settlement Order.
23
66. Additionally, in 2012, LifeLock expanded its business dramatically
24 through its acquisitions of ID Analytics, described by LifeLock as “a leader in
25
26 enterprise identity risk management,” and Lemon, Inc., the creator of a “mobile
27 wallet” application that LifeLock marketed as part of its existing mobile service.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 20 -
.1 1p
I IN
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 22 of 81
1 67. LifeLock also continued its growth in subscribers and business :
2
3 Cumulative Ending Members
(in thousands)
4
3,221 3.250
5 3.cwx
6 2.750
7 2.5lX
8 2.250
9
2,000 10
11
12
13
68. LifeLock’s success proved to be a double edged sword, however.
14 LifeLock lacked the personnel and technical ability necessary to avoid
15
16 misrepresenting their services to customers, as well as to safeguard those customers’
17 personal information.
18 69. For example, according to one insider who worked at the Company 19
throughout the Class Period, “there was constantly something going on with keeping 20
21 the system maintained and updating code that could and did cause issues.”
22
Accordingly, “when we were doing a lot of code changes, there was a higher
23 occurrence of when we had to shut things down and fix it.” These problems would
24
25 cause delays in alerts going out as well as delays in other types of customer notices.
26
Each time a problem was fixed, a large backlog of alerts and notices went out at
27 once, causing the call volume to dramatically increase.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 21 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 23 of 81
1 70. The Company’s solution was to cut corners in both service and
2
I security. LifeLock deliberately turned off alerts to customers – in particular, elderly
3 subscribers – in order to lower call volume to its overburdened call center. Likewise,
4
5 LifeLock’s steps toward product expansion recklessly failed to protect customers’
6
I sensitive information, a supreme irony given LifeLock’s status as a self-styled
7 protector of such data. In the process, Defendants flagrantly violated the terms of the 8
Settlement Order, as well as misrepresented its services and abilities in its marketing 9
10 and advertising in violation of FTC regulations.
11 71. Defendants’ misrepresentations and omissions also were in violation of 12
Federal Securities laws as well as the Company’s own Code of Business Conduct and 13
14 Ethics, which enshrines the right of investors to “honest, accurate and consistent
15
information” while requiring LifeLock employees to “communicate truthfully and
16 completely.”
17
18 Wrongful Termination, the Whistleblower
Complaint, and the Renewed FTC Investigation 19
20 72. On July 8, 2013, Stephen P. Burke (“Burke”), a Senior Financial
21 Analyst and Cross Business Analytics Analyst at LifeLock, filed a complaint in the
22 United States District Court for the District of Arizona for wrongful termination 23
under Arizona state law. See Burke v. LifeLock, Inc. , No. 13-CV-1355 (D. Ariz.) 24
25 (Dkt. No. 1) (the “Burke Compl.”).
26 73. Burke alleged that, while working for LifeLock between February 2010 27
and March 2013, he learned that LifeLock 28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 22 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 24 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
... had and continues to have widespread system problems in processing [] alerts and sending them out to the customers as promised in its national marketing campaigns. The problem of timely informing customers that their credit information was accessed is so widespread that Defendant instituted a code freeze. In essence, Defendant is deliberately “stepping on the brakes” with regard to sending this critical information to customers on a timely basis, and worse, often choosing not to send these alerts out at all. This practice has been referred to as “throttling.”
Burke Compl., ¶ 13 (Bold added).
74. Specifically, Burke alleged that he “first learned of an issue with
[Lifelock]’s alert notification services to customers through an e-mail chain
forwarded to him in late November 2012 by John Lenstrohm [(“Lenstrohm”)],
[Lifelock]’s Director, Direct Response.” Id. , ¶ 15.
75. Subsequently, Burke discussed his concerns regarding the delaying of
alerts, the diminished alert notification service, the effects of not sending out alerts,
and “throttling of alerts,” i.e., not sending out alerts to customers anytime anyone did
anything with the customer’s name, with numerous LifeLock personnel, including
Lenstrohm, Vice President of Marketing Erick Dickens, Senior Manager Amanda
Mellon, Manager Brent Hazel, Melinda Keels (Finance), and Burke’s own
supervisor, Gregory Lim (“Lim”). Id. , ¶¶ 16-19.
76. Perhaps most significantly, Burke expressed his concern in the course
of these discussions that “throttling” might violate the Settlement Order as LifeLock
was engaged in false and misleading advertising regarding the alerts. Id. , ¶¶ 16, 19.
77. In support of this view, Burke highlighted the following unequivocal
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 23 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 25 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
I representation made by the Company on its website as of July 2013 (and which has
since been taken down):
Responding to Identity Theft
With LkLock' identity theft poIec6ozL we a1i you by o - maL phone or xi niesage i f we detect that your personal information otay hae been tLed -
mi v.ilI hear tTroiii W, oitiv when aiecesai-v.
T1killg Ft Ai lion
We r -iew each at tempt o 1111 StT yom ideiitiy. and proac com a Ct yot uivtiine we detect an exposure or threat. L1eLock U1thnate protection sues oiie iep furt1ir—if we detect a change to the coiitct infomia tion on yotu uk
accotlnTc. venll coillact you to help correct the siflti on tit
I See Burke Compl., ¶ 13.
78. Burke told Lim, his supervisor, that LifeLock “should adjust its
marketing messaging to reflect this diminished service ....” Id. , ¶ 19.
79. In response to Burke expressing his concerns to Lim, he was
terminated. Adding insult to injury, LifeLock did not follow up on Burke’s concerns
regarding customer alerts. ¶¶ 20-25.
80. Ultimately, LifeLock settled Burke’s wrongful termination suit under
Arizona state law for an undisclosed amount in February 2014, just as a true
whistleblower complaint under federal law against the Company was set to become
public.
81. On March 20, 2014, Michael D. Peters (“Peters”), LifeLock’s former
Chief Information Security Officer (“CISO”), filed a complaint in the United States
District Court for the District of Arizona pursuant to the whistleblower protection CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION
OF THE FEDERAL SECURITIES LAWS
- 24 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 26 of 81
1 provisions of the Sarbanes-Oxley Act, 18 U.S.C. § 1514A (“SOX”), and the Dodd-
2
Frank Act, 15 U.S.C. § 78u-6(h)(1)(A). See Peters v. LifeLock, Inc. et al. , No. 14-
3 CV-00576 (D. Ariz.) (Dkt. No. 1) (the “Peters Compl.”). Earlier, on August 19,
4
5 2013, Peters filed complaints with the FTC and the SEC, and filed a whistleblower
6
I complaint under SOX with the Department of Labor on August 23, 2013.
7 82. Peters was certified as Chief Information Security Officer (“CISO”), 8
Information System Security Professional, Information Security Manager, and 9
10 Computer Examiner in Risk and Information Systems Control. Peters Compl., ¶ 6.
11 83. On or about July 1, 2013, Peters began work as LifeLock’s CISO 12
following “an intense screening and vetting process by LifeLock [that] included more 13
14 than twelve face-to-face interviews, numerous telephonic interviews, drug testing, a
15 thorough review of eight years of Peters’s tax returns, thorough criminal and civil
16 background checks, and background checks on his education and employment.”
17
18 Peters Compl., ¶¶ 12, 16.
19
84. Peters alleges that upon commencing work at LifeLock, he
20 immediately began an initial risk assessment at LifeLock. Before his hiring,
21
22 LifeLock had never conducted a bona fide risk assessment. Even in the preliminary
23 stages of the risk assessment, Peters began to discover many instances of illegal and
24 incompetent practices that constituted fraud against LifeLock’s shareholders.
25
26 According to Peters, these included, but were not limited to, the following:
27 a. LifeLock’s manager of database administration, Jacqueline Hufford-
28 Jensen, signed a Sarbanes-Oxley audit verifying that the information
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 25 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 27 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
contained in that audit was true and correct even though the time period she was attesting to predated her hiring date at LifeLock.
b. LifeLock’s director of internal audits, Tony Valentine, had “collected” evidence from the information security team that existed prior to Peters’s arrival related to access logging, audit logging, audit log reviews, network security controls, and data leakage controls that either (1) did not truly exist because the technology was still in boxes; or (2) LifeLock lacked the staff to keep track of everything; or (3) such reviews were not actually conducted.
c. LifeLock employee Dave Bridgman told Peters that LifeLock’s current practice was to manipulate the customer alerts sent to its elderly customers. LifeLock would turn off or reduce the services alerting elderly customers to reduce the call volume received by LifeLock’s customer support center. Peters believed this was fraudulent since it sold its services to the general public without any disclosure that alert services would be limited for certain segments of the population.
d. LifeLock was in the process of finalizing a new product offering called PassLock. This system was designed to allow customers to include their passwords for up to ten accounts. PassLock would then crawl through hundreds of internet sites to check the username and password supplied by the customer and report back to the customer. The problem was that the database was not being protected with industry-grade encryption. The database was predicted to contain millions of customer credentials that would be devastating to consumers if a breach occurred. Moreover, the system was going to utilize a third-party cloud hosting business without that third party’s knowledge or consent. Technically, the PassLock crawling would be identified by most service providers as intrusive, illegal, illegitimate, and then blacklist the source address. The unknowing third-party cloud hosting service would suffer significant business damage and LifeLock could face significant liability thereby damaging its shareholders.
Peters Compl, ¶ 17 (bold added).
85. Furthermore, Peters alleges that “LifeLock’s security posture was at
high risk.” In particular, “Peters determined that LifeLock’s internal capacity for
governance implemented (policies, audit plan, change controls, architectural review,
etc.) was at 47% of the minimum to protect LifeLock’s customers and their sensitive
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 26 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 28 of 81
1 information. If a security breach occurred, LifeLock’s shareholders would be
2
damaged.” Id. , ¶ 18.
3 86. Peters also “determined that LifeLock’s technological security
4
5 readiness (intrusion prevention, data leakage, data encryption, access controls,
6 physical security, etc.) was only at 27% of the minimum to protect LifeLock’s
7 customers and their sensitive information.” Id. , ¶ 19. Again, “[i]f a security breach 8
occurred, LifeLock’s shareholders would be damaged.” Id. 9
10 87. Additionally, Peters “determined that LifeLock’s security vigilance
11
(vulnerability testing, auditing, monitoring, awareness education, event logging, 12
incident management, etc.) was at 0% of the minimum to protect LifeLock’s 13
14 customers and their sensitive information.” Id. , ¶ 20. Accordingly, “[i]f a security
15
breach occurred, LifeLock’s shareholders would be damaged.” Id.
16 88. Peters attributes the above-discussed problems, in part, to a lack of
17
18 qualified personnel: “LifeLock only had two people responsible for security. One
19
individual lacked technical skill and only had minimal security experience; the other
20 was fresh out of college and had technical skills, but lacked experience if a data
21
22 breach occurred.” Id. , ¶ 21. Based on this, “Peters concluded that millions of
23 customers were at risk given the data LifeLock possesses and is incapable of
24 protecting.” Id.
25
26 89. Peters alleges that when he advised LifeLock management, including
27 Defendant Power, of all of these problems, as well as the imminent need to hire at
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 27 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 29 of 81
1 least 12 information security professionals, LifeLock, rather than seeking responsive
2 solutions, fired Peters on a trumped-up charge of lying on his employment
3 application, despite his having already passed the Company’s intensive and invasive
4
5 vetting process with flying colors. See id. , ¶¶ 22-31.
6 90. After his firing, Peters filed a whistleblower complaint with the FTC on
7 August 19, 2013. ¶ 33. The FTC’s investigation remains ongoing. On July 31, 2014, 8
the Company admitted in a public filing that it had “received a request from the 9
10 Federal Trade Commission, or the FTC, for documents and information related to our
11 compliance with the FTC Order” as of March 13, 2014. 12
Confidential Witnesses 13
14 91. The allegations in the Burke and Peters complaints are corroborated by
15 Confidential Witnesses who worked at LifeLock during the Class Period in positions 16
that provided them a basis to observe the facts they provided, including meetings 17
18 with the Individual Defendants.
19
92. CW1 was a product manager at LifeLock’s San Diego office from the 20
time her employer, ID Analytics, was acquired by LifeLock in December 2011 until 21
22 May 2013. CW1 reported to Eric Rosado, VP of Consumer Products.
23
93. CW1’s job involved working on ID Analytics website and its
24 integration into LifeLock after acquisition in late 2011. CW1 was specifically
25
26 instructed remove some of the language on the ID Analytics website “so we didn’t
27 compete with LifeLock’s product offerings.”
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 28 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 30 of 81
1 94. With respect to the services purportedly provided by LifeLock, CW1
2 stated that one thinks because they have signed up that their identity information is
3 actively being monitored somehow, when it really is not.
4
5 95. In fact, CW1 stated that monitoring is not much more than a loose
6 association between your name and Social Security number.
7 96. During CW1’s tenure, from 2011 to 2013, LifeLock was incapable of 8
monitoring every activity using a customer’s social security number or other identity 9
10 information, CW1 said. In fact, many transactions, including fraudulent ones, could
11 occur without any alerts made to LifeLock or the customer. Accordingly to CW1, if 12
someone types in their name, account, and credit card number (as a LifeLock 13
14 customer), they are led to believe that it is being actively monitored, and that if
15 anyone tries to steal the information, LifeLock will alert the customer no matter
16 where it is. But no one can actually do that. You’d have to have every single
17
18 Internet entity in your network, and nobody can do that.
19
97. CW1 further noted that only a “handful” of financial institutions agreed
20 to participate in LifeLock’s network, which is a network of shared data that the
21
22 Company uses to monitor activity on customers’ identity information, such as Social
23
Security numbers. Bank of America, Discover, and AT&T credit cards were the only
24 large financial institutions that participated in the network during the time of CW1’s
25
26 employment.
27
98. CW1 stated that if an institution did not participate in the network,
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 29 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 31 of 81
1 LifeLock had no means to monitor any transactions in real time at that institution
2
I using LifeLock’s customers’ identities. LifeLock could not report a transaction the
3 moment they happened, as it advertises. For example, if someone applied for a credit
4
5 card at Chase Bank, and Chase is not in the network, LifeLock would have never
6
I received the information about that application, even if it were done fraudulently
7 using a LifeLock customer’s Social Security number. 8
99. CW1 asserted that the only activity LifeLock could monitor was 9
10 activity that occurred at the institutions participating in LifeLock’s network. But even
11 those institutions didn’t always alert LifeLock to activity on a customers’ identity. 12
100. CW1 said that when an institution ran a customer’s identity information 13
14 through LifeLock’s network to check its authenticity, it did so most of the time
15
because that institution had already detected something suspicious and would on its
16 own identify the fraudulent activity without LifeLock’s assistance.
17
18 101. CW1 stated that LifeLock’s true function is as a marketing services
19 company, selling data on people, i.e., LifeLock’s customers, who provide the
20 company with their personal information, financial accounts, social security numbers
21
22 and other personal information.
23
102. CW1 described LifeLock’s business as having substantial customer
24 data which the Company can market. Indeed, CW1 described LifeLock as a
25
26 marketing engine, where the Company sells this data over and over and over again.
27 103. Even though the Settlement Order, signed in 2010, states that all
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 30 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 32 of 81
1 I employees that deal with the stipulations addressed in the Order must be provided
2
I with the order, CW1 said she never received a copy of the Order, nor did her
3 superiors at LifeLock tell her about the provisions of the Order.
4
5 104. CW1 states that the FTC investigation was well known at the
6
I Company, and she understood that some changes to advertising were required, but
7 she did not have more details about what types of advertising was prohibited. 8
105. CW1 stated that the only FTC-related changes she was aware of 9
10 involved a $1 million guarantee. Specifically, CW1 heard that LifeLock had to stop
11 guaranteeing customers they would receive $1 million in insurance if their identity 12
was stolen, and that the Company’s advertisements began to say instead that 13
14 LifeLock would pay for up to $1 million to help customer recover from the damages
15 caused by an identity theft.
16 106. CW1 said that CEO Davis was “very involved” in the company and
17
18 that he personally participated in marketing plans. Indeed, CW1 stated that Davis
19 reviewed plans and strategy documents. After the ID Analytics acquisition, CW1
20 and other employees were in Tucson and Davis popped into a marketing review
21
22 meeting to and took part in the review of the marketing plans.
23
107. CW2 was a Customer Relationship Management (“CRM”)
24 Administrator at LifeLock from March 2012 to November 2012. CW2 reported to
25
26 Pat Pendleton (“Pendleton”), Chief Information Officer.
27 108. CW2 states that LifeLock did not have a Network Operations Center
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 31 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 33 of 81
1 (“NOC”) that monitored the company’s internal computer systems to ensure that it
2 was functioning properly and to catch problems, security breaches, and failures when
3 they occurred. CW2 described NOC as a computer system that uses software
4
5 programs and human monitoring to detect problems, security breaches, or failures in
6
I the company’s data networks and servers .
7 109. According to CW2, LifeLock had an automated computer processing
8
9 system that was set up by an employee who subsequently left the Company, and no
10 one at LifeLock was managing the system or even knew how to manage the system.
11 110. Due to the lack of a NOC and the unmanaged automated processing
12
13 system, files at LifeLock were not always processed in a timely manner. This
14 included alerts to customers about activity on their credit cards and membership
15 enrollment in LifeLock’s alert system. 16
111. Prior to the IPO, the Company’s Chief Information Officer (“CIO”) 17
18 was preparing to implement a NOC and train employees to manage the automated
19 processing system. Immediately after the IPO in October 2012, the CIO was let go 20
and the plans for improving the company’s internal systems were dropped. 21
22 112. CW2 said companies like LifeLock that boast large internal data and
23 processing systems typically have an NOC, which is managed and overseen by a
24 group of employees dedicated to ensuring that a company’s internal data and
25
26 processing systems are working correctly.
27
113. When CW2 began working at LifeLock, he realized the company did
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 32 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 34 of 81
1 not have an NOC, and he began to recommend that it develop one. He said he
2
I pushed for the NOC because LifeLock’s system regularly had delays and failures of
3 the company’s automated system to process files in a timely manner.
4
5 114. With an NOC, the company could catch these problems quickly and
6
I alert the proper employees who could immediately begin to deal with fixing it. If a
7 server was having a hardware malfunction or low memory, somebody needed to be 8
able to catch that stuff before it can cause a problem and affect coverage. CW2 rated 9
10 the importance of LifeLock having a NOC as very high. Because of the nature of
11 what LifeLock does, the importance is definitely an 8 or 9 (out of 10). Knowing 12
whether or not LifeLock has a server that’s going to crash is important. It is 13
14 customer-affecting, because LifeLock claimed it did 24-hour monitoring, so it had to
15
be sure that its system was up full time.
16 115. As noted above, LifeLock had an automated processing system during
17
18 the Class Period. CW2 said this system was designed to automatically process files
19
that came into the company’s data network on a regular schedule. For example, new
20 enrollments in LifeLock would come into the network and the system was supposed
21
22 to process those enrollments within 24 hours. Yet sometimes the system would fail
23
to do so. In such instances, employees would only be alerted to the failure at the time
24 of the next scheduled processing.
25
26 116. CW2 said that if a certain type of file was scheduled to be processed
27
I every Thursday, but the system failed to process a batch, no one at the Company
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 33 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 35 of 81
1 would know the files were not processed until a next set was supposed to be
2 processed the following Thursday.
3 117. CW2 said the files not processed were things that would affect sales,
4
5 things that would affect support. For instance, the problems could affect alerts about
6 activity on a customer’s’ credit card.
7 118. CW2 said the problem delayed alerts about activity on personal credit 8
cards. Alerts were supposed to be processed within 24 hours of improper activity 9
10 involving customers’ credit cards.
11 119. CW2 personally noticed that LifeLock alerts about activity on his own 12
credit cards often didn’t arrive until 2 or 3 days after he knew he had activity on his 13
14 credit cards. This was due to problems with the automated system, which is still on-
15 going.
16 120. CW2 discussed the need to improve the automated processing system,
17
18 train employees on how to use it, and develop a NOC with CIO Pendleton.
19
Pendleton agreed with CW2’s recommendations and, in the months prior to
20 LifeLock’s initial public offering, Pendleton and CW2 began planning the
21
22 development of such a system.
23
121. However, immediately after the IPO in October 2012, LifeLock let
24 Pendleton go. “No one had no warning, and everybody was on the same page of
25
26 being surprised.” After Pendleton left the Company, all the plans to improve the
27 automated system, train employees to use the automated system and install a NOC
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 34 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 36 of 81
1 evaporated. Moreover, CW2 said plans to fix a problem with LifeLock receiving
2 enrollment information from new customers who signed up through AOL.com were
3 also scuttled with Pendleton’s ouster.
4
5 122. CW3 was a Manager, Member Services, at LifeLock from September
6 2012 to July 2013. CW3 reported to Eric Blomgren (“Blomgren”), Team Manager,
7 Member Services. 8
123. CW3 worked as a manager in the call center located in Tempe, 9
10 Arizona, and has many years of experience working at other large companies’ call
11 centers. 12
124. CW3 saw many problems at LifeLock’s call center and addressed the 13
14 problems with CW3’s superiors. CW3 characterized the call center as a lot of chaos,
15 no conformity, no efficiency. People were flying by the seat of their pants and didn’t
16 know what they were doing.
17
18 125. CW3 resigned after approximately nine months because LifeLock
19 managers resisted any complaints about the problems at the call center.
20 126. When CW3 began working at the Company, the call center was
21
22 understaffed. The Company was in the process of hiring many people, but when the
23 call center began to receive high volumes of calls, LifeLock would turn off the alerts
24 going out to members informing them of activity on their credit.
25
26 127. Quite simply, the Company turned off alerts to control call volume
27
because the call center was understaffed. There would be a large queue (of calls),
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 35 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 37 of 81
1 I and all the sudden it would stop because the alerts were turned off.
2
128. The Company had a process in place for when call volume hit certain
3 levels, which were color-coded as yellow and red alerts. When calls reached a certain
4
5 volume, call center employees had to call the IT department and alert them. The IT
6
I department had the ability to turn off the alerts.
7 129. Blomgren often talked about how LifeLock was able to “manage” 8
alerts to lower calls volume, which meant turning them off. In staff meetings, where 9
10 all managers were present, Blomgren reported that the Company could control the
11 volume. On days when the call center was understaffed the alerts were turned off. 12
On holidays when many employees were not working, the alerts were turned off. 13
14 130. CW3 said LifeLock was not Payment Card Industry Data Security
15
Standard (“PCI DSS”) compliant during the time CW3 was at LifeLock, even though
16 that was a requirement for handling credit card information.
17
18 131. PCI DSS is a proprietary information security standard promulgated by
19
the Payment Card Industry Security Standards Council for organizations that handle
20 cardholder information. According to LifeLock, PCI DSS compliance ensures “that
21
22 important identity theft precautions have been taken on your behalf including
23
installing firewalls, monitoring for malware and other basic precautions ....”
24 132. CW3 said managed a team of new call center agents, none of whom
25
26 had gone through PCI compliance training. Nonetheless, these agents were handling
27 credit card information for LifeLock.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 36 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 38 of 81
133. CW3 handled at least three calls from customers who called to 1
2
I complain that they had received access to someone else’s credit report instead of
3 their own. One customer had just upgraded to a higher level of service that gave
4
5 members full access to their credit report at all times. When the customer in question
6
I logged in and accessed the credit report, it was a credit report for someone else.
7 134. CW3 was unable to figure out why this happened and took the 8
complaint to Blomgren, who, while indicating that he was aware that this situation 9
10 happened sometimes, did nothing to fix the situation. According to CW3, Blomgren
11 acknowledged that it happened, but simply did nothing about it. 12
135. The Company did not have a fix for the problem, according to CW3. 13
14 Instead, CW3 was instructed to simply put the customer back into the lower level
15 service plan that did not have access to credit reports. There was no way to give that
16 customer their credit report. CW3 said the complaint was unresolved from the time it
17
18 was reported it until CW3’s resignation three months later. Whenever CW3 asked
19
Blomgren about it, he would respond that he was still working on it.
20 136. The other two customers who complained about the same problem
21
22 wanted their membership fees returned and cancelled the service because they no
23
longer believed LifeLock was protecting their information.
24 137. According to CW3, PCI compliance prohibits merchants from keeping
25
26 the recordings of consumer credit card numbers on recorded phone calls. LifeLock,
27
however, was not erasing the credit card numbers off of the phone calls it recorded,
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 37 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 39 of 81
1 I she said. CW3 listened to these recordings as part of CW3’s job. The credit card
2
I numbers were still on the recordings which is a violation of PCI compliance.
3 138. According to CW3, members also called in to complain about not
4
5 receiving an alert when they applied for credit or financing somewhere. The
6
I customers did not subsequently receive an alert from LifeLock about it. LifeLock
7 promotional materials stated that customers would receive alerts when an application 8
for credit was made with their identity information. When customers called to 9
10 complain about not receiving alerts, which was frequent, call center agents were
11 required to read off a prepared script, which misleadingly stated that some retailers or 12
financial institutions had their own internal credit approval process and that some 13
14 merchants offer their own internal financing, so they might not pull the members’
15 credit from the credit bureaus.
16 139. Often, after telling the customer this information, call center agent
17
18 would look at the member’s credit report and see that in fact their credit had been
19 pulled by the merchant in question. The agent would apologize to the customer and
20 say that some alerts take longer than others or that perhaps the credit bureau just
21
22 updated their credit information. It was LifeLock’s way of covering it, so they could
23 send the alert to them anytime.
24 140. CW3 said members who applied for credit at Macy’s and did not
25
26 subsequently receive an alert from LifeLock were a particularly problematic source
27 of complaints. The problem was that Macy’s was not a participating member of
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 38 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 40 of 81
1 LifeLock’s network so LifeLock did not receive the information from Macy’s about
2 the credit application. Nobody ever got an alert from Macy’s, CW3 said.
3 141. When members called to complain about this, call center employees
4
5 were not allowed to tell customers that Macy’s was not a participating merchant in
6 LifeLock’s network. The only thing LifeLock employees could tell members was that
7 it’s a possibility they are not in our participating network. 8
142. CW3 said LifeLock has a list of companies that participate in the 9
10 network, but they do not share it with consumers. LifeLock does not receive
11
information about credit applications from companies that are not part of the 12
network, so LifeLock cannot send those alerts out to members. 13
14 143. CW4 was a Member Services Manager at LifeLock from February
15
2012 to January 2014, based at the company’s call center headquarters in Tempe,
16 Arizona, and reported to Blomgren and David O’Neill, both Directors of Member
17
18 Services.
19
144. According to CW4, LifeLock’s credit monitoring service, which was a
20 selling point for its premium services, was extremely problematic during CW4’s
21
22 tenure.
23
145. The service allowed customers to check their credit score at any time,
24 which was supposedly a combination of all three credit bureau numbers. The number
25
26 that customers received from LifeLock, however, often was dramatically different
27 than the number that lenders would see when pulling the customers number to
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 39 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 41 of 81
consider a loan or credit. 1
2
146. For example, CW4 said a customer might check their credit before
3 applying for a car loan or home loan. For example, the score they would receive from
4
5 LifeLock might be 800, yet when the customer went to the car dealer or bank, the
6
I lender would pull the customer’s credit and see that the score was 700.
7 147. When customers complained about this to LifeLock, member service 8
agents were instructed to tell customers that the credit score they received from 9
10 LifeLock was a more accurate number than what the lenders received because it was
11
based on TransUnion credit bureau’s credit model called TransRisk. Call center 12
personnel were instructed to tell customers was that the TransRisk model was more 13
14 accurate than the model used to determine if they qualified for a car or a house loan.
15
148. Sometimes, however, customers checked their credit scores directly
16 with TransUnion and even then the number they had received from LifeLock was
17
18 different from TransUnion’s own score. At that point, CW4 said, it was difficult to
19
try to explain that away when customers complained about it, especially when
20 Lifleock advertised that it had a partnership with TransUnion.”
21
22 149. CW4 further stated that LifeLock’s internal computer system, which
23
I processed and sent out alerts to customers, often did not function as it was supposed
24 to and tens of thousands of alerts did not go out. It was not unusual for someone
25
26 from IT to come in and say that they just found 10,000 alerts that were not senr out
27
from six months ago, and ask what we should do about it. According to CW4, this
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 40 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 42 of 81
1 happened about once a month during the time CW4 was at LifeLock, and the amount
2 of alerts that did not go out went as high as 100,000.
3 150. When LifeLock discovered the huge files of alerts that had not gone
4
5 out, the Company would decide whether or not to even send the alerts out to
6 customers. Usually, it was a collaborative effort with respect to the decision.
7 151. CW4 stated that Blomgren, along with Rob Ryan, Vice President 8
Member Services, and Michael Hargis (“Hargis”), the Senior Vice President of 9
10 Member Services discussed whether to send out the missed alerts and if so, to which
11 customers, with Hargis, who reported to LifeLock’s top executives, making the final 12
decision. 13
14 152. In deciding whether to send out missed alerts, CW4 said the Company
15 weighed how old the alerts were, how many people were impacted and whether the
16 customers subscribed to basic or premium service. He said if the customers were in
17
18 premium service, the company was more likely to send the alerts out. There were
19
times when they decided not to alert customers; half the time they did and half time
20 they didn’t.
21
22 153. The problem stemmed from an ineffectual IT department. One thing
23
LifeLock never had going for it was a good IT tech team. They had a really poor IT
24 and software team. The Company always had problems.
25
26 154. CW4 stated that it was “common practice” at LifeLock to suppress
27 alerts from going out on the weekends because the call center was not staffed to
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 41 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 43 of 81
1 handle the calls from customers. This was in violation of the contract with CSI, a
2 third party company that provided the alerts to LifeLock, there was no indication that
3 CSI was not aware that LifeLock was suppressing alerts from going out when they
4
should. 5
6 155. During CW4’s tenure, LifeLock also suppressed alerts during the week
7 when the call volume surpassed what the call center could handle. If there a large 8
backlog of alerts had accumulated, the Company would decide to suppress alerts for 9
10 a week, then another week, and before you knew it, it was three months of
11 suppressions. 12
156. When the Company decided to suppress alerts, elderly customers were 13
14 often the victims according to CW4. Although not commented on by CW4, this
15
“throttling” of older users has the potential to affect a large segment of LifeLock’s
16 customer base, which, as Chief Marketing Officer Seth Greenberg admitted at a
17
18 March 12, 2014 Investor Day, skews older and more male than the general
19 population.
20 157. CW4 stated that the thinking at the Company, and under Hargis’s
21
22 instructions, was that elderly people are less-savvy internet users and would therefore
23 not miss receiving the alert. Elderly people also did not fully understand their service
24 plans, the thinking went, and were often confused by the alerts and frustrated with the
25
26 service prompting them to cancel.
27 158. LifeLock had the ability to pinpoint the date of birth of its customers
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 42 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 44 of 81
1 I and, using that information, not send out alerts to people with birth years prior to
2
1940. The elderly were sold on a product they didn’t understand, and when they got
3 these alerts, they’d call in and didn’t know what was going on. The Company got a
4
5 lot of cancelations and were trying to avoid elderly people calling in and losing their
6 I business.
7 159. CW4 stated that in 2013, Davis and Schneider held a number of 8
meetings at LifeLock’s call center in Tempe to discuss the company’s internal 9
10 computer system problems with Member Service agents. At these meetings, which
11 CW4 recalled as having occurred in the first half of 2013, Davis and Schneider let 12
employees know they were aware that the system was failing to send out tens of 13
14 thousands of alerts when it was supposed to and that when those alerts did eventually
15 go out late, the call center might be overwhelmed by customer calls. CW4 stated that
16 Davis and Schneider were aware of it 100 percent. Indeed, at these meetings, which
17
18 were held at several different times so that the executives could meet with all
19 employees on every shift, Davis and Schneider said that the company was working
20 on addressing the problems. They said they were very well aware of the system
21
22 issues, and they were bringing on new people and reorganizing the technology
23
department.
24 160. CW4 also stated that every Thursday at 10 a.m., LifeLock held a
25
26 companywide meeting called “Thoughtful Thursdays.” Either CEO Davis or
27 President Schneider hosted the meetings, in which CFO Power and other executives
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 43 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 45 of 81
1 participated. The meeting was simultaneously webcast to the Member Services call
2 center, which was in a separate building than the corporate offices at the time.
3 161. During these meetings, CW4 explained, Company employees were
4
5 allowed to submit anonymous questions to company leadership. When a question
6 was asked during the meeting, the appropriate department head would answer. On at
7 least one occasion, the issue of suppressing alerts came up at these meetings, and in 8
response, the senior executives, including Davis, Schneider and Power, said they 9
10 were aware of the practice of not sending out large files of alerts after it was
11
discovered that they had not gone out to customers months earlier when they should 12
have. 13
14 162. According to CW4, the Company initially tested what would happen if
15 they sent the alerts out months late, but the response to it from customers was bad –
16 many customers were upset about not receiving alerts in a timely manner, and
17
18 cancellations increased. The company became more reluctant to send out late alerts
19 after that initial test because the Company feared high rates of cancellations in
20 response.
21
22 163. CW5 was Director of Quality Assurance and Service Delivery at
23
LifeLock from May 2012 to October 2012. CW5 reported for the first three months
24 to CIO Pendleton. After Pendleton was fired, CW5 began to report to Connie Suoo
25
26 (“Suoo”), the Vice-President of Engineering.
27 164. CW5’s job was to ensure that the software the Company implemented
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 44 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 46 of 81
1 on its website for customer interfacing worked and was deployed correctly. During
2
I CW5’s time at LifeLock, the IT and computer infrastructure departments were in
3 “chaos.” It was a completely dysfunctional environment. There were all the basic
4
5 failures you see in organizations: lack of trust, people trying to protect their jobs,
6
I paranoia. There was out and out incompetence. CW5 described it as being totally
7 ridiculous. 8
165. CW5 said the departments that dealt with the computer systems 9
10 experienced a high turnover rate from firings and resignations. The disruptions and
11
dysfunctional environment impacted the Company’s ability to run a functional 12
computer system and delayed plans to make much-needed upgrades to its system. 13
14 166. As an example, when CW5 was hired, he reported to CIO Pendleton.
15
Similar to CW2, CW5 reports that Pendleton designed a strategy for upgrading the
16 Company’s computer infrastructure and system over time. But Pendleton was fired
17
18 before he could implement his strategy and the upgrades were delayed. Once Pat
19
Pendleton left, a vacuum was created. There was no one around to pick up the
20 strategy.
21
22 167. CW5 said the technology department’s disorder impacted the
23
I Company’s ability to operate a functional system on a day-to-day basis. Specifically,
24 CW5 stated the installation of new software on the Company’s website frequently
25
26 caused the system to shut down or fail to restart.
27 168. According to CW5, one high profile software project, called the SKU
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 45 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 47 of 81
1 project, was installed late at night and was expected to take 1 to 2 hours to deploy.
2
After the software was installed, however, the Company’s entire system failed to
3 restart. Approximately 50 employees, including senior executives, were up all night
4
5 trying to figure out what happened to the system. The engineers were about to back
6 the software off the system when they ultimately figured it out and got the system
7 started about at about 10 a.m. the next morning. The senior executives who were 8
involved in this incident included Prakesh Ramamurthy, the Chief Technology 9
10 Officer, and VP of Engineering Suoo.
11 169. CW5 said such system failures happened regularly. About two to 12
three times a month there would be some sort of failure in the IT infrastructure, and 13
14 when the system failed, he believes alerts could not go out.
15
Defendants’ False and Misleading Statements During The Class Period
16
170. On February 26, 2013, the Company filed its annual report for the 17
18 period ending December 31, 2012 with the SEC on Form 10-K (the “2012 10-K”),
19
its first such report since the IPO. The 2012 10-K stated that:
20 In March 2010, we and Todd Davis, our Chairman and Chief Executive
21
Officer, entered into a Stipulated Final Judgment and Order for
22 Permanent Injunction and Other Equitable Relief with the FTC, which
we refer to as the “FTC Order.” The FTC Order was the result of a 23 settlement of the allegations by the FTC that certain of our advertising
24 and marketing practices constituted deceptive acts or practices in
violation of the FTC Act, which settlement made no admission as to the 25 allegations related to such practices. The FTC Order imposes on us
26 and Mr. Davis certain injunctive provisions relating to our
advertising and marketing of our identity theft protection services, 27 such as enjoining us from making any misrepresentation of “the
28 means, methods, procedures, effects, effectiveness, coverage, or
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 46 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 48 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
scope of” our identity theft protection services. However, the bulk of the more specific injunctive provisions have no direct impact on the advertising and marketing of our current services because we have made significant changes in the nature of the services we offer to consumers since the investigation by the FTC in 2007 and 2008, including our adoption of new technology that permits us to provide proactive protection against identity theft and identity fraud. The FTC investigation of our advertising and marketing activities occurred during the time that we relied significantly on the receipt of fraud alerts from the credit reporting agencies for our members. The FTC believed that such alerts had inherent limitations in terms of coverage, scope, and timeliness. Many of the allegations in the FTC complaint, which accompanied the FTC Order, related to the inherent limitations of using credit report fraud alerts as the foundation for identity theft protection. Because the injunctive provisions in the FTC Order are tied to these complaint allegations, these injunctive provisions similarly relate significantly to our previous reliance on credit report fraud alerts as reflected in our advertising and marketing claims. The FTC Order also imposes on us and Mr. Davis certain injunctive provisions relating to our data security for members’ personally identifiable information . At the same time, we also entered into companion orders with 35 states’ attorneys general that impose on us similar injunctive provisions as the FTC Order relating to our advertising and marketing of our identity theft protection services.
Our or Mr. Davis’ failure to comply with these injunctive provisions could subject us to additional injunctive and monetary remedies as provided for by federal and state law. In addition, the FTC Order imposes on us and Mr. Davis certain compliance requirements, including the delivery of an annual compliance report. We and Mr. Davis have timely submitted these annual compliance reports, but the FTC has not accepted or approved them to date . If the FTC were to find that we or Mr. Davis have not complied with the requirements in the FTC Order, we could be subject to additional penalties and our business could be negatively impacted. (Bold added).
171. Moreover, the 2012 10-K stated that:
Our business and the information we use in our business is subject to a wide variety of federal, state, and local laws and regulations, including ... the FTC Act and comparable state laws that are patterned after the FTC Act, and similar laws. We also are subject to federal and state laws
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 47 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 49 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
and regulations relating to the channels in which we sell and market our services. In addition, our business is subject to the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief, as well as the companion orders with 35 states’ attorneys general that we entered into in March 2010. We incur significant costs to operate our business and monitor our compliance with these laws, regulations, and consent decrees. (Bold added).
172. The 2012 10-K also stated that: “We have received a PCI Level 1
certification in our consumer and enterprise businesses ....”
173. According to the 2012 10-K, “[a]s part of our consumer services, we
offer 24x7x365 member service support. If a member’s identity has been
compromised, our member service team and remediation specialists will assist the
member until the issue has been resolved.”
174. The 2012 10-K further stated that:
We regularly assess the effectiveness of our information security practices and technical controls. In addition to regular external audits, we conduct internal security testing to ensure current practices are effective against emerging threats. Additionally, outside penetration tests are conducted on a regular basis. We ensure that our systems are free from critical vulnerabilities by conducting regular vulnerability scans and penetration tests. We also remain aware of publicly disclosed vulnerabilities in commercial and open source products, and remediate issues in a timely manner. (Bold added).
175. In addition, the 2012 10-K stated that:
We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 48 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 50 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
176. In the 2012 10-K, Defendants Davis and Power signed a certification
pursuant to Section 3602 of the Sarbanes Oxley Act of 2002 (the, “SOX
Certification”) whereby both Individual Defendants certified the following:
1. I have reviewed this Annual Report on Form 10-K of LifeLock, Inc.;
2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4. The registrant’s other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) for the registrant and have:
a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
b) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 49 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 51 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
c) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
5. The registrant’s other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):
a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.
177. The statements contained in Paragraphs 170-176 above were
materially false when made, and/or omitted material information necessary to make
the statements not misleading under the circumstances in which they were made,
because: (a) Defendants misrepresented “the means, methods, procedures, effects,
effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the
Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,
actionable alerts” were subject to regular delays and were actively disabled; (c)
Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365
member service support”; to the contrary, Defendants actively disabled customer
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 50 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 52 of 81
1 alerts on multiple occasions; (d) Defendants misrepresented “the means, methods,
2 procedures, effects, effectiveness, coverage, or scope of” Lifelock’s credit-
3 monitoring service, which provided inaccurate and/or misleading information to
4
5 customers; (e) Defendants failed to establish a comprehensive data security program
6 in violation of the Settlement Order; (f) Defendants had failed to assess the
7 effectiveness of their information security practices and technical controls; (g) 8
LifeLock failed to adequately monitor its compliance with the Settlement Order as 9
10 required by the FTC; and (h) LifeLock was not PCI-compliant, did not safeguard
11 customer credit card data, and had not trained its agents in PCI compliance. 12
178. On May 3, 2013, the Company filed its quarterly report for the period 13
14 ending March 31, 2013 with the SEC on Form 10-Q (the “Q1 2013 10-Q), which
15
incorporated by reference the “financial statements and notes included in” the 2012
16 10-K and informed investors that:
17
18 We protect our members by constantly monitoring identity-related
events, such as new account openings and credit-related applications. 19
If we detect that a member’s personally identifiable information is
20 being used, we offer notifications and alerts, including proactive,
near real-time, actionable alerts , that provide our members peace of 21 mind that we are monitoring use of their identity and allow our
22 members to confirm valid or unauthorized identity use. (Bold added).
23
179. The Q1 2013 10-Q also stated that “[a]s part of our consumer
24 services, we offer 24x7x365 member service support. If a member’s identity has
25
26 been compromised, our member service team and remediation specialists will assist
27
the member until the issue has been resolved.”
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 51 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 53 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
180. In addition, Defendants Davis and Power signed a certification similar
in form to the SOX Certification referenced in paragraph 176 above.
181. The statements contained in Paragraphs 178-180 above were
materially false when made, and/or omitted material information necessary to make
I the statements not misleading under the circumstances in which they were made,
because: (a) Defendants misrepresented “the means, methods, procedures, effects,
effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the
Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,
actionable alerts” were subject to regular delays and were actively disabled; (c)
Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365
member service support”; to the contrary, Defendants actively disabled customer
alerts on multiple occasions; and (d) Defendants misrepresented “the means,
methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s
credit-monitoring service, which provided inaccurate and/or misleading information
to customers.
182. On August 2, 2013, the Company filed its quarterly report for the
period ended June 30, 2013 with the SEC on Form 10-Q (“the Q2 2013 10-Q”),
which incorporated by reference the “financial statements and notes included in”
the 2012 10-K and informed investors that:
We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive,
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 52 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 54 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).
183. The Q2 2013 10-Q also stated that “[a]s part of our consumer
services, we offer 24x7x365 member service support. If a member’s identity has
I been compromised, our member service team and remediation specialists will assist
the member until the issue has been resolved.”
184. In addition, Defendants Davis and Power signed a certification similar
in form to the SOX Certification referenced in paragraph 176 above.
185. The statements contained in Paragraphs 182-184 above were
materially false when made, and/or omitted material information necessary to make
the statements not misleading under the circumstances in which they were made,
because: (a) Defendants misrepresented “the means, methods, procedures, effects,
effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the
Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,
actionable alerts” were subject to regular delays and were actively disabled; (c)
Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365
member service support”; to the contrary, Defendants actively disabled customer
alerts on multiple occasions; and (d) Defendants misrepresented “the means,
methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s
credit-monitoring service, which provided inaccurate and/or misleading information
to customers.
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 53 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 55 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
186. On October 29, 2013, Defendant held a Q3 2013 Conference Call,
during which Defendant Power stated that:
this quarter in particular, we saw some nice benefit in terms of economies of scale, really along two fronts. The first was our internal call center, where we've been able to – one of the benefits of growing the ultimate and the higher ARPU, growing those both is that from a support perspective, we get some nice scalability within our call center
187. The statements contained in Paragraph 186 above were materially false
when made, and/or omitted material information necessary to make the statements
not misleading under the circumstances in which they were made, because (a)
LifeLock’s internal call center had not become more “scalable”; (b) LifeLock’s call
center was understaffed and overburdened; and (c) LifeLock’s call center was only
able to manage call volume by turning customer alerts off in violation of the
Settlement Order.
188. On October 31, 2013, the Company filed its quarterly report for the
period ended September 30, 2013 with the SEC on Form 10-Q (the “Q3 2013 10-
Q”), which incorporated by reference the “financial statements and notes included
in” the 2012 10-K and informed investors that:
We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).
189. The Q3 2013 10-Q also stated that “[a]s part of our consumer
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 54 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 56 of 81
1 services, we offer 24x7x365 member service support. If a member’s identity has
2
I been compromised, our member service team and remediation specialists will assist
3 the member until the issue has been resolved.”
4
5 190. In addition, Defendants Davis and Power signed a certification similar
6 in form to the SOX Certification referenced in paragraph 176 above.
7 191. The statements contained in Paragraphs 188-190 above were 8
materially false when made, and/or omitted material information necessary to make 9
10 the statements not misleading under the circumstances in which they were made,
11
because: (a) Defendants misrepresented “the means, methods, procedures, effects, 12
effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the 13
14 Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,
15 actionable alerts” were subject to regular delays and were actively disabled; (c)
16 Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365
17
18 member service support”; to the contrary, Defendants actively disabled customer
19 alerts on multiple occasions; and (d) Defendants misrepresented “the means,
20 methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s
21
22 credit-monitoring service, which provided inaccurate and/or misleading information
23
to customers.
24
The Truth Slowly Emerges 25
26 192. On February 19, 2014, the Company filed its annual report for the
27 period ending December 31, 2012 with the SEC on Form 10-K (the “2013 10-K”).
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 55 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 57 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
The 2013 10-K stated that:
On December 11, 2013, we acquired mobile wallet innovator Lemon, Inc., or Lemon, for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.
193. In the 2013 10-K, LifeLock revealed that it had met with the FTC
regarding its compliance with the terms of the Settlement Order after a
whistleblower had discussed certain violations thereof with the FTC. The Company
stated, in relevant part:
On January 17, 2014, we met with FTC Staff, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order. Following this meeting, we expect to receive either a formal or informal investigatory request from the FTC for documents and information regarding our policies, procedures, and practices for our services and business activities. Given the heightened public awareness of data breaches and well as attention to identity theft protection services like ours, it is also possible that the FTC, at any time, may commence an unrelated inquiry or investigation of our business practices and our compliance with the FTC Order. We endeavor to comply with all applicable laws and believe we are in compliance with the requirements of the FTC Order. We believe the increased regulatory scrutiny will continue in our industry for the foreseeable future and could lead to additional meetings or inquiries or investigations by the agencies that regulate our business, including the FTC.
194. Significantly, the renewed FTC investigation, which could potentially
result in significant fines against the Company, was not announced in a press
release or highlighted in the Company’s 10-K. Instead, it was buried in the middle
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 56 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 58 of 81
1 I of a paragraph under the section “Government Regulation.” Market analysts,
2
I however, did find the information and within a few days had disseminated the
3 import of the reference in the Form 10-K on Seeking Alpha, noting the buried
4
5 disclosure, with an article entitled: “Lifelock: Pending FTC Investigation Revealed
6 in 10-K.”
7 195. The Seeking Alpha article expressed surprise “that [the FTC 8
investigation] was not included in the company's earnings press release or 9
10 mentioned on the earnings call” and went on to state that:
11 LOCK leads potential customers to believe that it will alert them in the
12 event that a credit check is done on them (if a person applied for a loan
or credit card). However, given that LOCK does not own a credit
13
bureau (unlike competitor ProtectMyID which is owned by Experian),
14 it is unclear how LOCK would be able to provide such a service.
Talking to some customers of Lifelock, I learned that while they
15 expected to be notified of a credit check by Lifelock, many
16 purchased cars on credit or applied for credit cards without
receiving such notifications .... 17
18 196. On this news, shares of LifeLock fell from $21.79 to $20.32, more
19
I than 6%, on unusually heavy trading volume on February 24, 2014. In addition,
20 this drop was notable for taking place at a time when other data security stocks were 21
soaring higher. 22
23 197. The 2013 10-K, while revealing the FTC investigation, nonetheless
24
I continued to deceive investors in regard to Defendants’ ongoing non-compliance 25
with the Settlement Order. 26
27
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 57 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 59 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
198. For example, regarding the Company’s entering into the Settlement
Order, and its compliance thereto, the 2013 10-K stated that:
In March 2010, we and Todd Davis, our Chairman and Chief Executive Officer, entered into a Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief with the FTC, which we refer to as the “FTC Order.” The FTC Order was the result of a settlement of the allegations by the FTC that certain of our advertising and marketing practices constituted deceptive acts or practices in violation of the FTC Act, which settlement made no admission as to the allegations related to such practices. The FTC Order imposes on us and Mr. Davis certain injunctive provisions relating to our advertising and marketing of our identity theft protection services, such as enjoining us from making any misrepresentation of “the means, methods, procedures, effects, effectiveness, coverage, or scope of” our identity theft protection services. However, the bulk of the more specific injunctive provisions have no direct impact on the advertising and marketing of our current services because we have made significant changes in the nature of the services we offer to consumers since the investigation by the FTC in 2007 and 2008, including our adoption of new technology that permits us to provide proactive protection against identity theft and identity fraud. The FTC investigation of our advertising and marketing activities occurred during the time that we relied significantly on the receipt of fraud alerts from the credit reporting agencies for our members. The FTC believed that such alerts had inherent limitations in terms of coverage, scope, and timeliness. Many of the allegations in the FTC complaint, which accompanied the FTC Order, related to the inherent limitations of using credit report fraud alerts as the foundation for identity theft protection. Because the injunctive provisions in the FTC Order are tied to these complaint allegations, these injunctive provisions similarly relate significantly to our previous reliance on credit report fraud alerts as reflected in our advertising and marketing claims. The FTC Order also imposes on us and Mr. Davis certain injunctive provisions relating to our data security for members’ personally identifiable information . At the same time, we also entered into companion orders with 35 states’ attorneys general that impose on us similar injunctive provisions as the FTC Order relating to our advertising and marketing of our identity theft protection services.
Our or Mr. Davis’ failure to comply with these injunctive provisions could subject us to additional injunctive and monetary remedies as
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 58 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 60 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
provided for by federal and state law. In addition, the FTC Order imposes on us and Mr. Davis certain compliance requirements, including the delivery of an annual compliance report. We and Mr. Davis have timely submitted these annual compliance reports, but the FTC has not accepted or approved them to date . If the FTC were to find that we or Mr. Davis have not complied with the requirements in the FTC Order, we could be subject to additional penalties and our business could be negatively impacted. (Bold added).
199. Moreover, the 2013 10-K stated that:
Our business and the information we use in our business is subject to a wide variety of federal, state, and local laws and regulations, including ... the FTC Act and comparable state laws that are patterned after the FTC Act, and similar laws. We also are subject to federal and state laws and regulations relating to the channels in which we sell and market our services. In addition, our business is subject to the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief, as well as the companion orders with 35 states’ attorneys general that we entered into in March 2010. We incur significant costs to operate our business and monitor our compliance with these laws, regulations, and consent decrees.
200. The 2013 10-K also stated that: “We have received a PCI Level 1
certification in our consumer and enterprise businesses ....”
201. According to the 2013 10-K, “[a]s part of our consumer services, we
offer 24x7x365 member service support. If a member’s identity has been
compromised, our member service team and remediation specialists will assist the
member until the issue has been resolved.”
202. The 2013 10-K further stated that:
We regularly assess the effectiveness of our information security practices and technical controls. In addition to regular external audits, we conduct internal security testing to ensure current practices are effective against emerging threats. Additionally, outside penetration
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 59 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 61 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
tests are conducted on a regular basis. We ensure that our systems are free from critical vulnerabilities by conducting regular vulnerability scans and penetration tests. We also remain aware of publicly disclosed vulnerabilities in commercial and open source products, and remediate issues in a timely manner. (Bold added).
203. Finally, the 2013 10-K stated that:
On December 11, 2013, we acquired mobile wallet innovator Lemon, Inc., or Lemon, for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.
204. In addition, Defendants Davis and Power signed a certification similar
in form to the SOX Certification referenced in paragraph 176 above.
205. That same day, the Company held its Q4 2013 Earnings Call, during
which CEO Davis stated that:
As you know, we acquired Lemon, Inc. late in the fourth-quarter. With that transaction, we've got an excellent team that is now running our mobile efforts along with an innovative mobile wallet application. The reaction to-date has been very positive, as this is a great way for us to engage with consumers. The combination of functionality is a logical extension for us. We can now help organize what's in your wallet and protect it as well.
206. The statements contained in Paragraphs 198-205 above were materially
false when made, and/or omitted material information necessary to make the
statements not misleading under the circumstances in which they were made,
because: (a) Defendants misrepresented “the means, methods, procedures, effects,
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 60 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 62 of 81
1 effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the
2
Settlement Order; (b) LifeLock’s self-described “proactive, near real-time, actionable
3 alerts” were subject to regular delays and were actively disabled; (c) Lifelock did not
4
5 “constantly monitor[] identity-related events” or offer “24x7x365 member service
6 support”; to the contrary, Defendants actively disabled customer alerts on multiple
7 occasions; (d) Defendants misrepresented “the means, methods, procedures, effects, 8
effectiveness, coverage, or scope of” Lifelock’s credit-monitoring service, which 9
10 provided inaccurate and/or misleading information to customers; (e) Defendants
11
failed to establish a comprehensive data security program in violation of the 12
Settlement Order; (f) Defendants had failed to assess the effectiveness of their 13
14 information security practices and technical controls; (g) LifeLock failed to
15 adequately monitor its compliance with the Settlement Order as required by the FTC;
16 (h) LifeLock was not PCI-compliant, did not safeguard customer credit card data, and
17
18 had not trained its agents in PCI compliance; and (i) LifeLock’s “innovative mobile
19 wallet application” was not PCI-compliant.
20 207. On February 24, 2014, LifeLock told an analyst from Deutsche Bank
21
22 Market Research (“DBMR”) that it “ha[d] settled a whistleblower lawsuit filed with
23
the FTC by an ex-employee of the company for a modest amount, in the last
24 month.” LifeLock told DBMR that “[t]hey favored settling the lawsuit to avoid
25
26 potentially higher litigation fees.” DBMR’s credulous takeaway was that “[w]e
27 view LifeLock’s meeting with the FTC, and subsequent 10-k disclosure as an effort
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 61 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 63 of 81
1 to be more transparent with investors.” On this basis, DBMR reiterated its “Buy”
2 rating.
3 208. The statements contained in Paragraph 207 above were materially
4
5 false when made, and/or omitted material information necessary to make the
6 statements not misleading under the circumstances in which they were made,
7 because: regardless of the disposition of the Burke complaint, the Peters 8
whistleblower complaint, filed in August 2013, had not been settled in any respect 9
10 and remained active.
11 209. On March 12, 2014, the Company held an Investor and Analyst Day, 12
during which CEO Davis publicly and directly addressed the renewed FTC 13
14 investigation of LifeLock:
15
Before we get to the first question, there was one item I would like to
16 address that coming out there, Simon, we've seen it. And that's about
our recent disclosures in our 10-K, about our meetings with the Federal
17
Trade Commission. I want to make sure we took that head up,
18 because as we've discussed in the past, we regularly meet with
regulators. So understand that we trade [ sic] our compliance to all
19 applicable laws regulations extremely seriously. So, we chose to share
20 this information, right about our ongoing conversations with the
FTC in our 10-K because we want to be proactive in [ sic]
21
transparent about the ongoing discussions. As I reiterate, we're
22 capable to do that, we want to do that because we take [e]xtreme care to
make sure that our advertising is accurate and comply with all laws and
23 all legal requirements.
24 So we had a couple of different meeting, I want to make sure I outline
25 each one of those. But first, as part of the ongoing dialog, we met with
the FTC in December of 2013 in relation to ID Analytics and FTC's
26 research into that industry. But that was not about specific business
27 practices of ID Analytics.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 62 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 64 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
In addition to that, we pro-actively requested and met with the FTC in January of this year to discuss some acquisitions [sic] that had been made by terminated employee. It's important to understand that we have then settled that matter favorably for LifeLock with the former employee and that former employee has now come back and agreed that we were not violating any laws for the term of the agreement with the FTC. And we have shared that information with the FTC. Now what we expect that we may be asking more questions from the FTC or be asked to provide more additional information relating to those items, we have not yet been asked to do that. But if we are or as we are, I want everyone to understand we'll do as we've always done, which will continue to fully cooperate, continue to be transparent and continue to work with them to make sure we resolve the matter.
210. Also at the Investor and Analyst Day, Defendant Schneider stated:
We acquired Lemon, a leading mobile wallet to expand our go-to-market efforts and accelerate our product pipeline. The acquisition of Lemon significantly expands LifeLock's ability to touch the lives of our addressable market. The Mobile Wallet represent a new channel with convenience solutions to store everything about your identity in a single LifeLock app.
211. As speakers hyped the new mobile Wallet app, CEO Davis further
stated that:
We have continually invested knowing that the credibility hit to our brand if we have a data compromise is meaningful and material. So we, our standard is in just the PCI level 1 certification that we're proud to have, which courses [sic] the data handling, data security certification that all your major financial institution, the highest level of certification you can have.
Certainly we're proud to have the monitor PCI level 1 but know that's not the bar that we said is [ sic] just to achieve PCI level 1. It is to make sure that we are constantly looking at were there points of vulnerability, points of attack, new and innovative threats . And we're constantly investing on that front to make sure that we are protecting that enterprise and consumer data . So that we can maintain our trusted relationship with the brand.
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 63 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 65 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
212. The statements contained in Paragraphs 209-211 above were
I materially false when made, and/or omitted material information necessary to make
the statements not misleading under the circumstances in which they were made,
because: (a) Defendants were in violation of the Settlement Order; (b) Defendants’
I January 2014 meeting with the FTC due to the renewed complaint was not part of a
“regular” pattern of meeting with the regulators, but was specifically relevant to the
serious allegations raised by Burke and/or Peters; (c) Defendants did not “choose”
to share information about their contact with the FTC, but were required to do so
because had made repeated statements with respect to their compliance with the
Settlement Order and were obligated to be complete and truthful; (d) Regardless of
the disposition of the Burke complaint, Defendants did not “settle” terminated
employee Peters’ claims in a manner “favorable” to LifeLock; (e) Peters never
agreed that LifeLock had “not violat[ed] any laws for the term of the agreement
with the FTC; (f) LifeLock’s mobile Wallet app was not PCI-compliant; (g)
LifeLock’s operations were not PCI-compliant in general; and (h) Defendants had
failed to protect consumer data in direct contravention of the Settlement Order.
213. Less than a week later, on March 17, 2014, LifeLock filed a
I Regulation FD Disclosure stating, in pertinent part, that:
On March 13, 2014, LifeLock received, as expected, a request from the FTC for documents and information related to LifeLock’s compliance with the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief that LifeLock entered into in March 2010. LifeLock intends to cooperate with the FTC in these requests.
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 64 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 66 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
214. On March 20, 2014, the Peters Complaint was filed, levying shocking
allegations that the Company had repeatedly violated the Settlement Order. See ¶¶
81-90, supra.
215. LifeLock shares dropped from $20.10 to bottom out on March 19 at
$17.11 before the stock finally reversed course on April 1 – a more than 15% drop,
on unusually heavy trading volume.
216. On May 2, 2014, the Company filed its quarterly report for the period
ending March 31, 2014 with the SEC on Form 10-Q (the “Q1 2014 10-Q”), which
incorporated by reference the “financial statements and notes included in” the 2013
10-K and stated that:
We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).
217. The Q1 2014 10-Q also stated that “[a]s part of our consumer
services, we offer 24x7x365 member service support. If a member’s identity has
been compromised, our member service team and remediation specialists will assist
the member until the issue has been resolved.”
218. Finally, the Q1 2014 10-Q stated that:
On December 11, 2013, we acquired mobile wallet innovator Lemon for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 65 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 67 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.
219. In addition, Defendants Davis and Power signed a certification similar
in form to the SOX Certification referenced in paragraph 176 above.
220. The statements contained in Paragraphs 216-219 above were
materially false when made, and/or omitted material information necessary to make
the statements not misleading under the circumstances in which they were made,
because: (a) Defendants misrepresented “the means, methods, procedures, effects,
effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the
Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,
actionable alerts” were subject to regular delays and were actively disabled; (c)
Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365
member service support”; to the contrary, Defendants actively disabled customer
alerts on multiple occasions; (d) Defendants misrepresented “the means, methods,
procedures, effects, effectiveness, coverage, or scope of” Lifelock’s credit-
monitoring service, which provided inaccurate and/or misleading information to
customers; and (e) LifeLock’s mobile wallet app was not PCI-compliant.
221. On Friday, May 16, 2014, LifeLock filed a Form 8-K after the market
closed announcing that it would pull its vaunted Wallet mobile app, which
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 66 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 68 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Defendants had aggressively promoted at the Investor and Analyst Day just two
weeks prior:
We have determined that certain aspects of the Lemon Wallet (now called the LifeLock Wallet mobile application), which we acquired as part of our acquisition of Lemon, Inc., are not fully compliant with applicable payment card industry (PCI) security standards . As a result, we have temporarily suspended the Wallet mobile application, and are deleting the data (encrypted or otherwise) from our servers, until we can operate the Wallet mobile application in accordance with those standards. We have no indication that the data included in the Wallet mobile application servers was compromised. The Wallet mobile application storage processes are separate and independent from LifeLock’s core identity theft protection services business, including the enrollment and related credit card storage processes used in our standard LifeLock® service and our LifeLock UltimateTM service. As such, we do not expect the suspension of the Wallet mobile application to impact in any manner the core functionality or utility of the identity theft protection services we provide to our members.
Our consent order with the Federal Trade Commission (FTC) sets forth certain requirements for the security practices of LifeLock and all of its subsidiaries and for our representations to consumers about those practices. On May 15, 2014, on our own initiative, we informed the FTC Staff of these issues, and we expect to receive further requests for information from the FTC about these issues. It is possible that this PCI non-compliance of the Wallet mobile application could result in a determination by the FTC that we are not in full compliance with our FTC consent order.
222. LifeLock shares fell on this news, dropping from $12.98 to $10.70, or
more than 17%, on unusually heavy trading volume in the days following the
disclosure.
223. At the site 24/7 Wall St ., Jon C. Ogg noted on May 19 that:
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 67 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 69 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
LifeLock’s catalyst for a 15% drop was the news that the identity theft service is suspending its LifeLock Wallet mobile app. Apparently it failed to meet some security standards.
224. At the Q2 2014 Earnings Call held on July 30, 2014, Davis attempted
to spin the loss of the Wallet app in the Company’s favor:
We currently anticipate that we will have a wallet application PCI certified and back in the market before the end of this year. We hold ourselves to a high standard. A too high standard and I can assure that the product will be fully audited and secured before we launch it into the market place. We remain committed to this channel and continue to believe that it is an important part of our future growth plan.
225. It remains unclear how LifeLock’s actually obtaining the PCI
certification that the Company previously stated that it possessed throughout the
Class Period amounts to holding the Company to “too high a standard.”
226. Shares have recovered slightly, but, to date, and after being battered
by the litany of disclosures discussed above, LifeLock has not come close to
recapturing anything approaching its pre-Class Period, all-time closing high of
$22.62 of February 13, 2014.
PLAINTIFF’S CLASS ACTION ALLEGATIONS
227. Plaintiff brings this action as a class action pursuant to Federal Rule
of Civil Procedure 23(a) and (b)(3) on behalf of a Class, consisting of all those who
purchased or otherwise acquired LifeLock securities during the Class Period (the
“Class”); and were damaged upon the revelation of the alleged corrective
disclosures. Excluded from the Class are defendants herein, the officers and
directors of the Company, at all relevant times, members of their immediate
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 68 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 70 of 81
1 families and their legal representatives, heirs, successors or assigns and any entity in
2 which defendants have or had a controlling interest.
3 228. The members of the Class are so numerous that joinder of all
4
5 members is impracticable. Throughout the Class Period, LifeLock securities were
6 actively traded on the NYSE. While the exact number of Class members is
7 unknown to Plaintiff at this time and can be ascertained only through appropriate 8
discovery, Plaintiff believes that there are hundreds or thousands of members in the 9
10 proposed Class. Record owners and other members of the Class may be identified
11
from records maintained by LifeLock or its transfer agent and may be notified of 12
the pendency of this action by mail, using the form of notice similar to that 13
14 customarily used in securities class actions.
15
229. Plaintiff’s claims are typical of the claims of the members of the
16 Class as all members of the Class are similarly affected by defendants’ wrongful
17
18 conduct in violation of federal law that is complained of herein.
19
230. Plaintiff will fairly and adequately protect the interests of the
20 members of the Class and has retained counsel competent and experienced in class
21
22 and securities litigation. Plaintiff has no interests antagonistic to or in conflict with
23
those of the Class.
24 231. Common questions of law and fact exist as to all members of the
25
26 Class and predominate over any questions solely affecting individual members of
27 the Class. Among the questions of law and fact common to the Class are:
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 69 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 71 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• whether the federal securities laws were violated by Defendants’ acts as alleged herein;
• whether statements made by the Individual Defendants to the investing public during the Class Period misrepresented and/or omitted material facts about the business, prospects, and operations of LifeLock, specifically in regard to LifeLock’s compliance (or lack thereof) with the Settlement Order;
• whether Defendants acted knowingly or recklessly (i.e., with scienter) in issuing false and misleading financial statements;
• whether the prices of LifeLock securities during the Class Period were artificially inflated because of the Defendants’ conduct complained of herein; and
• whether the members of the Class have sustained damages and, if so, what is the proper measure of damages.
232. A class action is superior to all other available methods for the fair
I and efficient adjudication of this controversy since joinder of all members is
I impracticable. Furthermore, as the damages suffered by individual Class members
may be relatively small, the expense and burden of individual litigation make it
impossible for members of the Class to individually redress the wrongs done to
them. There will be no difficulty in the management of this action as a class action.
APPLICABILITY OF PRESUMPTION OF RELIANCE: FRAUD-ON-THE-MARKET DOCTRINE
233. Plaintiff will rely, in part, upon the presumption of reliance
established by the fraud-on-the-market doctrine in that:
• Defendants made public misrepresentations or failed to disclose material facts during the Class Period;
• the omissions and misrepresentations were material; CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION
OF THE FEDERAL SECURITIES LAWS
- 70 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 72 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
• the Company’s stock met the requirements for listing, and was listed and actively traded on the NYSE, a highly efficient and automated market;
• the Company’s shares were liquid and traded with moderate to heavy volume during the Class Period;
• as a regulated issuer, the Company filed with the SEC periodic reports during the Class Period;
• the Company regularly communicated with public investors via established market communication mechanisms, including regular disseminations of press releases on the national circuits of major newswire services and other wide-ranging public disclosures, such as communications with the financial press and other similar reporting services;
• the Company was followed by multiple securities analysts employed by major brokerage firms who wrote reports that were distributed to the sales force and certain customers of their respective brokerage firms during the Class Period; these reports was publicly available and entered the public marketplace;
• news about the Company was reflected in and incorporated into the Company’s stock price during the Class Period.
234. Under the fraud-on-the-market presumption, reliance is presumed
upon a showing that a plaintiff purchased shares on an open and developed market.
235. Based upon the foregoing, Plaintiff and the members of the Class are
entitled to a presumption of reliance upon the integrity of the market.
236. Alternatively, Plaintiff and the members of the Class are entitled to
the presumption of reliance established by the Supreme Court in Affiliated Ute
Citizens of the State of Utah v. United States , 406 U.S. 128, 92 S. Ct. 2430 (1972),
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 71 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 73 of 81
as Defendants omitted material information in their Class Period statements in 1
2
I violation of a duty to disclose such information, as detailed above.
3 COUNT I
4
Violation of § 10(b) of the Exchange Act, and Rule 10b-5
5
Promulgated Thereunder, Against LifeLock, and the Individual Defendants 6
7 237. Plaintiff repeats and realleges the allegations contained above as if fully
8 set forth herein.
9 238. Throughout the Class Period, defendants LifeLock and the Individual 10
Defendants, in pursuit of their scheme and continuous course of conduct to inflate the 11
12 market price of LifeLock common stock, had the ultimate authority for making, and
13
knowingly or recklessly made, materially false or misleading statements or failed to 14
disclose material facts necessary to make the statements made, in light of the 15
16 circumstances under which they were made, not misleading.
17
239. During the Class Period, defendants LifeLock and the Individual
18 Defendants, and each of them, carried out a plan, scheme, and course of conduct
19
20 using the instrumentalities of interstate commerce and the mails, which was intended
21
to and, throughout the Class Period did: (a) artificially inflate and maintain the
22 market price of LifeLock common stock; (b) deceive the investing public, including
23
24 plaintiff and other Class members, as alleged herein; (c) cause plaintiff and other
25 members of the Class to purchase LifeLock common stock at inflated prices; and (d)
26 cause them losses when the truth was revealed. In furtherance of this unlawful
27
28 scheme, plan and course of conduct, defendants LifeLock and the Individual
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 72 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 74 of 81
1 I Defendants, and each of them, took the actions set forth herein, in violation of §10(b)
2
I of the Exchange Act and Rule 10b-5, 17 C.F.R. § 240.10b-5. All defendants are sued
3 either as primary participants in the wrongful and illegal conduct charged herein or as
4
5 controlling persons as alleged below.
6 240. In addition to the duties of full disclosure imposed on defendants
7 LifeLock and the Individual Defendants as a result of their affirmative false and 8
misleading statements to the investing public, the Individual Defendants had a duty, 9
10 upon the sale of any LifeLock securities during the Class Period, to concurrently
11
disseminate truthful information with respect to LifeLock’s business, operations and 12
performance that would be material to investors, refrain from making any trades. 13
14 The Individual Defendants were motivated to disseminate materially false and/or
15 misleading statements and omissions, and refrain from making full and complete
16 disclosures of material information in order to maximize the return on sales of
17
18 LifLock common stock from their personal portfolios.
19
241. Defendants LifeLock and the Individual Defendants had actual
20 knowledge of the misrepresentations and omissions of material facts set forth herein
21
22 or acted with reckless disregard for the truth in that they failed to ascertain and
23
disclose such facts, even though such facts were either known or readily available to
24 them.
25
26 242. As a result of the dissemination of the materially false and misleading
27 I information and failure to disclose material facts as set forth above, the market price
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 73 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 75 of 81
1 of LifeLock common stock was artificially inflated during the Class Period. In
2
I ignorance of the fact that the market price of LifeLock common stock was artificially
3 inflated, and relying directly or indirectly on the false and misleading statements
4
5 made knowingly or with deliberate recklessness by defendants LifeLock and the
6
I Individual Defendants, or upon the integrity of the market in which the shares traded,
7 plaintiff and other members of the Class purchased LifeLock stock during the Class 8
Period at artificially high prices and, when the truth was revealed, were damaged 9
10 thereby.
11 243. Had plaintiff and the other members of the Class and the marketplace 12
known of the true facts, which were knowingly or recklessly concealed by defendants 13
14 LifeLock and the Individual Defendants, plaintiff and the other members of the Class
15 would not have purchased or otherwise acquired their LifeLock shares during the
16 Class Period, or if they had acquired such shares during the Class Period, they would
17
18 not have done so at the artificially inflated prices which they paid.
19
244. As a direct and proximate result of LifeLock’s and the Individual
20 Defendants’ wrongful conduct, Plaintiff and the other members of the Class suffered
21
22 damages in connection with their purchases of LifeLock shares during the Class
23
Period.
24 245. By virtue of the foregoing, defendants LifeLock and the Individual
25
26 Defendants have violated § 10(b) of the Exchange Act and Rule 10b-5 promulgated
27 thereunder. 17 C.F.R. § 240.10-5.
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 74 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 76 of 81
COUNT II 1
2
Violation of § 20(a) of the Exchange Act Against the Individual Defendants
3
4
246. Plaintiff repeats and realleges the allegations contained above as if fully
5 set forth herein.
6
7 247. During the Class Period, the Individual Defendants, as senior executive
8 officers and/or directors of LifeLock, were privy to confidential and proprietary
9
information concerning LifeLock, its operations, finances, financial condition and 10
11 present and future business prospects. The Individual Defendants also had access to
12 material adverse non-public information concerning LifeLock, as detailed in this
13 Complaint. Because of their positions within LifeLock, the Individual Defendants
14
15 had access to non-public information about the business, finances, products, markets
16 and present and future business prospects of LifeLock via internal corporate
17 documents, conversations and connections with other corporate officers and 18
employees, attendance at management and/or board of directors meetings and 19
20 committees thereof and via reports and other information provided to them in
21 connection therewith. Because of their possession of such information, the 22
Individual Defendants knew or recklessly disregarded that the adverse facts specified 23
24 herein had not been disclosed to, and were being concealed from, the investing
25 public.
26 248. The Individual Defendants are liable as direct participants in the
27
28 wrongs complained of herein. In addition, the Individual Defendants, by reason of
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 75 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 77 of 81
1 I their status as senior executive officers and/or directors, were “controlling persons”
2
I within the meaning of § 20(a) of the Exchange Act and had the power and influence
3 to cause LifeLock to engage in the unlawful conduct complained of herein. Because
4
5 of their positions of control, the Individual Defendants were able to and did, directly
6 or indirectly, control the conduct of the business of LifeLock.
7 249. The Individual Defendants, because of their positions with LifeLock, 8
controlled and/or possessed the authority to control the contents of LifeLock’s 9
10 reports, press releases and presentations to securities analysts and through them, to
11 the investing public. The Individual Defendants were provided with copies of 12
LifeLock’s reports and press releases alleged herein to be misleading, prior to or 13
14 shortly after their issuance and had the ability and opportunity to prevent their
15
issuance or cause them to be corrected. Thus, the Individual Defendants had the
16 opportunity to commit the fraudulent acts alleged herein.
17
18 250. The Individual Defendants, as senior executive officers and/or directors
19 and as controlling persons of a publicly traded company whose common stock was,
20 and is, governed by the federal securities laws and is registered with the NYSE, had a
21
22 duty to promptly disseminate accurate and truthful information with respect to
23
LifeLock’s financial condition, cash flow, performance, growth, operations,
24 financial statements, business, products, markets, management, earnings and present
25
26 and future business prospects, and to correct any previously issued statements that
27
had become materially misleading or untrue, so that the market price of LifeLock
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 76 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 78 of 81
1 shares would be based upon truthful and accurate information. The Individual
2
Defendants’ misrepresentations and omissions during the Class Period violated these
3 specific requirements and obligations.
4
5 251. The Individual Defendants acted as controlling persons of LifeLock
6 within the meaning of Section 20(a) of the Exchange Act as alleged herein. By
7 reason of their positions as officers and/or directors of LifeLock, and their ownership 8
of LifeLock shares, the Individual Defendants had the power and authority to cause 9
10 LifeLock to engage in the wrongful conduct complained of herein. By reason of such
11 conduct, the Individual Defendants are liable pursuant to Section 20(a) of the 12
Exchange Act. 13
14 PRAYER FOR RELIEF
15
WHEREFORE , Plaintiff demands judgment as follows:
16 A. Determining that the instant action may be maintained as a class
17
18 action under Rule 23 of the Federal Rules of Civil Procedure, and certifying
19
Plaintiff as the Class representative;
20 B. Awarding compensatory damages in favor of Plaintiff and the other
21
22 Class members against all defendants, jointly and severally, for all damages
23 sustained as a result of defendants’ wrongful acts and misconduct as alleged herein,
24 in an amount to be proven at trial;
25
26
27
28
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 77 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 79 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C. Awarding Plaintiff and the other members of the Class prejudgment
and post-judgment interest, as well as their reasonable attorneys’ fees, expert fees
and other costs; and
D. Awarding such other and further relief as this Court may deem just
and proper.
DEMAND FOR TRIAL BY JURY
Plaintiff hereby demands a trial by jury.
Dated: August 15, 2014
Respectfully submitted,
MARTIN & BONNETT, PLLC
By: /s/ Susan Martin Susan Martin (AZ #014226) 1850 N. Central Ave. Suite 2010 Phoenix, Arizona 85004 Telephone: (602) 240-6900 [email protected]
POMERANTZ LLP Patrick V. Dahlstrom, pro hac vice Louis C. Ludwig, pro hac vice Ten South LaSalle Street, Suite 3505 Chicago, Illinois 60603 Telephone: (312) 377-1181 Facsimile: (312) 377-1184 [email protected] [email protected]
POMERANTZ LLP Jeremy A. Lieberman, pro hac vice 600 Third Avenue, 20th Floor New York, New York 10016
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 78 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 80 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Telephone: (212) 661-1100 Facsimile: (212) 661-8665 [email protected] [email protected]
Attorneys for Lead Plaintiff and the Class
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 79 -
Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 Page 81 of 81
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
CERTIFICATE OF SERVICE
I hereby certify that on August 15, 2014, I electronically filed the attached document to the Clerk’s Office using the CM/ECF System for filing and transmittal of a Notice of Electronic Filing to the following CM/ECF registrants:
Cynthia A. Ricketts Katherine L. Pappas-Benveniste Sacks, Ricketts & Case LLP 2800 North Central Avenue, Suite 1230 Phoenix, AZ 85004
Boris Feldman Elizabeth Catherine Peterson Brian Danitz Wilson Sonsini Goodrich & Rosati, P.C. 650 Page Mill Road Palo Alto, CA 94304-1050
Attorneys for Defendants
/s/T. Mahabir
CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS
- 80 -