In re Lifelock Inc. Securities Litigation 14-CV-00416-Consolidated Amended Class Action

Case 2:14-cv-00416-SRB Document 42 Filed 08/15/14 of 81

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

SUSAN MARTIN (AZ#014226) MARTIN & BONNETT, PLLC 1850 N. Central Ave. Suite 2010 Phoenix, Arizona 85004 Telephone: (602) 240-6900 [email protected]

POMERANTZ LLP Patrick V. Dahlstrom (pro hac vice) Louis C. Ludwig (pro hac vice) Ten South La Salle Street, Suite 3505 Chicago, Illinois 60603 Telephone: (312) 377-1181 Facsimile: (312) 377-1184 [email protected] [email protected]

Attorneys for Plaintiff

[Additional Counsel on Signature Page]

UNITED STATES DISTRICT COURT DISTRICT OF ARIZONA

In re Lifelock Inc. Securities Litigation Case No. 2:14-cv-00416-SRB

THIS DOCUMENT RELATES TO: CLASS ACTION

ALL ACTIONS

Hon. Susan R. Bolton

CONSOLIDATED AMENDED CLASS ACTION COMPLAINT FOR VIOLATIONS OF FEDERAL SECURITIES LAWS

DEMAND FOR JURY TRIAL

CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION OF THE FEDERAL SECURITIES LAWS


1 Lead Plaintiff Chet K. Gray (“Plaintiff”), individually and on behalf of all

2

I other persons similarly situated, by his undersigned attorneys, for his complaint

3 against defendants, alleges the following based upon personal knowledge as to

4

5 himself and his own acts, and information and belief as to all other matters, based

6

I upon, inter alia, the investigation conducted by and through his attorneys, which

7 included, among other things, a review of the defendants’ public documents, 8

conference calls and announcements made by defendants, United States Securities 9

10 and Exchange Commission (“SEC”) filings, wire and press releases published by

11 and regarding LifeLock, Inc. (“LifeLock” or the “Company”), analysts’ reports and 12

advisories about the Company, interviews with Confidential Witnesses (“CWs”), 13

14 and information readily obtainable on the Internet.

15

NATURE OF THE ACTION

16 1. This is a federal securities class action on behalf of a class consisting

17

18 of all persons and entities that purchased or otherwise acquired LifeLock common

19 stock between February 26, 2013 and May 16, 2014, both dates inclusive (the

20 “Class Period”), seeking to recover damages caused by defendants’ violations of the 21

federal securities laws and to pursue remedies under §§ 10(b) and 20(a) of the 22

23 Securities Exchange Act of 1934 (the “Exchange Act”) and Rule 10b-5

24 promulgated thereunder against the Company and certain of its top officials. 25

2. Throughout the Class Period, defendants represented that the 26

27 Company was in compliance with a settlement it had entered into with the Federal

28


- 1 -


1 I Trade Commission (“FTC”) regarding the Company’s advertising and other

2

I representations about its business and services. Moreover, the Defendants

3 maintained that their settlement with the FTC was based on earlier practices and

4

5 technology employed by the Company and, therefore, only related to the earlier

6

I practices. The Defendants gave the impression that the Company was in full

7 compliance with the settlement with the FTC and that its present technology and 8

services supported the representations made by the Company in its advertising. 9

10 3. In fact, during the Class Period, the Company was not in compliance

11 with its FTC settlement, nor did the technology employed by the Company support 12

the claims in the Company’s advertising. Through selective misstatements and 13

14 omissions, the Defendants materially misrepresented to the market that it was in

15 compliance with the FTC settlement and that it had changed its practices to stay in

16 compliance and offer the protection against identity theft and identity fraud that the

17

18 Company advertised.

19

4. Towards the end of the Class Period, through a series of partial

20 disclosures of the Company’s materially false representations and the

21

22 materialization of the risk in omitting the truth about the Company’s services and

23 compliance with the FTC settlement, the price of LifeLock common stock declined

24 by statistically significant amounts, causing economic losses to Plaintiff and other

25

26 members of the Class who purchased LifeLock common stock during the Class

27 Period in violation of the Exchange Act.

28


- 2 -


INTRODUCTION 1

2

5. Founded in 2005, LifeLock is a self-proclaimed provider of proactive

3 identity theft protection, and provides services to consumers and enterprises.

4

5 6. LifeLock’s initial business model involved placing 90-day fraud alerts

6 on hundreds of thousands of its clients’ credit files maintained by the major credit

7 agencies. Essentially, LifeLock charged customers $10 a month to act as a 8

middleman for services that the credit agencies are required to provide to consumers 9

10 for free.

11 7. After one of those credit agencies, Experian, sued LifeLock for 12

allegedly forcing it to process large numbers of frivolous fraud alerts and to mail 13

14 mandatory notices to customers, the Company was forced to agree to abandon this

15 practice.

16

8. LifeLock resorted to aggressive marketing and advertising with its 17

18 CEO Todd Davis (“Davis”) appearing in a number of advertisements in which

19

Davis publicly revealed his Social Security number and dared anyone to steal his

20 financial information.

21

22 9. Despite the ads’ claim that LifeLock would all but thwart any attempt

23 on Davis’ data, enterprising identity thieves took the CEO up on his dare, and stole

24 his identity some 13 times. By this time, LifeLock’s predilection for making

25

26 outlandish claims on behalf of their products had drawn the notice of the FTC.

27

28


- 3 -


1 10. On March 8, 2010, the FTC revealed in a press release that it had

2 pursued claims against LifeLock and Davis in complaints alleging, inter alia, that

3 the Company issued dramatically misleading advertisements and guarantees to

4

5 customers regarding its identity theft protection services. The FTC alleged that the

6 Company’s aggressive advertising campaigns misled consumers into believing that

7 the Company provided certain services and benefits which, in fact, were not 8

provided. The FTC further alleged that the Company misled consumers to believe 9

10 that LifeLock’s protection services “provided complete protection against all forms

11 of identity theft by making customers’ personal information useless to identity 12

thieves.” 13

14 11. The FTC complaint highlighted the following specific fraudulent and

15 misleading advertisements and statements by the Company:

16

• “MY SOCIAL SECURITY # IS XXX-XX-5462. I’m Todd Davis,

17

CEO of LifeLock, and this really is my social security number. I give it

18 just to prove how safe your identity can be with LifeLock.”

19 • “Do you ever worry about identity theft? If so, it’s time you got to

20 know LifeLock. We work to stop identity theft before it happens.

We’re so confident, we back our clients with a $1 million guarantee.” 21

22 • “We aim to stop identity theft before it happens. . . . Every three

seconds an identity is stolen. We’re here to make sure it doesn’t happen

23

to you.”

24

• “My social security number is XXX-XX-5462. I’m Todd Davis, CEO

25 of LifeLock, and yes, that’s my real social security number. Identity

26 theft is one of the fastest growing crimes in America, victimizing over

10 million people a year and costing billions of dollars. So why publish

27 my social security number? Because I’m absolutely confident

28


- 4 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

LifeLock is protecting my good name and personal information, just like it will yours.”

• “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . . LifeLock protects against this ever happening to you. Guaranteed .”

• “LifeLock doesn’t just report unauthorized use of credit information, we prevent it by working with the top four credit bureaus to make sure you’re contacted to approve any credit transaction before it takes place .”

• “LifeLock clients are contacted every time someone attempts to open credit in their name or change an address.” (Bold added).

12. The FTC also alleged that after LifeLock collected sensitive,

personally identifiable information regarding consumers, such as names, addresses,

email addresses, telephone numbers, social security numbers, and credit card

I information, it failed to adequately and reasonably protect this information and

misled consumers regarding the nature of its data protection.

13. In February 2010, as a result of its fraudulent advertising practices

and false claims about safeguarding customer data, the Company and Davis entered

into the Stipulated Final Judgment and Order for Permanent Injunction and Other

Equitable Relief as to Defendants Lifelock and Davis (the “Settlement Order”),

whereby the Company and Davis settled allegations by the FTC that certain of the

Company’s advertising and marketing practices constituted deceptive acts or

practices in violation of the Federal Trade Commission Act of 1914 (15 U.S.C §§

41-58, as amended).


- 5 -


1 14. The Settlement Order imposed on the Company and Davis certain

2

I injunctive provisions relating to advertising and marketing of LifeLock’s identity

3 theft protection services, such as enjoining LifeLock from making any

4

5 misrepresentation of “the means, methods, procedures, effects, effectiveness,

6

I coverage, or scope of” the Company’s identity theft protection services.

7 15. At the time it entered into the Settlement Order, LifeLock also entered 8

into companion orders with 35 states’ attorneys general that imposed on the 9

10 Company similar injunctive provisions as the Settlement Order relating to

11 LifeLock’s advertising and marketing of identity theft protection services. The 12

Settlement Order provided for a consumer redress payment of $11 million, which 13

14 the Company made in 2010 to the FTC for distribution to the Company’s members.

15

The Settlement Order also provided for an additional consumer redress payment of

16 $24 million in the event of a default by the Company.

17

18 16. Despite the Settlement Order, Lifelock continued to pursue a range of

19

deceptive practices with respect to its products and services.

20 17. For example, one of LifeLock’s main selling points involves its

21

22 promise to keep its customers timely informed by alerting them through “alerts”

23 anytime a customer’s credit is run, such as when credit is applied for in the name of

24 the customer. Indeed, LifeLock’s website states as follows:

25

26 Alerts When You Need Them

27 With our patented LifeLock Identity Alert ® system, as soon as we

28 detect a threat to your identity, you’ll be notified by text, phone or


- 6 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

email, to help stop thieves before they do damage ... So while you’re out there connecting to the world, we’ll be here helping to keep your personal information safe. (Bold added).

18. To the contrary, as explained in more detail below, LifeLock, without

any warning, would turn off or reduce these alerts in order to reduce the call volume

received by its customer support center. Moreover, elderly customers were

specifically targeted for this treatment based on their supposed lack of technological

savvy. Indeed, thousands, if not hundreds of thousands, of alerts were never sent to

LifeLock’s customers by any means of communication.

19. Consequently, four years after entering into the Settlement Order, the

Company buried in a Form 10-K filed with the SEC on February 19, 2014, that it

had met with the FTC regarding its alleged non-compliance with the terms of the

Settlement Order, after what the Company called a “whistleblower” had alleged

certain violations of the Settlement Order in a complaint. The Company stated, in

relevant part:

On January 17, 2014, we met with FTC Staff, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order . Following this meeting, we expect to receive either a formal or informal investigatory request from the FTC for documents and information regarding our policies, procedures, and practices for our services and business activities. Given the heightened public awareness of data breaches and well as attention to identity theft protection services like ours, it is also possible that the FTC, at any time, may commence an unrelated inquiry or investigation of our business practices and our compliance with the FTC Order. We endeavor to comply with all applicable laws and believe we are in compliance with the requirements of the FTC Order. We believe the increased regulatory scrutiny will continue in our industry for the foreseeable future and


- 7 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

could lead to additional meetings or inquiries or investigations by the agencies that regulate our business, including the FTC. (Bold added.)

20. Significantly, the renewed FTC investigation, which could potentially

I result in significant fines against the Company and threaten its future financial

viability, was not announced in a press release, listed under legal proceedings, or in

any way highlighted in the Company’s Form 10-K. Instead, it was buried in the

middle of a paragraph under the section “Government Regulation.” Market

watchers, however, found the reference and ultimately recognized its significance.

Within days, an article published on Seeking Alpha , a crowd-sourced content

service for financial markets, explained the import of the buried disclosure in an

article entitled: “Lifelock: Pending FTC Investigation Revealed in 10-K . ”

21. On this news of LifeLock stating in a filing with the SEC that a

“whistleblower” claimed that LifeLock had not complied with the Settlement Order,

LifeLock common stock fell from $21.79 to $20.32 per share, more than 6%, on

unusually heavy trading volume on the next trading day.

22. Although LifeLock referenced “a” whistleblower claim in its Form

10-K, Defendants knew in February 2014 that the Company had already settled one

whistleblower complaint under Arizona’s wrongful termination statute, and that a

second whistleblower under Sarbanes-Oxley had been filed alleging similar

violations of the Settlement Order.

23. Indeed, when the second whistleblower action was revealed to the

public regarding, among other things, non-compliance with the Settlement Order


- 8 -


1 I and turning off or reducing the number of alerts sent to customers in violation of the

2

I Settlement Order, the price of LifeLock common stock fell again, this time from

3 $20.10 to $17.11 per share, or more than a 15% decline.

4

5 24. LifeLock shares declined once again on the news that the Company’s

6

I technology did not support the claims the Company had made in its advertising

7 because it was not in compliance with security standards. Upon this further 8

revelation of non-compliance with the Settlement Order and additional violations 9

10 under FTC regulations, LifeLock common stock dropped from $12.98 to $10.70 per

11 share, a more than 17% decline. 12

25. Throughout the Class Period, defendants made materially false and 13

14 misleading statements regarding the Company’s business, operational and

15 compliance policies. Specifically, defendants made false and/or misleading

16 statements about and/or failed to disclose, inter alia, that: (a) Defendants

17

18 misrepresented “the means, methods, procedures, effects, effectiveness, coverage,

19 or scope of” Lifelock’s customer alerts in violation of the Settlement Order; (b)

20 LifeLock’s self-described “proactive, near real-time, actionable alerts” were subject

21

22 to regular delays and were actively disabled; (c) Lifelock did not “constantly

23 monitor[] identity-related events” or offer “24x7x365 member service support”; to

24 the contrary, Defendants actively disabled customer alerts on multiple occasions;

25

26 (d) Defendants misrepresented “the means, methods, procedures, effects,

27 effectiveness, coverage, or scope of” Lifelock’s credit-monitoring service, which

28


- 9 -


1 I provided inaccurate and/or misleading information to customers; (e) Defendants

2

I failed to establish a comprehensive data security program in violation of the

3 Settlement Order; (f) Defendants had failed to assess the effectiveness of their

4

5 information security practices and technical controls; (g) LifeLock failed to

6

I adequately monitor its compliance with the Settlement Order as required by the

7 FTC; (h) LifeLock and its operations were non-compliant with basic, industry-wide 8

credit card security standards, did not safeguard customer credit card data, and had 9

10 not trained its agents in such compliance; and (i) Defendants’ January 2014 meeting

11 with the FTC due to the renewed allegations against it was not part of a “regular” 12

pattern of meeting with the regulators, but was specifically relevant to the serious 13

14 allegations raised by wrongful termination and/or whistleblower complaints.

15

JURISDICTION AND VENUE 16

26. The claims asserted herein arise under and pursuant to §§ 10(b) and 17

18 20(a) of the Exchange Act (15 U.S.C. § 78j(b) and 78t(a)) and Rule 10b-5

19 promulgated thereunder (17 C.F.R. § 240.10b-5).

20 27. This Court has jurisdiction over the subject matter of this action 21

pursuant to § 27 of the Exchange Act (15 U.S.C. § 78aa) and 28 U.S.C. § 1331. 22

23 28. Venue is proper in this District pursuant to § 27 of the Exchange Act,

24 15 U.S.C. § 78aa and 28 U.S.C. § 1391(b), as LifeLock’s principal place of 25

business is located within this District and a substantial part of the conduct 26

27 complained of herein occurred in this District.

28


- 10 -


1 29. In connection with the acts, conduct and other wrongs alleged in this

2

Complaint, defendants, directly or indirectly, used the means and instrumentalities

3 of interstate commerce, including but not limited to, the United States mail,

4

5 interstate telephone communications and the facilities of the national securities

6 exchange.

7 PARTIES 8

30. Plaintiff, as set forth in the attached Certification submitted with his 9

10 motion for appointment as Lead Plaintiff (Dkt. No. 34-2), acquired LifeLock

11 securities at artificially inflated prices during the Class Period, and has been

12 damaged upon the announcement of partial disclosures and the materialization of

13

the risk related to Defendants’ material omissions. 14

15

31. Defendant LifeLock is a Delaware corporation with its principal

16 executive offices located at 60 East Rio Salado Parkway, Suite 400, Tempe,

17

Arizona 85281. LifeLock’s common stock trades on the New York Stock 18

19 Exchange under the ticker symbol “LOCK.”

20 32. Defendant Todd Davis (“Davis”) has served as the Company’s 21

Chairman and Chief Executive Officer at all relevant times. Between April 2, 2013 22

23 and March 19, 2014, Davis sold approximately 300,000 shares of LifeLock.

24 33. Defendant Hilary Schneider (“Schneider”) has served as the 25

Company’s President at all relevant times. Between January 13, 2014 and May 15, 26

27 2014, Schneider sold more than 90,000 shares of LifeLock.

28


- 11 -


1 34. Defendant Chris Power (“Power”) has served as the Company’s Chief

2

Financial Officer at all relevant times. Between June 17, 2013 and April 17, 2014,

3 Power sold nearly 150,000 shares of LifeLock.

4

5 35. The defendants named in ¶¶ 32-34 above are sometimes referred to

6 herein as the “Individual Defendants.”

7 SUBSTANTIVE ALLEGATIONS 8

Background and Marketing 9

10 36. LifeLock, which bills itself as “an industry leader in identity theft

11 protection and presents identity theft,” began offering services to the public in 2005. 12

LifeLock’s initial public offering (“IPO”) occurred in October, 2012. 13

14 37. Initially, LifeLock was founded as a simple fix to a perceived gap in

15

identity theft protection, namely the fact that every 90 days the major credit bureau

16 erased fraud alerts on customers’ credit accounts, even if questionable transactions

17

18 had recently occurred.

19

38. In response, customers began paying LifeLock $10 a month to call a

20 credit bureau every three months and put a fraud alert on their accounts. As the

21

22 Phoenix (Arizona) New Times explained in 2007, “[b]y law, if one bureau is

23 notified, it must alert the other two. LifeLock also offers insurance. If a customer

24 becomes a victim despite the service, LifeLock says it will pay losses (if the claim

25

26 holds up to scrutiny) of up to $1 million.”

27 39. During the Class Period, LifeLock offered Standard, Advantage,

28


- 12 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Ultimate and Junior monitoring subscriptions, ranging in price from $109.89 to

$329.89 annually, and boasting what LifeLock claims are varying levels of

technological sophistication. LifeLock Standard is advertised as including identity

theft detection and alerts within its network, lost wallet protection, address change

I verification, black market website surveillance, and reduced pre-approved credit

card offers. LifeLock Advantage claims to add Credit Alerts, Data Breach

Notification, Fictitious Identity Monitoring, Court Records Scanning, and online

annual credit reports and scores to the LifeLock Standard menu. LifeLock Ultimate

allegedly includes bank account takeover alerts within its network, enhanced credit

application alerts, and online credit reports and scores on top of the Standard

features. Lifelock’s Junior protection (aimed at children) purports to provide

identity theft detection and alerts, credit file verification, black market website

surveillance, and file sharing network searches.

40. All of LifeLock’s service plans feature the LifeLock Identity Alert ®

System: “[w]hen we find something suspicious, we’ll let you know through our

patented LifeLock Identity Alert® system.” The Identity Alert system is described

by the Company as follows:

Our technology searches for potential misuse of your Social Security number, name, address or date of birth in applications for credit and services. You can choose alerts by text, phone, email or mobile app and respond immediately to confirm if the activity is fraudulent with our proprietary Not Me ® verification technology.

41. Indeed, LifeLock’s website boasts (and boasted during the Class


- 13 -


1 Period) that “LifeLock actively monitors applications within an extensive network

2

for attempts to use your personal information. Whenever suspicious activity is

3 detected, you will receive an alert via email or phone. ” (Bold added).

4

5 42. During the Class Period, this actually involved little more than

6 LifeLock receiving files from one or more of the major credit bureaus that

7 contained information about activity on a customer’s credit card, and LifeLock’s 8

processing these files and sending alerts out to the customer about the activity. 9

10 43. LifeLock buries the limitations on its capabilities in its fine print. For

11 example, the pitch for LifeLock Ultimate PlusTM, which promises in full-sized print 12

that “We’ll issue alerts for merchant and lender inquiries being made against your 13

14 credit file so you can act quickly to help resolve fraudulent activity” is modified by

15 a small-font footnote warning vaguely that the “[n]etwork does not cover all

16 transactions[.]” See, e.g., http://www.lifelock.com/services/lifelock-ultimate-plus/

17

18 (Accessed Aug. 4, 2014).

19

44. The following graphic demonstrates how LifeLock promotes its

20 services as superior to traditional identify theft safeguards, i.e. , card issuers and

21

22 credit bureaus:

23

24

25

26

27

28


- 14 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

0 LifeLock

LifeLock Offers Comprehensive Proactive Protection

0 LifeLock

In fact, consumers can, as commenters have noted, “handle many of the services

LifeLock provides – such as credit reports and cancelling cards in lost wallets – on

their own with a couple of (free) phone calls.” See “LifeLock’s Protection Leaves

Much to be Desired,” truthinadvertising.org (Apr. 9, 2013).

45. Furthermore, unlike some of its competitors, LifeLock does not own a

credit bureau. As a result, it is unclear how LifeLock would be able to provide

services such as alerting customers in the event that a credit check is done on them

unless a credit bureau advises LifeLock.

46. Nevertheless, Lifelock has successfully promoted its services with


Black Market Wbzite Surveillance

File-Sharing Network SeMches

Sex Offender Registry Reports

Reduced Pre-Approved Credit Card Offers

Lost Wallet ProedIo,i

Bank Account Thkeover Alerts?

Checking and Savings Account AppLicatiQn Aletht

Non-Credit Report Alerts*

Now C dIt/1oanAppIItIon Alrt

Address Change Verification

New Credit Card Application from Other RankjIssuers*

New Credit Card App1icdtIol from Exisling Bank/Issuers

Monitor Existing Credit Card Tr n.action

- 15 -


1 aggressive marketing tactics that, in addition to publishing CEO Davis’ Social

2

Security number on flyers, billboards, ads, and the side of a truck, have included

3 television commercials with Davis challenging anyone to try and use his personal

4

information. 5

6 47. LifeLock has also partnered with major banks, national corporations

7 and boasts celebrity endorsers. In addition to television, LifeLock advertises 8

heavily on the Internet and radio – its ads have been featured on Rush Limbaugh 9

10 broadcasts. Celebrity spokespersons for LifeLock have included Howard Stern,

11 Mark Levin, Rudy Giuliani, and Rush Limbaugh. 12

48. These tactics have proved successful. Currently, LifeLock boasts 13

14 more than 3 million members to its monthly service, $369.65 million in annual

15 revenue (for 2013), and 675 employees. According to the Company’s proxy, the

16 top six executives were paid more than $18 million in 2013 alone.

17

18 Litigation and the FTC Settlement

19 49. In February 2008, Experian, a major U.S. credit bureau, sued

20

21 LifeLock, alleging that LifeLock's practice of setting fraud alerts for consumers

22

harmed it. It also argued that LifeLock’s repeated renewal of the fraud alerts

23 clogged its system with bogus alerts, diminishing their effectiveness. LifeLock had 24

25 used fraud alerts to place nearly perpetual 90-day warnings on its customers’ credit

26 reports.

27 50. The Experian lawsuit was settled confidentially in October 2009. 28


- 16 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

I According to Experian, LifeLock was “permanently restrained” from either directly

or indirectly filing alerts to any credit reporting agency on the behalf of its

customers, gutting the core of LifeLock’s original business model.

51. Around the same time, it was revealed that a marketing gimmick in

I which CEO Davis widely published his Social Security number, daring identity

thieves to take it, had backfired disastrously – Davis’ identity was stolen at least 13

times in the aftermath of the campaign. Thieves used Davis’ information to open

utility accounts, credit cards, and cell-phone service, racking up thousands of

dollars’ worth of debt in his name.

52. On March 8, 2010, the FTC announced that LifeLock had entered into

a settlement with the FTC for complaints against the Company and Defendant Todd

Davis alleging, inter alia, that the Company issued dramatically misleading

advertisements and guarantees to customers regarding its identity theft protection

services.

53. According to the FTC’s complaint, LifeLock had claimed:

• “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed .”

• “Please know that we are the first company to prevent identity theft from occurring .”

• “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens .” (Bold added).


- 17 -


1 54. The FTC’s complaint further alleged that LifeLock also claimed that it

2 would prevent unauthorized changes to customers’ address information, that it

3 constantly monitored activity on customer credit reports, and that it would ensure that

4

5 a customer always would receive a telephone call from a potential creditor before a

6 new account was opened. The FTC charged that those claims were false or

7 deceptive. 8

55. The FTC’s complaint charged that the fraud alerts that LifeLock placed 9

10 on customers’ credit files protected only against certain forms of identity theft and

11 gave them no protection against the misuse of existing accounts, the most common 12

type of identity theft. It also allegedly provided no protection against medical 13

14 identity theft or employment identity theft, in which thieves use personal information

15 to get medical care or apply for jobs. And even for types of identity theft for which

16 fraud alerts are most effective, LifeLock does not provide complete protection. They

17

18 alert creditors opening new accounts to take reasonable measures to verify that the

19

individual applying for credit actually is who he or she claims to be, but in some

20 instances, identity thieves can thwart even reasonable precautions.

21

22 56. As then-FTC Chairman Jon Leibowitz summed it up, “The protection

23

[LifeLock] actually provided left enough holes that you could drive a truck through it

24 ...”

25

26 57. In addition to its deceptive identity theft protection claims, LifeLock

27 allegedly made claims about its own data security that were not true. According to

28


- 18 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

the FTC, LifeLock routinely collected sensitive information from its customers,

including their Social Security numbers and credit card numbers. The Company

claimed:

• “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”

• “All stored personal data is electronically encrypted.”

• “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

58. The FTC charged that LifeLock’s data was not encrypted, and

sensitive consumer information was not shared only on a “need to know” basis. In

fact, the agency charged, the company’s data system was vulnerable and could have

been exploited by those seeking access to customer information.

59. To settle the FTC complaint, LifeLock agreed, inter alia, to pay $11

million to the FTC, pay $1 million to a group of 35 state attorneys general, and

submit to continuing terms of compliance with the Settlement Order, including

biannual reporting obligations to extend for 20 years post-Settlement.

60. An “avalanche clause” for the full amount of judgment ($35 million)

plus interest would be triggered by any default in payment.

61. At the time, the FTC billed the settlement as one of the largest joint

FTC-state settlements on record.


- 19 -


1 62. In particular, the Settlement Order prohibits LifeLock from

2 misrepresenting “the means, methods, procedures, effects, effectiveness, coverage, or

3 scope of such product, service, or program” of any Company “product, service, or

4

5 program designed for the purpose of preventing, mitigating, or recovering from any

6 form of identity theft .... includ[ingj but ... not limited to, the placement of fraud

7 alerts on behalf of consumers, searching the internet for consumers' personal 8

data, monitoring commercial transactions for consumers' personal data, identity 9

10 theft protection for minors, and guarantees of any such products, services, or

11 programs.” (Bold added). 12

63. The Settlement Order also expressly bars LifeLock from 13

14 “misrepresenting in any manner, expressly or by implication, the manner or extent to

15 which they maintain and protect the privacy, confidentiality, or security of any

16 personal information collected from or about consumers.”

17

18 64. In addition, the Settlement Order required that LifeLock establish a

19 comprehensive data security program.

20

65. After the IPO, and prior to the disclosing events, LifeLock repeatedly, 21

22 albeit falsely, assured investors of its compliance with the Settlement Order.

23

66. Additionally, in 2012, LifeLock expanded its business dramatically

24 through its acquisitions of ID Analytics, described by LifeLock as “a leader in

25

26 enterprise identity risk management,” and Lemon, Inc., the creator of a “mobile

27 wallet” application that LifeLock marketed as part of its existing mobile service.

28


- 20 -

.1 1p

I IN


1 67. LifeLock also continued its growth in subscribers and business :

2

3 Cumulative Ending Members

(in thousands)

4

3,221 3.250

5 3.cwx

6 2.750

7 2.5lX

8 2.250

9

2,000 10

11

12

13

68. LifeLock’s success proved to be a double edged sword, however.

14 LifeLock lacked the personnel and technical ability necessary to avoid

15

16 misrepresenting their services to customers, as well as to safeguard those customers’

17 personal information.

18 69. For example, according to one insider who worked at the Company 19

throughout the Class Period, “there was constantly something going on with keeping 20

21 the system maintained and updating code that could and did cause issues.”

22

Accordingly, “when we were doing a lot of code changes, there was a higher

23 occurrence of when we had to shut things down and fix it.” These problems would

24

25 cause delays in alerts going out as well as delays in other types of customer notices.

26

Each time a problem was fixed, a large backlog of alerts and notices went out at

27 once, causing the call volume to dramatically increase.

28


- 21 -


1 70. The Company’s solution was to cut corners in both service and

2

I security. LifeLock deliberately turned off alerts to customers – in particular, elderly

3 subscribers – in order to lower call volume to its overburdened call center. Likewise,

4

5 LifeLock’s steps toward product expansion recklessly failed to protect customers’

6

I sensitive information, a supreme irony given LifeLock’s status as a self-styled

7 protector of such data. In the process, Defendants flagrantly violated the terms of the 8

Settlement Order, as well as misrepresented its services and abilities in its marketing 9

10 and advertising in violation of FTC regulations.

11 71. Defendants’ misrepresentations and omissions also were in violation of 12

Federal Securities laws as well as the Company’s own Code of Business Conduct and 13

14 Ethics, which enshrines the right of investors to “honest, accurate and consistent

15

information” while requiring LifeLock employees to “communicate truthfully and

16 completely.”

17

18 Wrongful Termination, the Whistleblower

Complaint, and the Renewed FTC Investigation 19

20 72. On July 8, 2013, Stephen P. Burke (“Burke”), a Senior Financial

21 Analyst and Cross Business Analytics Analyst at LifeLock, filed a complaint in the

22 United States District Court for the District of Arizona for wrongful termination 23

under Arizona state law. See Burke v. LifeLock, Inc. , No. 13-CV-1355 (D. Ariz.) 24

25 (Dkt. No. 1) (the “Burke Compl.”).

26 73. Burke alleged that, while working for LifeLock between February 2010 27

and March 2013, he learned that LifeLock 28


- 22 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

... had and continues to have widespread system problems in processing [] alerts and sending them out to the customers as promised in its national marketing campaigns. The problem of timely informing customers that their credit information was accessed is so widespread that Defendant instituted a code freeze. In essence, Defendant is deliberately “stepping on the brakes” with regard to sending this critical information to customers on a timely basis, and worse, often choosing not to send these alerts out at all. This practice has been referred to as “throttling.”

Burke Compl., ¶ 13 (Bold added).

74. Specifically, Burke alleged that he “first learned of an issue with

[Lifelock]’s alert notification services to customers through an e-mail chain

forwarded to him in late November 2012 by John Lenstrohm [(“Lenstrohm”)],

[Lifelock]’s Director, Direct Response.” Id. , ¶ 15.

75. Subsequently, Burke discussed his concerns regarding the delaying of

alerts, the diminished alert notification service, the effects of not sending out alerts,

and “throttling of alerts,” i.e., not sending out alerts to customers anytime anyone did

anything with the customer’s name, with numerous LifeLock personnel, including

Lenstrohm, Vice President of Marketing Erick Dickens, Senior Manager Amanda

Mellon, Manager Brent Hazel, Melinda Keels (Finance), and Burke’s own

supervisor, Gregory Lim (“Lim”). Id. , ¶¶ 16-19.

76. Perhaps most significantly, Burke expressed his concern in the course

of these discussions that “throttling” might violate the Settlement Order as LifeLock

was engaged in false and misleading advertising regarding the alerts. Id. , ¶¶ 16, 19.

77. In support of this view, Burke highlighted the following unequivocal


- 23 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

I representation made by the Company on its website as of July 2013 (and which has

since been taken down):

Responding to Identity Theft

With LkLock' identity theft poIec6ozL we a1i you by o - maL phone or xi niesage i f we detect that your personal information otay hae been tLed -

mi v.ilI hear tTroiii W, oitiv when aiecesai-v.

T1killg Ft Ai lion

We r -iew each at tempt o 1111 StT yom ideiitiy. and proac com a Ct yot uivtiine we detect an exposure or threat. L1eLock U1thnate protection sues oiie iep furt1ir—if we detect a change to the coiitct infomia tion on yotu uk

accotlnTc. venll coillact you to help correct the siflti on tit

I See Burke Compl., ¶ 13.

78. Burke told Lim, his supervisor, that LifeLock “should adjust its

marketing messaging to reflect this diminished service ....” Id. , ¶ 19.

79. In response to Burke expressing his concerns to Lim, he was

terminated. Adding insult to injury, LifeLock did not follow up on Burke’s concerns

regarding customer alerts. ¶¶ 20-25.

80. Ultimately, LifeLock settled Burke’s wrongful termination suit under

Arizona state law for an undisclosed amount in February 2014, just as a true

whistleblower complaint under federal law against the Company was set to become

public.

81. On March 20, 2014, Michael D. Peters (“Peters”), LifeLock’s former

Chief Information Security Officer (“CISO”), filed a complaint in the United States

District Court for the District of Arizona pursuant to the whistleblower protection CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION

OF THE FEDERAL SECURITIES LAWS

- 24 -


1 provisions of the Sarbanes-Oxley Act, 18 U.S.C. § 1514A (“SOX”), and the Dodd-

2

Frank Act, 15 U.S.C. § 78u-6(h)(1)(A). See Peters v. LifeLock, Inc. et al. , No. 14-

3 CV-00576 (D. Ariz.) (Dkt. No. 1) (the “Peters Compl.”). Earlier, on August 19,

4

5 2013, Peters filed complaints with the FTC and the SEC, and filed a whistleblower

6

I complaint under SOX with the Department of Labor on August 23, 2013.

7 82. Peters was certified as Chief Information Security Officer (“CISO”), 8

Information System Security Professional, Information Security Manager, and 9

10 Computer Examiner in Risk and Information Systems Control. Peters Compl., ¶ 6.

11 83. On or about July 1, 2013, Peters began work as LifeLock’s CISO 12

following “an intense screening and vetting process by LifeLock [that] included more 13

14 than twelve face-to-face interviews, numerous telephonic interviews, drug testing, a

15 thorough review of eight years of Peters’s tax returns, thorough criminal and civil

16 background checks, and background checks on his education and employment.”

17

18 Peters Compl., ¶¶ 12, 16.

19

84. Peters alleges that upon commencing work at LifeLock, he

20 immediately began an initial risk assessment at LifeLock. Before his hiring,

21

22 LifeLock had never conducted a bona fide risk assessment. Even in the preliminary

23 stages of the risk assessment, Peters began to discover many instances of illegal and

24 incompetent practices that constituted fraud against LifeLock’s shareholders.

25

26 According to Peters, these included, but were not limited to, the following:

27 a. LifeLock’s manager of database administration, Jacqueline Hufford-

28 Jensen, signed a Sarbanes-Oxley audit verifying that the information


- 25 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

contained in that audit was true and correct even though the time period she was attesting to predated her hiring date at LifeLock.

b. LifeLock’s director of internal audits, Tony Valentine, had “collected” evidence from the information security team that existed prior to Peters’s arrival related to access logging, audit logging, audit log reviews, network security controls, and data leakage controls that either (1) did not truly exist because the technology was still in boxes; or (2) LifeLock lacked the staff to keep track of everything; or (3) such reviews were not actually conducted.

c. LifeLock employee Dave Bridgman told Peters that LifeLock’s current practice was to manipulate the customer alerts sent to its elderly customers. LifeLock would turn off or reduce the services alerting elderly customers to reduce the call volume received by LifeLock’s customer support center. Peters believed this was fraudulent since it sold its services to the general public without any disclosure that alert services would be limited for certain segments of the population.

d. LifeLock was in the process of finalizing a new product offering called PassLock. This system was designed to allow customers to include their passwords for up to ten accounts. PassLock would then crawl through hundreds of internet sites to check the username and password supplied by the customer and report back to the customer. The problem was that the database was not being protected with industry-grade encryption. The database was predicted to contain millions of customer credentials that would be devastating to consumers if a breach occurred. Moreover, the system was going to utilize a third-party cloud hosting business without that third party’s knowledge or consent. Technically, the PassLock crawling would be identified by most service providers as intrusive, illegal, illegitimate, and then blacklist the source address. The unknowing third-party cloud hosting service would suffer significant business damage and LifeLock could face significant liability thereby damaging its shareholders.

Peters Compl, ¶ 17 (bold added).

85. Furthermore, Peters alleges that “LifeLock’s security posture was at

high risk.” In particular, “Peters determined that LifeLock’s internal capacity for

governance implemented (policies, audit plan, change controls, architectural review,

etc.) was at 47% of the minimum to protect LifeLock’s customers and their sensitive


- 26 -


1 information. If a security breach occurred, LifeLock’s shareholders would be

2

damaged.” Id. , ¶ 18.

3 86. Peters also “determined that LifeLock’s technological security

4

5 readiness (intrusion prevention, data leakage, data encryption, access controls,

6 physical security, etc.) was only at 27% of the minimum to protect LifeLock’s

7 customers and their sensitive information.” Id. , ¶ 19. Again, “[i]f a security breach 8

occurred, LifeLock’s shareholders would be damaged.” Id. 9

10 87. Additionally, Peters “determined that LifeLock’s security vigilance

11

(vulnerability testing, auditing, monitoring, awareness education, event logging, 12

incident management, etc.) was at 0% of the minimum to protect LifeLock’s 13

14 customers and their sensitive information.” Id. , ¶ 20. Accordingly, “[i]f a security

15

breach occurred, LifeLock’s shareholders would be damaged.” Id.

16 88. Peters attributes the above-discussed problems, in part, to a lack of

17

18 qualified personnel: “LifeLock only had two people responsible for security. One

19

individual lacked technical skill and only had minimal security experience; the other

20 was fresh out of college and had technical skills, but lacked experience if a data

21

22 breach occurred.” Id. , ¶ 21. Based on this, “Peters concluded that millions of

23 customers were at risk given the data LifeLock possesses and is incapable of

24 protecting.” Id.

25

26 89. Peters alleges that when he advised LifeLock management, including

27 Defendant Power, of all of these problems, as well as the imminent need to hire at

28


- 27 -


1 least 12 information security professionals, LifeLock, rather than seeking responsive

2 solutions, fired Peters on a trumped-up charge of lying on his employment

3 application, despite his having already passed the Company’s intensive and invasive

4

5 vetting process with flying colors. See id. , ¶¶ 22-31.

6 90. After his firing, Peters filed a whistleblower complaint with the FTC on

7 August 19, 2013. ¶ 33. The FTC’s investigation remains ongoing. On July 31, 2014, 8

the Company admitted in a public filing that it had “received a request from the 9

10 Federal Trade Commission, or the FTC, for documents and information related to our

11 compliance with the FTC Order” as of March 13, 2014. 12

Confidential Witnesses 13

14 91. The allegations in the Burke and Peters complaints are corroborated by

15 Confidential Witnesses who worked at LifeLock during the Class Period in positions 16

that provided them a basis to observe the facts they provided, including meetings 17

18 with the Individual Defendants.

19

92. CW1 was a product manager at LifeLock’s San Diego office from the 20

time her employer, ID Analytics, was acquired by LifeLock in December 2011 until 21

22 May 2013. CW1 reported to Eric Rosado, VP of Consumer Products.

23

93. CW1’s job involved working on ID Analytics website and its

24 integration into LifeLock after acquisition in late 2011. CW1 was specifically

25

26 instructed remove some of the language on the ID Analytics website “so we didn’t

27 compete with LifeLock’s product offerings.”

28


- 28 -


1 94. With respect to the services purportedly provided by LifeLock, CW1

2 stated that one thinks because they have signed up that their identity information is

3 actively being monitored somehow, when it really is not.

4

5 95. In fact, CW1 stated that monitoring is not much more than a loose

6 association between your name and Social Security number.

7 96. During CW1’s tenure, from 2011 to 2013, LifeLock was incapable of 8

monitoring every activity using a customer’s social security number or other identity 9

10 information, CW1 said. In fact, many transactions, including fraudulent ones, could

11 occur without any alerts made to LifeLock or the customer. Accordingly to CW1, if 12

someone types in their name, account, and credit card number (as a LifeLock 13

14 customer), they are led to believe that it is being actively monitored, and that if

15 anyone tries to steal the information, LifeLock will alert the customer no matter

16 where it is. But no one can actually do that. You’d have to have every single

17

18 Internet entity in your network, and nobody can do that.

19

97. CW1 further noted that only a “handful” of financial institutions agreed

20 to participate in LifeLock’s network, which is a network of shared data that the

21

22 Company uses to monitor activity on customers’ identity information, such as Social

23

Security numbers. Bank of America, Discover, and AT&T credit cards were the only

24 large financial institutions that participated in the network during the time of CW1’s

25

26 employment.

27

98. CW1 stated that if an institution did not participate in the network,

28


- 29 -


1 LifeLock had no means to monitor any transactions in real time at that institution

2

I using LifeLock’s customers’ identities. LifeLock could not report a transaction the

3 moment they happened, as it advertises. For example, if someone applied for a credit

4

5 card at Chase Bank, and Chase is not in the network, LifeLock would have never

6

I received the information about that application, even if it were done fraudulently

7 using a LifeLock customer’s Social Security number. 8

99. CW1 asserted that the only activity LifeLock could monitor was 9

10 activity that occurred at the institutions participating in LifeLock’s network. But even

11 those institutions didn’t always alert LifeLock to activity on a customers’ identity. 12

100. CW1 said that when an institution ran a customer’s identity information 13

14 through LifeLock’s network to check its authenticity, it did so most of the time

15

because that institution had already detected something suspicious and would on its

16 own identify the fraudulent activity without LifeLock’s assistance.

17

18 101. CW1 stated that LifeLock’s true function is as a marketing services

19 company, selling data on people, i.e., LifeLock’s customers, who provide the

20 company with their personal information, financial accounts, social security numbers

21

22 and other personal information.

23

102. CW1 described LifeLock’s business as having substantial customer

24 data which the Company can market. Indeed, CW1 described LifeLock as a

25

26 marketing engine, where the Company sells this data over and over and over again.

27 103. Even though the Settlement Order, signed in 2010, states that all

28


- 30 -


1 I employees that deal with the stipulations addressed in the Order must be provided

2

I with the order, CW1 said she never received a copy of the Order, nor did her

3 superiors at LifeLock tell her about the provisions of the Order.

4

5 104. CW1 states that the FTC investigation was well known at the

6

I Company, and she understood that some changes to advertising were required, but

7 she did not have more details about what types of advertising was prohibited. 8

105. CW1 stated that the only FTC-related changes she was aware of 9

10 involved a $1 million guarantee. Specifically, CW1 heard that LifeLock had to stop

11 guaranteeing customers they would receive $1 million in insurance if their identity 12

was stolen, and that the Company’s advertisements began to say instead that 13

14 LifeLock would pay for up to $1 million to help customer recover from the damages

15 caused by an identity theft.

16 106. CW1 said that CEO Davis was “very involved” in the company and

17

18 that he personally participated in marketing plans. Indeed, CW1 stated that Davis

19 reviewed plans and strategy documents. After the ID Analytics acquisition, CW1

20 and other employees were in Tucson and Davis popped into a marketing review

21

22 meeting to and took part in the review of the marketing plans.

23

107. CW2 was a Customer Relationship Management (“CRM”)

24 Administrator at LifeLock from March 2012 to November 2012. CW2 reported to

25

26 Pat Pendleton (“Pendleton”), Chief Information Officer.

27 108. CW2 states that LifeLock did not have a Network Operations Center

28


- 31 -


1 (“NOC”) that monitored the company’s internal computer systems to ensure that it

2 was functioning properly and to catch problems, security breaches, and failures when

3 they occurred. CW2 described NOC as a computer system that uses software

4

5 programs and human monitoring to detect problems, security breaches, or failures in

6

I the company’s data networks and servers .

7 109. According to CW2, LifeLock had an automated computer processing

8

9 system that was set up by an employee who subsequently left the Company, and no

10 one at LifeLock was managing the system or even knew how to manage the system.

11 110. Due to the lack of a NOC and the unmanaged automated processing

12

13 system, files at LifeLock were not always processed in a timely manner. This

14 included alerts to customers about activity on their credit cards and membership

15 enrollment in LifeLock’s alert system. 16

111. Prior to the IPO, the Company’s Chief Information Officer (“CIO”) 17

18 was preparing to implement a NOC and train employees to manage the automated

19 processing system. Immediately after the IPO in October 2012, the CIO was let go 20

and the plans for improving the company’s internal systems were dropped. 21

22 112. CW2 said companies like LifeLock that boast large internal data and

23 processing systems typically have an NOC, which is managed and overseen by a

24 group of employees dedicated to ensuring that a company’s internal data and

25

26 processing systems are working correctly.

27

113. When CW2 began working at LifeLock, he realized the company did

28


- 32 -


1 not have an NOC, and he began to recommend that it develop one. He said he

2

I pushed for the NOC because LifeLock’s system regularly had delays and failures of

3 the company’s automated system to process files in a timely manner.

4

5 114. With an NOC, the company could catch these problems quickly and

6

I alert the proper employees who could immediately begin to deal with fixing it. If a

7 server was having a hardware malfunction or low memory, somebody needed to be 8

able to catch that stuff before it can cause a problem and affect coverage. CW2 rated 9

10 the importance of LifeLock having a NOC as very high. Because of the nature of

11 what LifeLock does, the importance is definitely an 8 or 9 (out of 10). Knowing 12

whether or not LifeLock has a server that’s going to crash is important. It is 13

14 customer-affecting, because LifeLock claimed it did 24-hour monitoring, so it had to

15

be sure that its system was up full time.

16 115. As noted above, LifeLock had an automated processing system during

17

18 the Class Period. CW2 said this system was designed to automatically process files

19

that came into the company’s data network on a regular schedule. For example, new

20 enrollments in LifeLock would come into the network and the system was supposed

21

22 to process those enrollments within 24 hours. Yet sometimes the system would fail

23

to do so. In such instances, employees would only be alerted to the failure at the time

24 of the next scheduled processing.

25

26 116. CW2 said that if a certain type of file was scheduled to be processed

27

I every Thursday, but the system failed to process a batch, no one at the Company

28


- 33 -


1 would know the files were not processed until a next set was supposed to be

2 processed the following Thursday.

3 117. CW2 said the files not processed were things that would affect sales,

4

5 things that would affect support. For instance, the problems could affect alerts about

6 activity on a customer’s’ credit card.

7 118. CW2 said the problem delayed alerts about activity on personal credit 8

cards. Alerts were supposed to be processed within 24 hours of improper activity 9

10 involving customers’ credit cards.

11 119. CW2 personally noticed that LifeLock alerts about activity on his own 12

credit cards often didn’t arrive until 2 or 3 days after he knew he had activity on his 13

14 credit cards. This was due to problems with the automated system, which is still on-

15 going.

16 120. CW2 discussed the need to improve the automated processing system,

17

18 train employees on how to use it, and develop a NOC with CIO Pendleton.

19

Pendleton agreed with CW2’s recommendations and, in the months prior to

20 LifeLock’s initial public offering, Pendleton and CW2 began planning the

21

22 development of such a system.

23

121. However, immediately after the IPO in October 2012, LifeLock let

24 Pendleton go. “No one had no warning, and everybody was on the same page of

25

26 being surprised.” After Pendleton left the Company, all the plans to improve the

27 automated system, train employees to use the automated system and install a NOC

28


- 34 -


1 evaporated. Moreover, CW2 said plans to fix a problem with LifeLock receiving

2 enrollment information from new customers who signed up through AOL.com were

3 also scuttled with Pendleton’s ouster.

4

5 122. CW3 was a Manager, Member Services, at LifeLock from September

6 2012 to July 2013. CW3 reported to Eric Blomgren (“Blomgren”), Team Manager,

7 Member Services. 8

123. CW3 worked as a manager in the call center located in Tempe, 9

10 Arizona, and has many years of experience working at other large companies’ call

11 centers. 12

124. CW3 saw many problems at LifeLock’s call center and addressed the 13

14 problems with CW3’s superiors. CW3 characterized the call center as a lot of chaos,

15 no conformity, no efficiency. People were flying by the seat of their pants and didn’t

16 know what they were doing.

17

18 125. CW3 resigned after approximately nine months because LifeLock

19 managers resisted any complaints about the problems at the call center.

20 126. When CW3 began working at the Company, the call center was

21

22 understaffed. The Company was in the process of hiring many people, but when the

23 call center began to receive high volumes of calls, LifeLock would turn off the alerts

24 going out to members informing them of activity on their credit.

25

26 127. Quite simply, the Company turned off alerts to control call volume

27

because the call center was understaffed. There would be a large queue (of calls),

28


- 35 -


1 I and all the sudden it would stop because the alerts were turned off.

2

128. The Company had a process in place for when call volume hit certain

3 levels, which were color-coded as yellow and red alerts. When calls reached a certain

4

5 volume, call center employees had to call the IT department and alert them. The IT

6

I department had the ability to turn off the alerts.

7 129. Blomgren often talked about how LifeLock was able to “manage” 8

alerts to lower calls volume, which meant turning them off. In staff meetings, where 9

10 all managers were present, Blomgren reported that the Company could control the

11 volume. On days when the call center was understaffed the alerts were turned off. 12

On holidays when many employees were not working, the alerts were turned off. 13

14 130. CW3 said LifeLock was not Payment Card Industry Data Security

15

Standard (“PCI DSS”) compliant during the time CW3 was at LifeLock, even though

16 that was a requirement for handling credit card information.

17

18 131. PCI DSS is a proprietary information security standard promulgated by

19

the Payment Card Industry Security Standards Council for organizations that handle

20 cardholder information. According to LifeLock, PCI DSS compliance ensures “that

21

22 important identity theft precautions have been taken on your behalf including

23

installing firewalls, monitoring for malware and other basic precautions ....”

24 132. CW3 said managed a team of new call center agents, none of whom

25

26 had gone through PCI compliance training. Nonetheless, these agents were handling

27 credit card information for LifeLock.

28


- 36 -


133. CW3 handled at least three calls from customers who called to 1

2

I complain that they had received access to someone else’s credit report instead of

3 their own. One customer had just upgraded to a higher level of service that gave

4

5 members full access to their credit report at all times. When the customer in question

6

I logged in and accessed the credit report, it was a credit report for someone else.

7 134. CW3 was unable to figure out why this happened and took the 8

complaint to Blomgren, who, while indicating that he was aware that this situation 9

10 happened sometimes, did nothing to fix the situation. According to CW3, Blomgren

11 acknowledged that it happened, but simply did nothing about it. 12

135. The Company did not have a fix for the problem, according to CW3. 13

14 Instead, CW3 was instructed to simply put the customer back into the lower level

15 service plan that did not have access to credit reports. There was no way to give that

16 customer their credit report. CW3 said the complaint was unresolved from the time it

17

18 was reported it until CW3’s resignation three months later. Whenever CW3 asked

19

Blomgren about it, he would respond that he was still working on it.

20 136. The other two customers who complained about the same problem

21

22 wanted their membership fees returned and cancelled the service because they no

23

longer believed LifeLock was protecting their information.

24 137. According to CW3, PCI compliance prohibits merchants from keeping

25

26 the recordings of consumer credit card numbers on recorded phone calls. LifeLock,

27

however, was not erasing the credit card numbers off of the phone calls it recorded,

28


- 37 -


1 I she said. CW3 listened to these recordings as part of CW3’s job. The credit card

2

I numbers were still on the recordings which is a violation of PCI compliance.

3 138. According to CW3, members also called in to complain about not

4

5 receiving an alert when they applied for credit or financing somewhere. The

6

I customers did not subsequently receive an alert from LifeLock about it. LifeLock

7 promotional materials stated that customers would receive alerts when an application 8

for credit was made with their identity information. When customers called to 9

10 complain about not receiving alerts, which was frequent, call center agents were

11 required to read off a prepared script, which misleadingly stated that some retailers or 12

financial institutions had their own internal credit approval process and that some 13

14 merchants offer their own internal financing, so they might not pull the members’

15 credit from the credit bureaus.

16 139. Often, after telling the customer this information, call center agent

17

18 would look at the member’s credit report and see that in fact their credit had been

19 pulled by the merchant in question. The agent would apologize to the customer and

20 say that some alerts take longer than others or that perhaps the credit bureau just

21

22 updated their credit information. It was LifeLock’s way of covering it, so they could

23 send the alert to them anytime.

24 140. CW3 said members who applied for credit at Macy’s and did not

25

26 subsequently receive an alert from LifeLock were a particularly problematic source

27 of complaints. The problem was that Macy’s was not a participating member of

28


- 38 -


1 LifeLock’s network so LifeLock did not receive the information from Macy’s about

2 the credit application. Nobody ever got an alert from Macy’s, CW3 said.

3 141. When members called to complain about this, call center employees

4

5 were not allowed to tell customers that Macy’s was not a participating merchant in

6 LifeLock’s network. The only thing LifeLock employees could tell members was that

7 it’s a possibility they are not in our participating network. 8

142. CW3 said LifeLock has a list of companies that participate in the 9

10 network, but they do not share it with consumers. LifeLock does not receive

11

information about credit applications from companies that are not part of the 12

network, so LifeLock cannot send those alerts out to members. 13

14 143. CW4 was a Member Services Manager at LifeLock from February

15

2012 to January 2014, based at the company’s call center headquarters in Tempe,

16 Arizona, and reported to Blomgren and David O’Neill, both Directors of Member

17

18 Services.

19

144. According to CW4, LifeLock’s credit monitoring service, which was a

20 selling point for its premium services, was extremely problematic during CW4’s

21

22 tenure.

23

145. The service allowed customers to check their credit score at any time,

24 which was supposedly a combination of all three credit bureau numbers. The number

25

26 that customers received from LifeLock, however, often was dramatically different

27 than the number that lenders would see when pulling the customers number to

28


- 39 -


consider a loan or credit. 1

2

146. For example, CW4 said a customer might check their credit before

3 applying for a car loan or home loan. For example, the score they would receive from

4

5 LifeLock might be 800, yet when the customer went to the car dealer or bank, the

6

I lender would pull the customer’s credit and see that the score was 700.

7 147. When customers complained about this to LifeLock, member service 8

agents were instructed to tell customers that the credit score they received from 9

10 LifeLock was a more accurate number than what the lenders received because it was

11

based on TransUnion credit bureau’s credit model called TransRisk. Call center 12

personnel were instructed to tell customers was that the TransRisk model was more 13

14 accurate than the model used to determine if they qualified for a car or a house loan.

15

148. Sometimes, however, customers checked their credit scores directly

16 with TransUnion and even then the number they had received from LifeLock was

17

18 different from TransUnion’s own score. At that point, CW4 said, it was difficult to

19

try to explain that away when customers complained about it, especially when

20 Lifleock advertised that it had a partnership with TransUnion.”

21

22 149. CW4 further stated that LifeLock’s internal computer system, which

23

I processed and sent out alerts to customers, often did not function as it was supposed

24 to and tens of thousands of alerts did not go out. It was not unusual for someone

25

26 from IT to come in and say that they just found 10,000 alerts that were not senr out

27

from six months ago, and ask what we should do about it. According to CW4, this

28


- 40 -


1 happened about once a month during the time CW4 was at LifeLock, and the amount

2 of alerts that did not go out went as high as 100,000.

3 150. When LifeLock discovered the huge files of alerts that had not gone

4

5 out, the Company would decide whether or not to even send the alerts out to

6 customers. Usually, it was a collaborative effort with respect to the decision.

7 151. CW4 stated that Blomgren, along with Rob Ryan, Vice President 8

Member Services, and Michael Hargis (“Hargis”), the Senior Vice President of 9

10 Member Services discussed whether to send out the missed alerts and if so, to which

11 customers, with Hargis, who reported to LifeLock’s top executives, making the final 12

decision. 13

14 152. In deciding whether to send out missed alerts, CW4 said the Company

15 weighed how old the alerts were, how many people were impacted and whether the

16 customers subscribed to basic or premium service. He said if the customers were in

17

18 premium service, the company was more likely to send the alerts out. There were

19

times when they decided not to alert customers; half the time they did and half time

20 they didn’t.

21

22 153. The problem stemmed from an ineffectual IT department. One thing

23

LifeLock never had going for it was a good IT tech team. They had a really poor IT

24 and software team. The Company always had problems.

25

26 154. CW4 stated that it was “common practice” at LifeLock to suppress

27 alerts from going out on the weekends because the call center was not staffed to

28


- 41 -


1 handle the calls from customers. This was in violation of the contract with CSI, a

2 third party company that provided the alerts to LifeLock, there was no indication that

3 CSI was not aware that LifeLock was suppressing alerts from going out when they

4

should. 5

6 155. During CW4’s tenure, LifeLock also suppressed alerts during the week

7 when the call volume surpassed what the call center could handle. If there a large 8

backlog of alerts had accumulated, the Company would decide to suppress alerts for 9

10 a week, then another week, and before you knew it, it was three months of

11 suppressions. 12

156. When the Company decided to suppress alerts, elderly customers were 13

14 often the victims according to CW4. Although not commented on by CW4, this

15

“throttling” of older users has the potential to affect a large segment of LifeLock’s

16 customer base, which, as Chief Marketing Officer Seth Greenberg admitted at a

17

18 March 12, 2014 Investor Day, skews older and more male than the general

19 population.

20 157. CW4 stated that the thinking at the Company, and under Hargis’s

21

22 instructions, was that elderly people are less-savvy internet users and would therefore

23 not miss receiving the alert. Elderly people also did not fully understand their service

24 plans, the thinking went, and were often confused by the alerts and frustrated with the

25

26 service prompting them to cancel.

27 158. LifeLock had the ability to pinpoint the date of birth of its customers

28


- 42 -


1 I and, using that information, not send out alerts to people with birth years prior to

2

1940. The elderly were sold on a product they didn’t understand, and when they got

3 these alerts, they’d call in and didn’t know what was going on. The Company got a

4

5 lot of cancelations and were trying to avoid elderly people calling in and losing their

6 I business.

7 159. CW4 stated that in 2013, Davis and Schneider held a number of 8

meetings at LifeLock’s call center in Tempe to discuss the company’s internal 9

10 computer system problems with Member Service agents. At these meetings, which

11 CW4 recalled as having occurred in the first half of 2013, Davis and Schneider let 12

employees know they were aware that the system was failing to send out tens of 13

14 thousands of alerts when it was supposed to and that when those alerts did eventually

15 go out late, the call center might be overwhelmed by customer calls. CW4 stated that

16 Davis and Schneider were aware of it 100 percent. Indeed, at these meetings, which

17

18 were held at several different times so that the executives could meet with all

19 employees on every shift, Davis and Schneider said that the company was working

20 on addressing the problems. They said they were very well aware of the system

21

22 issues, and they were bringing on new people and reorganizing the technology

23

department.

24 160. CW4 also stated that every Thursday at 10 a.m., LifeLock held a

25

26 companywide meeting called “Thoughtful Thursdays.” Either CEO Davis or

27 President Schneider hosted the meetings, in which CFO Power and other executives

28


- 43 -


1 participated. The meeting was simultaneously webcast to the Member Services call

2 center, which was in a separate building than the corporate offices at the time.

3 161. During these meetings, CW4 explained, Company employees were

4

5 allowed to submit anonymous questions to company leadership. When a question

6 was asked during the meeting, the appropriate department head would answer. On at

7 least one occasion, the issue of suppressing alerts came up at these meetings, and in 8

response, the senior executives, including Davis, Schneider and Power, said they 9

10 were aware of the practice of not sending out large files of alerts after it was

11

discovered that they had not gone out to customers months earlier when they should 12

have. 13

14 162. According to CW4, the Company initially tested what would happen if

15 they sent the alerts out months late, but the response to it from customers was bad –

16 many customers were upset about not receiving alerts in a timely manner, and

17

18 cancellations increased. The company became more reluctant to send out late alerts

19 after that initial test because the Company feared high rates of cancellations in

20 response.

21

22 163. CW5 was Director of Quality Assurance and Service Delivery at

23

LifeLock from May 2012 to October 2012. CW5 reported for the first three months

24 to CIO Pendleton. After Pendleton was fired, CW5 began to report to Connie Suoo

25

26 (“Suoo”), the Vice-President of Engineering.

27 164. CW5’s job was to ensure that the software the Company implemented

28


- 44 -


1 on its website for customer interfacing worked and was deployed correctly. During

2

I CW5’s time at LifeLock, the IT and computer infrastructure departments were in

3 “chaos.” It was a completely dysfunctional environment. There were all the basic

4

5 failures you see in organizations: lack of trust, people trying to protect their jobs,

6

I paranoia. There was out and out incompetence. CW5 described it as being totally

7 ridiculous. 8

165. CW5 said the departments that dealt with the computer systems 9

10 experienced a high turnover rate from firings and resignations. The disruptions and

11

dysfunctional environment impacted the Company’s ability to run a functional 12

computer system and delayed plans to make much-needed upgrades to its system. 13

14 166. As an example, when CW5 was hired, he reported to CIO Pendleton.

15

Similar to CW2, CW5 reports that Pendleton designed a strategy for upgrading the

16 Company’s computer infrastructure and system over time. But Pendleton was fired

17

18 before he could implement his strategy and the upgrades were delayed. Once Pat

19

Pendleton left, a vacuum was created. There was no one around to pick up the

20 strategy.

21

22 167. CW5 said the technology department’s disorder impacted the

23

I Company’s ability to operate a functional system on a day-to-day basis. Specifically,

24 CW5 stated the installation of new software on the Company’s website frequently

25

26 caused the system to shut down or fail to restart.

27 168. According to CW5, one high profile software project, called the SKU

28


- 45 -


1 project, was installed late at night and was expected to take 1 to 2 hours to deploy.

2

After the software was installed, however, the Company’s entire system failed to

3 restart. Approximately 50 employees, including senior executives, were up all night

4

5 trying to figure out what happened to the system. The engineers were about to back

6 the software off the system when they ultimately figured it out and got the system

7 started about at about 10 a.m. the next morning. The senior executives who were 8

involved in this incident included Prakesh Ramamurthy, the Chief Technology 9

10 Officer, and VP of Engineering Suoo.

11 169. CW5 said such system failures happened regularly. About two to 12

three times a month there would be some sort of failure in the IT infrastructure, and 13

14 when the system failed, he believes alerts could not go out.

15

Defendants’ False and Misleading Statements During The Class Period

16

170. On February 26, 2013, the Company filed its annual report for the 17

18 period ending December 31, 2012 with the SEC on Form 10-K (the “2012 10-K”),

19

its first such report since the IPO. The 2012 10-K stated that:

20 In March 2010, we and Todd Davis, our Chairman and Chief Executive

21

Officer, entered into a Stipulated Final Judgment and Order for

22 Permanent Injunction and Other Equitable Relief with the FTC, which

we refer to as the “FTC Order.” The FTC Order was the result of a 23 settlement of the allegations by the FTC that certain of our advertising

24 and marketing practices constituted deceptive acts or practices in

violation of the FTC Act, which settlement made no admission as to the 25 allegations related to such practices. The FTC Order imposes on us

26 and Mr. Davis certain injunctive provisions relating to our

advertising and marketing of our identity theft protection services, 27 such as enjoining us from making any misrepresentation of “the

28 means, methods, procedures, effects, effectiveness, coverage, or


- 46 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

scope of” our identity theft protection services. However, the bulk of the more specific injunctive provisions have no direct impact on the advertising and marketing of our current services because we have made significant changes in the nature of the services we offer to consumers since the investigation by the FTC in 2007 and 2008, including our adoption of new technology that permits us to provide proactive protection against identity theft and identity fraud. The FTC investigation of our advertising and marketing activities occurred during the time that we relied significantly on the receipt of fraud alerts from the credit reporting agencies for our members. The FTC believed that such alerts had inherent limitations in terms of coverage, scope, and timeliness. Many of the allegations in the FTC complaint, which accompanied the FTC Order, related to the inherent limitations of using credit report fraud alerts as the foundation for identity theft protection. Because the injunctive provisions in the FTC Order are tied to these complaint allegations, these injunctive provisions similarly relate significantly to our previous reliance on credit report fraud alerts as reflected in our advertising and marketing claims. The FTC Order also imposes on us and Mr. Davis certain injunctive provisions relating to our data security for members’ personally identifiable information . At the same time, we also entered into companion orders with 35 states’ attorneys general that impose on us similar injunctive provisions as the FTC Order relating to our advertising and marketing of our identity theft protection services.

Our or Mr. Davis’ failure to comply with these injunctive provisions could subject us to additional injunctive and monetary remedies as provided for by federal and state law. In addition, the FTC Order imposes on us and Mr. Davis certain compliance requirements, including the delivery of an annual compliance report. We and Mr. Davis have timely submitted these annual compliance reports, but the FTC has not accepted or approved them to date . If the FTC were to find that we or Mr. Davis have not complied with the requirements in the FTC Order, we could be subject to additional penalties and our business could be negatively impacted. (Bold added).

171. Moreover, the 2012 10-K stated that:

Our business and the information we use in our business is subject to a wide variety of federal, state, and local laws and regulations, including ... the FTC Act and comparable state laws that are patterned after the FTC Act, and similar laws. We also are subject to federal and state laws


- 47 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

and regulations relating to the channels in which we sell and market our services. In addition, our business is subject to the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief, as well as the companion orders with 35 states’ attorneys general that we entered into in March 2010. We incur significant costs to operate our business and monitor our compliance with these laws, regulations, and consent decrees. (Bold added).

172. The 2012 10-K also stated that: “We have received a PCI Level 1

certification in our consumer and enterprise businesses ....”

173. According to the 2012 10-K, “[a]s part of our consumer services, we

offer 24x7x365 member service support. If a member’s identity has been

compromised, our member service team and remediation specialists will assist the

member until the issue has been resolved.”

174. The 2012 10-K further stated that:

We regularly assess the effectiveness of our information security practices and technical controls. In addition to regular external audits, we conduct internal security testing to ensure current practices are effective against emerging threats. Additionally, outside penetration tests are conducted on a regular basis. We ensure that our systems are free from critical vulnerabilities by conducting regular vulnerability scans and penetration tests. We also remain aware of publicly disclosed vulnerabilities in commercial and open source products, and remediate issues in a timely manner. (Bold added).

175. In addition, the 2012 10-K stated that:

We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).


- 48 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

176. In the 2012 10-K, Defendants Davis and Power signed a certification

pursuant to Section 3602 of the Sarbanes Oxley Act of 2002 (the, “SOX

Certification”) whereby both Individual Defendants certified the following:

1. I have reviewed this Annual Report on Form 10-K of LifeLock, Inc.;

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

4. The registrant’s other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) for the registrant and have:

a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

b) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and


- 49 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

c) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

5. The registrant’s other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and

b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.

177. The statements contained in Paragraphs 170-176 above were

materially false when made, and/or omitted material information necessary to make

the statements not misleading under the circumstances in which they were made,

because: (a) Defendants misrepresented “the means, methods, procedures, effects,

effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the

Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,

actionable alerts” were subject to regular delays and were actively disabled; (c)

Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365

member service support”; to the contrary, Defendants actively disabled customer


- 50 -


1 alerts on multiple occasions; (d) Defendants misrepresented “the means, methods,

2 procedures, effects, effectiveness, coverage, or scope of” Lifelock’s credit-

3 monitoring service, which provided inaccurate and/or misleading information to

4

5 customers; (e) Defendants failed to establish a comprehensive data security program

6 in violation of the Settlement Order; (f) Defendants had failed to assess the

7 effectiveness of their information security practices and technical controls; (g) 8

LifeLock failed to adequately monitor its compliance with the Settlement Order as 9

10 required by the FTC; and (h) LifeLock was not PCI-compliant, did not safeguard

11 customer credit card data, and had not trained its agents in PCI compliance. 12

178. On May 3, 2013, the Company filed its quarterly report for the period 13

14 ending March 31, 2013 with the SEC on Form 10-Q (the “Q1 2013 10-Q), which

15

incorporated by reference the “financial statements and notes included in” the 2012

16 10-K and informed investors that:

17

18 We protect our members by constantly monitoring identity-related

events, such as new account openings and credit-related applications. 19

If we detect that a member’s personally identifiable information is

20 being used, we offer notifications and alerts, including proactive,

near real-time, actionable alerts , that provide our members peace of 21 mind that we are monitoring use of their identity and allow our

22 members to confirm valid or unauthorized identity use. (Bold added).

23

179. The Q1 2013 10-Q also stated that “[a]s part of our consumer

24 services, we offer 24x7x365 member service support. If a member’s identity has

25

26 been compromised, our member service team and remediation specialists will assist

27

the member until the issue has been resolved.”

28


- 51 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

180. In addition, Defendants Davis and Power signed a certification similar

in form to the SOX Certification referenced in paragraph 176 above.



I the statements not misleading under the circumstances in which they were made,







alerts on multiple occasions; and (d) Defendants misrepresented “the means,

methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s

credit-monitoring service, which provided inaccurate and/or misleading information

to customers.

182. On August 2, 2013, the Company filed its quarterly report for the

period ended June 30, 2013 with the SEC on Form 10-Q (“the Q2 2013 10-Q”),

which incorporated by reference the “financial statements and notes included in”

the 2012 10-K and informed investors that:

We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive,


- 52 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).


services, we offer 24x7x365 member service support. If a member’s identity has

I been compromised, our member service team and remediation specialists will assist













alerts on multiple occasions; and (d) Defendants misrepresented “the means,

methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s

credit-monitoring service, which provided inaccurate and/or misleading information

to customers.


- 53 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

186. On October 29, 2013, Defendant held a Q3 2013 Conference Call,

during which Defendant Power stated that:

this quarter in particular, we saw some nice benefit in terms of economies of scale, really along two fronts. The first was our internal call center, where we've been able to – one of the benefits of growing the ultimate and the higher ARPU, growing those both is that from a support perspective, we get some nice scalability within our call center

187. The statements contained in Paragraph 186 above were materially false

when made, and/or omitted material information necessary to make the statements

not misleading under the circumstances in which they were made, because (a)

LifeLock’s internal call center had not become more “scalable”; (b) LifeLock’s call

center was understaffed and overburdened; and (c) LifeLock’s call center was only

able to manage call volume by turning customer alerts off in violation of the

Settlement Order.

188. On October 31, 2013, the Company filed its quarterly report for the

period ended September 30, 2013 with the SEC on Form 10-Q (the “Q3 2013 10-

Q”), which incorporated by reference the “financial statements and notes included

in” the 2012 10-K and informed investors that:

We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).



- 54 -


1 services, we offer 24x7x365 member service support. If a member’s identity has

2

I been compromised, our member service team and remediation specialists will assist

3 the member until the issue has been resolved.”

4

5 190. In addition, Defendants Davis and Power signed a certification similar

6 in form to the SOX Certification referenced in paragraph 176 above.

7 191. The statements contained in Paragraphs 188-190 above were 8

materially false when made, and/or omitted material information necessary to make 9

10 the statements not misleading under the circumstances in which they were made,

11

because: (a) Defendants misrepresented “the means, methods, procedures, effects, 12

effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the 13

14 Settlement Order; (b) LifeLock’s self-described “proactive, near real-time,

15 actionable alerts” were subject to regular delays and were actively disabled; (c)

16 Lifelock did not “constantly monitor[] identity-related events” or offer “24x7x365

17

18 member service support”; to the contrary, Defendants actively disabled customer

19 alerts on multiple occasions; and (d) Defendants misrepresented “the means,

20 methods, procedures, effects, effectiveness, coverage, or scope of” Lifelock’s

21

22 credit-monitoring service, which provided inaccurate and/or misleading information

23

to customers.

24

The Truth Slowly Emerges 25

26 192. On February 19, 2014, the Company filed its annual report for the

27 period ending December 31, 2012 with the SEC on Form 10-K (the “2013 10-K”).

28


- 55 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

The 2013 10-K stated that:

On December 11, 2013, we acquired mobile wallet innovator Lemon, Inc., or Lemon, for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.

193. In the 2013 10-K, LifeLock revealed that it had met with the FTC

regarding its compliance with the terms of the Settlement Order after a

whistleblower had discussed certain violations thereof with the FTC. The Company

stated, in relevant part:

On January 17, 2014, we met with FTC Staff, at our request, to discuss issues regarding allegations that have been asserted in a whistleblower claim against us relating to our compliance with the FTC Order. Following this meeting, we expect to receive either a formal or informal investigatory request from the FTC for documents and information regarding our policies, procedures, and practices for our services and business activities. Given the heightened public awareness of data breaches and well as attention to identity theft protection services like ours, it is also possible that the FTC, at any time, may commence an unrelated inquiry or investigation of our business practices and our compliance with the FTC Order. We endeavor to comply with all applicable laws and believe we are in compliance with the requirements of the FTC Order. We believe the increased regulatory scrutiny will continue in our industry for the foreseeable future and could lead to additional meetings or inquiries or investigations by the agencies that regulate our business, including the FTC.

194. Significantly, the renewed FTC investigation, which could potentially

result in significant fines against the Company, was not announced in a press

release or highlighted in the Company’s 10-K. Instead, it was buried in the middle


- 56 -


1 I of a paragraph under the section “Government Regulation.” Market analysts,

2

I however, did find the information and within a few days had disseminated the

3 import of the reference in the Form 10-K on Seeking Alpha, noting the buried

4

5 disclosure, with an article entitled: “Lifelock: Pending FTC Investigation Revealed

6 in 10-K.”

7 195. The Seeking Alpha article expressed surprise “that [the FTC 8

investigation] was not included in the company's earnings press release or 9

10 mentioned on the earnings call” and went on to state that:

11 LOCK leads potential customers to believe that it will alert them in the

12 event that a credit check is done on them (if a person applied for a loan

or credit card). However, given that LOCK does not own a credit

13

bureau (unlike competitor ProtectMyID which is owned by Experian),

14 it is unclear how LOCK would be able to provide such a service.

Talking to some customers of Lifelock, I learned that while they

15 expected to be notified of a credit check by Lifelock, many

16 purchased cars on credit or applied for credit cards without

receiving such notifications .... 17

18 196. On this news, shares of LifeLock fell from $21.79 to $20.32, more

19

I than 6%, on unusually heavy trading volume on February 24, 2014. In addition,

20 this drop was notable for taking place at a time when other data security stocks were 21

soaring higher. 22

23 197. The 2013 10-K, while revealing the FTC investigation, nonetheless

24

I continued to deceive investors in regard to Defendants’ ongoing non-compliance 25

with the Settlement Order. 26

27

28


- 57 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

198. For example, regarding the Company’s entering into the Settlement

Order, and its compliance thereto, the 2013 10-K stated that:

In March 2010, we and Todd Davis, our Chairman and Chief Executive Officer, entered into a Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief with the FTC, which we refer to as the “FTC Order.” The FTC Order was the result of a settlement of the allegations by the FTC that certain of our advertising and marketing practices constituted deceptive acts or practices in violation of the FTC Act, which settlement made no admission as to the allegations related to such practices. The FTC Order imposes on us and Mr. Davis certain injunctive provisions relating to our advertising and marketing of our identity theft protection services, such as enjoining us from making any misrepresentation of “the means, methods, procedures, effects, effectiveness, coverage, or scope of” our identity theft protection services. However, the bulk of the more specific injunctive provisions have no direct impact on the advertising and marketing of our current services because we have made significant changes in the nature of the services we offer to consumers since the investigation by the FTC in 2007 and 2008, including our adoption of new technology that permits us to provide proactive protection against identity theft and identity fraud. The FTC investigation of our advertising and marketing activities occurred during the time that we relied significantly on the receipt of fraud alerts from the credit reporting agencies for our members. The FTC believed that such alerts had inherent limitations in terms of coverage, scope, and timeliness. Many of the allegations in the FTC complaint, which accompanied the FTC Order, related to the inherent limitations of using credit report fraud alerts as the foundation for identity theft protection. Because the injunctive provisions in the FTC Order are tied to these complaint allegations, these injunctive provisions similarly relate significantly to our previous reliance on credit report fraud alerts as reflected in our advertising and marketing claims. The FTC Order also imposes on us and Mr. Davis certain injunctive provisions relating to our data security for members’ personally identifiable information . At the same time, we also entered into companion orders with 35 states’ attorneys general that impose on us similar injunctive provisions as the FTC Order relating to our advertising and marketing of our identity theft protection services.

Our or Mr. Davis’ failure to comply with these injunctive provisions could subject us to additional injunctive and monetary remedies as


- 58 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

provided for by federal and state law. In addition, the FTC Order imposes on us and Mr. Davis certain compliance requirements, including the delivery of an annual compliance report. We and Mr. Davis have timely submitted these annual compliance reports, but the FTC has not accepted or approved them to date . If the FTC were to find that we or Mr. Davis have not complied with the requirements in the FTC Order, we could be subject to additional penalties and our business could be negatively impacted. (Bold added).

199. Moreover, the 2013 10-K stated that:

Our business and the information we use in our business is subject to a wide variety of federal, state, and local laws and regulations, including ... the FTC Act and comparable state laws that are patterned after the FTC Act, and similar laws. We also are subject to federal and state laws and regulations relating to the channels in which we sell and market our services. In addition, our business is subject to the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief, as well as the companion orders with 35 states’ attorneys general that we entered into in March 2010. We incur significant costs to operate our business and monitor our compliance with these laws, regulations, and consent decrees.

200. The 2013 10-K also stated that: “We have received a PCI Level 1

certification in our consumer and enterprise businesses ....”

201. According to the 2013 10-K, “[a]s part of our consumer services, we

offer 24x7x365 member service support. If a member’s identity has been

compromised, our member service team and remediation specialists will assist the

member until the issue has been resolved.”

202. The 2013 10-K further stated that:

We regularly assess the effectiveness of our information security practices and technical controls. In addition to regular external audits, we conduct internal security testing to ensure current practices are effective against emerging threats. Additionally, outside penetration


- 59 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

tests are conducted on a regular basis. We ensure that our systems are free from critical vulnerabilities by conducting regular vulnerability scans and penetration tests. We also remain aware of publicly disclosed vulnerabilities in commercial and open source products, and remediate issues in a timely manner. (Bold added).

203. Finally, the 2013 10-K stated that:

On December 11, 2013, we acquired mobile wallet innovator Lemon, Inc., or Lemon, for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.



205. That same day, the Company held its Q4 2013 Earnings Call, during

which CEO Davis stated that:

As you know, we acquired Lemon, Inc. late in the fourth-quarter. With that transaction, we've got an excellent team that is now running our mobile efforts along with an innovative mobile wallet application. The reaction to-date has been very positive, as this is a great way for us to engage with consumers. The combination of functionality is a logical extension for us. We can now help organize what's in your wallet and protect it as well.

206. The statements contained in Paragraphs 198-205 above were materially

false when made, and/or omitted material information necessary to make the

statements not misleading under the circumstances in which they were made,



- 60 -


1 effectiveness, coverage, or scope of” Lifelock’s customer alerts in violation of the

2

Settlement Order; (b) LifeLock’s self-described “proactive, near real-time, actionable

3 alerts” were subject to regular delays and were actively disabled; (c) Lifelock did not

4

5 “constantly monitor[] identity-related events” or offer “24x7x365 member service

6 support”; to the contrary, Defendants actively disabled customer alerts on multiple

7 occasions; (d) Defendants misrepresented “the means, methods, procedures, effects, 8

effectiveness, coverage, or scope of” Lifelock’s credit-monitoring service, which 9

10 provided inaccurate and/or misleading information to customers; (e) Defendants

11

failed to establish a comprehensive data security program in violation of the 12

Settlement Order; (f) Defendants had failed to assess the effectiveness of their 13

14 information security practices and technical controls; (g) LifeLock failed to

15 adequately monitor its compliance with the Settlement Order as required by the FTC;

16 (h) LifeLock was not PCI-compliant, did not safeguard customer credit card data, and

17

18 had not trained its agents in PCI compliance; and (i) LifeLock’s “innovative mobile

19 wallet application” was not PCI-compliant.

20 207. On February 24, 2014, LifeLock told an analyst from Deutsche Bank

21

22 Market Research (“DBMR”) that it “ha[d] settled a whistleblower lawsuit filed with

23

the FTC by an ex-employee of the company for a modest amount, in the last

24 month.” LifeLock told DBMR that “[t]hey favored settling the lawsuit to avoid

25

26 potentially higher litigation fees.” DBMR’s credulous takeaway was that “[w]e

27 view LifeLock’s meeting with the FTC, and subsequent 10-k disclosure as an effort

28


- 61 -


1 to be more transparent with investors.” On this basis, DBMR reiterated its “Buy”

2 rating.

3 208. The statements contained in Paragraph 207 above were materially

4

5 false when made, and/or omitted material information necessary to make the

6 statements not misleading under the circumstances in which they were made,

7 because: regardless of the disposition of the Burke complaint, the Peters 8

whistleblower complaint, filed in August 2013, had not been settled in any respect 9

10 and remained active.

11 209. On March 12, 2014, the Company held an Investor and Analyst Day, 12

during which CEO Davis publicly and directly addressed the renewed FTC 13

14 investigation of LifeLock:

15

Before we get to the first question, there was one item I would like to

16 address that coming out there, Simon, we've seen it. And that's about

our recent disclosures in our 10-K, about our meetings with the Federal

17

Trade Commission. I want to make sure we took that head up,

18 because as we've discussed in the past, we regularly meet with

regulators. So understand that we trade [ sic] our compliance to all

19 applicable laws regulations extremely seriously. So, we chose to share

20 this information, right about our ongoing conversations with the

FTC in our 10-K because we want to be proactive in [ sic]

21

transparent about the ongoing discussions. As I reiterate, we're

22 capable to do that, we want to do that because we take [e]xtreme care to

make sure that our advertising is accurate and comply with all laws and

23 all legal requirements.

24 So we had a couple of different meeting, I want to make sure I outline

25 each one of those. But first, as part of the ongoing dialog, we met with

the FTC in December of 2013 in relation to ID Analytics and FTC's

26 research into that industry. But that was not about specific business

27 practices of ID Analytics.

28


- 62 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

In addition to that, we pro-actively requested and met with the FTC in January of this year to discuss some acquisitions [sic] that had been made by terminated employee. It's important to understand that we have then settled that matter favorably for LifeLock with the former employee and that former employee has now come back and agreed that we were not violating any laws for the term of the agreement with the FTC. And we have shared that information with the FTC. Now what we expect that we may be asking more questions from the FTC or be asked to provide more additional information relating to those items, we have not yet been asked to do that. But if we are or as we are, I want everyone to understand we'll do as we've always done, which will continue to fully cooperate, continue to be transparent and continue to work with them to make sure we resolve the matter.

210. Also at the Investor and Analyst Day, Defendant Schneider stated:

We acquired Lemon, a leading mobile wallet to expand our go-to-market efforts and accelerate our product pipeline. The acquisition of Lemon significantly expands LifeLock's ability to touch the lives of our addressable market. The Mobile Wallet represent a new channel with convenience solutions to store everything about your identity in a single LifeLock app.

211. As speakers hyped the new mobile Wallet app, CEO Davis further

stated that:

We have continually invested knowing that the credibility hit to our brand if we have a data compromise is meaningful and material. So we, our standard is in just the PCI level 1 certification that we're proud to have, which courses [sic] the data handling, data security certification that all your major financial institution, the highest level of certification you can have.

Certainly we're proud to have the monitor PCI level 1 but know that's not the bar that we said is [ sic] just to achieve PCI level 1. It is to make sure that we are constantly looking at were there points of vulnerability, points of attack, new and innovative threats . And we're constantly investing on that front to make sure that we are protecting that enterprise and consumer data . So that we can maintain our trusted relationship with the brand.


- 63 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28


I materially false when made, and/or omitted material information necessary to make


because: (a) Defendants were in violation of the Settlement Order; (b) Defendants’

I January 2014 meeting with the FTC due to the renewed complaint was not part of a

“regular” pattern of meeting with the regulators, but was specifically relevant to the

serious allegations raised by Burke and/or Peters; (c) Defendants did not “choose”

to share information about their contact with the FTC, but were required to do so

because had made repeated statements with respect to their compliance with the

Settlement Order and were obligated to be complete and truthful; (d) Regardless of

the disposition of the Burke complaint, Defendants did not “settle” terminated

employee Peters’ claims in a manner “favorable” to LifeLock; (e) Peters never

agreed that LifeLock had “not violat[ed] any laws for the term of the agreement

with the FTC; (f) LifeLock’s mobile Wallet app was not PCI-compliant; (g)

LifeLock’s operations were not PCI-compliant in general; and (h) Defendants had

failed to protect consumer data in direct contravention of the Settlement Order.

213. Less than a week later, on March 17, 2014, LifeLock filed a

I Regulation FD Disclosure stating, in pertinent part, that:

On March 13, 2014, LifeLock received, as expected, a request from the FTC for documents and information related to LifeLock’s compliance with the FTC Stipulated Final Judgment and Order for Permanent Injunction and Other Equitable Relief that LifeLock entered into in March 2010. LifeLock intends to cooperate with the FTC in these requests.


- 64 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

214. On March 20, 2014, the Peters Complaint was filed, levying shocking

allegations that the Company had repeatedly violated the Settlement Order. See ¶¶

81-90, supra.

215. LifeLock shares dropped from $20.10 to bottom out on March 19 at

$17.11 before the stock finally reversed course on April 1 – a more than 15% drop,

on unusually heavy trading volume.

216. On May 2, 2014, the Company filed its quarterly report for the period

ending March 31, 2014 with the SEC on Form 10-Q (the “Q1 2014 10-Q”), which

incorporated by reference the “financial statements and notes included in” the 2013

10-K and stated that:

We protect our members by constantly monitoring identity-related events, such as new account openings and credit-related applications. If we detect that a member’s personally identifiable information is being used, we offer notifications and alerts, including proactive, near real-time, actionable alerts , that provide our members peace of mind that we are monitoring use of their identity and allow our members to confirm valid or unauthorized identity use. (Bold added).


services, we offer 24x7x365 member service support. If a member’s identity has

been compromised, our member service team and remediation specialists will assist


218. Finally, the Q1 2014 10-Q stated that:

On December 11, 2013, we acquired mobile wallet innovator Lemon for approximately $42.4 million in cash and launched our new LifeLock Wallet mobile application. The LifeLock Wallet mobile application allows consumers to replicate and store a digital copy of


- 65 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

their personal wallet contents on their smart device for records backup, as well as transaction monitoring and mobile use of items such as credit, identification, ATM, insurance, and loyalty cards. The LifeLock Wallet mobile application also offers our members one-touch access to our identity theft protection services.












alerts on multiple occasions; (d) Defendants misrepresented “the means, methods,

procedures, effects, effectiveness, coverage, or scope of” Lifelock’s credit-

monitoring service, which provided inaccurate and/or misleading information to

customers; and (e) LifeLock’s mobile wallet app was not PCI-compliant.

221. On Friday, May 16, 2014, LifeLock filed a Form 8-K after the market

closed announcing that it would pull its vaunted Wallet mobile app, which


- 66 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Defendants had aggressively promoted at the Investor and Analyst Day just two

weeks prior:

We have determined that certain aspects of the Lemon Wallet (now called the LifeLock Wallet mobile application), which we acquired as part of our acquisition of Lemon, Inc., are not fully compliant with applicable payment card industry (PCI) security standards . As a result, we have temporarily suspended the Wallet mobile application, and are deleting the data (encrypted or otherwise) from our servers, until we can operate the Wallet mobile application in accordance with those standards. We have no indication that the data included in the Wallet mobile application servers was compromised. The Wallet mobile application storage processes are separate and independent from LifeLock’s core identity theft protection services business, including the enrollment and related credit card storage processes used in our standard LifeLock® service and our LifeLock UltimateTM service. As such, we do not expect the suspension of the Wallet mobile application to impact in any manner the core functionality or utility of the identity theft protection services we provide to our members.

Our consent order with the Federal Trade Commission (FTC) sets forth certain requirements for the security practices of LifeLock and all of its subsidiaries and for our representations to consumers about those practices. On May 15, 2014, on our own initiative, we informed the FTC Staff of these issues, and we expect to receive further requests for information from the FTC about these issues. It is possible that this PCI non-compliance of the Wallet mobile application could result in a determination by the FTC that we are not in full compliance with our FTC consent order.

222. LifeLock shares fell on this news, dropping from $12.98 to $10.70, or

more than 17%, on unusually heavy trading volume in the days following the

disclosure.

223. At the site 24/7 Wall St ., Jon C. Ogg noted on May 19 that:


- 67 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

LifeLock’s catalyst for a 15% drop was the news that the identity theft service is suspending its LifeLock Wallet mobile app. Apparently it failed to meet some security standards.

224. At the Q2 2014 Earnings Call held on July 30, 2014, Davis attempted

to spin the loss of the Wallet app in the Company’s favor:

We currently anticipate that we will have a wallet application PCI certified and back in the market before the end of this year. We hold ourselves to a high standard. A too high standard and I can assure that the product will be fully audited and secured before we launch it into the market place. We remain committed to this channel and continue to believe that it is an important part of our future growth plan.

225. It remains unclear how LifeLock’s actually obtaining the PCI

certification that the Company previously stated that it possessed throughout the

Class Period amounts to holding the Company to “too high a standard.”

226. Shares have recovered slightly, but, to date, and after being battered

by the litany of disclosures discussed above, LifeLock has not come close to

recapturing anything approaching its pre-Class Period, all-time closing high of

$22.62 of February 13, 2014.

PLAINTIFF’S CLASS ACTION ALLEGATIONS

227. Plaintiff brings this action as a class action pursuant to Federal Rule

of Civil Procedure 23(a) and (b)(3) on behalf of a Class, consisting of all those who

purchased or otherwise acquired LifeLock securities during the Class Period (the

“Class”); and were damaged upon the revelation of the alleged corrective

disclosures. Excluded from the Class are defendants herein, the officers and

directors of the Company, at all relevant times, members of their immediate


- 68 -


1 families and their legal representatives, heirs, successors or assigns and any entity in

2 which defendants have or had a controlling interest.

3 228. The members of the Class are so numerous that joinder of all

4

5 members is impracticable. Throughout the Class Period, LifeLock securities were

6 actively traded on the NYSE. While the exact number of Class members is

7 unknown to Plaintiff at this time and can be ascertained only through appropriate 8

discovery, Plaintiff believes that there are hundreds or thousands of members in the 9

10 proposed Class. Record owners and other members of the Class may be identified

11

from records maintained by LifeLock or its transfer agent and may be notified of 12

the pendency of this action by mail, using the form of notice similar to that 13

14 customarily used in securities class actions.

15

229. Plaintiff’s claims are typical of the claims of the members of the

16 Class as all members of the Class are similarly affected by defendants’ wrongful

17

18 conduct in violation of federal law that is complained of herein.

19

230. Plaintiff will fairly and adequately protect the interests of the

20 members of the Class and has retained counsel competent and experienced in class

21

22 and securities litigation. Plaintiff has no interests antagonistic to or in conflict with

23

those of the Class.

24 231. Common questions of law and fact exist as to all members of the

25

26 Class and predominate over any questions solely affecting individual members of

27 the Class. Among the questions of law and fact common to the Class are:

28


- 69 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

• whether the federal securities laws were violated by Defendants’ acts as alleged herein;

• whether statements made by the Individual Defendants to the investing public during the Class Period misrepresented and/or omitted material facts about the business, prospects, and operations of LifeLock, specifically in regard to LifeLock’s compliance (or lack thereof) with the Settlement Order;

• whether Defendants acted knowingly or recklessly (i.e., with scienter) in issuing false and misleading financial statements;

• whether the prices of LifeLock securities during the Class Period were artificially inflated because of the Defendants’ conduct complained of herein; and

• whether the members of the Class have sustained damages and, if so, what is the proper measure of damages.

232. A class action is superior to all other available methods for the fair

I and efficient adjudication of this controversy since joinder of all members is

I impracticable. Furthermore, as the damages suffered by individual Class members

may be relatively small, the expense and burden of individual litigation make it

impossible for members of the Class to individually redress the wrongs done to

them. There will be no difficulty in the management of this action as a class action.

APPLICABILITY OF PRESUMPTION OF RELIANCE: FRAUD-ON-THE-MARKET DOCTRINE

233. Plaintiff will rely, in part, upon the presumption of reliance

established by the fraud-on-the-market doctrine in that:

• Defendants made public misrepresentations or failed to disclose material facts during the Class Period;

• the omissions and misrepresentations were material; CONSOLIDATED AMENDED COMPLAINT FOR VIOLATION

OF THE FEDERAL SECURITIES LAWS

- 70 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

• the Company’s stock met the requirements for listing, and was listed and actively traded on the NYSE, a highly efficient and automated market;

• the Company’s shares were liquid and traded with moderate to heavy volume during the Class Period;

• as a regulated issuer, the Company filed with the SEC periodic reports during the Class Period;

• the Company regularly communicated with public investors via established market communication mechanisms, including regular disseminations of press releases on the national circuits of major newswire services and other wide-ranging public disclosures, such as communications with the financial press and other similar reporting services;

• the Company was followed by multiple securities analysts employed by major brokerage firms who wrote reports that were distributed to the sales force and certain customers of their respective brokerage firms during the Class Period; these reports was publicly available and entered the public marketplace;

• news about the Company was reflected in and incorporated into the Company’s stock price during the Class Period.

234. Under the fraud-on-the-market presumption, reliance is presumed

upon a showing that a plaintiff purchased shares on an open and developed market.

235. Based upon the foregoing, Plaintiff and the members of the Class are

entitled to a presumption of reliance upon the integrity of the market.

236. Alternatively, Plaintiff and the members of the Class are entitled to

the presumption of reliance established by the Supreme Court in Affiliated Ute

Citizens of the State of Utah v. United States , 406 U.S. 128, 92 S. Ct. 2430 (1972),


- 71 -


as Defendants omitted material information in their Class Period statements in 1

2

I violation of a duty to disclose such information, as detailed above.

3 COUNT I

4

Violation of § 10(b) of the Exchange Act, and Rule 10b-5

5

Promulgated Thereunder, Against LifeLock, and the Individual Defendants 6

7 237. Plaintiff repeats and realleges the allegations contained above as if fully

8 set forth herein.

9 238. Throughout the Class Period, defendants LifeLock and the Individual 10

Defendants, in pursuit of their scheme and continuous course of conduct to inflate the 11

12 market price of LifeLock common stock, had the ultimate authority for making, and

13

knowingly or recklessly made, materially false or misleading statements or failed to 14

disclose material facts necessary to make the statements made, in light of the 15

16 circumstances under which they were made, not misleading.

17

239. During the Class Period, defendants LifeLock and the Individual

18 Defendants, and each of them, carried out a plan, scheme, and course of conduct

19

20 using the instrumentalities of interstate commerce and the mails, which was intended

21

to and, throughout the Class Period did: (a) artificially inflate and maintain the

22 market price of LifeLock common stock; (b) deceive the investing public, including

23

24 plaintiff and other Class members, as alleged herein; (c) cause plaintiff and other

25 members of the Class to purchase LifeLock common stock at inflated prices; and (d)

26 cause them losses when the truth was revealed. In furtherance of this unlawful

27

28 scheme, plan and course of conduct, defendants LifeLock and the Individual


- 72 -


1 I Defendants, and each of them, took the actions set forth herein, in violation of §10(b)

2

I of the Exchange Act and Rule 10b-5, 17 C.F.R. § 240.10b-5. All defendants are sued

3 either as primary participants in the wrongful and illegal conduct charged herein or as

4

5 controlling persons as alleged below.

6 240. In addition to the duties of full disclosure imposed on defendants

7 LifeLock and the Individual Defendants as a result of their affirmative false and 8

misleading statements to the investing public, the Individual Defendants had a duty, 9

10 upon the sale of any LifeLock securities during the Class Period, to concurrently

11

disseminate truthful information with respect to LifeLock’s business, operations and 12

performance that would be material to investors, refrain from making any trades. 13

14 The Individual Defendants were motivated to disseminate materially false and/or

15 misleading statements and omissions, and refrain from making full and complete

16 disclosures of material information in order to maximize the return on sales of

17

18 LifLock common stock from their personal portfolios.

19

241. Defendants LifeLock and the Individual Defendants had actual

20 knowledge of the misrepresentations and omissions of material facts set forth herein

21

22 or acted with reckless disregard for the truth in that they failed to ascertain and

23

disclose such facts, even though such facts were either known or readily available to

24 them.

25

26 242. As a result of the dissemination of the materially false and misleading

27 I information and failure to disclose material facts as set forth above, the market price

28


- 73 -


1 of LifeLock common stock was artificially inflated during the Class Period. In

2

I ignorance of the fact that the market price of LifeLock common stock was artificially

3 inflated, and relying directly or indirectly on the false and misleading statements

4

5 made knowingly or with deliberate recklessness by defendants LifeLock and the

6

I Individual Defendants, or upon the integrity of the market in which the shares traded,

7 plaintiff and other members of the Class purchased LifeLock stock during the Class 8

Period at artificially high prices and, when the truth was revealed, were damaged 9

10 thereby.

11 243. Had plaintiff and the other members of the Class and the marketplace 12

known of the true facts, which were knowingly or recklessly concealed by defendants 13

14 LifeLock and the Individual Defendants, plaintiff and the other members of the Class

15 would not have purchased or otherwise acquired their LifeLock shares during the

16 Class Period, or if they had acquired such shares during the Class Period, they would

17

18 not have done so at the artificially inflated prices which they paid.

19

244. As a direct and proximate result of LifeLock’s and the Individual

20 Defendants’ wrongful conduct, Plaintiff and the other members of the Class suffered

21

22 damages in connection with their purchases of LifeLock shares during the Class

23

Period.

24 245. By virtue of the foregoing, defendants LifeLock and the Individual

25

26 Defendants have violated § 10(b) of the Exchange Act and Rule 10b-5 promulgated

27 thereunder. 17 C.F.R. § 240.10-5.

28


- 74 -


COUNT II 1

2

Violation of § 20(a) of the Exchange Act Against the Individual Defendants

3

4

246. Plaintiff repeats and realleges the allegations contained above as if fully

5 set forth herein.

6

7 247. During the Class Period, the Individual Defendants, as senior executive

8 officers and/or directors of LifeLock, were privy to confidential and proprietary

9

information concerning LifeLock, its operations, finances, financial condition and 10

11 present and future business prospects. The Individual Defendants also had access to

12 material adverse non-public information concerning LifeLock, as detailed in this

13 Complaint. Because of their positions within LifeLock, the Individual Defendants

14

15 had access to non-public information about the business, finances, products, markets

16 and present and future business prospects of LifeLock via internal corporate

17 documents, conversations and connections with other corporate officers and 18

employees, attendance at management and/or board of directors meetings and 19

20 committees thereof and via reports and other information provided to them in

21 connection therewith. Because of their possession of such information, the 22

Individual Defendants knew or recklessly disregarded that the adverse facts specified 23

24 herein had not been disclosed to, and were being concealed from, the investing

25 public.

26 248. The Individual Defendants are liable as direct participants in the

27

28 wrongs complained of herein. In addition, the Individual Defendants, by reason of


- 75 -


1 I their status as senior executive officers and/or directors, were “controlling persons”

2

I within the meaning of § 20(a) of the Exchange Act and had the power and influence

3 to cause LifeLock to engage in the unlawful conduct complained of herein. Because

4

5 of their positions of control, the Individual Defendants were able to and did, directly

6 or indirectly, control the conduct of the business of LifeLock.

7 249. The Individual Defendants, because of their positions with LifeLock, 8

controlled and/or possessed the authority to control the contents of LifeLock’s 9

10 reports, press releases and presentations to securities analysts and through them, to

11 the investing public. The Individual Defendants were provided with copies of 12

LifeLock’s reports and press releases alleged herein to be misleading, prior to or 13

14 shortly after their issuance and had the ability and opportunity to prevent their

15

issuance or cause them to be corrected. Thus, the Individual Defendants had the

16 opportunity to commit the fraudulent acts alleged herein.

17

18 250. The Individual Defendants, as senior executive officers and/or directors

19 and as controlling persons of a publicly traded company whose common stock was,

20 and is, governed by the federal securities laws and is registered with the NYSE, had a

21

22 duty to promptly disseminate accurate and truthful information with respect to

23

LifeLock’s financial condition, cash flow, performance, growth, operations,

24 financial statements, business, products, markets, management, earnings and present

25

26 and future business prospects, and to correct any previously issued statements that

27

had become materially misleading or untrue, so that the market price of LifeLock

28


- 76 -


1 shares would be based upon truthful and accurate information. The Individual

2

Defendants’ misrepresentations and omissions during the Class Period violated these

3 specific requirements and obligations.

4

5 251. The Individual Defendants acted as controlling persons of LifeLock

6 within the meaning of Section 20(a) of the Exchange Act as alleged herein. By

7 reason of their positions as officers and/or directors of LifeLock, and their ownership 8

of LifeLock shares, the Individual Defendants had the power and authority to cause 9

10 LifeLock to engage in the wrongful conduct complained of herein. By reason of such

11 conduct, the Individual Defendants are liable pursuant to Section 20(a) of the 12

Exchange Act. 13

14 PRAYER FOR RELIEF

15

WHEREFORE , Plaintiff demands judgment as follows:

16 A. Determining that the instant action may be maintained as a class

17

18 action under Rule 23 of the Federal Rules of Civil Procedure, and certifying

19

Plaintiff as the Class representative;

20 B. Awarding compensatory damages in favor of Plaintiff and the other

21

22 Class members against all defendants, jointly and severally, for all damages

23 sustained as a result of defendants’ wrongful acts and misconduct as alleged herein,

24 in an amount to be proven at trial;

25

26

27

28


- 77 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

C. Awarding Plaintiff and the other members of the Class prejudgment

and post-judgment interest, as well as their reasonable attorneys’ fees, expert fees

and other costs; and

D. Awarding such other and further relief as this Court may deem just

and proper.

DEMAND FOR TRIAL BY JURY

Plaintiff hereby demands a trial by jury.

Dated: August 15, 2014

Respectfully submitted,

MARTIN & BONNETT, PLLC

By: /s/ Susan Martin Susan Martin (AZ #014226) 1850 N. Central Ave. Suite 2010 Phoenix, Arizona 85004 Telephone: (602) 240-6900 [email protected]

POMERANTZ LLP Patrick V. Dahlstrom, pro hac vice Louis C. Ludwig, pro hac vice Ten South LaSalle Street, Suite 3505 Chicago, Illinois 60603 Telephone: (312) 377-1181 Facsimile: (312) 377-1184 [email protected] [email protected]

POMERANTZ LLP Jeremy A. Lieberman, pro hac vice 600 Third Avenue, 20th Floor New York, New York 10016


- 78 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Telephone: (212) 661-1100 Facsimile: (212) 661-8665 [email protected] [email protected]

Attorneys for Lead Plaintiff and the Class


- 79 -


1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

CERTIFICATE OF SERVICE

I hereby certify that on August 15, 2014, I electronically filed the attached document to the Clerk’s Office using the CM/ECF System for filing and transmittal of a Notice of Electronic Filing to the following CM/ECF registrants:

Cynthia A. Ricketts Katherine L. Pappas-Benveniste Sacks, Ricketts & Case LLP 2800 North Central Avenue, Suite 1230 Phoenix, AZ 85004

Boris Feldman Elizabeth Catherine Peterson Brian Danitz Wilson Sonsini Goodrich & Rosati, P.C. 650 Page Mill Road Palo Alto, CA 94304-1050

Attorneys for Defendants

/s/T. Mahabir


- 80 -

In re Lifelock Inc. Securities Litigation 14-CV-00416-Consolidated Amended Class Action

Documents

Transcript of In re Lifelock Inc. Securities Litigation 14-CV-00416-Consolidated Amended Class Action