The Memos

LifeLock

We recommend that BVP invest $4.5m to lead the Series A round in LifeLock, an Arizona-based identity theft protection company. We have considered investments in this market for the last year as part of a consumer security roadmap. We believe that the company’s marketing-led strategy and early lead in consumer adoption will establish Lifelock as the industry leader.

We signed a term sheet with the company last week to invest $4.5m at a $17.85m pre-money valuation but we received 35% warrant coverage (pushing the EEV down to $13.8m), a fat option pool, and no cap on participation. In addition, the company expects to raise another $2m shortly after we close our deal at twice our effective price with junior preferences. This should both fund the advertising budget and comfort strategic partners inquiring about the balance sheet. And if the company doesn’t raise such a 2X junior round within 6 months, BVP will have the unilateral option to expand our investment by $1.5m (on our original terms).

When we introduced this company to BVP last month, we highlighted serious concerns with regulatory agencies and with the company’s founder, Robert Maynard. Since then, we have had positive signs regarding potential regulatory issues and we believe we understand Maynard well enough to recommend this investment.

Identity Theft

Surveys suggest that the annual cost of identity theft to consumers has remained steady for the last few years, but due to California laws requiring disclosure of data breaches, recent high-profile losses of personal information have focused attention on the issue. The Federal Trade Commission receives about 700,000 complaints a year regarding identity theft and credit fraud, but according to a Better Business Bureau study, there were 9 million victims of identity theft in the US last year (down from 10 million in 2003) costing $54 billion (steady from 2003). But in the last 16 months, there has been extensive reporting on the loss of 4 million Citibank customers’ information, the exposure of 40 million credit card accounts, and the theft of personal information for 26 million veterans from a computer a contractor left at home. (In fact, that recent theft of veterans’ information drove 30% of Life Lock’s new customers last month.)

In the current regulatory climate, consumers have three means of defense against credit application fraud.

  1. In some states, consumers can request a credit freeze that prevents a Credit Rating Agency (CRA) from sharing your information with creditors even if they have your name and social security number. But then in order to apply for credit, you’d need to manually unfreeze your account information with a CRA. This service is not available in all states, it is cumbersome to suspend when you do wish to share your credit profile, and the current draft of new federal credit legislation will restrict credit freezes to documented victims of identity theft.
  2. Thanks to the Fair and Accurate Credit Transaction Act of 2003 (FACTA), consumers can also demand credit fraud alerts by contacting a CRA in writing or over the phone, without charge. When a fraud alert is activated for a consumer, creditors are told that they must contact the consumer by telephone before extending credit, at the peril of being penalized with heavy federal fines. The fraud alert also entitles the consumer to a free credit report and, at the consumer’s option, bans pre-approved credit offers. But CRAs and creditors dislike fraud alerts. The CRAs convinced legislators that the fraud alerts need to be renewed every 90 days, and they have not made activation of fraud alerts across different CRAs a reliable process. Because it has not become a widespread practice, some creditors are unsure what a fraud alert actually means. In practice, about 80% of creditors confirm a consumer’s identity before extending credit.
  3. Credit monitoring and fraud resolution products are currently sold to mitigate damages from identity theft. But these fail to prevent fraud—they only help you deal with it after it has occurred.

Life Lock Approach

Life Lock’s product features manage fraud alerts for the consumer by handling interactions with the CRAs every 90 days. They also take the consumer off of most junk mailing lists. In addition, they provide telephone customer support if the consumer needs help explaining credit fraud alerts to confused creditors.

The CEO Todd Davis gives good interview, and he has been very effective at generating PR for the service. Provocatively, he is always quick to share his social security number on the air, drilling home the concept that our credentials are already public information. But with Life Lock, goes the pitch, thieves may know your SSN but they can’t do anything with the information.

Cleverly, Life Lock’s message to consumers doesn’t dwell on the mechanics of the fraud alert, but instead conveys confidence that Life Lock can protect consumers from identity theft. Specifically, if a client becomes a victim of identity theft, Life Lock guarantees it will spend up to $1 million to fix the problem. To back up its claim, Life Lock has bought $500,000 of insurance coverage from Lloyd’s of London.

Sales and Marketing*

Life Lock has spent the last year experimenting with many different forms of advertising. We believe that their emphasis on communicating a clear value proposition is an important part of their success.

To drive prospects to their website and call center, Life Lock initially focused on PR with local television, radio and print—Davis has completed over 150 media appearances. Life Lock has a PR person on staff to find new venues, which continues to drive most new traffic. As these appearances are basically free, this has been their most cost effective means of reaching customers.

The company has also experimented with radio advertising and plans a push before Christmas. They tried a number of smaller radio celebrities before finding some success with the conservative talk show host Sean Hannity. Life Lock would advertise with Hannity in three cities for a few months before moving on to another set of cities. While effective, these radio ads are not cheap and have average cost per order of $60. But Life Lock believes that these radio ads offer important brand promotion in addition to straightforward customer acquisition. In the next month, Life Lock plans to expand its radio advertising and move from Hannity to the more prominent Rush Limbaugh. The deal is expensive–$1.2m for 6 months worth of endorsements but Life Lock’s research into Limbaugh’s relative effectiveness over Hannity suggest it will be worthwhile.

More serendipitously, Life Lock bought editorial space on military.com after it was announced that potentially 26m veterans’ identities were exposed. That has yielded the same number of customers but at an average CPO of $10. Life Lock plans to continue testing a mix of broad media advertisements along with contributions to targeted communities. They will stop in October and then ramp up their advertising in January 2007.

Once the prospect calls or visits the web site, Life Lock has remarkable conversion ratios—12% on the web site, and 75% of people who call 1-877-LIFELOCK. While this is remarkable, TrustedID claimed a similarly high web conversion rate of 7%. It is too early to make too much of their other numbers, but churn is around 1%. Life Lock charges $10 per month for each adult in a subscribing household plus $10 per year for each minor, with a 10% discount for a one year prepayment. About 80% of customers choose the annual payment and they average 1.5 adults per order.

Since their launch in June 2005, they have had consistent double digit growth month to month. Even without their significant boost as a result of the veterans’ identity theft, they have double digit month-over-month growth. They expect that growth will slow in October as consumers focus on the Holidays but then plan to launch more marketing in the beginning of the new year.

Life Lock does not believe that selling direct to consumers will scale quickly enough. Instead, they want to leverage indirect channels through affiliate sales and partnerships with large institutions. Right now, 20% of their sales come from online and offline affiliates. They plan to raise that to 80% by expanding their number of affiliates. To date, about 10 affiliates have sold more than 50 customers. Recently, they signed up with Commission Junction to expand their affiliate base, and added another 400 affiliates. Life Lock lets affiliates price up to 10% less than direct rates. Affiliates get 30% of the first year’s revenue and then 10% of years two and three. They have had limited success in working with online affiliates and this exposed some weaknesses in their marketing team. We believe that Chini Krishnan, who will likely join the board, will be highly valuable here.

The company is also chasing larger affiliates. They have identified 8 types of large partnerships and have about 20 deals in their pipeline. These potential partnerships range from including a Life Lock flier in a Quicken Loans letter to automatically including Life Lock in the bill of a college student at Arizona State. They had a pilot deal with Home Depot to promote Life Lock and a deal with a paper shredder company. The Home Depot deal is on hold after Citibank, a more important Home Depot partner, objected to Life Lock promotion because they saw it as competitive to the fraud protection features of their credit card. They are also close to signing a promotional deal with Barclays Card. After AT&T exposed consumer data, we introduced Life Lock to their Chief Security Officer (thank you, Byron) and Life Lock is meeting with AT&T to discuss opportunities.

Even better, though, would be deals in which Life Lock was bundled with existing products with large consumer bases. They are currently working with Washington Mutual on a program to give Life Lock to up to half of its current 10 million credit card holders. This is attractive to WaMu because consumers view it as a value add and Wamu sees it as a legal way to keep competitors from offering consumers new, pre-approved credit cards. A deal like that would bring in 50X Life Lock’s projected subscriber growth for 2007, but at a price of only $12 per customer per year. As the company reaches scale, they expect this to be profitable. Currently, Life Lock is set to start a pilot of the program at $40 per customer. A member of Life Lock’s advisory board, Luke Helms, is a former executive at Bank of America and he plans to introduce Life Lock to Bank of America.

Technology/Operations

Life Lock has built a highly leveraged, scalable, fairly secure system that interfaces with credit rating agencies in a clever manner and with surprising capital efficiency. We initially thought it would be trivial to write interfaces with CRAs to manage fraud alerts but CRAs are uninterested in making the process easy. In 2005, CRAs made 20% of their profit from marketing consumer information to companies interested in extending credit. Fraud alerts prevent consumers from receiving pre-approved credit, thus reducing the number of consumers that CRAs can market and damaging a key revenue stream.

So Life Lock developed a scalable system to manage fraud alerts with CRAs. They built an IVR system to interface with a CRA’s IVR systems. That is, an automated telephone system talks to the CRAs’ automated telephone systems. Life Lock maps out each of the options that a CRA’s IVR system offers and uses the length of the CRA’s responses to determine status. Rather than using the internet and XML for machine to machine communications, Life Lock uses phone lines and touch tone. This allows them to use a CRA’s system without the CRA’s explicit consent. The interfaces are brittle and imperfect so they are constantly being tweaked, but LifeLock is usually able to achieve a 75% success rate with each CRA. Since they only need to successfully activate a credit fraud alert with one CRA (which must by law inform the others), Life Lock need manually intervene ~5% of the time. Life Lock believes that its approach is not patentable but considers it a trade secret.

Life Lock developed the IVR interface but they rely on an outside agency to run the process. In fact, their entire system is highly reliant on SaaS products. They use salesforce.com to manage partners and affiliates; RightNow to manage sensitive customer information; Prosodie to manage their IVR interface; a local service to handle secure mailings; and PayPal’s PayFlow to manage payment. This architecture should allow them to scale up quickly, although it also makes them much more dependent on outside vendors.

Life Lock is upgrading their system and processes to satisfy potential large partners. While individual components may be secure, they are still a startup and sensitive customer information is not quite as secure as it should be. Consumers can’t see the systems and feel comfort from the $1 million guarantee, but large partners are more sensitive to the PR implications of losing customer data. Barclays Card is planning to offer its customer Life Lock but Life Lock failed their first security audit. As a result, Life Lock is getting certified as compliant with ISO 27001—the relatively new Information Security Management System standards—and plans to move to a more secure location this October. Barclays has committed to proceed if Life Lock passes their next audit.

Currently, variable costs per adult are $12 per year (almost completely from support calls) but the company believes they can cut that in half as they reach scale.

Team*

Life Lock has 26 employees. 15 are work at home sales and customer service representatives, and the software development team currently works remotely. Due to concerns that came up during our initial diligence process, we retained an investigation company and an ex-FTC Commissioner to give us more information. Our diligence process also raised a potentially serious issue with the company.

CEO Todd Davis was an early Dell employee and has had sales and business development roles in a number of Arizona-based technology startups. Immediately before starting Life Lock, he ran a sports marketing company. We like Davis because he is an honest, clear communicator, a natural leader, and a good salesman. He is the public face of Life Lock and acts as head of sales. He travels around the country pitching the company to consumers through TV, radio and print while also pitching the company to potential partners and affiliates. As Davis will tell you himself, he expects that at some point the company will recruit a more experienced CEO.

COO and Founder Robert Maynard is a former US Marine and a serial entrepreneur with a mixed background. Based on Maynard’s disclosures about his own history and press accounts about his past, we were concerned enough to engage an investigation firm to run a background check on him.

In the early 1990’s Maynard founded National Credit Foundation, a credit repair company that grew to a $30 million potential revenue run-rate in its first few months. In the mid-90’s he was founder and CEO of Internet America, a Dallas-based ISP that went public in 1998. He then founded Dotsafe in 1998, a family friendly ISP, before its shutdown due to the burst of the dot com bubble in 2002.

Between the shutdown of Dotsafe in 2002 and the founding of LifeLock, Maynard was mostly incapacitated due to health problems but also started a precursor to LifeLock. He partnered with Paul Dvorscak, an Arizona entrepreneur, to found IDLock. Maynard and the IDLock team later left to start Life Lock.

References for Maynard emphasized his intelligence, energy, loyalty and occasional bad judgment. Press accounts describe Maynard bringing a gun to the office when laying off staff at NCF and friends talk about how he arrogantly blew off Mark Cuban and Sky Dayton when they approached him about merging with Internet America and his unwillingness to slow down his expansion plans for Dotsafe even in the face of a slowdown. These old friends also made vague inquiries into his health.

When we asked Maynard about this, he explained that he was unable to work steadily between 2001 and 2004 because he was bipolar and it took some time to diagnose and properly treat. He says that it is now under control with medical treatment, although he does have occasional bouts of depression. We share Maynard’s view that his mental health history should not in itself disqualify him from entrepreneurship. Maynard has found a way to be productive within the limitations of his health, and we wish all entrepreneurs shared his self-awareness and growth mindset.

Our background check mostly corroborated the timeline and incidents that Maynard described to us. He filed for bankruptcy in 1990 and 2004. He had a number of legal disputes with past employees and, famously, filed a criminal complaint against an “Internet stalker” who then sued him for libel. In addition, the Arizona Attorney General and the FTC sanctioned him at NCF in the early 90s for making it difficult for people to cancel their service. The FTC did not fine Maynard but did prohibit him from working in the “credit improvement” industry. We were obviously concerned that Maynard’s relationship with the FTC might affect LifeLock but the company should be fine as long it focuses on credit fraud prevention.

Maynard has continuously impressed us with his intellect and creativity. He clearly has the strengths and weaknesses of someone who is bipolar. He has asserted the same expectation that Davis did in terms of role flexibility, and has agreed not to serve on the board of directors.

VP Marketing Steve McGrady worked with Todd Davis in the past. He has experience in marketing and sales positions in technology and sports marketing companies.

CTO David Butler worked for Robert Maynard at Internet America and dotsafe. He is currently employed at Countrywide as an enterprise architect but he has been helping Life Lock 20 hours a week for the last few years out of loyalty to Maynard. He will soon join the company to work full time—although he will commute from Dallas as he is unable to move for personal reasons. The rather small development team is already distributed (one in Arizona and another in Indianapolis).

Although we also found Butler to be eccentric, he had the right mix of pragmatism and foresight to be a good technical architect. He is responsible for many of the clever, low-cost ways that they have built the system. He plans to add a middleware product to the system to ease the management of partner applications.

Competitors

There are many competitors that offer credit fraud protection. Credit monitoring solutions only help after an identity has been stolen and credit reports are not always updated in a timely fashion. Still, Intersections (NASDAQ: INTX) was able to go public based on this product. They sell monthly subscriptions for a credit monitoring service and had $165m in revenue last year. That was flat from the previous year and the company suffers from high churn so their market cap is $152m. We believe the churn is because they bundle their product in with new credit cards so consumers are often surprised to find it in their credit card bill.

Credit fraud resolution solutions are another alternative solution but suffer from a few business model problems. For example, Identity Theft 911 helps financial institutions resolve actual instances of identity theft. They are able to charge financial institutions recurring fees in order to help with resolving credit fraud after it happens. However, they are only able to charge a few dollars per year rather than $10 per month because the banks see it as a risk mitigation service, not a selling point to consumers.

There are a number of companies that offer credit fraud alerts. Most of them lack traction or good team. Last year, David and Justin looked at two companies that looked like they had potential. At the time, David even proposed that they should merge but one of the companies declined.

One of them was Trusted ID, a Redwood City startup. Compared to LifeLock, they have a more impressive team, a more elaborate technical architecture and a thoughtful approach to the market. They were initially focused on credit freezes, a more effective approach to fraud protection but one with many regulatory problems. Since then, Trusted ID received $5 million from DFJ and recently released a product called IDFreeze that drops the credit freeze feature and is almost identical to Life Lock (except with a $25,000 rather than a $1 million guarantee). In June, they had a website conversion ratio of 7% and about 2,000 customers paying $8 a month. We believe that Life Lock has benefited from releasing their product almost a year earlier and then spending their time refining their marketing position and PR.

The other startup, Debix, was even more impressive and had a better team. Last month, they launched iLock Credit, a very similar offering to LifeLock with a few key differences. They charge $10 a month for credit fraud alert service. They have built a telephone system (“the world’s first telephone-based Identity Protection Network”) that enables consumers to allow credit approvals with the press of a button rather than through a telephone conversation with a potential creditor. This is part of an elaborate technical infrastructure that Debix has built to work with consumers and credit rating agencies. Unfortunately, Debix’s entire marketing message revolves around this feature. We believe that consumers are not interested in specific details of how identity fraud protection might work. Instead, they are looking for a simple value proposition with a strong proof point.

It is possible that Debix’s strategy is actually to sell to financial institutions and their emphasis on their technical architecture is meant to market to potential partners rather than end consumers. It is also possible that Debix will extend the telephone network into other applications. However, we have not seen any evidence of that strategy succeeding yet.

Both Debix and Trusted ID are currently fundraising. Trusted ID is now raising an $8 million Series B based around a $20 million pre-money valuation. NEA is considering an investment in Debix. We believe that their emphasis on features and later entry put them at a disadvantage compared to Life Lock.

Risks

Market Risks

Initially, we believed that Life Lock’s credit fraud protection service would be too easy to duplicate and financial institutions would decide to build it themselves. Having seen the system, we now believe it is complicated enough that it is a reasonable suggestion to buy rather than build. In addition, the ability to keep other firms from offering your customers new credit applications is valuable and it is a service that financial institutions could not offer by themselves.

We are also less concerned about how Life Lock threatens a substantial portion of the CRAs’ revenue stream. As it is, Life Lock has been successful because they have found a clever way to interface with credit rating agencies without their direct consent. While clever, the automated phone interfaces are also quite brittle. If the credit rating agencies wanted to disrupt Life Lock, perhaps they can adjust their systems to make it difficult for Life Lock to use their phone APIs. But this issue is longer term and, if successful, Life Lock can leverage its consumer base and strike a deal with Transunion, the smallest of the major CRAs.

However, we remain concerned about pricing pressure. While the company believes that nobody else has discovered their low cost way of installing credit fraud protection through automated IVRs, Trusted ID charges 20% less and Debix hints that they have a similar interface. At scale, Life Lock expects annual costs per customer to drop below $7.

Regulatory Risks

Consumer credit is highly regulated and Life Lock faces three regulatory risks.

First, a state insurance agency may rule that the Company is illegally offering insurance. While Life Lock believes that their $1 million guarantee should be viewed as a warranty rather than insurance, three state insurance agencies have made inquiries. If they were judged to be insurance, then they would need to work with the 50 state insurance agencies and face potential fines. Life Lock would likely then eliminate the guarantee, losing one of their more successful marketing messages. When we first talked to Life Lock, Oklahoma, Florida and New York all made inquiries. Since then, Oklahoma has dropped its inquiry and Florida has concluded that the $1m guarantee is a warranty not insurance.

Second, Congress is currently rewriting consumer credit regulations. It seems that the credit rating agencies will be successful in making it more difficult for consumers to learn about identity theft or to apply for credit freezes. For such a small company, Life Lock has aggressively monitored the process and lobbied against changes that would hurt them. They believe that consumers will continue to be able to apply for fraud alerts under the same conditions. Davis has the latest draft of the bill and it does not include language unfavorable to Life Lock. However, when this regulation was first introduced in 2003, the credit rating agencies lobbied very hard to make it more difficult for consumers to ask for fraud alerts. It would be surprising if they were not trying to do this again. This remains an issue.

Third, the Federal Trade Commission pays close attention to claims revolving around consumer credit. In the past, as Maynard knows, the FTC has cracked down on companies that made what the FTC considered deceptive promises around consumer credit. When we asked an ex-FTC Commissioner, she initially thought that Life Lock’s promises might be overblown and attract undue attention. Upon closer reading, she found that, with a few modifications, Life Lock’s claims were legitimate and even compelling. We will ask Life Lock to make those changes but no longer consider this a major risk.

Team Risks*

Maynard has said many times that he does not imagine being COO long term and has explicitly tried to keep a low profile.

Now that we understand he is bipolar, we believe that it is a risk that we will be able to manage. David has had a number of candid discussions with Maynard about his condition and ways to make him most effective.

Legal Risks*

As mentioned in our diligence on Maynard, Paul Dvorscak has made vague references to “possible pending legal matters.” Dvorscak, who funded a similar startup that Maynard founded, has said that he will not say more but we will clearly want to understand this situation before we close the deal.

Security Risk*

The risk of data breach is very low, but the outcome would be disastrous for Life Lock. It’s hard to imagine anyone would expose personal credentials to an anti-fraud service that had to disclose its own compromise of consumer data.

The Deal

The warrant coverage on our investment means that we are effectively buying about a quarter of the company for $4.5m. Our security participates without a cap. In addition, we have an option to invest $1.5m on the same terms unless the company raises $1.5m within six months at a 2X step-up, with junior, non-participating preferences.

Although we have been impressed by the team’s scrappiness, they have been somewhat sloppy with their records (a lot has to be cleaned up prior to Closing). We have full anti-dilution protection if it turns out that the company has more liabilities, or outstanding shares, than it has represented to us.

Scenario Analysis*

Conclusion*

Life Lock is executing very well on a business plan we have been trying to fund in consumer security. The company has a strong, publicly traded business role model in Intersections. With scrappy IT systems and field tested marketing campaigns, Life Lock has leaped well ahead of the pack in this emerging market. We recommend an investment.