LegalZoom (LZ) Risk Factors

Our success depends on continued innovation to provide features that make our platform useful for existing and prospective customers. We have invested and intend to continue to invest resources in technology and development in order to continue improving the simplicity and effectiveness of our platform. In addition, we have introduced and intend to continue to introduce significant changes to our platform and to our product offerings, including the offering of free or even lower cost products. We have also developed and introduced new and unproven services, including using technologies with which we have little or no prior development or operating experience, such as generative artificial intelligence, or AI. There is no assurance that our past or future investments in any of the foregoing changes, developments or new product introductions will provide us with the benefits we expect. In addition, because our platform is available over the internet or on mobile networks, we need to regularly modify and enhance our platform to keep pace with changes in internet-related hardware, software, communications and database technologies and standards. If we are unable to respond in a timely and cost-effective manner to these rapid technological developments and changes in standards, our platform may become less marketable, less competitive or obsolete, and our business, results of operations, financial condition and future prospects would be harmed. If new technologies emerge that are able to deliver competitive services at lower prices, more efficiently, more conveniently or more securely than LegalZoom, such technologies could adversely impact our ability to compete. Our platform must also integrate with a variety of network, hardware, mobile, and software platforms and technologies, and we need to frequently modify and enhance our services to adapt to changes and innovation in these technologies. Any failure of our platform to operate effectively with current or future infrastructure platforms and technologies could reduce the demand for our platform. If we are unable to respond to these changes in a cost-effective manner, our platform may become less marketable, less competitive or obsolete, and our business, results of operations, financial condition and future prospects may be adversely affected.

We rely and expect to continue to rely on confidentiality and license agreements with our employees, consultants and third-parties, and on trademark, copyright, trade secret and domain name protection laws, to protect our proprietary rights. Third-parties may knowingly or unknowingly infringe on or challenge our proprietary rights, and pending and future trademark or other intellectual property applications may not be approved. In addition, effective intellectual property protection may not be available in every country in which we operate or intend to operate our business. In these cases, we may expend significant time and expense to prevent infringement and enforce our rights. We cannot assure you that others will not offer services or concepts that are substantially similar to ours and compete with our business. If the protection of our proprietary rights is inadequate to prevent unauthorized use or appropriation, the value of our brand and other intangible assets may be diminished and competitors may be able to more effectively mimic our services, business practices or operations, which may have an adverse effect on our business, results of operations, financial condition and future prospects.

We collect, use, store, transmit and otherwise process data and information about our customers, employees and others, some of which may be sensitive, personal and/or confidential. Any actual or perceived breach of our security measures or those of our service providers could adversely affect our business, operations and future prospects. Circumvention of our security measures or those of our service providers may result in access, misappropriation, deletion, alteration, publication, modification or other compromise of our information, which could cause interruptions in our business and operations, fraud or loss to third-parties, regulatory enforcement actions, litigation, indemnity obligations and other possible liabilities, as well as negative publicity. Widespread negative publicity may also result from real, threatened or perceived security compromises affecting our industry, competitors and customers. Concerns regarding data privacy and security could cause some of our customers to stop using our services and fail to renew their subscriptions. This discontinuance in use and failure to renew could harm our business, results of operations, financial condition and future prospects. Our internal information systems, cloud-based computing services, and those of our current and any future service providers are vulnerable to a variety of evolving threats. Cyberattacks and other malicious internet-based activity, such as computer malware, hacking and phishing attempts, continue to increase. In addition to traditional computer "hackers," sophisticated nation-state and nation-state supported actors now engage in similar attacks (including advanced persistent threat intrusions). Other threats include malicious code (such as viruses, worms and ransomware), social engineering attacks (such as through deep fakes and phishing attacks, cyber extortion, personnel error or malfeasance (including theft and misuse), malware, denial-of-service attacks, supply-chain attacks, software bugs, information systems malfunctions and failures, data loss, and other similar threats are evolving. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, ability to provide our products and services, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. We have adopted a remote-first policy, which permits personnel to work remotely or virtually indefinitely unless the nature of the personnel's job requires their in-office presence. This policy, which results in a predominantly remote workforce, poses additional data security risks to our information technology systems and data, as more of our personnel work from home and utilize network connections outside our premises. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Any of the previously identified or similar threats could cause a security breach or other interruption. A security breach or other interruption could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive information. We may expend significant resources or modify our business activities to try to protect against security breaches. In addition, certain data privacy and security obligations have required and may in the future require us to implement and maintain specific security measures, industry-standard or reasonable security measures to protect our information technology systems and sensitive information, including contractually. We cannot guarantee that our security measures to protect customer information and prevent data loss and other security breaches will be sufficient to protect against unauthorized access to, or other compromise of, personal information, or confidential, proprietary or otherwise sensitive information. The techniques used to sabotage or to obtain unauthorized access to our platform, systems, networks and/or physical facilities in which data is stored or through which data is transmitted change frequently, and we have not always been able in the past and may be unable in the future to anticipate such techniques or implement adequate preventative measures or stop security breaches that may arise from such techniques. As a result, our safeguards and preventive measures may not be adequate to prevent past, current or future cyberattacks and security breaches, including security breaches that may remain undetected for extended periods of time, which can substantially increase the potential for a material adverse impact resulting from the breach. Further, we may experience delays in developing and deploying remedial measures designed to address any such identified vulnerabilities. Like many companies, we rely on service providers to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, providers of cloud-based infrastructure, employee email, customer service and other functions. We may share or receive sensitive information with or from third-parties. Our ability to monitor these third-parties' information security practices is limited, and these third-parties may not have adequate information security measures in place, which could lead to a breach in our information. If we, or third-parties upon which we rely, experience or are perceived to have experienced (in the past or future) a security breach, we may experience adverse consequences. While we may be entitled to damages if our service providers fail to satisfy their privacy or security-related obligations to us, any award or other recovery may be insufficient to cover our damages. We implement and maintain security measures designed to protect against security breaches and other compromise. However, there can be no assurance these measures will be effective. For example, we take steps designed to detect, mitigate and remediate vulnerabilities in our information systems (such as our hardware and software, including of third parties upon which we rely). We may not, however, detect and remediate all such vulnerabilities on a timely and effective basis. We may expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures designed to protect our information technology systems and information. Applicable data privacy and security obligations may require us to notify relevant stakeholders, which may include affected individuals, regulatory authorities, or customers of security breaches. We operate in an industry that is prone to cyberattacks. We have experienced security breaches (such as unauthorized access to customer information) for which we may have been or were legally required to notify individuals, customers, regulators, the media and others. Data breach notification disclosures are costly, time consuming, and could lead to adverse consequences. In addition, the costs to respond to a cybersecurity event or to mitigate any security vulnerabilities that may be identified could be significant, including costs for remediating the effects of such an event, paying a ransom, restoring data from backups and conducting data analysis to determine what data may have been affected by the breach. In addition, our efforts to contain or remediate a security breach or any vulnerability exploited to cause a breach may be unsuccessful, and efforts and any related failures to contain or remediate them could result in interruptions, delays, loss in customer trust, harm to our reputation and increases to our insurance coverage. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations, including under the recently expanded private right of action in the CCPA. We may not have adequate insurance coverage for security incidents or breaches, including fines, judgments, settlements, penalties, costs, attorney fees and other impacts that arise out of such breaches. We cannot assure you that our cyber liability insurance coverage will be adequate to cover liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), could have an adverse effect on our business. Our risks are likely to increase as we continue to expand, grow our customer base, and process, increasingly large amounts of sensitive information. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

We are susceptible to various legal claims, lawsuits, arbitration, regulatory action or other proceedings, including those related to the unauthorized practice of law, patent, trademark, trade secret and other intellectual property matters, taxes, labor and employment, competition and antitrust, privacy, data use, data protection, data security, network security, wiretapping, consumer protection and product liability, unfair business practices, breach of contract and other matters. We have been and may in the future become subject to various claims which, if resolved adversely, could have a material adverse effect on our financial position, results of operations, or cash flows. We anticipate that we will continue to be a target for such lawsuits in the future. The plaintiffs in these actions generally seek monetary damages, penalties, and/or injunctive relief. We cannot predict the outcome of such proceedings or the amount of time and expense that will be required to resolve such proceedings. If such claims are made against us, there can be no assurances that favorable final outcomes will be obtained; if such claims were to be determined adversely to our interests, or if we were forced to settle such matters for a significant amount, such resolutions or settlements may result in changes to or discontinuance of some of our services, potential liabilities or additional costs. Defending these claims is also costly and can impose a significant burden on management and employees, and we may receive unfavorable preliminary or interim rulings in the course of litigation. Any litigation to which we are currently or may in the future be a party may result in an onerous or unfavorable judgment that may not be reversed upon appeal, or we may decide to settle lawsuits on unfavorable terms. Any such negative outcome could result in payments of substantial monetary damages or fines, injunctive relief, adverse effects on the market price of our common stock or changes to our products or business practices, and accordingly, our brand and reputation, business, results of operations, financial condition or future prospects could be materially and adversely affected. We also may encounter future claims. For example, our United Kingdom, or U.K. subsidiary previously operated as an alternative business structure, or ABS, which allows corporate entities to become licensed providers of reserved legal activities in that jurisdiction. Similarly, our U.S. subsidiary, LZ Legal Services, LLC, was licensed in September 2021 as an Arizona ABS and became operational in July 2022. As a result, these subsidiaries may be susceptible to potential claims from clients, such as breach of contract, product liability, negligence or other claims. Any such claims could result in reputational damage or an adverse effect on our results of operations. The professional liability insurance held by these subsidiaries and limiting their respective liability in accordance with engagement letters with clients may not insure or protect against all potential claims or sufficiently indemnify us or either subsidiary for all liability that may be incurred. Any such liability, inclusive of the costs and expenses that may be incurred in defending any such claims, that exceeds the insurance coverage could have a material adverse effect on our business, results of operations, financial condition, or future prospects.

In the ordinary course of business, we collect and otherwise process information from and about our customers and others, which may include personal information and other data. As a result, aspects of our business are subject to laws, rules, regulations and other obligations (such as contracts and privacy notices) relating to privacy and the collection, use and security of personal information. In the United States, federal, state and local governments have enacted or introduced comprehensive data privacy laws and regulations, including the California Consumer Privacy Act of 2018, or CCPA. Other U.S. states, such as Virginia, Colorado, Connecticut, and Utah, have similarly enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. The exercise of these rights may impact our business and ability to provide our products and services. Outside the U.S., an increasing number of laws, regulations and industry standards govern data privacy and security. For example, we are also subject to the European Union's General Data Protection Regulation, or GDPR. In addition, we are subject to the terms of our privacy policies and obligations to third-parties related to privacy, data protection and information security. Any actual or perceived failure by us or third-parties working on our behalf to comply with applicable privacy and data security laws, rules and regulations, including the GDPR and the CCPA or related contractual or other obligations, or any perceived privacy rights violation, could lead to investigations, claims, and proceedings by governmental entities and private parties, damages for contract breaches, additional reporting obligations and other significant costs, penalties, and other liabilities, as well as harm to our reputation and market position. In addition, the global regulatory framework for privacy and data security issues is rapidly evolving and privacy and data security laws have been and may in the future be enacted by other U.S. states and countries in which we do business. As a result, interpretation of applicable privacy and data security laws, rules and regulations is ongoing, may not be fully determined at this time and may conflict across jurisdictions. In our efforts to meet the various data privacy obligations that apply to us, we have made and continue to make certain operational changes to our products and business practices. Preparing for and complying with these obligations requires significant time and resources and may necessitate further changes to our information technologies, systems, and practices and to those of our customers, and of any third-parties that process personal information on our behalf. In addition, these obligations may require us to change our business model. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information (such as personal information) is actually or reasonably believed to be compromised, and additional regulations regarding the use, access, accuracy, and security of such data are possible. In the U.S., state laws provide for disparate data breach notification regimes. If our practices are deemed to be a violation of applicable data privacy or security obligations, whether or not consistent with current or future regulations and industry practices, we may be subject to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. Our failure to comply with these obligations, or any future obligations of a similar nature, could result in substantial regulatory penalties, litigation expense, and loss of revenue. Further, certain jurisdictions have enacted data localization laws and cross-border personal data transfer laws, which may make it more difficult for us to transfer personal data across jurisdictions (such as transferring or receiving personal data that originates in the EU or in other foreign jurisdictions). Existing mechanisms that facilitate cross-border personal data transfers may change or be invalidated. For example, the GDPR generally prohibits the transfer of personal information to countries outside of the European Economic Area that the European Commission does not consider to provide an adequate level of privacy and data security, such as the U.S., absent appropriate safeguards. In addition, certain countries outside Europe have also passed or are considering laws requiring local data residency or otherwise impeding the transfer of personal data across borders, any of which could increase the cost and complexity of doing business. If we cannot implement a valid compliance mechanism for cross-border data transfers, we may face increased exposure to regulatory actions, substantial fines, and injunctions against processing personal data from Europe or other foreign jurisdictions. The inability to import personal data to the U.S. could significantly and negatively impact our business operations, limit our ability to collaborate with parties that are subject to cross-border data transfer or localization laws, or require us to increase our data processing capabilities and infrastructure in foreign jurisdictions at significant expense.

We operate in a very competitive industry. We face intense competition from law firms and solo attorneys, online legal document services, legal plans, secretaries of state, tax preparation companies and other service providers. The online legal solutions market is evolving rapidly and is becoming increasingly competitive. New market entrants that provide technologies that improve the delivery of legal solutions, such as generative AI and machine learning, could also increase the level of competition in the market. Other companies that focus on the online legal document services market or business formations, including law firms that may elect to pursue the online legal document services market, can and do directly compete with us. Law firms and solo attorneys, who provide in-person consultations and are able to provide direct legal advice that we generally cannot offer due to laws and regulations regarding the unauthorized practice of law, or UPL, compete with us offline and have developed and may continue to develop competing online legal services. We also compete in the registered agent services business with several companies that target small businesses, and these competitors have extensive experience in this market. In addition, if U.S. state or federal agencies increase their offerings to our target customers or if their offerings become more attractive to our target customers, including through free and easy-to-use business formation services or other document filing portals, it could have a significant adverse effect on our business, financial condition or results of operations. For example, certain U.S. states offer online portals where consumers may file their articles of organization for free, other than filing fees. We also compete in the tax advisory and preparation services business with several companies, many of which are larger and more experienced. To the extent we are unable to compete, our business, results of operations, financial condition or future prospects may be harmed. Any of our existing competitors, or other potential competitors that have not yet entered the market, may also develop innovative and cost-effective services, including automated corporate formation document processing, that target our existing and potential customers. Some of our competitors and potential competitors are larger and have greater name recognition, longer operating histories, more established customer relationships, larger budgets, and significantly greater resources than we do. As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, or customer requirements. We expect to face increasing competition from offline and online legal services providers in our market, including through their use of generative AI, and our failure to effectively compete with these providers could result in revenue reductions, reduced margins, or loss of market share, any of which could materially and adversely affect our business, results of operations, financial condition and future prospects.

For the past few years, a significant amount of our revenue has been derived from our subscriptions for small businesses and individuals. In 2023, approximately 62% of our revenue came from subscriptions. Subscriptions have primarily originated from transactional customers who opted to become subscribers. For us to maintain or improve our operating results, it is important that we convert transactional customers into subscribers, retain our existing subscribers and that our subscribers renew their subscriptions with us when the existing subscription term expires. However, subscriptions may be terminated at any time, and the rate at which we retain our subscribers may decline or fluctuate as a result of a number of factors, including subscribers' satisfaction or dissatisfaction with our platform, the effectiveness of our customer support services, the quality and perceived quality of the services provided by our tax professionals and the independent attorneys who participate in our legal plan network, our pricing and the pricing of competing products or services, the lifecycle of our customers' businesses and their evolving needs, and the effects of global economic conditions, regulatory changes and reductions in subscribers' discretionary income and spending levels. As a result, we cannot accurately predict subscription renewal rates or the number of our existing or new customers that will subscribe to our subscription services, including whether customers will continue to subscribe at the same rate as they have historically. If we are unable to continue to convert our transactional customers to subscribers, retain our existing subscribers or our existing subscribers do not expand the use of our platform, our business, results of operations, financial condition and future prospects would be adversely affected. If the growth of our subscription business falls below the expectations of the public market, securities analysts or investors, the price of our common stock could also be harmed.

We believe our brand has contributed to the success of our business and we have made substantial investments to build and strengthen our brand and reputation. Maintaining and enhancing the LegalZoom brand and our reputation is critical to growing and retaining our customer base. Regulatory proceedings, consumer claims, false and misleading advertising claims, litigation, customer complaints or negative publicity through word-of-mouth, social media outlets, blogs, the Better Business Bureau and other sources related to our business practices, as well as customer care, data privacy or security issues, irrespective of their validity, could diminish confidence in our services and adversely affect our brand and reputation and our ability to attract and retain customers. In addition, our services, as well as those of our competitors, are regularly reviewed and commented upon by online and social media sources. Negative reviews, or reviews in which our competitors' services are rated more highly than ours, irrespective of their accuracy, could negatively affect our brand and reputation. We have in the past received negative reviews wherein our customers expressed dissatisfaction with our services, including dissatisfaction with our customer support, our billing policies and the way our subscriptions operate, and we expect to receive similar reviews in the future. If we do not handle customer complaints effectively, our brand and reputation may suffer. We may lose our customers' confidence, they may choose not to renew their subscriptions or purchase additional services from us, and we may fail to attract new customers. In addition, maintaining and enhancing our brand and reputation may require us to incur significant expenses and make substantial investments, which may not be successful. If we fail to successfully promote and maintain our brand and reputation, or if we incur excessive expenses in doing so, our business, results of operations, financial condition and future prospects may be adversely affected. Furthermore, our brand and reputation are in part reliant on third-parties, including the independent attorneys and accountants who participate in our and our partners' networks. The failure or perceived failure of these attorneys and accountants to satisfy customer expectations could negatively impact our brand and reputation.

We rely on third parties to fulfill portions of the services we offer and to support our operations. For example, we rely on government agencies, including secretary of state offices, the U.S. Internal Revenue Service and the U.S. Patent and Trademark Office, to process business formation documents, tax filings and intellectual property applications. These agencies have in the past and may in the future be unable or refuse to process submissions in a timely manner, including as a result of any government shutdowns, slowdowns or staffing shortages. To the extent we are unable to process submissions or filings in a timely manner, our brand and reputation may be adversely affected, or our customers may seek other avenues for their business formation, tax or intellectual property needs. We also utilize third parties in connection with the fulfillment and distribution of our services, including the independent attorneys in our legal plan network, the accountants and tax professionals through our subscription plans, and a third party to support our registered agent subscription services. We also outsource certain operational functions. As a result, we rely on third parties to ensure that our and our customers' needs are sufficiently met. While we select third party providers carefully, we have limited control over their actions. If these third party providers encounter difficulties, or if we have difficulty communicating with them, our business operations could be adversely affected. This reliance on third party providers also subjects us to risks arising from the loss of control over processes, and potentially, termination of these services by the third parties. A failure of our third party providers to perform services in a satisfactory manner may have a significant adverse effect on our business. In addition, our platform interoperates with certain third party sites. As a result, our results may be affected by the performance of those parties and the interoperability of our platform with other sites. If certain third parties limit certain integration functionality, change their treatment of our services at any time, or experience quality issues, such as bugs and defects, our revenue, results of operations and future prospects may be adversely affected. We also utilize various types of data, technology, intellectual property and services licensed or otherwise obtained from unaffiliated third parties in order to provide certain elements of our solutions. For example, we rely on cloud computing infrastructure, particularly from Amazon Web Services, or AWS, to host our platform and support our operations. We exercise limited, if any, control over these third parties, including AWS, which increases our vulnerability to problems with the services they provide for us and to security incidents or breaches affecting the data and information they hold or process on our behalf. Any errors, defects, bugs or other vulnerabilities in any third party data or other technology could result in errors in our solutions that could harm our business, damage our reputation and result in losses in revenue, and we could be required to undertake substantial additional research and expend significant development resources to fix any problems that arise. In addition, licensed data, technology, intellectual property and services may not continue to be available on commercially reasonable terms, or at all. Any loss of the right to use any of these services on commercially reasonable terms, or at all, could result in delays in producing or delivering our solutions until equivalent data, technology, intellectual property or services are identified and integrated, which delays could harm our business. In this situation we would be required to either redesign our solutions to function with such equivalent data, technology, intellectual property or services available from other parties or to develop these components or services ourselves, which would result in increased costs and potential delays in service. Furthermore, we might be forced to limit the features available in our current or future solutions. If we fail to maintain or renegotiate any of these data, technology or intellectual property licenses or services, we could face significant delays and diversion of resources in attempting to develop similar or replacement technology, or to license and integrate a functional equivalent of the relevant data, technology, intellectual property or service. The occurrence of any of these events may have an adverse effect on our business, financial condition, results of operations and future prospects.