Deloitte Data Breach Full Notice

This is a Court approved Legal Notice. This is not an advertisement.

Culbertson v. Deloitte Consulting LLP

UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF NEW YORK

PUA DATA SECURITY INCIDENT CLASS ACTION SETTLEMENT

TO: All individuals in Illinois, Colorado, and Ohio who were notified by State Agencies between approximately May 18, 2020 and May 21, 2020 that personal information they submitted to their respective states in connection with pandemic-related unemployment claims may have been inadvertently exposed as a result of a data security incident.

A Class Action Settlement has been proposed in litigation against Deloitte Consulting LLP (“Deloitte Consulting”) relating to a potential data exposure that Illinois Department of Employment Security, Colorado Department of Labor and Employment, and Ohio Department of Job and Family Services (collectively “State Agencies”) disclosed between approximately May 18, 2020 and May 21, 2020 (“PUA Data Security Incident”). You are receiving the notice because you may be a “Settlement Class Member” entitled to benefits from a class action settlement. The easiest way to submit a claim under the settlement is online at www.PUAsettlement.com

Under the terms of the Settlement, Deloitte Consulting has agreed to establish a nonreversionary fund of

$4,950,000.00 that will be used to pay for the following forms of relief:

• Reimbursement for Out-of-Pocket Losses: The Settlement Fund will be used to reimburse Settlement Class Members for certain expenses related to addressing the effects of the PUA Data Security Incident such as the purchase of identity protection or credit monitoring services, up to $120.00 per individual (“Out-of-Pocket Losses”).
• Compensation for Self-Certified and Documented Time: The Settlement Fund will be used to compensate Settlement Class Members for time spent dealing with issues related to the PUA Data Security Class Members can make a claim for up to four (4) hours of undocumented self-certified time (“Attested Time”) at $20.00 per hour and up to eight (8) additional hours at $20.00 per hour for “Documented Time”.
• Cash Payments: Should funds remain in the Settlement Fund after the amounts claimed, attorneys’ fees, costs, service awards, and administration costs, then each Settlement Class Member’s valid claim shall be proportionately increased on a pro rata basis (in other words, in equal amounts to each claimant) for an additional sum up to $200.00 per Settlement Class
• Remedial Measures and Security Enhancements: In addition to the Settlement Fund, Deloitte undertook certain remedial measures and security enhancements as described in the Settlement Agreement which is available at PUAsettlement.com. These specific measures included the following for the State Agencies’ PUA systems:
  • Reviewed the role-to-function mappings in the PUA applications to confirm users have only necessary authorizations;
  • Conducted data minimization reviews of the PUA applications to reduce the display of personal data and minimized the display of certain personal

The Court still must decide whether to approve the settlement. No payments will be made until after the Court grants final approval of the settlement and all appeals, if any, are resolved. Your legal rights are affected whether you respond or not. Read the notice carefully. 

YOUR LEGAL RIGHTS AND OPTIONS IN THIS SETTLEMENT

• File a claim for out-of-pocket losses and lost time
  • You must submit a claim in order to receive reimbursement for Out- of-Pocket Losses and/or loss of time. You may claim Out-of-Pocket Losses, Documented Time and Attested Time under the Settlement.
  • For more detailed information, see Questions 6, 8, and 10. DEADLINE DATE: 1/17/2022
• Exclude yourself
  • You can exclude yourself from the Settlement by informing the Settlement Administrator that you want to “opt-out” of the Settlement. If the Settlement becomes final, this is the only option that allows you to retain your rights to separately sue Deloitte Consulting for claims related to the PUA Data Security Incident. If you opt-out, you may not make a claim for benefits under the Settlement as described in the Settlement Agreement which is available at www.PUAsettlement.com
  • For more detailed information, see Question 15. DEADLINE DATE: 1/3/2022
• Object or comment on the settlement
  • You may object to the Settlement by writing to the Settlement Administrator and explaining why you don’t think the Settlement should be approved. If you object, you will remain a Settlement Class Member, and if the Settlement is approved, you will be eligible for the benefits of the Settlement and give up your right to sue on certain claims described in the Settlement Agreement which is available at www.PUAsettlement.com
  • For more detailed information, see Question 16. DEADLINE DATE: 1/3/2022
• Do nothing            
  • If you do nothing, you will not be eligible to receive reimbursement for Out-Of-Pocket Losses, Documented Time or Attested Time. If the Settlement becomes final, you will give up your rights to sue Deloitte separately relating to the Data Breach.
  • For more detailed information, see Question 12. No deadline.

What this Notice Contains

BASIC INFORMATION AND OVERVIEW…………………………………………………………………………….. 3

1. Why did I get a notice?……………………………………………………………………………………………….. 3
2. What is this lawsuit about?………………………………………………………………………………………….. 3
3. Why is this a class action?…………………………………………………………………………………………… 4
4. Why is there a settlement?…………………………………………………………………………………………… 4

WHO IS PART OF THE SETTLEMENT…………………………………………………………………………………. 4

5. How do I know if I am part of the Settlement?………………………………………………………………. 4

THE SETTLEMENT BENEFITS…………………………………………………………………………………………….. 4

6. What does the Settlement provide?………………………………………………………………………………. 4
7. Will Deloitte Consulting or my State Agency know if I submit a claim for settlement benefits?……………………………………………………………………………………………………………………. 5
8. How will the Settlement compensate me for identity theft and fraud I have already suffered

or expenses I have already paid to protect myself?………………………………………………………….. 5

9. Did Deloitte Consulting make any changes to the State Agencies’ data security program?…… 6

HOW TO GET SETTLEMENT BENEFITS……………………………………………………………………………… 6

10. How do I file a claim for Reimbursement of Out-of-Pocket Losses, Documented Time, and/or Attested Time…………………………………………………………………………………………………… 6
11. When and how will I receive the benefits I claim from the settlement?………………………………. 6

LEGAL RIGHTS RESOLVED THROUGH THE SETTLEMENT…………………………………………….. 6

12. What happens if I do nothing and what am I giving up to stay in the settlement class?………… 6

THE LAWYERS REPRESENTING YOU…………………………………………………………………………………. 7

13. Do I have a lawyer in this case?……………………………………………………………………………………. 7
14. How will these lawyers be paid?…………………………………………………………………………………… 7

EXCLUDING YOURSELF FROM THE SETTLEMENT………………………………………………………….. 7

15. How do I exclude myself from the Settlement?………………………………………………………………. 7

OBJECTING OR COMMENTING ON THE SETTLEMENT…………………………………………………… 8

16. How do I tell the Court that I don’t like the Settlement?………………………………………………….. 8

GETTING MORE INFORMATION…………………………………………………………………………………………. 9

17. Where can I get more information?……………………………………………………………………………….. 9

BASIC INFORMATION AND OVERVIEW

1.   Why did I get a Notice?

You received the notice because the Ohio Department of Job and Family Services, the Illinois Department of Employment Security, or the Colorado Department of Labor and Employment (collectively, the State Agencies”) sent you notice that your personal information may have been compromised during the PUA Data Security Incident. A Court authorized the notice because you have a right to know how the proposed settlement may affect your rights. The notice explains the nature of the litigation, the general terms of the proposed settlement and what it may mean to you. The notice also explains the ways you may participate in, object to, or exclude yourself from, the Settlement.

2.   What is this lawsuit about?

In response to the onset of the COVID-19 pandemic in Spring 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act. One feature of the CARES Act was the Pandemic Unemployment Assistance (“PUA”) program. The PUA program enhanced states’ ability to provide unemployment benefits to workers impacted by the negative economic effects of the pandemic. The CARES Act provided for administration of the PUA program by the states.  In turn, the Ohio Department of Job and Family Services, the Illinois Department of Employment Security, and the Colorado Department of Labor and Employment (collectively, the “State Agencies”) engaged Deloitte Consulting to assist them in creating websites through which individuals could apply for PUA benefits.

Between May 18, 2020 and May 21, 2020, State Agencies disclosed that some of the claimants on the State Agencies’ systems were mistakenly able to view certain personal information of other claimants. This information may have included claimants’ names, Social Security numbers, and addresses. Upon learning of

the issue, Deloitte Consulting promptly worked with the State Agencies and corrected the misconfiguration for all of the State Agencies that led to the PUA Data Security Incident.

The State Agencies notified approximately 237,000 individuals that their personal information may have been impacted.

Thereafter, five class action lawsuits were filed by individuals who allege that they were affected by the PUA Data Security Incident and were consolidated in the United States District Court for the Southern District of New York. The judge overseeing the case is the Honorable Lewis J. Liman. The Court consolidated the cases to proceed together under the caption Culbertson et al. v. Deloitte Consulting LLC, No. 1:20-cv-03962. The individuals who sued are called “Plaintiffs.” Deloitte Consulting is the “Defendant.” Plaintiffs contend that Deloitte Consulting did not adequately protect their personal information. Plaintiffs assert claims including: negligence; negligence per se; breach of contract; breach of implied contract; invasion of privacy; unjust enrichment; bailment; breach of implied covenant of good faith and fair dealing; breach of confidence; violations of the NY General Business Law; violations of the Colorado Consumer Protection Act; violations of Illinois Uniform Deceptive Trade Practices Act; injunctive relief; and declaratory relief. The consolidated complaint filed in the lawsuit, which describes the specific legal claims alleged by the Plaintiffs, is available at www.PUAsettlement.com.

Deloitte Consulting denies any wrongdoing, and no court or other entity has made any judgment or other determination of any wrongdoing.

3.   Why is this a class action?

In a class action, one or more people called “class representatives” sue on behalf of themselves and other people with similar claims. All of these people together are the “class” or “class members.” Because this is a class action settlement, persons who did not file their own lawsuit can obtain relief from harm that may have been caused by the PUA Data Security Incident, except for those individuals who timely exclude themselves from the Settlement Class.

4.   Why is there a settlement?

The Court has not decided in favor of Plaintiffs or Deloitte Consulting. Instead, both sides agreed to a settlement. Settlements avoid the costs and uncertainty of a trial and related appeals, while more quickly providing benefits to members of the Settlement Class. The class representatives appointed to represent the class and the attorneys for the Settlement Class (“Class Counsel,” see Question 13) believe that the Settlement is in the best interests of the Settlement Class Members.

WHO IS PART OF THE SETTLEMENT

5.   How do I know if I am part of the settlement?

You are a member of the Settlement Class if you received notice between approximately May 18, 2020 and May 21, 2020 from your respective State Agency that your personal information was or may have been inadvertently exposed in the PUA Data Security Incident. Excluded from the Settlement Class are: (1) the judges presiding over this Action, and members of their direct families; (2) the Defendant, its subsidiaries, parent companies, successors, predecessors, and any entity in which the Defendant or its parents have a controlling interest and their current or former officers, directors, and employees; and (3) Settlement Class Members who submit a valid Request for Exclusion prior to the Opt-Out Deadline (see Question 15).

If you are not sure whether you are included in the Settlement Class, call 1 (833) 352-1116.

THE SETTLEMENT BENEFITS 

6.   What does the Settlement provide?

Under the Settlement, Deloitte Consulting will pay $4,950,000.00 into a nonreversionary Settlement Fund that will be used to provide the following benefits:

• Cash reimbursement for Out-of-Pocket Losses fairly traceable to the PUA Data Security Incident (see Question 10);
• Cash reimbursement for Documented Time spent remedying issues related to the PUA Data Security Incident (see Question 10);
• Cash reimbursement for undocumented Attested Time spent remedying issues related to the PUA Data Security Incident (see Question 10);
• Additional Cash Payments from monies remaining in the Settlement Fund as set forth in paragraph 14(b) of Exhibit A to the Settlement Agreement;
• Attorneys’ fees and expenses as approved by the Court (see Question 14), service awards as approved by the Court (Question 14), and the costs of notifying the class and administering the

Depending on the number of valid claims, the costs of settlement administration, and the amount awarded by the Court for attorney’s fees and costs and service payments, payments for certain benefits may be reduced proportionally or withheld as set forth in paragraph 14(a) of Exhibit A to the Settlement Agreement.

7.   Will Deloitte Consulting or my State Agency know if I submit a claim for settlement benefits?

No. All claims will be handled by the Settlement Administrator. Neither Deloitte Consulting nor your respective State Agency will have access to the identities of Settlement Class Members who make claims for any of the benefits provided by this Settlement.

8.   How will the Settlement compensate me for identity theft and fraud I have already auffered or expenses I have already paid to protect myself?

Settlement Benefit: Payment for Unreimbursed Out-of-Pocket Losses: If you spent money to purchase credit monitoring or identity theft protection services between the date you received Notice of the PUA Data Security Incident and August 30, 2020, then you can submit a claim for reimbursement up to $120. YOU MUST BE ABLE TO DOCUMENT YOUR CLAIM.

The Settlement Administrator has the sole authority to determine the validity of claims for Out-Of-Pocket Losses. Only valid claims will be paid. The deadline to file a claim for Out-of-Pocket Losses is January 17, 2022 (this is the last day to file online and the postmark deadline for mailed claims).

Settlement Benefit: Reimbursement for Lost Time:

You can make a claim to recover up to 4 hours of undocumented Attested Time and up to 8 hours of Documented Time, paid out at $20 per hour.

• Attested Time: If you spent time dealing with fraud or identity theft or to protect yourself from future harm that is fairly traceable to the PUA Data Security Incident, then you may make a claim for All Settlement Class Members may submit a claim for reimbursement of undocumented Attested Time up to four (4) hours at $20.00 per hour for self-certified undocumented Attested Time. The deadline to file a claim for Attested Time is January 17, 2022.
• Documented Time: If you spent time dealing with fraud or identity theft or to protect yourself from future harm that is fairly traceable to the PUA Data Security Incident and can provide Reasonable Documentation of your claim, then you may make a claim for reimbursement for up to eight (8) additional hours at $20 per hour, up to a total of eight (8) hours ($160). Reasonable Documentation includes documents such as receipts, telephone records, or contemporaneous correspondence. The Settlement Administrator has the authority to determine the validity and sufficiency of documents submitted for claims for Documented Time. Only valid claims will be paid. The deadline to file a claim for Documented Time is January 17, 2022.

• Participating Settlement Class Members may submit claims for reimbursement of Attested Time, reimbursement of Documented Time, and Out-of-Pocket

9.   Did Deloitte Consulting make any changes to the State Agencies’ data security program?

Settlement Benefit: Remediation and Security Enhancements: Upon learning of the PUA Data Security Incident, Deloitte Consulting promptly undertook the following measures to enhance the security of the State Agencies’ PUA systems:

• Deloitte Consulting determined that a small number of claimants performed searches on a Correspondence Query page that was designed to be used only by PUA staff due to a role-to- function mapping Working with the State Agencies, Deloitte Consulting corrected the errant mapping within an hour. This step was completed on May 15, 2020 and removed the ability for a claimant to run searches on the Correspondence Query page.
• Deloitte Consulting also determined that a small number of claimants were incorrectly being presented with the option to navigate to the Correspondence Query page because the system lost context and defaulted to assuming that the user was a staff Working with the State Agencies, Deloitte Consulting remediated this by configuring the system to default to an error when it loses user type context about the user type and claimants can no longer navigate to the Correspondence Query page. This step was completed on May 18, 2020.
• In addition to these remediation measures, Deloitte Consulting, working with the State Agencies, also took the following security measures to protect the states’ PUA systems:
  • Reviewed the role-to-function mappings in the PUA applications to confirm users have only necessary
  • Conducted data minimization reviews of the PUA applications to reduce the display of personal data and minimized the display of certain personal

HOW TO GET SETTLEMENT BENEFITS 

10.   How do I file a claim for Out-Of-Pocket Losses, Documented Time, and/or Arrested Time?

To submit a claim for Out-of-Pocket Losses, Documented Time, and/or undocumented Attested Time fairly traceable to the PUA Data Security Incident, you will need to file a claim form. There are two options for filing claims:

• File Online: You may fill out and submit the claim form online at PUAsettlement.com. This is the quickest way to file a claim.

• File by Mail: Alternatively, you may fill out the claim form attached to the notice and mail it to the address on the form with supporting documentation, if If you lost or did not otherwise receive a claim form, you can download a hard copy of the claim form (available at www.PUAsettlement.com), or ask the Settlement Administrator to mail a claim form to you by calling (833) 352-1116. Fill out your claim form and mail it (including postage) to:
  • Deloitte Consulting PUA Data Security Incident Litigation c/o Settlement Administrator, 1650 Arch Street, Suite 2210, Philadelphia, PA 19103.

The deadline to file a claim is January 17, 2022 (this is the last day to file online and/or the postmark deadline for mailed claims).

11.   When and how will I receive the benefits I claim from the Settlement?

Payments will be made after the Court enters the Final Approval Order and Judgment and the Settlement becomes final. This process may take several months or longer if there is an appeal; please be patient. Once there is a Final Approval Order and Judgment, it will be posted at www.PUAsettlement.com.

Checks for valid claims for Out-of-Pocket Losses, Documented Time, Attested Time, and Additional Cash Payments either will be mailed by the Settlement Administrator to the mailing address that you provide, or will be provided through PayPal or Venmo at your election.

LEGAL RIGHTS RESOLVED THROUGH THE SETTLEMENT

12.   What happens if I do nothing and what I am giving up to stay in the settlement case?

If you make a claim under the Settlement, or if you do nothing, you will be releasing all of your legal claims against Deloitte Consulting arising out of the issues this Settlement resolves. Unless you exclude yourself from the Settlement (see Question 15), all of the decisions by the Court will bind you. The specific claims you are giving up against Deloitte Consulting are described in Section VIII of the Settlement Agreement. The Settlement Agreement is available at www.PUAsettlement.com. You will be releasing Deloitte Consulting and all related people as described in Section VIII of the Settlement Agreement.

The Settlement Agreement describes the released claims with specific descriptions, so read it carefully. If you have any questions regarding the release, you may contact Class Counsel as provided for in Question 13.

THE LAWYERS REPRESENTING YOU

13.   Do I have a lawyer in the case?

Yes. The Court appointed attorneys to represent you and other Settlement Class Members as “Class Counsel.” Class Counsel can be reached at:

Jeffrey S. Goldenberg  GOLDENBERG SCHNEIDER, L.P.A.

4445 Lake Forest Drive, Suite 490

Cincinnati, OH 45242

Phone: (513) 345-8291

Fax:    (513) 345-8294

[email protected]

You will not be directly charged by these lawyers for their work on the case. Any fees approved by the Court to be paid to Class Counsel will be paid from the Settlement Fund. If you want to be represented by your own lawyer, you may hire one at your own expense. If you have questions about how to submit a claim or if you need to update your address information, please contact the Settlement Administrator (see Question 17).

14.   How will these lawyers be paid?

Class Counsel have undertaken this case on a contingency-fee basis and have not been paid any money in relation to their work on this case to date. Accordingly, Class Counsel will ask the Court for an award of

attorneys’ fees not to exceed one-third (33.33%) of the Settlement Fund, or $1,649,835.00, and reimbursement of expenses not to exceed $25,000.00. Plaintiffs will also seek approval of a Service Award for their work on the case, in an amount not to exceed $2,000 each. The Court will decide the amount of fees, costs and service awards to be paid. Class Counsel’s request for attorneys’ fees and costs, and Plaintiffs’ service awards (which must be approved by the Court) will be filed on November 29, 2021 and will be available to view on the settlement website at www.PUAsettlement.com

EXCLUDING YOURSELF FROM THE SETTLEMENT 

15.   How do I exclude myself from the Settlement?

If you are a member of the settlement class but do not want to remain in the class, you may exclude yourself from the class (also known as “opting out”). If you exclude yourself, you will lose any right to object to or participate in the Settlement, including any right to receive the benefits outlined in the Notice.

If you decide on this option, you may keep any rights you have, if any, against Deloitte Consulting and you may file your own suit against Deloitte Consulting based upon the same legal claims that are asserted in this lawsuit, but you will need to find your own attorney at your own cost to represent you in that lawsuit. If you are considering this option, you may want to consult an attorney to determine your options.

To exclude yourself from the Settlement, you must mail a request for exclusion, postmarked no later than January 3, 2022, to:

Deloitte Consulting PUA Data Security Incident Class Action Settlement Administrator Attn: Exclusion

Culbertson et al. v. Deloitte Consulting LLP c/o

Settlement Administrator

1650 Arch Street, Suite 2210, Philadelphia, PA 19103 

This statement must contain the following information:

• The name of this proceeding (Culbertson et v Deloitte Consulting LLC, No.1:20-cv-3962 or similar identifying words such as “Deloitte PUA Data Security Incident Lawsuit”);
• Your full name and address;
• The words “Request for Exclusion” or a comparable statement that you do not wish to participate in the settlement at the top of the communication; and
• Your

If you do not comply with these procedures and the deadline for exclusions, you will lose any opportunity to exclude yourself from the settlement class and will be bound by the settlement if it is approved by the Court.

OBJECTING OR COMMENTING ON THE SETTLEMENT 

16.   How do I tell the Court that I don’t like the Settlement?

If you are a Settlement Class Member, you can object to the Settlement if you don’t think it is fair, reasonable, or adequate, including Class Counsel’s motion for an award of attorneys’ fees, costs and expenses, and service awards to the Settlement Class Representatives. The Court cannot order a larger settlement or award you more based on your individual circumstances; the Court can only approve or deny the Settlement as it is presented.

To object, you must send a letter stating that you object to the Settlement. Your objection must include:

• The name of this proceeding (Culbertson et v Deloitte Consulting LLC, No.1:20-cv-3962 or similar identifying words such as “Deloitte PUA Data Security Incident Lawsuit ”);
• Your full name, address, and telephone number;
• State with specificity the grounds for the objection, as well as any documents supporting the objection;
• The name and address of any attorneys representing you with respect to the objection;
• A statement regarding whether you or your attorney intend to appear at the Final Approval Hearing; and
• You or your attorney’s

To be considered by the Court, your objection must be mailed, postmarked no later than January 3, 2022, to the following address:

Deloitte Consulting PUA Data Security Incident Class Action Settlement Administrator Attn: Objections

Culbertson et al. v. Deloitte Consulting LLC c/o

Settlement Administrator

1650 Arch Street, Suite 2210, Philadelphia, PA 19103 

You must not submit your objections directly to the Court. If you do not comply with these procedures and the deadline for objections, you may lose any opportunity to have your objection considered at the Final Approval Hearing or otherwise to contest the approval of the Settlement or to appeal from any orders or judgments entered by the Court in connection with the proposed settlement. You will still be eligible to receive settlement benefits if the Settlement becomes final even if you object to the Settlement.

The Court has scheduled a Final Approval Hearing to listen to and consider whether the Settlement is fair, adequate, and reasonable. If there are objections, the Court will consider them.

The hearing will take place on January 31, 2022 at 11 am Eastern before the Honorable Lewis J. Liman, at the United States District Court for the Southern District of New York, 500 Pearl St., New York, NY 10007- 1312. This hearing date and time may be moved or may be conducted telephonically or by video conference. Please refer to the settlement website (www.puasettlement.com) for notice of any changes.

GETTING MORE INFORMATION 

17.   Where can I get more information?

The notice summarizes the Settlement. More details are in the Settlement Agreement itself. You can get a copy of the Settlement Agreement and other case documents at www.puasettlement.com. If you have questions about this Notice or the Settlement, you may contact the Settlement Administrator by calling 1- 833-352-1116, emailing to [email protected] or by mail at Deloitte Consulting PUA Data Security Incident Litigation c/o Settlement Administrator, 1650 Arch Street, Suite 2210 Philadelphia, PA 19103. If you wish to communicate directly with Class Counsel, you may contact them (contact information noted above in Question 13). You may also seek advice and guidance from your own private attorney at your own expense, if you wish to do so.

The status of the settlement, any appeals, and the date of payments will be posted on the Settlement website. The Final Approval Hearing is currently scheduled for January 31, 2022 at 11 am Eastern and will be posted on the Settlement website. Please check the Settlement website to see if the Court makes any changes to the date or time of the Final Approval Hearing.

The Court cannot respond to any questions regarding this Notice, the lawsuit, or the proposed settlement.

Please do not contact the Court or its Clerk with questions about the Settlement.