Culbertson v. Deloitte Consulting LLP

Case No. 1:20-cv-03962

UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF NEW YORK

Frequently Asked Questions

  BASIC INFORMATION AND OVERVIEW

  1. Why did I get a notice?

    You received the notice because the Ohio Department of Job and Family Services, the Illinois Department of Employment Security, or the Colorado Department of Labor and Employment (collectively, the “State Agencies”) sent you notice that your personal information may have been compromised during the PUA Data Security Incident. A Court authorized the notice because you have a right to know how the proposed settlement may affect your rights. The notice explains the nature of the litigation, the general terms of the proposed settlement and what it may mean to you. The notice also explains the ways you may participate in, object to, or exclude yourself from, the Settlement.

  2. What is this lawsuit about?

    In response to the onset of the COVID-19 pandemic in Spring 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act. One feature of the CARES Act was the Pandemic Unemployment Assistance (“PUA”) program. The PUA program enhanced states’ ability to provide unemployment benefits to workers impacted by the negative economic effects of the pandemic. The CARES Act provided for administration of the PUA program by the states. In turn, the Ohio Department of Job and Family Services, the Illinois Department of Employment Security, and the Colorado Department of Labor and Employment (collectively, the “State Agencies”) engaged Deloitte Consulting to assist them in creating websites through which individuals could apply for PUA benefits.

    Between May 18, 2020 and May 21, 2020, State Agencies disclosed that some of the claimants on the State Agencies’ systems were mistakenly able to view certain personal information of other claimants. This information may have included claimants’ names, Social Security numbers, and addresses. Upon learning of the issue, Deloitte Consulting promptly worked with the State Agencies and corrected the misconfiguration for all of the State Agencies that led to the PUA Data Security Incident.

    The State Agencies notified approximately 237,000 individuals that their personal information may have been impacted.

    Thereafter, five class action lawsuits were filed by individuals who allege that they were affected by the PUA Data Security Incident and were consolidated in the United States District Court for the Southern District of New York. The judge overseeing the case is the Honorable Lewis J. Liman. The Court consolidated the cases to proceed together under the caption Culbertson et al. v. Deloitte Consulting LLC, No. 1:20-cv-03962. The individuals who sued are called “Plaintiffs.” Deloitte Consulting is the “Defendant.” Plaintiffs contend that Deloitte Consulting did not adequately protect their personal information. Plaintiffs assert claims including: negligence; negligence per se; breach of contract; breach of implied contract; invasion of privacy; unjust enrichment; bailment; breach of implied covenant of good faith and fair dealing; breach of confidence; violations of the NY General Business Law; violations of the Colorado Consumer Protection Act; violations of Illinois Uniform Deceptive Trade Practices Act; injunctive relief; and declaratory relief. The consolidated complaint filed in the lawsuit, which describes the specific legal claims alleged by the Plaintiffs, is available on the Important Documents page.

    Deloitte Consulting denies any wrongdoing, and no court or other entity has made any judgment or other determination of any wrongdoing.

  3. Why is this a class action?

    In a class action, one or more people called “class representatives” sue on behalf of themselves and other people with similar claims. All of these people together are the “class” or “class members.” Because this is a class action settlement, persons who did not file their own lawsuit can obtain relief from harm that may have been caused by the PUA Data Security Incident, except for those individuals who timely exclude themselves from the Settlement Class.

  4. Why is there a settlement?

    The Court has not decided in favor of Plaintiffs or Deloitte Consulting. Instead, both sides agreed to a settlement. Settlements avoid the costs and uncertainty of a trial and related appeals, while more quickly providing benefits to members of the Settlement Class. The class representatives appointed to represent the class and the attorneys for the Settlement Class (“Class Counsel,” see Question 13) believe that the Settlement is in the best interests of the Settlement Class Members.

  WHO IS PART OF THE SETTLEMENT

  5. How do I know if I am part of the Settlement?

    You are a member of the Settlement Class if you received notice between approximately May 18, 2020 and May 21, 2020 from your respective State Agency that your personal information was or may have been inadvertently exposed in the PUA Data Security Incident. Excluded from the Settlement Class are: (1) the judges presiding over this Action, and members of their direct families; (2) the Defendant, its subsidiaries, parent companies, successors, predecessors, and any entity in which the Defendant or its parents have a controlling interest and their current or former officers, directors, and employees; and (3) Settlement Class Members who submit a valid Request for Exclusion prior to the Opt-Out Deadline (see Question 15).

    If you are not sure whether you are included in the Settlement Class, call 1 (833) 352-1116.

  THE SETTLEMENT BENEFITS

  6. What does the Settlement provide?

    Under the Settlement, Deloitte Consulting will pay $4,950,000.00 into a nonreversionary Settlement Fund that will be used to provide the following benefits:

    • Cash reimbursement for Out-of-Pocket Losses fairly traceable to the PUA Data Security Incident (see Question 10);
    • Cash reimbursement for Documented Time spent remedying issues related to the PUA Data Security Incident (see Question 10);
    • Cash reimbursement for undocumented Attested Time spent remedying issues related to the PUA Data Security Incident (see Question 10);
    • Additional Cash Payments from monies remaining in the Settlement Fund as set forth in paragraph 14(b) of Exhibit A to the Settlement Agreement;
    • Attorneys’ fees and expenses as approved by the Court (see Question 14), service awards as approved by the Court (Question 14), and the costs of notifying the class and administering the Settlement.

    Depending on the number of valid claims, the costs of settlement administration, and the amount awarded by the Court for attorney’s fees and costs and service payments, payments for certain benefits may be reduced proportionally or withheld as set forth in paragraph 14(a) of Exhibit A to the Settlement Agreement.

  7. Will Deloitte Consulting or my State Agency know if I submit a claim for settlement benefits?

    No. All claims will be handled by the Settlement Administrator. Neither Deloitte Consulting nor your respective State Agency will have access to the identities of Settlement Class Members who make claims for any of the benefits provided by this Settlement.

  8. How will the Settlement compensate me for identity theft and fraud I have already suffered or expenses I have already paid to protect myself?

    Settlement Benefit: Payment for Unreimbursed Out-of-Pocket Losses: If you spent money to purchase credit monitoring or identity theft protection services between the date you received Notice of the PUA Data Security Incident and August 30, 2020, then you can submit a claim for reimbursement up to $120. YOU MUST BE ABLE TO DOCUMENT YOUR CLAIM.

    The Settlement Administrator has the sole authority to determine the validity of claims for Out-Of-Pocket Losses. Only valid claims will be paid. The deadline to file a claim for Out-of-Pocket Losses is January 17, 2022 (this is the last day to file online and the postmark deadline for mailed claims).

    Settlement Benefit: Reimbursement for Lost Time:
    You can make a claim to recover up to 4 hours of undocumented Attested Time and up to 8 hours of Documented Time, paid out at $20 per hour.

    • Attested Time: If you spent time dealing with fraud or identity theft or to protect yourself from future harm that is fairly traceable to the PUA Data Security Incident, then you may make a claim for reimbursement. All Settlement Class Members may submit a claim for reimbursement of undocumented Attested Time up to four (4) hours at $20.00 per hour for self-certified undocumented Attested Time. The deadline to file a claim for Attested Time is January 17, 2022.
    • Documented Time: If you spent time dealing with fraud or identity theft or to protect yourself from future harm that is fairly traceable to the PUA Data Security Incident and can provide Reasonable Documentation of your claim, then you may make a claim for reimbursement for up to eight (8) additional hours at $20 per hour, up to a total of eight (8) hours ($160). Reasonable Documentation includes documents such as receipts, telephone records, or contemporaneous correspondence. The Settlement Administrator has the authority to determine the validity and sufficiency of documents submitted for claims for Documented Time. Only valid claims will be paid. The deadline to file a claim for Documented Time is January 17, 2022.
    • Participating Settlement Class Members may submit claims for reimbursement of Attested Time, reimbursement of Documented Time, and Out-of-Pocket Losses.

  9. Did Deloitte Consulting make any changes to the State Agencies’ data security program?

    Settlement Benefit: Remediation and Security Enhancements: Upon learning of the PUA Data Security Incident, Deloitte Consulting promptly undertook the following measures to enhance the security of the State Agencies’ PUA systems:

    1. Deloitte Consulting determined that, due to a role-to-function mapping error, a small number of claimants performed searches on a Correspondence Query page that was designed to be used only by PUA staff. Working with the State Agencies, Deloitte Consulting corrected the errant mapping within an hour. This step was completed on May 15, 2020 and removed the ability for a claimant to run searches on the Correspondence Query page.
    2. Deloitte Consulting also determined that a small number of claimants were incorrectly being presented with the option to navigate to the Correspondence Query page because the system lost context and defaulted to assuming that the user was a staff member. Working with the State Agencies, Deloitte Consulting remediated this by configuring the system to default to an error when it loses context about the user type, so that claimants can no longer navigate to the Correspondence Query page. This step was completed on May 18, 2020.
    3. In addition to these remediation measures, Deloitte Consulting, working with the State Agencies, also took the following security measures to protect the states’ PUA systems:
      1. Reviewed the role-to-function mappings in the PUA applications to confirm users have only necessary authorizations.
      2. Conducted data minimization reviews of the PUA applications to reduce the display of personal data and minimized the display of certain personal data.
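
    The remediation steps above, modelled as an added example (not Deloitte Consulting's or the State Agencies' code): a role-to-function mapping checked deny-by-default, a role lookup that raises an error when the user type is lost instead of assuming staff, and a review pass that flags staff-only functions granted to other roles. All role names, function names and the `Session` type are assumptions made for illustration; only the Correspondence Query page comes from the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical identifiers; the page names only the Correspondence Query page.
STAFF_ONLY: Set[str] = {"correspondence_query"}

# Corrected mapping: each role holds only the functions it needs.
ROLE_TO_FUNCTIONS: Dict[str, Set[str]] = {
    "claimant": {"file_claim", "view_own_correspondence"},
    "staff": {"view_claims", "correspondence_query"},
}

# Constructed model of the errant mapping in item 1: a staff-only
# function granted to the claimant role.
ERRANT_ROLE_TO_FUNCTIONS: Dict[str, Set[str]] = {
    "claimant": {"file_claim", "view_own_correspondence", "correspondence_query"},
    "staff": {"view_claims", "correspondence_query"},
}


class MissingUserContext(Exception):
    """Raised when the session no longer says what kind of user this is."""


@dataclass
class Session:
    user_id: str
    user_type: Optional[str]  # None models the lost context in item 2


def resolve_role_fail_open(session: Session) -> str:
    # "Before" behaviour from item 2: lost context is treated as staff.
    return session.user_type or "staff"


def resolve_role_fail_closed(session: Session) -> str:
    # "After" behaviour: a missing or unknown user type is an error.
    if session.user_type not in ROLE_TO_FUNCTIONS:
        raise MissingUserContext(f"no valid user type for session {session.user_id}")
    return session.user_type


def is_allowed(session: Session, function: str,
               resolve: Callable[[Session], str] = resolve_role_fail_closed,
               mapping: Optional[Dict[str, Set[str]]] = None) -> bool:
    # Deny by default: a function is allowed only if the mapping lists it.
    mapping = ROLE_TO_FUNCTIONS if mapping is None else mapping
    return function in mapping.get(resolve(session), set())


def audit_mapping(mapping: Dict[str, Set[str]], staff_only: Set[str] = STAFF_ONLY,
                  staff_role: str = "staff") -> List[Tuple[str, str]]:
    # Review from item 3: list (role, function) pairs where a non-staff
    # role holds a staff-only function.
    return sorted((role, fn) for role, fns in mapping.items()
                  if role != staff_role for fn in fns & staff_only)


if __name__ == "__main__":
    lost = Session("constructed-user-1", None)
    print(is_allowed(lost, "correspondence_query", resolve=resolve_role_fail_open))
    print(audit_mapping(ERRANT_ROLE_TO_FUNCTIONS))
```
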
  HOW TO GET SETTLEMENT BENEFITS

  10. How do I file a claim for Reimbursement of Out-of-Pocket Losses, Documented Time, and/or Attested Time?

    To submit a claim for Out-of-Pocket Losses, Documented Time, and/or undocumented Attested Time fairly traceable to the PUA Data Security Incident, you will need to file a claim form. There are two options for filing claims:

    1. File Online: You may fill out and submit the claim form online. This is the quickest way to file a claim.
    2. File by Mail: Alternatively, you may fill out the claim form attached to the notice and mail it to the address on the form with supporting documentation, if any. If you lost or did not otherwise receive a claim form, you can download a hard copy of the claim form (available at www.PUAsettlement.com), or ask the Settlement Administrator to mail a claim form to you by calling (833) 352-1116. Fill out your claim form and mail it (including postage) to: Deloitte Consulting PUA Data Security Incident Litigation c/o Settlement Administrator, 1650 Arch Street, Suite 2210, Philadelphia, PA 19103.

    The deadline to file a claim is January 17, 2022 (this is the last day to file online and/or the postmark deadline for mailed claims).

  11. When and how will I receive the benefits I claim from the settlement?

    Payments will be made after the Court enters the Final Approval Order and Judgment and the Settlement becomes final. This process may take several months or longer if there is an appeal; please be patient. Once there is a Final Approval Order and Judgment, it will be posted on the Important Documents page.

    Checks for valid claims for Out-of-Pocket Losses, Documented Time, Attested Time, and Additional Cash Payments either will be mailed by the Settlement Administrator to the mailing address that you provide, or will be provided through PayPal or Venmo at your election.

  LEGAL RIGHTS RESOLVED THROUGH THE SETTLEMENT

  12. What happens if I do nothing and what am I giving up to stay in the settlement class?

    If you make a claim under the Settlement, or if you do nothing, you will be releasing all of your legal claims against Deloitte Consulting arising out of the issues this Settlement resolves. Unless you exclude yourself from the Settlement (see Question 15), all of the decisions by the Court will bind you. The specific claims you are giving up against Deloitte Consulting are described in Section VIII of the Settlement Agreement. You will be releasing Deloitte Consulting and all related people as described in Section VIII of the Settlement Agreement.

    The Settlement Agreement describes the released claims with specific descriptions, so read it carefully. If you have any questions regarding the release, you may contact Class Counsel as provided for in Question 13.

  THE LAWYERS REPRESENTING YOU

  13. Do I have a lawyer in this case?

    Yes. The Court appointed attorneys to represent you and other Settlement Class Members as “Class Counsel.” Class Counsel can be reached at:

    Jeffrey S. Goldenberg
    GOLDENBERG SCHNEIDER, L.P.A.
    4445 Lake Forest Drive, Suite 490
    Cincinnati, OH 45242
    Phone: (513) 345-8291
    Fax: (513) 345-8294
    jgoldenberg@gs-legal.com

    You will not be directly charged by these lawyers for their work on the case. Any fees approved by the Court to be paid to Class Counsel will be paid from the Settlement Fund. If you want to be represented by your own lawyer, you may hire one at your own expense. If you have questions about how to submit a claim or if you need to update your address information, please contact the Settlement Administrator (see Question 17).

  14. How will these lawyers be paid?

    Class Counsel have undertaken this case on a contingency-fee basis and have not been paid any money in relation to their work on this case to date. Accordingly, Class Counsel will ask the Court for an award of attorneys’ fees not to exceed one-third (33.33%) of the Settlement Fund, or $1,649,835.00, and reimbursement of expenses not to exceed $25,000.00. Plaintiffs will also seek approval of a Service Award for their work on the case, in an amount not to exceed $2,000 each. The Court will decide the amount of fees, costs and service awards to be paid. Class Counsel’s request for attorneys’ fees and costs, and Plaintiffs’ service awards (which must be approved by the Court) will be filed on November 29, 2021 and will be available to view on the Important Documents page.

  EXCLUDING YOURSELF FROM THE SETTLEMENT

  15. How do I exclude myself from the Settlement?

    If you are a member of the settlement class but do not want to remain in the class, you may exclude yourself from the class (also known as “opting out”). If you exclude yourself, you will lose any right to object to or participate in the Settlement, including any right to receive the benefits outlined in the Notice.

    If you decide on this option, you may keep any rights you have, if any, against Deloitte Consulting and you may file your own suit against Deloitte Consulting based upon the same legal claims that are asserted in this lawsuit, but you will need to find your own attorney at your own cost to represent you in that lawsuit. If you are considering this option, you may want to consult an attorney to determine your options.

    To exclude yourself from the Settlement, you must mail a request for exclusion, postmarked no later than January 3, 2022, to:

    Deloitte Consulting PUA Data Security Incident Class Action Settlement Administrator
    Attn: Exclusion
    Culbertson et al. v. Deloitte Consulting LLP
    c/o
    Settlement Administrator
    1650 Arch Street, Suite 2210, Philadelphia, PA 19103

    This statement must contain the following information:

    1. The name of this proceeding (Culbertson et al. v Deloitte Consulting LLC, No.1:20-cv-3962 or similar identifying words such as “Deloitte PUA Data Security Incident Lawsuit”);
    2. Your full name and address;
    3. The words “Request for Exclusion” or a comparable statement that you do not wish to participate in the settlement at the top of the communication; and
    4. Your signature.

    If you do not comply with these procedures and the deadline for exclusions, you will lose any opportunity to exclude yourself from the settlement class and will be bound by the settlement if it is approved by the Court.

  OBJECTING OR COMMENTING ON THE SETTLEMENT

  16. How do I tell the Court that I don’t like the Settlement?

    If you are a Settlement Class Member, you can object to the Settlement if you don’t think it is fair, reasonable, or adequate, including Class Counsel’s motion for an award of attorneys’ fees, costs and expenses, and service awards to the Settlement Class Representatives. The Court cannot order a larger settlement or award you more based on your individual circumstances; the Court can only approve or deny the Settlement as it is presented.

    To object, you must send a letter stating that you object to the Settlement. Your objection must include:

    1. The name of this proceeding (Culbertson et al. v Deloitte Consulting LLC, No.1:20-cv-3962 or similar identifying words such as “Deloitte PUA Data Security Incident Lawsuit”);
    2. Your full name, address, and telephone number;
    3. State with specificity the grounds for the objection, as well as any documents supporting the objection;
    4. The name and address of any attorneys representing you with respect to the objection;
    5. A statement regarding whether you or your attorney intend to appear at the Final Approval Hearing; and
    6. You or your attorney’s signature.

    To be considered by the Court, your objection must be mailed, postmarked no later than January 3, 2022, to the following address:

    Deloitte Consulting PUA Data Security Incident Class Action Settlement Administrator
    Attn: Objections
    Culbertson et al. v. Deloitte Consulting LLC
    c/o
    Settlement Administrator
    1650 Arch Street, Suite 2210, Philadelphia, PA 19103

    You must not submit your objections directly to the Court. If you do not comply with these procedures and the deadline for objections, you may lose any opportunity to have your objection considered at the Final Approval Hearing or otherwise to contest the approval of the Settlement or to appeal from any orders or judgments entered by the Court in connection with the proposed settlement. You will still be eligible to receive settlement benefits if the Settlement becomes final even if you object to the Settlement.

    The Court has scheduled a Final Approval Hearing to listen to and consider whether the Settlement is fair, adequate, and reasonable. If there are objections, the Court will consider them.

    The hearing will take place on January 31, 2022 at 11 am Eastern before the Honorable Lewis J. Liman, at the United States District Court for the Southern District of New York, 500 Pearl St., New York, NY 10007-1312. This hearing date and time may be moved or may be conducted telephonically or by video conference. Please refer to this website for notice of any changes.

  GETTING MORE INFORMATION

  17. Where can I get more information?

    The notice summarizes the Settlement. More details are in the Settlement Agreement itself. You can get a copy of the Settlement Agreement and other case documents on the Important Documents page. If you have questions about this Notice or the Settlement, you may contact the Settlement Administrator by calling 1-833-352-1116, emailing to info@puasettlement.com or by mail at Deloitte Consulting PUA Data Security Incident Litigation c/o Settlement Administrator, 1650 Arch Street, Suite 2210 Philadelphia, PA 19103. If you wish to communicate directly with Class Counsel, you may contact them (contact information noted above in Question 13). You may also seek advice and guidance from your own private attorney at your own expense, if you wish to do so.

    The status of the settlement, any appeals, and the date of payments will be posted on the Settlement website. The Final Approval Hearing is currently scheduled for January 31, 2022 at 11 am Eastern and will be posted on the Settlement website. Please check the Settlement website to see if the Court makes any changes to the date or time of the Final Approval Hearing.

    The Court cannot respond to any questions regarding the Notice, the lawsuit, or the proposed settlement.
    Please do not contact the Court or its Clerk with questions about the Settlement.