Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 1 of 7 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION In re: Equifax Inc. Customer Data Security Breach Litigation MDL Docket No. 2800 No. 1:17-md-2800-TWT CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Plaintiffs move for entry of an order directing notice of the proposed class action settlement the parties to this action have reached and scheduling a hearing to approve final approval of the settlement. Plaintiffs are simultaneously filing a supporting memorandum of law and its accompanying exhibits, which include the Settlement Agreement. For the reasons set forth in that memorandum, Plaintiffs respectfully request grant the Court enter the proposed order that is attached as an exhibit to this motion. The proposed order has been approved by both Plaintiffs and Defendants. For ease of reference, the capitalized terms in this motion and the accompanying memorandum have the meaning set forth in the Settlement Agreement. Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 2 of 7 Respectfully submitted this 22nd day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 kcanfield@dsckd.com /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 akeller@dicellolevitt.com /s/ Norman E. Siegel Norman E. Siegel STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City, Missouri 64112 Tel. 816.714.7100 siegel@stuevesiegel.com Consumer Plaintiffs’ Co-Lead Counsel 2 Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 3 of 7 /s/ Roy E. Barnes Roy E. Barnes Ga. Bar No. 039000 BARNES LAW GROUP, LLC 31 Atlanta Street Marietta, Georgia 30060 Tel. 770.227.6375 roy@barneslawgroup.com David J. Worley Ga. Bar No. 776665 EVANGELISTA WORLEY LLC 8100A Roswell Road Suite 100 Atlanta, Georgia 30350 Tel. 404.205.8400 david@ewlawllc.com Consumer Plaintiffs’ Co-Liaison Counsel Andrew N. Friedman COHEN MILSTEIN SELLERS & TOLL PLLC 1100 New York Avenue, NW Suite 500 Washington, D.C. 20005 Tel. 202.408.4600 afriedman@cohenmilstein.com Eric H. Gibbs GIBBS LAW GROUP 505 14th Street Suite 1110 Oakland, California 94612 Tel. 510.350.9700 ehg@classlawgroup.com 3 Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 4 of 7 James Pizzirusso HAUSFELD LLP 1700 K Street NW Suite 650 Washington, D.C. 20006 Tel. 202.540.7200 jpizzirusso@hausfeld.com Ariana J. Tadler TADLER LAW LLP One Pennsylvania Plaza New York, New York 10119 Tel. 212.946.9453 atadler@tadlerlaw.com John A. Yanchunis MORGAN & MORGAN COMPLEX LITIGATION GROUP 201 N. Franklin Street, 7th Floor Tampa, Florida 33602 Tel. 813.223.5505 jyanchunis@forthepeople.com William H. Murphy III MURPHY, FALCON & MURPHY 1 South Street, 23rd Floor Baltimore, Maryland 21224 Tel. 410.539.6500 hassan.murphy@murphyfalcon.com 4 Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 5 of 7 Jason R. Doss Ga. Bar No. 227117 THE DOSS FIRM, LLC 36 Trammell Street, Suite 101 Marietta, Georgia 30064 Tel. 770.578.1314 jasondoss@dossfirm.com Consumer Plaintiffs’ Steering Committee Rodney K. Strong GRIFFIN & STRONG P.C. 235 Peachtree Street NE, Suite 400 Atlanta, Georgia 30303 Tel. 404.584.9777 rodney@gspclaw.com Consumer Plaintiffs’ State Court Coordinating Counsel 5 Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 6 of 7 CERTIFICATE OF COMPLIANCE I hereby certify that this motion and the accompanying memorandum of law have been prepared in compliance with Local Rules 5.1 and 7.1. /s/ Roy E. Barnes BARNES LAW GROUP, LLC 6 Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 7 of 7 CERTIFICATE OF SERVICE I hereby certify that a copy of the foregoing was filed with this Court via its CM/ECF service, which will send notification of such filing to all counsel of record this 22nd day of July, 2019. /s/ Roy E. Barnes BARNES LAW GROUP, LLC 31 Atlanta Street Marietta, Georgia 30060 Tel. 770.227.6375 roy@barneslawgroup.com 7 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 1 of 30 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION In re: Equifax Inc. Customer Data Security Breach Litigation MDL Docket No. 2800 No. 1:17-md-2800-TWT CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MEMORANDUM IN SUPPORT OF THEIR MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT After nearly two years of hard fought negotiations, the parties have reached an historic settlement to resolve consumer claims arising out of the 2017 Equifax data breach. The Settlement creates a non-reversionary fund of $380.5 million to pay benefits to the class, including cash compensation, credit monitoring, and help with identity restoration. If needed, Equifax will pay another $125 million for cash compensation and potentially much more if the number of class members who sign up for credit monitoring exceeds 7 million. Equifax also must spend a minimum of $1 billion to improve its data security. The total cost to Equifax thus is at least $1.38 billion and might be significantly more. The benefit to the class is even greater. The retail cost of buying the same credit monitoring services for the entire class alone would exceed $282 billion ($1,920 times 147 million class members). Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 2 of 30 The Settlement also has an innovative notice program, which takes advantage of tools used in modern commercial and political advertising to maximize engagement and participation, and an easy-to-use claims program. Both programs were designed with input from the Federal Trade Commission, the Consumer Financial Protection Bureau, and representatives of 50 Attorneys General, who have entered into their own settlements with Equifax and agreed that the fund in this case – as originally negotiated by Class Counsel and as supplemented by relief the regulators obtained – will be the vehicle for all consumer redress necessitated by the breach. The Settlement is fair, reasonable, and adequate and meets the requirements of Rule 23(e). Plaintiffs thus move for an order directing class notice and scheduling a final approval hearing. In support of the motion, Plaintiffs submit the Settlement Agreement (Ex. 1); a proposed order directing notice that has been approved by Equifax (Ex. 2); and declarations from Class Counsel (Ex. 3), the proposed Notice Provider (Signal Interactive Media LLC) (Ex. 4), the proposed Settlement Administrator (JND Legal Administration) (Ex. 5), Mary Frantz, a cybersecurity expert (Ex. 6), James Van Dyke, a credit monitoring expert (Ex. 7) and Layn Phillips, the retired federal judge who mediated the settlement. (Ex. 8) 2 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 3 of 30 FACTUAL BACKGROUND A. Overview of the Litigation On September 7, 2017, Equifax – one of the country’s three major credit reporting agencies – announced criminals had stolen from its computer networks personal information pertaining to about 147 million Americans. More than 300 class actions filed against Equifax were consolidated and transferred to this Court, which established separate tracks for the consumer and financial institution claims and appointed separate legal teams to lead each track. (Ex. 3, ¶¶ 9-10) In the consumer track, on May 14, 2018, Plaintiffs filed a 559-page consolidated amended complaint, which named 96 class representatives and asserted common law and statutory claims under both state and federal law. Equifax moved to dismiss the complaint in its entirety, arguing inter alia that Georgia law does not impose a legal duty to safeguard personal information, Plaintiffs’ alleged injuries were not legally cognizable, and no one could plausibly prove an injury caused by this data breach as opposed to another breach. The motion was exhaustively briefed during the summer and early fall of 2018 and, on December 14, 2018, was orally argued. On January 28, 2019, the Court largely denied the motion. Equifax answered on February 25, 2019. (Id., ¶¶ 11-14) While the motion was pending, the parties spent a great deal of time 3 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 4 of 30 preparing the way for formal discovery and, beginning shortly after the answer was filed, began producing extensive documents and electronic information. By the end of March, 2019, Plaintiffs had reviewed in excess of 500,000 documents and noticed depositions of Equifax and several key former employees. Aggressive discovery efforts continued up until the case settled. (Id., ¶¶ 16-17) B. Mediation and Settlement In late September, 2017, Equifax’s counsel contacted several lawyers who had filed cases in this Court to discuss the possibility of an early settlement. Those contacts led to the formation of a team made up of many of the nation’s most experienced data breach lawyers that later applied for and was appointed by the Court to lead the consumer track and serve as Interim Consumer Class Counsel pursuant to Fed. R. Civ. P. 23(g). (Id., ¶ 18) The parties retained Layn Phillips, a former federal judge, to serve as mediator. Judge Phillips is perhaps the country’s preeminent mediator in major civil litigation and has successfully mediated several data breach cases, including In re Anthem Customer Data Breach Security Litigation, the largest consumer data breach settlement until this one. (Id., ¶ 19) After receiving detailed mediation statements from each side setting out their views of the facts and law, Judge Phillips convened the first mediation on November 27 and 28, 2017 in California. 4 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 5 of 30 The session ended with the parties being far apart and little prospect of an early settlement, but with a framework for a future dialog. (Ex. 8, ¶¶ 9-10) Following the Court’s appointment order, the parties renewed discussions, both directly and with the assistance of Judge Phillips, in an attempt to resolve such issues as the benefits that would be provided to class members, the size of a settlement fund, and the extensive business practice changes needed to reduce the risk of another data breach. In this process, Class Counsel were advised by leading cybersecurity experts, consulted with consumer advocates, and benefitted from significant informal discovery Equifax provided, including face-to-face meetings with both side’s experts to discuss how the breach occurred and Equifax’s remedial efforts. (Ex. 3, ¶¶ 22-23) During the course of 2018, Class Counsel collectively spent more than a thousand hours preparing for and participating in settlement talks, struggling to reach agreement with Equifax on a comprehensive term sheet. (Id., ¶ 21) Mediation sessions on May 25, 2018, August 9, 2018, and November 16, 2018, resulted only in incremental movement. According to Judge Phillips: [W]hile productive in some respects, these additional sessions were, like the first session, difficult and adversarial, and the session on November 16, 2018 ended with a substantial chasm remaining between the parties’ respective settlement positions. (Ex. 8, ¶ 10) In late 2018, the parties informed Judge Phillips they were at impasse 5 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 6 of 30 and settlement talks ceased. (Id., ¶ 11) In February, 2019, after this Court’s ruling on Equifax’s motion to dismiss, the parties restarted negotiations. Judge Phillips convened what proved to be the final mediation session in California on March 30, 2019. After getting consensus on the non-monetary terms, the parties reached an impasse on the amount of the settlement fund. Late in the evening, Judge Phillips made a double-blind “mediator’s proposal,” which both sides accepted, and the parties executed a binding Term Sheet at about 11 p.m., subject to approval by Equifax’s board of directors, which was received the following day. (Id., ¶ 12; Ex. 3, ¶¶ 27-31) In the March 30 Term Sheet, the parties committed to cooperate in drafting a comprehensive agreement containing more detail and usual provisions; to present any disputes to Judge Phillips for final determination; and to submit the agreement to the Court for preliminary approval 90 days later. The parties also agreed to allow Equifax to share the Term Sheet with federal and state regulators and to consider in good faith – but without having to accept – any changes the regulators proposed. (Ex. 3, ¶ 32) This provision is consistent with guidance provided by the Federal Judicial Center regarding solicitation of the views of federal and state regulators regarding class action settlements. See Federal Judicial Center, Managing Class Action Litigation: A Pocket Guide for Judges (2010) at 26-27. 6 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 7 of 30 The regulators proposed several changes to the substantive terms of the Term Sheet. A few were relatively minor (making clear that consumers could recover for time in 15 minute intervals and increasing the dollar amount of one benefit) while others provided additional relief ($70.5 million for the fund that included money another year of 3-bureau monitoring and, if needed, $125 million more to pay excess out-of-pocket claims; 6 years of 1-bureau monitoring through Equifax; and expansion of the Extended Claims Period). Plaintiffs accepted all those proposals. However, Plaintiffs opposed other proposed changes Class Counsel believed would be the subject of criticism and, in certain instances, might lessen the class benefits in the Term Sheet they had negotiated. (Ex. 3, ¶ 33) The provisions Plaintiffs opposed triggered a new round of difficult negotiations with Equifax that lasted over two months and delayed submitting an agreement to the Court. Several weeks ago, after the issues were satisfactorily resolved, Plaintiffs focused on working with Equifax and the regulators to refine the notice and claims programs. After numerous conferences with Equifax and the regulators, and an “all hands” meeting in Washington D.C. on July 16, the parties were finally able to execute the Settlement Agreement. (Id., ¶ 34) C. The Terms of the Proposed Settlement The following are the material terms of the Settlement: 7 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 8 of 30 1. The Settlement Class The proposed Settlement Class is defined as follows: The approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax Inc. on September 7, 2017. Excluded are Equifax, its affiliated entities and individuals, the Court and its staff, their immediate families, and anyone who validly opts out. (Ex. 1 at 7) 2. The Settlement Fund Equifax initially will pay $380.5 million into the fund for class benefits, fees, expenses, service awards, and notice and administration costs; up to an additional $125 million if needed to satisfy excessive claims for Out-of-Pocket losses; and potentially $2 billion more if all 147 million class members were to sign up for credit monitoring (at a rate of about $16.4 million per million enrollees over 7 million). (Ex. 3, ¶ 37) No proceeds will revert to Equifax. (Ex. 1 at 15) The specific benefits available to class members include:  Compensation of up to 20 hours at $25 per hour for time spent taking preventative measures or dealing with identity theft. Ten hours can be self-certified, requiring no documentation.  Reimbursement of up to $20,000 for documented losses fairly traceable to the breach, such as the cost of freezing or unfreezing a credit file; buying credit monitoring services; out of pocket losses from identity theft or fraud, including professional fees and other remedial expenses; and 25 percent of any money paid to Equifax for 8 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 9 of 30 credit monitoring or identity theft protection subscription products in the year before the breach.  Four years of three-bureau credit monitoring and identity protection services through Experian ($1,200 value) and an additional six years of one-bureau credit monitoring through Equifax (valued at $720).  Alternative compensation of $125 for class members who already have credit monitoring or protection services in place.  Identity restoration services through Experian to help class members victimized by identity theft for seven years, including access to a U.S. based call center, assignment of a certified identity theft restoration specialist, and step by step assistance in dealing with credit bureaus, companies and government agencies. (Ex. 3, ¶ 38) Class members will have six months to claim benefits, but need not file a claim to access identity restoration services. If money remains in the fund, there will be a four-year Extended Claims Period during which class members may recover for Out-Of-Pocket losses and time spent rectifying identity theft that occurs after the end of the Initial Claims Period. Any money that is not claimed in the Extended Claims Period will first be used to purchase up to three years of additional identity restoration services (for a total of ten years) and then to extend the length of credit monitoring for those who signed up for it. (Id., ¶ 43) 3. Proposed Injunctive Relief Equifax has agreed to entry of a consent order requiring the company to spend a minimum of $1 billion for cybersecurity over five years and to comply 9 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 10 of 30 with comprehensive data security requirements Plaintiffs negotiated with the assistance of Mary Frantz, a renowned expert. Equifax’s compliance will be audited by independent experts and subject to this Court’s enforcement powers. (Ex. 3, ¶ 44) This relief is substantial and significant. According to Ms. Frantz: [I]mplementation of the proposed business practice changes should substantially reduce the likelihood that Equifax will suffer another data breach in the future. These changes address serious deficiencies in Equifax’s information security environment. Had they been in place on or before 2017 per industry standards, it is unlikely the Equifax data breach would ever have been successful. These measures provide a substantial benefit to the Class Members that far exceeds what has been achieved in any similar settlements. (Ex. 6, ¶ 66) Ms. Frantz describes the specifics in her declaration. (Id.) 4. Proposed Notice and Claims Program A key feature of the settlement is a first-of-its-kind Notice Program (Ex. 6 to the Settlement Agreement) that uses modern testing, targeting, and messaging techniques to more effectively engage the class and increase participation. The program, developed by Class Counsel and Signal with input from JND and regulators, consists of: (1) four emails sent to those whose class members’ email addresses can be found with reasonable effort, which is expected to exceed 75 percent of the class; (2) an aggressive digital and social media campaign designed to reach 90 percent of the class an average of eight times before the Notice Date and six more times by the end of the Initial Claims Period; (3) radio advertising 10 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 11 of 30 and a full-page ad in USA Today to reach those who have limited online presence; and (4) continued digital advertising for seven years during the Extended Claims Period and until identity restoration services are no longer available. (Ex. 3, ¶ 46) The proposed emails and ads (attached as exhibits to the Notice Plan) will be tested for effectiveness by using focus groups, conducting a national survey of 1,600 likely class members, and sampling their impact on small subsets of the class. And, the ads will be targeted based on testing results, demographics, and other data. (Ex. 4, ¶¶ 23-28) Once the full-scale digital campaign is launched, Signal will use available empirical data to continuously adjust the ads and where the ads are placed to maximize their impact and drive claims. (Id., ¶ 5) If the empirical data shows additional measures are needed, the notice program will be supplemented with the Court’s approval. (Id., ¶ 44) The claims process similarly draws upon the most up-to-date techniques to facilitate participation, incorporating input from regulators, including a link to a settlement website (which has been optimized for use on mobile devices as well as personal computers) in all emails and digital advertising; the ability to file claims and check on the status of those claims electronically; and a call-center with a chat feature to assist class members. (Id., ¶ 31, 35; Ex. 5, ¶¶ 29, 31) JND, the proposed Settlement Administrator, is a widely-regarded expert with the experience to 11 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 12 of 30 handle a case of this magnitude. (Id., ¶¶ 6-10; Ex. 3, ¶ 48) 5. Attorneys’ Fees and Expenses and Service Awards Class Counsel may request a fee of up to $77.5 million, which represents 25 percent of the original settlement fund as specified in the Term Sheet, without consideration of the additional relief obtained by regulators, and reimbursement of up to $3 million in litigation expenses. Services awards totaling no more than $250,000 also may be requested. Equifax does not oppose these requests. Class Counsel will move for fees, expenses and service awards at least 21 days before the Objection Date. (Id., ¶ 49) 6. Releases The class will release Equifax from claims that were or could have been asserted in this case and in turn Equifax will release the class from certain claims. The releases are detailed in the settlement agreement. (Ex. 1 at 20-22) ARGUMENT I. The Court Should Direct Notice to the Class Approval of a proposed settlement is a two-step process. First, the court decides whether the proposed settlement is “within the range of possible approval,” Fresco v. Auto Data Direct, Inc., 2007 WL 2330895, at *4 (S.D. Fla. May 11, 2007), to decide “whether to direct notice … to the class, invite the class’s 12 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 13 of 30 reaction, and schedule a final fairness hearing.” 4 Newberg on Class Actions § 13:10 (5th ed. 2015). Second, at the final approval hearing, the court decides if the settlement is fair, reasonable, and adequate. Id. A court has broad discretion over this process. See, e.g., In re Motorsports Merchandise Antitrust Litig., 112 F. Supp. 2d 1329, 1333 (N.D. Ga. 2000). In exercising this discretion, some courts in the Eleventh Circuit have authorized notice “where the proposed settlement is the result of the parties’ good faith negotiations, there are no obvious deficiencies and the settlement falls within the range of reason.” See In re Checking Account Overdraft Litig., 275 F.R.D. 654, 61 (S.D. Fla. 2011). Other courts have considered the so-called Bennett factors customarily used at the final approval stage.1 See, e.g., Columbus Drywall & Insulation, Inc. v. Masco Corp., 258 F.R.D. 545, 558-59 (N.D. Ga. 2007). The December, 2018 amendments to Rule 23 provide explicit new instructions, requiring notice be issued if the court is “more likely than not” to finally approve the settlement and certify a settlement class. Rule 23(e)(1)(B). The amendments specify that before finally approving a settlement, a court should 1 The Bennett factors include: (1) the likelihood of success at trial; (2) the range of possible recovery; (3) the range of possible recovery at which a settlement is fair, adequate, and reasonable; (4) the anticipated complexity, expense, and duration of litigation; (5) the opposition to the settlement; and (6) the stage of proceedings at which the settlement was achieved. 13 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 14 of 30 consider whether (1) the class was adequately represented; (2) the settlement was negotiated at arm’s length; (3) the relief is adequate, taking into account the costs, risks, and delay of trial and appeal, how the relief will be distributed, the terms governing attorneys’ fees; and any side agreements; and (4) whether class members are treated equitably relative to each other. Id. Since the 2018 amendments, the few courts in this Circuit that have addressed the issue consider both new Rule 23(e) and the Bennett factors. See Grant v. Ocwen Loan Servicing, LLC, 2019 WL 367648, at *5 (M.D. Fla. Jan. 30, 2019); Gumm v. Ford, 2019 WL 479506, at *4 (M.D. Ga. Jan. 17, 2019). In this brief, Plaintiffs will analyze the new Rule 23(e)(2) factors and rely on case law interpreting the Bennett factors, which are substantially similar. Regardless of what factors are used, notice of this settlement is appropriate. A. The Class Was Adequately Represented Adequacy of representation is an issue traditionally considered in connection with class certification and involves two questions: “(1) whether the class representatives have interests antagonistic to the interests of other class members; and (2) whether the proposed class’ counsel has the necessary qualifications and experience to lead the litigation.” Columbus Drywall & Insulation, Inc., 258 F.R.D. at 555. Here, the class representatives have the same interests as other class 14 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 15 of 30 members as they are asserting the same claims and share the same injuries. Further, the Court has already recognized Class Counsel’s experience and qualifications in appointing them to lead the consumer track, and the record shows Class Counsel worked diligently to bring this case to resolution. (Ex. 3, ¶ 61) B. The Proposed Settlement Was Negotiated at Arm’s Length The Court can safely conclude this settlement was negotiated at arm’s length, without collusion, based on the terms of the settlement itself; the length and difficulty of the negotiations; Judge Phillips’ oversight, his description of what happened and the fact that the final fund amount resulted from a mediator’s proposal; and the regulators’ review and involvement. See generally Ingram v. The Coca-Cola Co., 200 F.R.D. 685, 693 (N.D. Ga. 2001) (“The fact that the entire mediation was conducted under the auspices of . . . a highly experienced mediator, lends further support to the absence of collusion.”). C. The Relief Is Fair, Reasonable, and Adequate The Settlement is the largest and most comprehensive recovery in a data breach case by several orders of magnitude. (Ex. 3, ¶ 52) Not only does the size of the fund dwarf all previous data breach settlements, the specific benefits compare favorably to what has been previously obtained, including:  A sizeable, $20,000 cap on out of pocket losses. 15 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 16 of 30  Compensation for up to 20 hours of lost time at $25 per hour.  Four years of three-bureau credit monitoring that would cost each class member $1,200.  An additional six years of one-bureau monitoring that would cost each class member $720.  $125 in alternative compensation to those who already have monitoring.  Reimbursement of 25 percent of the price paid by class members who bought identity protection services from Equifax in the year before the breach (notwithstanding that their claims were dismissed by this Court).  Access to seven years of assisted identity restoration services. (Ex. 3, ¶¶ 38, 52) The Settlement also provides extraordinary injunctive relief, far beyond that obtained in any other similar case. (Id., ¶52, Ex. 6, ¶ 66) Class Counsel, a group with extraordinary experience in leading major data breach class actions, strongly believe that the relief is fair, reasonable, and adequate. (Ex. 3, ¶¶ 7-8, 60) The Court may rely upon such experienced counsel’s judgment. See, e.g., Nelson v. Mead Johnson & Johnson Co., 484 F. App’x 429, 434 (11th Cir. 2012) (“Absent fraud, collusion, or the like, the district court should be hesitant to substitute its own judgment for that of counsel.”) The Court should also consider Judge Phillips’ view after overseeing the negotiations: 16 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 17 of 30 Based on my experience as a litigator, a former U.S. District Judge and a mediator, I believe that this settlement represents a reasonable and fair outcome given the parties’ strongly held positions throughout the 16 months of negotiations. As such, I strongly support the approval of the settlement in all respects. (Ex. 8, ¶ 13). That the relief is fair, reasonable, and adequate is further confirmed by considering the four specific factors enumerated in new Rule 23(e)(2). (1) The Risks, Costs, and Delay of Continued Litigation The cost and delay of continued litigation are obviously substantial. This is one of the most complex and involved civil actions pending in the federal courts. But for the Settlement, the parties will incur tens of millions of dollars in legal fees and expenses in discovery and motions practice. Trial likely will not occur until at least 2021 and appeals would delay a final resolution for another year. The risks are also substantial. If the Settlement is not approved, Equifax will surely renew its arguments under Georgia law that there is no legal duty to safeguard personal information after the recent decision in Georgia Dep't of Labor v. McConnell, 828 S.E.2d 352, 358 (Ga. 2019), which held under different facts that no such duty exists, and that Plaintiffs have not alleged any compensable injuries. See Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13, 16 (2018), cert. granted (Apr. 29, 2019) (presenting the issue of whether a data breach victim may 17 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 18 of 30 recover damages without proof of actual identity theft). Even if Plaintiffs prevail on those legal issues, they face the risk that causation cannot be proved, discovery will not support their factual allegations, a jury might find for Equifax, and an appellate court might reverse a Plaintiffs’ judgment. (2) The Method of Distributing Relief is Effective The distribution process, developed with regulators’ help, will be efficient and effective. Class members can easily file claims, but a claim is not needed for identity restoration services. Documentation requirements are not onerous, and not even required for many benefits. Class members can file claims in the Extended Claims Period to recover for losses that have not yet occurred; and, there is a friendly appeal process if a claim is denied. (Ex. 3, ¶¶ 39-40) (3) The Terms Relating to Attorneys’ Fees are Reasonable Class Counsel will request 25 percent of the $310 million settlement fund they negotiated in the Term Sheet. This request is consistent with Camden I Condominium Ass’n, Inc. v. Dunkle, 946 F.2d 768 (11th Cir. 1991), which mandates use of the percentage method and noted 25 percent was then viewed as the “bench mark.” Following Camden I, fee awards in this Circuit average around one-third. See Wolff v. Cash 4 Titles, 2012 WL 5290155 at *5-6 (S.D. Fla. Sept. 26, 2012) (“The average percentage award in the Eleventh Circuit mirrors that of 18 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 19 of 30 awards nationwide—roughly one-third”); George v. Acad. Mortg. Corp. (UT), 2019 WL 1324023, at *17 (N.D. Ga. Mar. 20, 2019); Eisenberg, Attorneys’ Fees in Class Actions: 2009-2013, 92 N.Y.U. LAW REV. 937, 951 (2017) (empirical study showing the median award in 11th Circuit is 33 percent). The fee is also supported by the value of the significant injunctive relief Class Counsel negotiated, as well as the tremendous value conferred on the class. See, e.g., Camden I¸ 946 F.2d at 774. (4) Agreements Required to be Identified By Rule 23(e)(3) The parties are submitting to the Court in camera the specific terms of the provisions allowing termination of the settlement if more than a certain number of class members opt out and a cap on notice spending is exceeded. Also, vendors providing services are subject to contracts relating to their obligations under the settlement. These provisions do not affect the adequacy of the relief. D. Class Members are Treated Equitably Relative to Each Other The proposed class members treat all class members equally. Each class member is eligible to receive the same benefits as other class members and no class members are favored over others. (Ex. 3, ¶ 59) II. The Court Should Certify the Proposed Settlement Class To issue notice under Rule 23(e), the Court should decide the proposed settlement class likely will be certified. Such a decision should not be difficult. 19 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 20 of 30 Settlement classes are routinely certified in consumer data breach cases, as this Court did in approving settlement in Home Depot. See, e.g., In re Home Depot, Inc. Customer Data Sec. Breach Litig., 2016 WL 6902351 (N.D. Ga. Aug. 23, 2016); In re Anthem, Inc. Data Breach Litig., 327 F.R.D. 299 (N.D. Ga. 2018); In re Heartland Payment Systems, Inc. Customer Data Sec. Breach Litig., 851 F.Supp.2d 1040 (S.D. Tex. 2012). There is nothing different about this case, which is demonstrated by examining the requirements of Rule 23(a) and (b). A. The Rule 23(a) Requirements Are Satisfied Numerosity: The proposed class consists of more than 147 million U.S. Consumers, indisputably rendering individually joinder impracticable. Commonality: “Commonality requires the plaintiff to demonstrate that the class members have suffered the same injury, such that all their claims can productively be litigated at once.” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 349-350 (2011) (internal citations omitted). All class members suffered the same injury – exposure of their personal data in the Equifax breach – and are asserting the same legal claims. Accordingly, common questions of law and fact abound. See, e.g., Home Depot, 2016 WL 6902351, at *2; Anthem, 327 F.R.D. at 309. Typicality: This requirement is readily satisfied in data breach cases. The class representatives’ claims are typical of other class members because they arise 20 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 21 of 30 from the same data breach and involve the same legal theories. See, e.g., Id.; Home Depot, 2016 WL 6902351, at *2. Adequacy of Representation: Plaintiffs do not have any interests antagonistic to other class members and have retained lawyers who are abundantly qualified and experienced, satisfying the adequacy requirement. (Ex. 3, ¶ 59) B. The Requirements of Rule 23(b)(3) Are Satisfied Rule 23(b)(3) requires that “questions of law or fact common to class members predominate over any questions affecting only individual members,” and that class treatment is “superior to other available methods for fairly and efficiently adjudicating the controversy.” One part of the superiority analysis – manageability – is irrelevant for purposes of certifying a settlement class. Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 620 (1997). Predominance: The predominance requirement “tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation.” (Id. at 623) “Common issues of fact and law predominate if they have a direct impact on every class member’s effort to establish liability and on every class member’s entitlement to … relief.” Carriuolo v. GM Co., 823 F.3d 977, 985 (11th Cir. 2016). Here, as in other data breach cases, common questions predominate because all claims arise out of a common course of conduct by Equifax and the only 21 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 22 of 30 significant individual issues involve damages, which rarely present predominance problems. See, e.g., Home Depot, 2016 WL 6902351 at *2; Anthem, 327 F.R.D. at 311-16; Brown v. Electrolux Home Products, Inc., 817 F.3d 1225, 1239 (11th Cir. 2016) (individualized damage generally do not defeat predominance). Superiority: “The inquiry into whether the class action is the superior method for a particular case focuses on increased efficiency.” Agan v. Katzman & Korr, P.A., 222 F.R.D. 692, 700 (S.D. Fla. 2004). Litigating the same claims of 147 million American through individual litigation would obviously be inefficient. The superiority requirement thus is satisfied. See Anthem, 327 F.R.D. at 315-16; Home Depot, 2016 WL 6902351, at *3. III. The Notice Plan and Administrator Should be Approved The Settlement is historic, not only because of the relief provided, but because of its unprecedented notice program. Traditionally, notice often consisted of a single letter, which class members frequently discarded unopened as junk mail, and newspaper advertising, which many class members never saw. In recent years, the rules have been broadened to permit electronic and digital notice programs, but their results commonly fall short. The notice program here seeks to improve on these past results by trying something different. (Ex. 4, ¶ 11) The notice program is outlined above and explained in detail by Jim 22 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 23 of 30 Messina, Signal’s co-founder. (Id., ¶¶ 18-44) The underlying premise is that class members will be more aware of the settlement and their participation rates will increase if modern advertising techniques are properly used to select the most effective messaging and communication outlets. That using these techniques can do better than traditional notice efforts was shown in Pollard v. Remington Arms Company, 320 F.R.D. 198, 212 (W.D. Mo. 2017), a case in which Signal was retained to do supplemental notice after the court refused to approve a settlement because three months of direct mail, magazine publication, and social media advertising had resulted in a low claims rate. (Ex. 4, ¶ 16-18). The success of Signal’s supplemental notice program is illustrated by this chart: Citing Signal’s efforts, the court ultimately approved the settlement. (Id., ¶ 17) 23 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 24 of 30 Under Signal’s plan in this case, by the Notice Date – set 60 days before the objection and opt out deadlines to give class members ample time to consider their options – almost all class members will be exposed to what is expected to be massive coverage of the settlement in television, digital, and print media; more than 75 percent of the class will receive at least one email containing all the information required by Rule 23; at least 90 percent will be reached on average eight times by digital advertisements; and class members less likely to use email or the internet will be reached by radio and newspaper advertising. (Id., ¶¶ 28, 37, 39) All notices will be pre-tested and targeted, their effectiveness monitored on an ongoing basis, and the campaign adjusted to maximize reach and response. (Id., ¶ 26) Further, notice will continue for seven years to remind class members of the available benefits, alert them to deadlines, and encourage claims. (Id., ¶¶ 41-42) Rule 23 requires the Court direct to class members “the best notice that is practicable under the circumstances” and specifies certain information that must be included in plain, easily understood language. Rule 23(c)(1)(B). The Due Process Clause also requires that class members be apprised of the action and afforded an opportunity to present objections. Phillips Petroleum Co. v. Shutts, 472 U.S. 797, 812 (1985). That the Notice Plan satisfies both of these requirements is confirmed by Signal, (Ex. 4, ¶¶ 8-44), and JND, an experienced class action notice provider in 24 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 25 of 30 its own right (Ex. 5, ¶ 9, 13), and supported by regulators’ involvement. The Court thus should approve the plan. See, e.g., Rule 23(c)(1)(B) (authorizing notice by electronic or other appropriate means); Home Depot, 2016 WL 6902351, at *5 (notice reaching 75 percent of the class through email and internet advertising satisfied Rule 23 and due process); Morgan v. Public Storage, 301 F.Supp.3d 1237, 1261-66 (S.D. Fla. 2016) (notice primarily by email and newspaper advertising); In re Pool Products Distribution Market Antitrust Litig., 310 F.R.D. 300, 317-8 (E.D. La. 2015) (email, digital ads, and print publication); see generally Federal Judicial Center, “Judges’ Class Action Notice and Claims Process Checklist and Plain Language Guide” (2010) (recognizing the effectiveness of notice that reaches between 70 and 95 percent of the class); R. Klonoff, Class Actions in the Year 2026: A Prognosis, 65 Emory L. J. 1569, 1650 & n. 479 (2016) (“Courts have increasingly utilized social media … to notify class members of certification, settlement, or other developments”). CONCLUSION For the reasons set forth above, Plaintiffs request the Court enter the order proposed by the parties directing the class be notified of the proposed settlement in the manner set forth in the Notice Plan and schedule a final approval hearing. 25 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 26 of 30 Dated: July 22, 2019 Respectfully submitted, /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 kcanfield@dsckd.com /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 akeller@dicellolevitt.com /s/ Norman E. Siegel Norman E. Siegel STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City, Missouri 64112 Tel. 816.714.7100 siegel@stuevesiegel.com Consumer Plaintiffs’ Co-Lead Counsel 26 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 27 of 30 /s/ Roy E. Barnes Roy E. Barnes Ga. Bar No. 039000 BARNES LAW GROUP, LLC 31 Atlanta Street Marietta, Georgia 30060 Tel. 770.227.6375 roy@barneslawgroup.com David J. Worley Ga. Bar No. 776665 EVANGELISTA WORLEY LLC 8100A Roswell Road Suite 100 Atlanta, Georgia 30350 Tel. 404.205.8400 david@ewlawllc.com Consumer Plaintiffs’ Co-Liaison Counsel Andrew N. Friedman COHEN MILSTEIN SELLERS & TOLL PLLC 1100 New York Avenue, NW Suite 500 Washington, D.C. 20005 Tel. 202.408.4600 afriedman@cohenmilstein.com Eric H. Gibbs GIBBS LAW GROUP LLP 505 14th Street Suite 1110 Oakland, California 94612 Tel. 510.350.9700 ehg@classlawgroup.com 27 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 28 of 30 James Pizzirusso HAUSFELD LLP 1700 K Street NW Suite 650 Washington, D.C. 20006 Tel. 202.540.7200 jpizzirusso@hausfeld.com Ariana J. Tadler TADLER LAW LLC One Pennsylvania Plaza New York, New York 10119 Tel. 212.594.5300 atadler@tadlerlaw.com John A. Yanchunis MORGAN & MORGAN COMPLEX LITIGATION GROUP 201 N. Franklin Street, 7th Floor Tampa, Florida 33602 Tel. 813.223.5505 jyanchunis@forthepeople.com William H. Murphy III MURPHY, FALCON & MURPHY 1 South Street, 23rd Floor Baltimore, Maryland 21224 Tel. 410.539.6500 hassan.murphy@murphyfalcon.com Jason R. Doss Ga. Bar No. 227117 THE DOSS FIRM, LLC 36 Trammell Street, Suite 101 Marietta, Georgia 30064 Tel. 770.578.1314 jasondoss@dossfirm.com 28 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 29 of 30 Consumer Plaintiffs’ Steering Committee Rodney K. Strong GRIFFIN & STRONG P.C. 235 Peachtree Street NE, Suite 400 Atlanta, Georgia 30303 Tel. 404.584.9777 rodney@gspclaw.com Consumer Plaintiffs’ State Court Coordinating Counsel 29 Case 1:17-md-02800-TWT Document 739-1 Filed 07/22/19 Page 30 of 30 CERTIFICATE OF SERVICE I hereby certify that a copy of the foregoing was filed with this Court via its CM/ECF service, which will send notification of such filing to all counsel of record this 22nd of July, 2019. /s/ Roy E. Barnes 30 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 1 of 295 Exhibit 1 Settlement Agreement and Release In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 2 of 295 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION In re: Equifax Inc. Customer Data Security Breach Litigation MDL Docket No. 2800 No. 1:17-md-2800-TWT CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. SETTLEMENT AGREEMENT AND RELEASE Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 3 of 295 EXHIBITS EXHIBIT 1 - LIST OF ACTIONS EXHIBIT 2 - BUSINESS PRACTICES COMMITMENTS EXHIBIT 3 - CONSENT ORDER EXHIBIT 4 - CREDIT MONITORING AND RESTORATION SERVICES EXHIBIT 5 - ORDER DIRECTING NOTICE EXHIBIT 6 - NOTICE PLAN EXHIBIT 7 - NOTICES A. LONG FORM B. SHORT FORM EXHIBIT 8 - CLAIM FORM EXHIBIT 9 - CLAIMS ADMINISTRATION PROTOCOL EXHIBIT 10 - SETTLEMENT CLASS REPRESENTATIVES Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 4 of 295 SETTLEMENT AGREEMENT AND RELEASE This Settlement Agreement and Release (“Agreement”) is made as of July 22, 2019, by and between, as hereinafter defined, (a) Settlement Class Representatives on behalf of themselves and the Settlement Class, and (b) Defendants (collectively, the “Parties”). This Agreement fully and finally compromises and settles any and all consumer claims that are, were, or could have been asserted in the litigation styled In re: Equifax, Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.). 1 RECITALS 1.1 In a series of announcements beginning in September 2017, Equifax Inc. announced that it had been the victim of a criminal cyberattack on its computer systems in which the attacker/s gained unauthorized access to the personal information of approximately 147 million U.S. individuals. 1.2 After announcement of the Data Breach (as hereinafter defined), multiple putative class action lawsuits were filed by consumers against Equifax alleging it had failed to properly protect personal information in accordance with its duties, had inadequate data security, and improperly delayed notifying potentially impacted individuals. 1.3 On December 7, 2017, the Judicial Panel on Multidistrict Litigation transferred more than 200 putative class action lawsuits to the Honorable Thomas W. Thrash in the United States District Court for the Northern District of Georgia (the “Court”) for coordinated pretrial proceedings. 1.4 Additional lawsuits against Equifax were also transferred to, filed in, or otherwise assigned to the Court and included in coordinated pretrial proceedings as part of In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.). 1.5 On February 12, 2018, the Court appointed leadership for consumer plaintiffs and interim class counsel pursuant to Federal Rule of Civil Procedure 23(g). 1.6 Class Counsel filed a Consolidated Consumer Class Action Complaint (“Complaint”) in In re: Equifax Inc. Customer Data Security Breach 1 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 5 of 295 Litigation, Equifax moved to dismiss the Complaint, and the Court denied in part and granted in part the motion by Order dated January 28, 2019. 1.7 Beginning in September 2017, the Parties engaged in arm’s-length settlement negotiations overseen by former United States District Court Judge Layn R. Phillips. The Parties engaged in five in-person mediation sessions, on November 27 and 28, 2017, May 25, 2018, August 9, 2018, November 16, 2018, and March 30, 2019, under the direction of Judge Phillips. The last mediation session resulted in the Parties executing a binding term sheet, to be superseded by this Agreement. 1.8 Class Counsel has investigated the facts relating to the Data Breach with the assistance of consultants and experts in cybersecurity and identity theft, interviewed witnesses, reviewed Congressional testimony, analyzed the evidence adduced during pretrial and confirmatory discovery, including over a half-million pages of documents, spreadsheets, and other native files produced by Equifax, and researched the applicable law with respect to Plaintiffs’ claims against Equifax and the potential defenses thereto. 1.9 Defendants (as hereinafter defined) deny any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of any Defendant with respect to any claim of any fault or liability or wrongdoing or damage whatsoever, any infirmity in the defenses that Defendants have asserted or would assert, or to the requirements of Federal Rule of Civil Procedure 23 and whether Plaintiffs satisfy those requirements. 1.10 Based upon their investigation, pretrial discovery, confirmatory discovery, and legal motion practice, as set forth above, Class Counsel have concluded that the terms and conditions of this Agreement are fair, reasonable and adequate to Plaintiffs and Settlement Class Members and are in their best interests, and have agreed to settle the consumer claims asserted in In re: Equifax Inc. Customer Data Security Breach Litigation pursuant to the terms and provisions of this Agreement. 1.11 It is the intention of the Parties to resolve the disputes and claims which they have between them on the terms set forth below. 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 6 of 295 NOW, THEREFORE, in consideration of the promises, covenants, and agreements herein described and for other good and valuable consideration acknowledged by each of them to be satisfactory and adequate, and intending to be legally bound, the Parties do hereby mutually agree, as follows: 2 DEFINITIONS As used in this Agreement, the following terms shall have the meanings indicated: 2.1 “Action” or “Actions” means all the actions listed in Exhibit 1, which are consumer cases that have been filed in, transferred to, or otherwise assigned to the Court and included in coordinated or consolidated pretrial proceedings as part of In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.). 2.2 “Administrative Costs” means all reasonable costs and expenses of the Settlement Administrator incurred in carrying out its duties under this Agreement, including, without limitation, validating Settlement Class Members and determining eligibility for benefits under the Settlement, administering, calculating, and distributing the Consumer Restitution Fund and its benefits to Settlement Class Members, and paying Taxes. 2.3 “Affiliate” means, with respect to any Entity, any other Entity that directly or indirectly controls or is controlled by, or is under common control with, such Entity. For purposes of this definition, “control” when used with respect to any Entity means an ownership interest of at least twenty-five percent (25%) and/or the power to direct the management and policies of such Entity, directly or indirectly, whether through the ownership of voting securities, by contract, or otherwise. 2.4 “Agreement” means this Settlement Agreement and Release. The terms of the Agreement are set forth herein including the exhibits hereto. 2.5 “Alternative Reimbursement Compensation” means compensation to Settlement Class Members as set forth in Section 7.5. 2.6 “Business Days” means Monday, Tuesday, Wednesday, Thursday, and Friday, excluding holidays observed by the federal government. 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 7 of 295 2.7 “Business Practices Commitments” means the measures provided for in Exhibit 2. 2.8 “Claim Form” means the form Settlement Class Members submit (either in paper form or via the Settlement Website) to claim benefits under the Settlement, attached hereto as Exhibit 8. 2.9 “Claims Administration Protocol” means the protocol to be followed by the Settlement Administrator in processing claims made under this Agreement, attached hereto as Exhibit 9. 2.10 “Class Counsel” means Kenneth S. Canfield of Doffermyre Shields Canfield & Knowles, LLC, Amy E. Keller of DiCello Levitt Gutzler LLC, Norman E. Siegel of Stueve Siegel Hanson LLP, and Roy E. Barnes of Barnes Law Group, LLC. 2.11 “Consumer Restitution Fund” means three hundred eighty million, five hundred thousand United States Dollars ($380,500,000), any interest on or other income or gains earned while such amount is held in the Consumer Restitution Fund Account, and such additional amounts that Equifax may be required to contribute under the terms of this Agreement. 2.12 “Consumer Restitution Fund Account” means the account described in Sections 3.1 and 3.3 through 3.10. 2.13 “Court” means the United States District Court for the Northern District of Georgia. 2.14 “Credit Monitoring Services” means the services described in Section 7.1. 2.15 “Data Breach” means the data breach announced by Equifax Inc. on or about September 7, 2017. 2.16 “Defendants” means Equifax Inc., Equifax Information Services, LLC, and Equifax Consumer Services LLC. 2.17 “Effective Date” means the date upon which the Settlement contemplated by this Agreement shall become effective as set forth in Section 17.1. 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 8 of 295 2.18 “Entity” means any corporation, partnership, limited liability company, association, trust, or other organization of any type. 2.19 “Equifax” means Equifax Inc., Equifax Information Services, LLC, and Equifax Consumer Services LLC. 2.20 “Extended Claims Period” means the period beginning with the end of the Initial Claims Period through 4 years after the end of the Initial Claims Period. 2.21 “Fairness Hearing” means the hearing to be conducted by the Court to determine the fairness, adequacy, and reasonableness of the Agreement pursuant to Federal Rule of Civil Procedure 23 and whether to issue the Final Approval Order and Judgment. 2.22 “Final Approval Order and Judgment” means an order and judgment that the Court enters after the Fairness Hearing, which finally approves the Agreement, certifies the Settlement Class, dismisses Defendants with prejudice, and otherwise satisfies the settlement-related provisions of Federal Rule of Civil Procedure 23 in all respects. 2.23 “Initial Claims Period” means the 6 months after the date of the entry of the Order Permitting Issuance of Notice of Class Action Settlement. 2.24 “Notice” means notice of the proposed class action settlement to be provided to Settlement Class Members pursuant to the Notice Plan approved by the Court in connection with its Order Permitting Issuance of Notice of Class Action Settlement, substantially in the forms attached hereto as Exhibits 6.A through 6.F and 7. 2.25 “Notice Costs” means all reasonable costs and expenses of the Notice Provider, including, without limitation, all expenses or costs associated with the Notice Plan and providing Notice to the Settlement Class. 2.26 “Notice Date” means 60 days after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement. 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 9 of 295 2.27 “Notice Plan” means the settlement notice program developed by the Notice Provider substantially in the form attached hereto as Exhibit 6, as approved by the Court. 2.28 “Notice Provider” means Signal Interactive Media LLC. A different Notice Provider may be substituted if approved by the Court. 2.29 “Objection Deadline” means 60 days after the Notice Date. 2.30 “One-Bureau Credit Monitoring Services” means the services described in Section 7.4. 2.31 “Opt-Out Deadline” means 60 days after the Notice Date. 2.32 “Order Permitting Issuance of Notice of Class Action Settlement” means an order determining that the Court will likely be able to approve the Settlement under Federal Rule of Civil Procedure 23(e)(2) and will likely be able to certify the Settlement Class for purposes of judgment. Such order will include the forms and procedure for providing notice to the Settlement Class, establish a procedure for Settlement Class Members to object to or opt-out of the Settlement, and set a date for the Fairness Hearing, without material change to the Parties’ agreed-upon proposed order attached hereto as Exhibit 5. 2.33 “Out-of-Pocket Losses” means losses as defined in Section 6. 2.34 “Parent” means, with respect to any Entity, any other Entity that owns or controls, directly or indirectly, at least a majority of the securities or other interests that have by their terms ordinary voting power to elect a majority of the board of directors, or a majority of others performing similar function, of such Entity. 2.35 “Parties” means the Settlement Class Representatives, on behalf of themselves and the Settlement Class, and Defendants. 2.36 “Plaintiffs” means all plaintiffs named in the Consumer Consolidated Class Action Complaint filed in In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.). 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 10 of 295 2.37 “Preventative Measures” means Out-of-Pocket Losses associated with freezing or unfreezing credit reports and purchasing credit monitoring services as set forth in Sections 6.2.2 and 6.2.4. 2.38 “Released Claim” means any claims, liabilities, rights, demands, suits, obligations, damages, including but not limited to consequential damages, losses or costs, punitive damages, attorneys’ fees and costs, action or causes of action, penalties, remedies, of every kind or description— whether known or Unknown (as the term “Unknown Claims” is defined herein), suspected or unsuspected, asserted or unasserted, liquidated or unliquidated, legal, administrative, statutory, or equitable—that relate to or arise from the Data Breach or the facts alleged in the Actions. 2.39 “Restoration Services” means the services described in Section 7.2. 2.40 “Service Awards” means compensation awarded and paid to Settlement Class Representatives in recognition of their role in this litigation, subject to Court approval, as set forth in Section 10. 2.41 “Settlement” means the settlement of the Actions by and between the Parties, and the terms thereof as stated in this Agreement. 2.42 “Settlement Administrator” means JND Legal Administration. A different Settlement Administrator may be substituted if approved by the Court. 2.43 “Settlement Class” means the approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax Inc. on September 7, 2017. Excluded from the Settlement Class are: (i) Defendants, any entity in which Defendants have a controlling interest, and Defendants’ officers, directors, legal representatives, successors, subsidiaries, and assigns; (ii) any judge, justice, or judicial officer presiding over this matter and the members of their immediate families and judicial staff; and (iii) any individual who timely and validly opts out of the Settlement Class. 2.44 “Settlement Class Member” means a member of the Settlement Class. 2.45 “Settlement Class Representatives” are the Plaintiffs listed in Exhibit 10. 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 11 of 295 2.46 “Settlement Website” means a website established by the Settlement Administrator to provide information about the Settlement including deadlines and case documents, and permit Settlement Class Members to electronically submit Claim Forms. 2.47 “Subsidiary” means, with respect to any Entity, any other Entity of which the first Entity owns or controls, directly or indirectly, at least a majority of the securities or other interests that have by their terms ordinary voting power to elect a majority of the board of directors, or others performing similar functions, of the other Entity. 2.48 “Successor” means, with respect to a natural person, that person’s heir, successors, and assigns, and, with respect to an Entity, any other Entity that through merger, buyout, assignment, or any other means or transaction, acquires all of the first Entity’s duties, rights, obligations, shares, debts, or assets. 2.49 “Taxes” means (i) any and all applicable taxes, duties and similar charges imposed by a government authority (including any estimated taxes, interest or penalties) arising in any jurisdiction, if any, with respect to the income or gains earned by or in respect of the Consumer Restitution Fund, including, without limitation, any taxes that may be imposed upon Defendants or their counsel with respect to any income or gains earned by or in respect of the Consumer Restitution Fund for any period while it is held in the Consumer Restitution Fund Account; (ii) any other taxes, duties and similar charges imposed by a government authority (including any estimated taxes, interest or penalties) relating to the Consumer Restitution Fund that the Settlement Administrator determines are or will become due and owing, if any; and (iii) any and all expenses, liabilities and costs incurred in connection with the taxation of the Consumer Restitution Fund (including without limitation, expenses of tax attorneys and accountants). 2.50 “Unknown Claims” means any and all Released Claims that any Settlement Class Representative or Settlement Class Member does not know or suspect to exist in his or her favor as of the Effective Date and which, if known by him or her, might have affected his or her decision(s) with respect to the Settlement. With respect to any and all 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 12 of 295 Released Claims, the Parties stipulate and agree that upon the Effective Date, Settlement Class Representatives and Settlement Class Members shall have waived any and all provisions, rights, and benefits conferred by any law of any state or territory of the United States, the District of Columbia, or principle of common law or otherwise, which is similar, comparable, or equivalent to Cal. Civ. Code § 1542, which provides: A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS THAT THE CREDITOR OR RELEASING PARTY DOES NOT KNOW OR SUSPECT TO EXIST IN HIS OR HER FAVOR AT THE TIME OF EXECUTING THE RELEASE AND THAT, IF KNOWN BY HIM OR HER, WOULD HAVE MATERIALLY AFFECTED HIS OR HER SETTLEMENT WITH THE DEBTOR OR RELEASED PARTY. Settlement Class Representatives and Class Counsel acknowledge, and each Settlement Class Member by operation of law shall be deemed to have acknowledged, that the inclusion of “Unknown Claims” in the definition of Released Claims was separately bargained for and was a key element of the Settlement Agreement. 3 3.1 CREATION AND TREATMENT OF THE CONSUMER RESTITUTION FUND Equifax Inc. agrees to make a non-reversionary settlement payment of three hundred eighty million, five hundred thousand United States Dollars ($380,500,000) and deposit that settlement payment into the Consumer Restitution Fund Account as follows: (i) it shall deposit one hundred and fifty thousand United States Dollars ($150,000) into the Consumer Restitution Fund Account 5 Business Days after the date of this Agreement, to cover reasonable set-up costs of the Notice Provider; (ii) it shall deposit twenty-five million United States Dollars ($25,000,000) into the Consumer Restitution Fund Account 5 Business Days after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement to cover reasonable Notice and Administrative Costs incurred prior to the Effective Date, and set-up costs for the Credit Monitoring and Restoration Services vendor; and (iii) it shall deposit the balance of the three hundred eighty million, five hundred thousand United States Dollars 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 13 of 295 ($380,500,000) into the Consumer Restitution Fund Account within 10 Business Days after the Effective Date. 3.2 Additional Amounts for Out-of-Pocket Losses: In addition to the Consumer Restitution Fund, Equifax Inc. agrees to pay up to one hundred twenty-five million United States Dollars ($125,000,000) in additional amounts for valid Out-of-Pocket Losses submitted during both the Initial Claims Period and the Extended Claims Period in the event the Consumer Restitution Fund is exhausted. Additional amounts (up to $125,000,000) will be paid by Equifax Inc. as needed on a monthly basis within 14 Business Days after receipt of written notification from the Settlement Administrator that there are insufficient funds remaining in the Consumer Restitution Fund to pay valid Out-of-Pocket Losses. These amounts will be paid only on an as-needed basis and may not be used for any purpose other than paying valid Out-of-Pocket Losses once the Consumer Restitution Fund no longer has any available funds to pay such claims. 3.3 The Consumer Restitution Fund Account shall be an account established at a financial institution approved by Class Counsel and Defendants and, pursuant to Section 3.9, shall be maintained as a qualified settlement fund pursuant to Treasury Regulation § 1.468B-1, et seq. 3.4 No amounts may be withdrawn from the Consumer Restitution Fund Account unless (i) expressly authorized by this Agreement or (ii) approved by the Court. Class Counsel may authorize the payment of actual reasonable Administrative Costs and Notice Costs from the Consumer Restitution Fund Account without further order of the Court. The Settlement Administrator shall provide Class Counsel and Defendants with notice of any withdrawal or other payment the Settlement Administrator proposes to make from the Consumer Restitution Fund Account before the Effective Date at least 5 Business Days prior to making such withdrawal or payment. 3.5 The Settlement Administrator, subject to such supervision and direction of the Court and Class Counsel as may be necessary or as circumstances may require, shall administer and oversee distribution of the Consumer Restitution Fund to Settlement Class Members pursuant to this Agreement. 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 14 of 295 3.6 The Settlement Administrator and Class Counsel are responsible for communicating with Settlement Class Members regarding the distribution of the Consumer Restitution Fund and amounts paid under the Settlement. 3.7 All funds held in the Consumer Restitution Fund Account relating to the Settlement shall be deemed to be in the custody of the Court until such time as the funds shall be distributed to Settlement Class Members or otherwise disbursed pursuant to this Agreement or further order of the Court. 3.8 Any funds in the Consumer Restitution Fund Account in excess of two hundred fifty thousand United States Dollars ($250,000) shall be invested in short term United States Agency or Treasury Securities, repurchase agreements collateralized by such instruments, or a mutual fund invested solely in such instruments, and shall collect and reinvest all earnings accrued thereon. Any funds held in the Consumer Restitution Fund Account in an amount of less than $250,000 may be held in an interestbearing account insured by the Federal Deposit Insurance Corporation (“FDIC”) or may be invested as funds in excess of $250,000 are invested. Funds may be placed in a non-interest-bearing account as may be reasonably necessary during the check clearing process. 3.9 The Parties agree that the Consumer Restitution Fund is intended to be maintained as a qualified settlement fund within the meaning of Treasury Regulation § 1.468B-1, and that the Settlement Administrator, within the meaning of Treasury Regulation § 1.468B-2(k)(3), shall be responsible for filing tax returns and any other tax reporting for or in respect of the Consumer Restitution Fund and paying from the Consumer Restitution Fund any Taxes owed with respect to the Consumer Restitution Fund. The Parties agree that the Consumer Restitution Fund shall be treated as a qualified settlement fund from the earliest date possible, and agree to any relation-back election required to treat the Consumer Restitution Fund as a qualified settlement fund from the earliest date possible. 3.10 All Taxes relating to the Consumer Restitution Fund shall be paid out of the Consumer Restitution Fund, shall be considered to be an Administrative Cost of the Settlement, and shall be timely paid by the Settlement Administrator without prior order of the Court. Further, the 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 15 of 295 Consumer Restitution Fund shall indemnify and hold harmless the Parties and their counsel for Taxes (including, without limitation, taxes payable by reason of any such indemnification payments). 3.11 The Parties and their respective counsel have made no representation or warranty with respect to the tax treatment by any Settlement Class Representative or any Settlement Class Member of any payment or transfer made pursuant to this Agreement or derived from or made pursuant to the Consumer Restitution Fund. 3.12 Each Settlement Class Representative and Settlement Class Member shall be solely responsible for the federal, state and local tax consequences to him, her or it of the receipt of funds from the Consumer Restitution Fund pursuant to this Agreement. 4 4.1 RELIEF PROVIDED OUTSIDE OF THE CONSUMER RESTITUTION FUND Business Practices Commitments. 4.1.1 Equifax will adopt, pay for, and implement, (or maintain where such Business Practices Commitments have been implemented) the Business Practices Commitments related to information security to safeguard Settlement Class Members’ “Personal Information” as defined and as set forth in Exhibit 2. 4.1.2 Equifax’s Business Practices Commitments will be memorialized in an order to be entered by the Court in connection with the Judgment and materially identical to the Proposed Consent Order attached as Exhibit 3 to this Agreement, and thereby will be subject to independent supervision and judicial enforcement. 4.1.3 From the Effective Date neither Equifax nor any of its Affiliates will use or seek to enforce any arbitration provision or class action waiver in any Equifax product or service that has been offered in response to the Data Breach as of the date of this Agreement, or that is otherwise provided by Equifax under this 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 16 of 295 Agreement, against consumers for claims related to or arising from the Data Breach. This provision cannot be superseded or modified by any agreement pertaining to any other Equifax product or service or any product or service offered by one of Equifax’s Affiliates, parents, successors, agents, subsidiaries, or assigns. 4.1.4 Equifax will implement a program to provide prompt notice of any future breaches of consumer information consistent with the requirements of all federal and state regulations. 4.1.5 Plaintiffs through Class Counsel began negotiating a potential resolution of the Actions in September 2017, which included proposed business practices commitments, and the settlement process continued over approximately 18 months resulting in the Business Practices Commitments as described in Exhibit 2, which were finalized as part of the Parties’ binding term sheet executed on March 30, 2019. 4.2 Credit Freezes and Unfreezes. Separate from and in addition to the Consumer Restitution Fund, and notwithstanding any provision of law related to payment for placement and removal of credit freezes, all Settlement Class Members will be eligible to place and remove credit freezes on their Equifax Information Services, LLC (“EIS”) credit files, free of charge, enforceable under this Agreement for 10 years without filing a claim. 4.3 Continuation of Monitoring. Separate from and in addition to the Consumer Restitution Fund, Equifax has provided Settlement Class Members who enrolled in TrustedID Premier monitoring provided by Equifax following the Data Breach with an additional one year of credit monitoring services known as IDNotify to allow for continuity of these services. 5 5.1 PAYMENTS FROM THE CONSUMER RESTITUTION FUND The Consumer Restitution Fund will be used to fund the consumer restitution and redress described in the Settlement provisions listed in 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 17 of 295 Sections 6, 7.1, 7.2, 7.5, 9, 10, and 11. Equifax will separately pay all other costs of the Settlement. 5.2 To the extent the aggregate amounts required to fund the Settlement provisions listed in Sections 6 and 7.5 exceed the amount of the Consumer Restitution Fund (and, for Out-of-Pocket Losses, exceeds the amounts available in Section 3.2 providing for Additional Amounts for Out-of-Pocket Losses) remaining after distributions are made to fund the Settlement provisions listed in Sections 7.1, 7.2, 9, 10, and 11 at the end of the Initial Claims Period, the cash payments provided in these provisions shall be reduced on a pro rata basis, meaning cash payments shall be allocated based on each claimant’s proportional share of the remainder of the Consumer Restitution Fund. 5.3 Payment of Approved Out-of-Pocket Loss Claims During Extended Claims Period. Subject to the requirements of Section 8.1.2, approved Out-of-Pocket Loss claims filed during the Extended Claims Period will be paid in full from the Consumer Restitution Fund on a rolling basis in the order that such claims are received by the Settlement Administrator, up to an amount that exhausts the Consumer Restitution Fund, and, if applicable, the Additional Amounts for Out-of-Pocket Losses available in Section 3.2. 5.4 Use of Remaining Amounts in the Consumer Restitution Fund. Any remaining funds in the Consumer Restitution Fund after the payments described in Sections 6, 7.1, 7.2, 7.5, 9, 10, and 11, and after the conclusion of the Extended Claims Period and payment of approved Outof-Pocket Loss claims filed during the Extended Claims Period, will be used as follows: 5.4.1 First, the caps in Sections 6.2.6 and 7.5 will be lifted (if applicable) and payments increased pro rata to Settlement Class Members with valid claims up to the full amount of the approved claim submitted under those Sections. 5.4.2 Second, if the payments described in Sections 5.4.1 do not exhaust the Consumer Restitution Fund, then any remaining funds shall be used to purchase up to 36 months of additional 14 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 18 of 295 Restoration Services (purchased in full-month increments). 5.4.3 5.5 6 Third, if the payments described in Sections 5.4.1 and 5.4.2 do not exhaust the Consumer Restitution Fund, remaining amounts in the Consumer Restitution Fund will be used to purchase additional Credit Monitoring Services (purchased in monthly, weekly, or daily increments to exhaust any remaining funds) for those Settlement Class Members who have enrolled in such services under Section 7.1. Use of Unclaimed Funds. Upon completion of the distributions identified in Sections 5.1 through 5.4, and after the Settlement Administrator completes its duties with respect to delivering settlement funds to Settlement Class Members with valid claims as set forth in Section 14.1.16, any remaining funds resulting from the failure of Settlement Class Members to timely negotiate a settlement check or to timely provide required tax information such that a settlement check could issue, shall be distributed to Settlement Class Members, or as otherwise ordered by the Court, for consumer restitution and redress but in no event shall any of the Consumer Restitution Fund revert to Equifax. REIMBURSEMENT FOR OUT-OF-POCKET LOSSES 6.1 The Settlement Administrator will use the Consumer Restitution Fund to compensate those Settlement Class Members who submit valid claims for Out-of-Pocket Losses. Settlement Class Members will be subject to an aggregate claims cap of twenty thousand United States Dollars ($20,000) paid directly from the Consumer Restitution Fund regardless of the number of claims submitted by the Settlement Class Member during the Initial Claims Period and Extended Claims Period. This provision does not prevent Settlement Class Members from submitting claims under applicable insurance policies. 6.2 “Out-of-Pocket Losses” are verifiable unreimbursed costs or expenditures that a Settlement Class Member actually incurred and that are fairly traceable to the Data Breach. Out-of-Pocket Losses may include, without limitation, the following: 15 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 19 of 295 6.2.1 unreimbursed costs, expenses, losses or charges incurred as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of a Settlement Class Member’s personal information; 6.2.2 costs incurred on or after September 7, 2017, associated with placing or removing a credit freeze on a Settlement Class Member’s credit file with any credit reporting agency; 6.2.3 other miscellaneous expenses incurred related to any Out-ofPocket Loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges; 6.2.4 credit monitoring costs that were incurred on or after September 7, 2017, through the date of the Settlement Class Member’s claim submission; 6.2.5 up to 25% reimbursement for costs incurred by a Settlement Class Member in connection with Equifax credit or identity monitoring subscription products in the 12 months preceding September 7, 2017; 6.2.6 subject to the provisions of Section 8.4 regarding Documented Time and Self-Certified Time and Section 8.1.2 regarding claims during the Extended Claims Period, up to 20 total hours for time spent taking Preventative Measures and time spent remedying fraud, identity theft, or other misuse of a Settlement Class Member’s personal information that is fairly traceable to the Data Breach at $25 per hour. Up to thirty-one million United States Dollars ($31,000,000) of the Consumer Restitution Fund will be used to compensate Settlement Class Members for time under this Section that is claimed during the Initial Claims Period. If the settlement payments for time claimed during the Initial Claims Period exceed this amount, then payments for time shall be distributed pro rata to those making valid claims for time during the Initial Claims Period. Approved claims for Documented Time and Self-Certified Time filed during the Extended Claims Period will be paid in 16 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 20 of 295 the order they are received and approved at the same pro rata rate (if applicable) as claims for Documented Time and SelfCertified Time filed during the Initial Claims Period, up to an aggregate cap for Documented Time and Self-Certified Time during both the Initial and Extended Claims Period of thirtyeight million United States Dollars ($38,000,000). After passage of the Extended Claims Period and payment of approved claims filed during the Extended Claims Period, claims for time spent may be subject to the provisions of Section 5.4.1, if applicable, in which case all approved claims for time will be paid at the same pro rata rate. 7 7.1 CREDIT MONITORING, RESTORATION SERVICES, ALTERNATIVE REIMBURSEMENT COMPENSATION AND All Settlement Class Members will be eligible to claim and enroll in at least 4 years of Credit Monitoring Services, a description of which is set forth in Exhibit 4. These services will be provided by Experian, which will be appointed by the Court as the provider of Credit Monitoring Services and be subject to the Court’s jurisdiction for enforcement of the terms of this Settlement. 7.1.1 Minors: For Settlement Class Members who were under the age of 18 on May 13, 2017, during the period when a Settlement Class Member is under the age of 18 the monitoring made available will be the minor monitoring services provided by Experian as described in Exhibit 4. 7.2 All Settlement Class Members (regardless of whether the Settlement Class Member makes any claim under the Settlement) will also be able to access Restoration Services, a description of which is set forth in Exhibit 4. These services will be provided by Experian. The Restoration Services include access to a U.S. based call center providing services relating to identity theft, fraud and identity restoration for a period of 7 years. 7.3 Equifax represents and warrants that it is not an Affiliate of Experian and has no financial interest in Experian. Equifax will not receive any monetary or other financial consideration for the Credit Monitoring 17 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 21 of 295 Services or Restoration Services made available under this Settlement. Equifax will provide its data necessary to carry out these services to Experian free of charge. 7.4 Settlement Class Members who elect to enroll in Credit Monitoring Services within the Initial Claims Period shall have the option to make a claim for One-Bureau Credit Monitoring Services at the same time they claim Credit Monitoring Services. The One-Bureau Credit Monitoring Services will be provided by Equifax for a period of no more than 6 years beginning after the date on which the Credit Monitoring Services described in Section 7.1 above (including any additional monthly increments provided pursuant to Section 5.4.3) expire. The aggregate term of the Credit Monitoring Services and the One-Bureau Credit Monitoring Services will equal 10 years. A description of the One Bureau Credit Monitoring Services is set forth in Exhibit 4. The cost of the One-Bureau Credit Monitoring Services will be paid separately by Equifax, not from the Consumer Restitution Fund. 7.4.1 7.5 Minors: For Settlement Class Members who were under the age of 18 on May 13, 2017, One-Bureau Credit Monitoring Services will be provided by Equifax for a period of no more than 14 years beginning after the date on which the Credit Monitoring Services described in Section 7.1 above expire. The aggregate term of the Credit Monitoring Services and the One Bureau Credit Monitoring Services will equal 18 years. During the period when a Settlement Class Member is under the age of 18, the monitoring made available will be the minor monitoring services provided by Equifax described in Exhibit 4. Settlement Class Members who already have some form of credit monitoring or protection and do not claim the Credit Monitoring Services available under Section 7.1 may file a claim for Alternative Reimbursement Compensation of $125. The Settlement Class Member must identify the monitoring service and certify that he or she has some form of credit monitoring or protection as of the date the Settlement Class Member submits the claim and will have such credit monitoring in place for a minimum of six (6) months from the claim date. Settlement Class 18 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 22 of 295 Members who elect to receive Alternative Reimbursement Compensation under this provision are not eligible to enroll in Credit Monitoring Services offered under Section 7.1 or to seek reimbursement, as Out-ofPocket Losses, for purchasing credit monitoring or protection services covering the six-month period after the claim date. Up to thirty-one million United States Dollars ($31,000,000) of the Consumer Restitution Fund will be used to provide Alternative Reimbursement Compensation to Settlement Class Members under this provision. If payments for Alternative Reimbursement Compensation under this provision exceed the cap set forth in the preceding sentence, then payments for such Alternative Reimbursement Compensation shall be distributed pro rata to those making valid claims for Alternative Reimbursement Compensation. After passage of the Extended Claims Period, claims for Alternative Reimbursement Compensation may be subject to the provisions of Section 5.4.1, if applicable. 7.6 Claims for Credit Monitoring Services and Alternative Reimbursement Compensation can be made only within the Initial Claims Period. 7.7 The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to any act or omission of Experian, or any of its respective designees or agents, in connection with its provision of Credit Monitoring Services or Restoration Services or the performance of its duties under this Agreement. 7.8 If, at the end of the Initial Claims Period, more than 7 million Settlement Class Members have enrolled in the Credit Monitoring Services, the following obligations apply: 7.8.1 If the total payments required under Sections 6, 7.2, 7.5, 9, and 10, plus the cost of providing the Credit Monitoring Services to 7 million Settlement Class Members (the “Costs”) are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the cost of providing Credit Monitoring Services to enrollees above 7 million (the “Additional Credit Monitoring Cost”) 19 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 23 of 295 7.9 8 8.1 7.8.2 If the Costs are less than Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000) and the Additional Credit Monitoring Cost is greater than Forty Three Million Five Hundred Thousand Dollars ($43,500,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the Additional Credit Monitoring Cost less Forty Three Million Five Hundred Thousand Dollars ($43,500,000) 7.8.3 If (i) the Costs are greater than or equal to Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000), but less than Three Hundred Million Dollars ($300,000,000) and (ii) the Costs plus the Additional Credit Monitoring Costs are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the Costs plus Additional Credit Monitoring Costs less Three Hundred Million Dollars ($300,000,000). If, during the Extended Claims Period, more than 7 million Settlement Class Members have enrolled in Credit Monitoring Services and either (i) the Costs are greater than or equal to Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000) or (ii) the Additional Credit Monitoring Costs are greater than Forty Three Million Five Hundred Thousand Dollars ($43,500,000) then, at least on a monthly basis, Equifax Inc. shall recalculate its obligations under Sections 7.8.1 through 7.8.3, and shall deposit any additional money into the Consumer Restitution Fund that would be required, less any amounts previously deposited pursuant to Sections 7.8.1 through 7.8.3, or previously under this Section. CLAIMS PERIODS AND PROCESS Claims Periods. There will be two claims periods: the Initial Claims Period and the Extended Claims Period. 8.1.1 The Initial Claims Period will run for 6 months after the Order Permitting Issuance of Notice of Class Action Settlement. 8.1.2 The Extended Claims Period will run for 4 years after the 20 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 24 of 295 conclusion of the Initial Claims Period. During the Extended Claims Period, Settlement Class Members can seek reimbursement for valid Out-of-Pocket Losses (excluding losses of money and time associated with Preventative Measures) incurred during the Extended Claims Period only if the Settlement Class Member provides a certification that he or she has not obtained reimbursement for the claimed expense through other means. 8.2 Claims Process. Settlement Class Members may submit Claim Forms to the Settlement Administrator electronically through the Settlement Website or physically by mail to the Settlement Administrator. Claim Forms must be submitted electronically or postmarked during the Initial Claims Period, or, where applicable, during the Extended Claims Period. Where applicable, the Settlement Administrator shall apply the Claims Administration Protocol, attached as Exhibit 9. 8.3 Claims for Reimbursement for Out-of-Pocket Losses under Section 6. The Settlement Administrator shall verify that each person who submits a Claim Form is a Settlement Class Member and shall be responsible for evaluating claims and making a determination as to whether claimed Outof-Pocket Losses are valid and fairly traceable to the Data Breach. Settlement Class Members with Out-of-Pocket Losses must submit Reasonable Documentation supporting their claims, except no documentation is required for claims for reimbursement for Equifax subscription products as provided in Section 6.2.5. As used herein, “Reasonable Documentation” means documentation supporting a claim, including but not limited to: credit card statements, bank statements, invoices, telephone records, and receipts. Except as expressly provided herein, personal certifications, declarations, or affidavits from the claimant do not constitute Reasonable Documentation but may be included to provide clarification, context or support for other submitted Reasonable Documentation. 8.3.1 In assessing what qualifies as “fairly traceable,” the Parties agree to instruct the Settlement Administrator to consider (i) the timing of the loss, including whether the loss occurred on or 21 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 25 of 295 after May 13, 2017, through the date of the Class Member’s claim submission; (ii) whether the loss involved the possible misuse of the type of personal information accessed in the Data Breach (i.e., name, address, birth date, Social Security Number, driver’s license number, payment card information); (iii) whether the personal information accessed in the Data Breach that is related to the Class Member is of the type that was possibly misused; (iv) the Class Member’s explanation as to how the loss is fairly traceable to the Data Breach; (v) the nature of the loss, including whether the loss was reasonably incurred as a result of the Data Breach; and (vi) any other factor that the Settlement Administrator considers to be relevant. The Settlement Administrator shall have the sole discretion and authority to determine whether claimed Out-of-Pocket Losses are valid and fairly traceable to the Data Breach. 8.3.2 8.4 Out-of-Pocket Losses associated with placing or removing credit freezes on credit files (Section 6.2.2.) and purchasing credit monitoring services (Section 6.2.4) (“Preventative Measures”), shall be deemed fairly traceable to the Data Breach if (i) they were incurred on or after September 7, 2017, through the date of the Settlement Class Member’s claim submission, and (ii) the claimant certifies that they incurred such Out-ofPocket Losses as a result of the Data Breach and not as a result of any other compromise of the Settlement Class Member’s information. Claims for Time. Settlement Class Members who spent time remedying fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or subject to Section 8.1.2, Settlement Class Members who spent time on Preventative Measures fairly traceable to the Data Breach, can receive reimbursement for such time expenditures subject to the following provisions. 8.4.1 Documented Time. Settlement Class Members with (i) Reasonable Documentation of fraud, identity theft, or other 22 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 26 of 295 alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach and (ii) time spent remedying these issues, or time spent taking Preventative Measures, may submit a claim for up to 20 hours of such time to be compensated at $25 per hour. This documentation may overlap with documents submitted to support other Out-ofPocket Losses. In the event the Settlement Administrator does not approve a claim for Documented Time, that claim shall be treated as a claim for Self-Certified Time and be subject to the provisions of Section 8.4.2. 8.5 8.4.2 Self-Certified Time. Settlement Class Members who attest (i) to fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or Preventative Measures, and (ii) that they spent time remedying such misuse or taking Preventative Measures, but who cannot provide Reasonable Documentation of such issues may self-certify the amount of time they spent remedying the foregoing by providing a certified explanation of the misuse or Preventative Measures taken and how the time claimed was spent remedying the misuse or taking Preventative Measures. Settlement Class Members may file a claim for Self-Certified Time for up to 10 hours at $25 per hour. 8.4.3 Time Increments. Valid claims for both Documented Time and Self-Certified Time will be reimbursed in 15-minute increments, with a minimum reimbursement of 1-hour per valid Out-of-Pocket Loss claim for time. Disputes and Appeals. 8.5.1 To the extent the Settlement Administrator determines a claim for Out-of-Pocket Losses, Alternative Reimbursement Compensation, or Credit Monitoring Services is deficient in whole or part, within 14 days after making such a determination, the Settlement Administrator shall notify the Settlement Class Member in writing (including by e-mail where the Settlement Class Member selects e-mail as his or her 23 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 27 of 295 preferred method of communication) of the deficiencies and give the Settlement Class Member 30 days to cure the deficiencies. The notice shall inform the Settlement Class Member that he or she can either attempt to cure the deficiencies outlined in the notice, or dispute the determination in writing and request an appeal. If the Settlement Class Member attempts to cure the deficiencies but, in the sole discretion and authority of the Settlement Administrator fails to do so, the Settlement Administrator shall notify the Settlement Class Member of that determination within 14 days of the determination. The notice shall inform the Settlement Class Member of his or her right to dispute the determination in writing and request an appeal within 30 days. The Settlement Administrator shall have the sole discretion and authority to determine whether a claim for Out-of-Pocket Losses, Alternative Reimbursement Compensation, or Credit Monitoring Services is deficient in whole or part but may consult with the Parties in making individual determinations. 8.5.2 If a Settlement Class Member disputes a determination in writing (including by e-mail where the Settlement Class Member selects e-mail as his or her preferred method of communication) and requests an appeal, the Settlement Administrator shall provide Class Counsel and Defendants’ Counsel a copy of the Settlement Class Member’s dispute and Claim Form along with all documentation or other information submitted by the Settlement Class Member. Class Counsel and Defendants’ Counsel will confer regarding the claim submission, and their agreement on approval of the Settlement Class Member’s claim, in whole or part, will be final. If Class Counsel and Defendants’ Counsel cannot agree on approval of the Settlement Class Member’s claim, in whole or part, the dispute will be submitted to a mutually-agreeable neutral thirdparty who will serve as the claims referee. If no agreement is reached on selection of the claims referee, the Parties will submit proposals to the Court. The Court will have final, nonappealable decision-making authority over designating the 24 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 28 of 295 claims referee. The claims referee’s decision will be final and not subject to appeal or further review. 9 ADMINISTRATIVE COSTS AND NOTICE COSTS 9.1 The Administrative Costs and Notice Costs will be paid from the Consumer Restitution Fund. However, if the amount of Notice Costs exceeds more than a specified dollar amount, as agreed to by the Parties and submitted to the Court for in camera review, either of the Parties may terminate this Agreement. 10 SERVICE AWARDS 10.1 Settlement Class Representatives and Class Counsel may seek Service Awards for the Settlement Class Representatives. Any requests for such awards must be filed at least 21 days before the Objection Deadline. Equifax agrees not to oppose requests for such Service Awards to the extent they do not exceed two thousand five hundred United States Dollars ($2,500) per Settlement Class Representative. 10.2 The Settlement Administrator shall pay the Service Awards approved by the Court to the Settlement Class Representatives from the Consumer Restitution Fund, which shall not exceed two hundred and fifty thousand United States Dollars ($250,000) of the Consumer Restitution Fund. Such Service Awards shall be paid in the amount approved by the Court within 10 Business Days of the Effective Date. 10.3 In the event the Court declines to approve, in whole or in part, the payment of the Service Awards in the amounts requested, the remaining provisions of this Agreement shall remain in full force and effect. No decision by the Court, or modification or reversal or appeal of any decision by the Court, concerning the amount of Service Awards shall constitute grounds for cancellation or termination of this Agreement. 11 ATTORNEYS’ FEES AND EXPENSES 11.1 Plaintiffs, through Class Counsel, will request up to $77,500,000 of the Consumer Restitution Fund (representing 25% of the Settlement Fund negotiated as part of the March 30, 2019, term sheet) to pay reasonable 25 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 29 of 295 attorneys’ fees for work performed by Class Counsel or other counsel working at their direction in connection with this litigation, to be distributed as determined by Class Counsel. In addition to fees, plaintiffs will also request reimbursement of reasonable costs and expenses incurred in connection with the litigation up to three million United States Dollars ($3,000,000), which shall also be paid from the Consumer Restitution Fund. Class Counsel will make such applications as provided under the Federal Rules of Civil Procedure and Equifax agrees not to take a position on such applications. Any such applications must be filed at least 21 days before the Objection Deadline. 11.2 The Settlement Administrator shall pay the attorneys’ fees, costs, and expenses awarded by the Court, plus any interest accrued on the amount of the approved attorneys’ fees, to Class Counsel from the Consumer Restitution Fund. Such attorneys’ fees, costs, and expenses shall be paid in the amount approved by the Court within 10 Business Days of the Effective Date. 11.3 Defendants shall have no responsibility for, interest in, or liability whatsoever with respect to any payment or allocation of attorneys’ fees, costs, and expenses to or made by Class Counsel under this Agreement. 11.4 The finality or effectiveness of the Settlement will not be dependent on the Court awarding Class Counsel any particular amount of attorneys’ fees and costs. In the event the Court declines to approve, in whole or in part, the payment of the attorneys’ fees, costs, or expenses in the amounts requested, the remaining provisions of this Agreement shall remain in full force and effect. No decision by the Court, or modification or reversal or appeal of any decision by the Court, concerning the amount of attorneys’ fees, costs, and expenses shall constitute grounds for cancellation or termination of this Agreement. 12 PRESENTATION TO THE COURT 12.1 On or after July 15, 2019, Settlement Class Representatives and Class Counsel will file this Agreement and Exhibits, along with a motion for Order Permitting Issuance of Notice of Class Action Settlement pursuant to the requirements of Federal Rule of Civil Procedure 23(e)(1). 26 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 30 of 295 12.2 Class Counsel shall apply to the Court for entry of the Order Permitting Issuance of Notice of Class Action Settlement attached hereto as Exhibit 5. 13 CLASS NOTICE, OPT-OUTS, OBJECTIONS, AND CAFA NOTICE 13.1 Notice shall not be distributed or disseminated until after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement. 13.2 The Notice Provider is responsible for distributing and disseminating the Notice in accordance with the Notice Plan, Exhibit 6 hereto. 13.3 Defendants shall provide the Settlement Administrator with the names, last known mailing address, date of birth, and last known e-mail addresses of Settlement Class Members to the extent reasonably available, no later than 5 Business Days after the date on which the Court enters the Order Permitting Issuance of Notice of Class Action Settlement. To the extent that Equifax has reasonably available names or other identifying information about Settlement Class Members, but not mailing or email addresses, those names and other identifying information shall also be provided to the Settlement Administrator for use in verifying the identity of Settlement Class Members. The Notice Provider and Settlement Administrator shall make all necessary efforts to ensure the security and privacy of Settlement Class Member information. 13.4 Class Counsel shall provide the Settlement Administrator with the names, last known mailing address, and last known email addresses of Settlement Class Representatives and any other putative class member who has reported updated address information to Class Counsel, no later than 5 Business Days after the date on which the Court enters the Order Permitting Issuance of Notice of Class Action Settlement. 13.5 The Notice shall explain the procedure for Settlement Class Members to opt-out and exclude themselves from the Settlement Class by notifying the Settlement Administrator in writing, postmarked no later than 60 days after the Notice Date (the “Opt-Out Deadline”). Each written request for exclusion must set forth the name of the individual seeking exclusion, be 27 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 31 of 295 signed by the individual seeking exclusion, and can only request exclusion for that one individual. 13.6 The Notice shall explain the procedure for Settlement Class Members to object to the Settlement by submitting written objections to the Court no later than 60 days after the Notice Date (the “Objection Deadline”). The written objection must include the objector’s name, address, personal signature, a statement of the specific grounds for the objection, a statement indicating the basis for the objector’s belief that he or she is a member of the Settlement Class, a statement of whether the objection applies only to the objector, to a specific subset of the Settlement Class, or to the entire Settlement Class, a statement identifying all class action settlements objected to by the Settlement Class Member in the previous 5 years, a statement whether the objector intends to appear at the Fairness Hearing, either in person or through counsel, and if through counsel, identifying counsel by name, address, and telephone number, and four dates between the Objection Deadline and a date two weeks before Fairness Hearing, during which the Settlement Class Member is available to be deposed by counsel for the Parties. In addition to the foregoing, if the Settlement Class Member is represented by counsel and such counsel intends to speak at the Fairness Hearing, the written objection must include a detailed statement of the specific legal and factual basis for each and every objection and a detailed description of any and all evidence the objecting Settlement Class Member may offer at the Fairness Hearing, including copies of any and all exhibits that the objecting Settlement Class Member may introduce at the Fairness Hearing. In addition to the foregoing, if the Settlement Class Member is represented by counsel, and such counsel intends to seek compensation for his or her services from anyone other than the Settlement Class Member, the objection shall contain the following information: (a) the identity of all counsel who represent the objector, including any former or current counsel who may be entitled to compensation for any reason related to the objection; (b) a statement identifying all instances in which the counsel or the counsel’s law firm have objected to a class action settlement within the preceding 5 years, giving the style and court in which the class action settlement was filed; (c) a statement identifying any and all agreements that relate to the objection or the process of objecting—whether written or oral—between 28 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 32 of 295 the Settlement Class Member, his or her counsel, and/or any other person or entity; (d) a description of the counsel’s legal background and prior experience in connection with class action litigation; and (e) a statement regarding whether fees to be sought will be calculated on the basis of a lodestar, contingency, or other method; an estimate of the amount of fees to be sought; the factual and legal justification for any fees to be sought; the number of hours already spent by the counsel and an estimate of the hours to be spent in the future; and the attorney’s hourly rate. 13.7 The Notice will also state that any Settlement Class Member who does not file a timely and adequate notice of intent in accordance with this Section waives the right to object or to be heard at the Fairness Hearing and shall be forever barred from making any objection to the Settlement. 13.8 Equifax will serve the notice required by the Class Action Fairness Act of 2005, 28 U.S.C. § 1715, no later than 10 days after this Agreement is filed with the Court. 14 DUTIES OF SETTLEMENT ADMINISTRATOR 14.1 The Settlement Administrator shall perform the functions as are specified in this Agreement and its Exhibits, including, but not limited to, overseeing administration of the Consumer Restitution Fund; operating the Settlement Website and a toll-free number; administering the claims processes; and distributing the Settlement benefits described herein. These functions may need to be performed in conjunction with the Notice Provider, as described herein. In addition to other responsibilities that are described in this Agreement, the duties of the Settlement Administrator include: 14.1.1 Reviewing, determining the validity of, and processing all claims submitted by Settlement Class Members; 14.1.2 Establishing a reasonably practical procedure, using information obtained from Equifax pursuant to Section 13.3, to verify that claimants are Settlement Class Members. 14.1.3 Establishing and maintaining a post office box for mailed 29 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 33 of 295 written objections and notifications of exclusion from the Settlement Class; 14.1.4 Establishing and maintaining the Settlement Website that, among other things, allows Settlement Class Members to submit Claims Forms electronically; 14.1.5 Responding to Settlement Class Member inquiries via U.S. mail, e-mail, and telephone; 14.1.6 Establishing and maintaining a toll-free telephone line for Settlement Class Members to call with Settlement-related inquiries, and answering the questions of Settlement Class Members who call with or otherwise communicate such inquiries; 14.1.7 Mailing to Settlement Class Members who request it paper copies of the Notice and Claim Forms; 14.1.8 Reviewing, determining the validity of, and processing all claims submitted by Settlement Class Members, pursuant to Section 8; 14.1.9 Paying Taxes; 14.1.10 Processing all objections and requests for exclusion from the Settlement Class; 14.1.11 Coordinating with Experian to receive and send activation codes for Credit Monitoring Services no later than 45 days after the Effective Date or the conclusion of the Initial Claims Period, whichever is later; 14.1.12 Receiving requests for exclusion and objections from Settlement Class Members and promptly providing copies thereof to Class Counsel and Defendants’ Counsel. If the Settlement Administrator receives any requests for exclusion, objections, or other requests from Settlement Class Members after the Opt-Out and Objection Deadlines, the Settlement 30 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 34 of 295 Administrator shall promptly provide copies thereof to Class Counsel and Defendants’ Counsel; 14.1.13 Providing, no later than 5 Business Days after the Opt-Out and Objection Deadlines, a final report to Class Counsel and Defendants’ Counsel that summarizes the number of written requests for exclusion, objections, and other pertinent information as requested by Class Counsel or Defendants’ Counsel; 14.1.14 Providing weekly reports and a final report to Class Counsel and Defendants’ Counsel that summarize the number of Claims since the prior reporting period, the total number of Claims received to date, the number of any Claims approved and denied since the prior reporting period, the total number of Claims approved and denied to date, and other pertinent information as requested by Class Counsel or Defendants’ Counsel. The Settlement Administrator shall also, as requested by Class Counsel or Defendants’ Counsel and from time to time, provide information about the amounts remaining in the Consumer Restitution Fund; 14.1.15 Making available for inspection by Class Counsel and Defendants’ Counsel the Claim Forms and any supporting documentation received by the Settlement Administrator at any time upon reasonable notice; 14.1.16 After the Effective Date, processing distributions to Settlement Class Members; 14.1.17 In advance of the Fairness Hearing, preparing an affidavit to submit to the Court that: (i) provides pertinent information relating to the claims process as requested by Class Counsel; and (ii) identifies each Settlement Class Member who timely and properly provided written notification of exclusion from the Settlement Class; and 14.1.18 Performing any function at the agreed-upon instruction of both 31 and transmitting Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 35 of 295 Class Counsel and Defendants’ Counsel, including, but not limited to, verifying that cash payments have been distributed in accordance with Section 5. 14.2 The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to (i) any act, omission or determination of the Settlement Administrator, or any of its respective designees or agents, in connection with the administration of the Settlement or otherwise; (ii) the management, investment or distribution of the Consumer Restitution Fund; (iii) the formulation, design or terms of the disbursement of the Consumer Restitution Fund; (iv) the determination, administration, calculation or payment of any claims asserted against the Consumer Restitution Fund; (v) any losses suffered by or fluctuations in the value of the Consumer Restitution Fund; or (vi) the payment or withholding of any Taxes, expenses or costs incurred in connection with the taxation of the Consumer Restitution Fund or the filing of any returns. 14.3 The Settlement Administrator shall indemnify and hold harmless the Parties, Class Counsel, and Defendants’ Counsel for (i) any act or omission or determination of the Settlement Administrator, or any of Settlement Administrator’s designees or agents, in connection with the administration of the Settlement; (ii) the management, investment or distribution of the Consumer Restitution Fund; (iii) the formulation, design or terms of the disbursement of the Consumer Restitution Fund; (iv) the determination, administration, calculation or payment of any claims asserted against the Consumer Restitution Fund; (v) any losses suffered by, or fluctuations in the value of the Consumer Restitution Fund; or (vi) the payment or withholding of any Taxes, expenses, or costs incurred in connection with the taxation of the Consumer Restitution Fund or the filing of any returns. 15 DUTIES OF NOTICE PROVIDER 15.1 The Notice Provider shall perform the functions as are specified in this Agreement and its Exhibits, including, but not limited to implementing the Notice Plan attached hereto as Exhibit 6, using the methods and forms of Notice approved by the Court. In addition to other responsibilities that 32 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 36 of 295 are described in this Agreement and the Notice Plan, the duties of the Notice Provider include: 15.1.1 Coordinating with the Settlement Administrator, Class Counsel, and Defendants’ Counsel to effectuate this Agreement. 15.1.2 Assisting the Settlement Administrator in creating and maintaining the Settlement Website. 15.1.3 Reporting to the Parties and the Court regarding the status and effectiveness of the Notice Plan. 15.2 The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to any act or omission of the Notice Provider, or any of its respective designees or agents, in connection with its implementation of the Notice Plan and performance of its duties under this Agreement. 15.3 The Notice Provider shall indemnify and hold harmless the Parties, Class Counsel, and Defendants’ Counsel for any liability arising from the Notice Provider’s implementation of the Notice Plan and performance of its duties under this Agreement. 16 RELEASE 16.1 As of the Effective Date, all Settlement Class Members and all Settlement Class Representatives, on behalf of themselves, their heirs, assigns, executors, administrators, predecessors, and Successors, and any other person purporting to claim on their behalf, hereby expressly, generally, absolutely and unconditionally release and discharge any and all Released Claims against Equifax and its current, former, and future Affiliates, Parents, Subsidiaries, representatives, officers, agents, directors, employees, insurers, Successors, assigns, and attorneys, except for claims relating to the enforcement of the Settlement or this Agreement. 16.2 As of the Effective Date, Equifax and its representatives, officers, agents, directors, Affiliates, Successors, Subsidiaries, Parents, employees, insurers, and attorneys absolutely and unconditionally release and discharge Settlement Class Members, Settlement Class Representatives, 33 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 37 of 295 and Class Counsel from any claims that arise out of or relate in any way to the institution, prosecution, or settlement of the claims against Defendants, except for claims relating to the enforcement of the Settlement or this Agreement, and for the submission of false or fraudulent claims for Settlement benefits. 16.3 The Parties understand that if the facts upon which this Agreement is based are found hereafter to be different from the facts now believed to be true, each Party expressly assumes the risk of such possible difference in facts, and agrees that this Agreement, including the releases contained herein, shall remain effective notwithstanding such difference in facts. The Parties agree that in entering this Agreement, it is understood and agreed that each Party relies wholly upon its own judgment, belief, and knowledge and that each Party does not rely on inducements, promises, or representations made by anyone other than those embodied herein. 16.4 Notwithstanding any other provision of this Agreement (including, without limitation, this Section), nothing in this Agreement shall be deemed to in any way impair, limit, or preclude the Parties’ rights to enforce any provision of this Agreement, or any court order implementing this Agreement, in a manner consistent with the terms of this Agreement. 17 EFFECTIVE DATE AND TERMINATION 17.1 The Effective Date of the Settlement shall be the first Business Day after all of the following conditions have occurred: 17.1.1 Defendants and Class Counsel execute this Agreement; 17.1.2 The Court enters the Order Permitting Issuance of Notice of Class Action Settlement, without material change to the Parties’ agreed-upon proposed order attached hereto as Exhibit 5; 17.1.3 Notice is provided to the Settlement Class consistent with the Order Permitting Issuance of Notice of Class Action Settlement; 17.1.4 The Court enters the Final Approval Order and Judgment; and 34 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 38 of 295 17.1.5 The Final Approval Order and Judgment has become final because (i) the time for appeal, petition, rehearing or other review has expired, or (ii) if any appeal, petition, request for rehearing or other review has been filed, the Final Approval Order and Judgment is affirmed without material change or the appeal is dismissed or otherwise disposed of, no other appeal, petition, rehearing or other review is pending, and the time for further appeals, petitions, requests for rehearing or other review has expired. 17.2 In the event that the Court declines to enter the Order Permitting Issuance of Notice of Class Action Settlement as specified in Section 17.1.2, declines to enter the Final Approval Order and Judgment in substantially similar form as submitted by the Parties, or the Final Approval Order and Judgment does not become final as specified in Section 17.1.5, the Parties shall have 60 days during which the Parties shall work together in good faith in considering, drafting, and submitting reasonable modifications to this Agreement to address any issues with the Settlement identified by the Court or that otherwise caused the Final Approval Order and Judgment not to become final. If such efforts are unsuccessful or the Court declines to approve the revised Settlement, Defendants and Plaintiffs may at their sole discretion terminate this Agreement on 5 Business Days written notice to Class Counsel or Defendants, respectively. For avoidance of doubt, neither Defendants nor Plaintiffs may terminate the Agreement while an appeal from an order granting approval of the Settlement is pending. 17.3 Defendants also may at their sole discretion terminate this Agreement on 5 Business Days written notice to Class Counsel if more than a specified number of individuals submit valid requests to exclude themselves from the Settlement Class, as agreed to by the Parties and submitted to the Court for in camera review. 17.4 In the event this Agreement is terminated pursuant to Sections 17.2 or 17.3, the Settlement Administrator, within 10 Business Days of receiving written notification of such event from counsel for Defendants, shall pay to Defendants an amount equal to the Consumer Restitution Fund together 35 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 39 of 295 with any interest or other income earned thereon, less (i) any Taxes paid or due with respect to such income, (ii) any reasonable Administrative Costs or Notice Costs actually incurred and paid or payable from the Consumer Restitution Fund as authorized in this Agreement. 17.5 Except as otherwise provided herein, in the event this Agreement is terminated, the Parties to this Agreement, including Settlement Class Members, shall be deemed to have reverted to their respective status in the Actions immediately prior to the execution of this Agreement and, except as otherwise expressly provided, the Parties shall proceed in all respects as if this Agreement and any related orders had not been entered. In addition, the Parties agree that in the event this Agreement is terminated: 17.5.1 Any Court orders approving certification of the Settlement Class and any other orders entered pursuant to this Agreement shall be deemed null and void and vacated and shall not be used in or cited by any person or entity in support of claims or defenses or in support or in opposition to a class certification motion; and 17.5.2 This Agreement shall become null and void, and the fact of this Settlement and that Defendants did not oppose certification of any class under this Settlement, shall not be used or cited by any person or entity, including in any contested proceeding relating to certification of any proposed class. 18 NO ADMISSION OF WRONGDOING 18.1 This Agreement, whether or not consummated, any communications and negotiations relating to this Agreement or the Settlement, and any proceedings taken pursuant to this Agreement: 18.1.1 Shall not be offered or received against any Defendant as evidence of or construed as or deemed to be evidence of any presumption, concession, or admission by any Defendant with respect to the truth of any fact alleged by any Plaintiff or the validity of any claim that has been or could have been asserted 36 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 40 of 295 in the Actions or in any litigation, or the deficiency of any defense that has been or could have been asserted in the Actions or in any litigation, or of any liability, negligence, fault, breach of duty, or wrongdoing of any Defendant; 18.1.2 Shall not be offered or received against any Defendant as evidence of a presumption, concession or admission of any fault, misrepresentation or omission with respect to any statement or written document approved or made by any Defendant; 18.1.3 Shall not be offered or received against any Defendant as evidence of a presumption, concession or admission with respect to any liability, negligence, fault, breach of duty, or wrongdoing, or in any way referred to for any other reason as against any Defendant, in any other civil, criminal or administrative action or proceeding, other than such proceedings as may be necessary to effectuate the provisions of this Agreement; provided, however, that if this Agreement is approved by the Court, the Parties may refer to it to effectuate the liability protection granted them hereunder; 18.1.4 Shall not be construed against any Defendant as an admission or concession that the consideration to be given hereunder represents the amount that could be or would have been recovered after trial; and 18.1.5 Shall not be construed as or received in evidence as an admission, concession or presumption against any Settlement Class Representative or any Settlement Class Member that any of their claims are without merit, or that any defenses asserted by any Defendants have any merit, or that damages recoverable under the Actions would not have exceeded the Consumer Restitution Fund, provided, however, that if this Agreement is approved by the Court, the Defendants may refer to it to enforce the release of claims granted to them hereunder. 37 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 41 of 295 19 REPRESENTATIONS 19.1 Each Party represents that (i) such Party has full legal right, power and authority to enter into and perform this Agreement, subject to Court approval, (ii) the execution and delivery of this Agreement by such Party and the consummation by such Party of the transactions contemplated by this Agreement have been duly authorized by such Party, (iii) this Agreement constitutes a valid, binding and enforceable agreement, and (iv) no consent or approval of any person or entity is necessary for such Party to enter into this Agreement. 20 NOTICES 20.1 All notices to Class Counsel provided for in this Agreement shall be sent by e-mail and First Class mail to the following: Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 akeller@dicellolevitt.com Kenneth S. Canfield DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 kcanfield@dsckd.com Norman E. Siegel STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City, Missouri 64112 Tel. 816.714.7100 siegel@stuevesiegel.com Roy E. Barnes THE BARNES LAW GROUP, LLC 31 Atlanta Street Marietta, GA 30060 Tel. 770.227.6375 roy@barneslawgroup.com 38 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 42 of 295 20.2 All notices to Defendants or counsel to Defendants provided for in this Agreement shall be sent by e-mail and First Class mail to the following: David L. Balser Phyllis B. Sumner S. Stewart Haskins II KING & SPALDING LLP 1180 Peachtree Street, N.E. Atlanta, Georgia 30309 Tel.: 404.572.4600 dbalser@kslaw.com psumner@kslaw.com shaskins@kslaw.com Michelle A. Kisloff Adam A. Cooke HOGAN LOVELLS US LLP Columbia Square 555 Thirteenth Street, N.W. Washington, D.C. 20004 Tel.: 202.637.5600 michelle.kisloff@hoganlovells.com adam.a.cooke@hoganlovells.com 20.3 All notices to the Settlement Administrator provided for in this Agreement shall be sent by e-mail and First Class mail to the following: Equifax Data Breach Settlement C/O JND Legal Administration P.O. Box 91318 Seattle, WA 98111 Info@EquifaxBreachSettlement.com 39 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 43 of 295 20.4 The notice recipients and addresses designated in this Section may be changed by written notice posted to the Settlement Website. 21 MISCELLANEOUS PROVISIONS 21.1 Further Steps. The Parties agree that they each shall undertake any required steps to effectuate the purposes and intent of this Agreement. 21.2 Representation by Counsel. The Settlement Class Representatives and Defendants represent and warrant that they have been represented by, and have consulted with, the counsel of their choice regarding the provisions, obligations, rights, risks, and legal effects of this Agreement and have been given the opportunity to review independently this Agreement with such legal counsel and agree to the particular language of the provisions herein. 21.3 Contact with Settlement Class Members. The Parties agree that Class Counsel may communicate with Settlement Class Members regarding the Settlement, and Equifax shall not otherwise interfere with such communications. 21.4 Contractual Agreement. The Parties understand and agree that all terms of this Agreement, including the Exhibits hereto, are contractual and are not a mere recital, and each signatory warrants that he or she is competent and possesses the full and complete authority to execute and covenant to this Agreement on behalf of the Party that he or she represents. 21.5 Integration. This Agreement constitutes the entire agreement among the Parties and no representations, warranties or inducements have been made to any Party concerning this Agreement other than the representations, warranties and covenants contained and memorialized herein. 21.6 Drafting. The Parties agree that no single Party shall be deemed to have drafted this Agreement, or any portion thereof, for purpose of the invocation of the doctrine of contra proferentem. This Agreement is a collaborative effort of the Parties and their attorneys. 40 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 44 of 295 21.7 Modification or Amendment. This Agreement may not be modified or amended, nor may any of its provisions be waived, except by a writing signed by the Parties who executed this Agreement or their successors-ininterest. 21.8 Waiver. The failure of a Party hereto to insist upon strict performance of any provision of this Agreement shall not be deemed a waiver of such Party’s rights or remedies or a waiver by such Party of any default by another Party in the performance or compliance of any of the terms of this Agreement. In addition, the waiver by one Party of any breach of this Agreement by any other Party shall not be deemed a waiver of any other prior or subsequent breach of this Agreement. 21.9 Severability. Should any part, term or provision of this Agreement be declared or determined by any court or tribunal to be illegal or invalid, the Parties agree that the Court may modify such provision to the extent necessary to make it valid, legal and enforceable. In any event, such provision shall be separable and shall not limit or affect the validity, legality or enforceability of any other provision hereunder. 21.10 Successors. This Agreement shall be binding upon and inure to the benefit of the heirs, Successors and assigns of the Parties thereto. 21.11 Survival. The Parties agree that the terms set forth in this Agreement shall survive the signing of this Agreement. 21.12 Governing Law. All terms and conditions of this Agreement shall be governed by and interpreted according to the laws of the State of Georgia, without reference to its conflict of law provisions, except to the extent the federal law of the United States requires that federal law governs. 21.13 Interpretation. 21.13.1 Definitions apply to the singular and plural forms of each term defined. 21.13.2 Definitions apply to the masculine, feminine, and neuter genders of each term defined. 41 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 45 of 295 21.13.3 Whenever the words “include,” “includes” or “including” are used in this Agreement, they shall not be limiting but rather shall be deemed to be followed by the words “without limitation.” 21.14 No Precedential Value. The Parties agree and acknowledge that this Agreement carries no precedential value. 21.15 Fair & Reasonable. The Parties and their counsel believe this Agreement is a fair and reasonable compromise of the disputed claims, in the best interest of the Parties, and have arrived at this Agreement as a result of extensive arms-length negotiations. 21.16 Retention of Jurisdiction. The administration and consummation of the Settlement as embodied in this Agreement shall be under the authority of the Court, and the Court shall retain jurisdiction over the Settlement and the Parties for the purpose of enforcing the terms of this Agreement. 21.17 Headings. Any headings contained herein are for informational purposes only and do not constitute a substantive part of this Agreement. In the event of a dispute concerning the terms and conditions of this Agreement, the headings shall be disregarded. 21.18 Exhibits. The Exhibits to this Agreement are expressly incorporated by reference and made part of the terms and conditions set forth herein. 21.19 Counterparts. This Agreement may be executed in one or more counterparts. All executed counterparts and each of them shall be deemed to be one and the same instrument provided that counsel for the Parties to this Agreement shall exchange among themselves original signed counterparts. 21.20 Facsimile and Electronic Mail. Transmission of a signed Agreement by facsimile or electronic mail shall constitute receipt of an original signed Agreement by mail. 42 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 46 of 295 IN WITNESS WHEREOF, the Parties have caused this Agreement to be duly executed by themselves or by their duly authorized counsel: Equifax Inc. Equifax Information Services LLC ent, Chief Legal Officer Equifax Consumer Services LLC Nam~~ Title: Corporate Vice President, Chief Legal Officer Date: 43 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 47 of 295 F OF THE SETTLEMENT CLASS Name: Norman E. Siegel Title: Co-Lead Plaintiffs' Counsel Date: "}. ~~- 11 44 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 48 of 295 EXHIBIT 1 LIST OF ACTIONS 1. In re Equifax, Inc. Customer Data Security Breach Litig. (N.D. Ga., Case No. 1:17-md-2800-TWT), Doc. 374, Consolidated Consumer Class Action Complaint. 2. Abraham v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03453) 3. Abramowitz, et al. v. Equifax Inc. (S.D.N.Y., Case No. 7:17-cv07642) (N.D. Ga., Case No. 1:17-cv-05533) 4. Abramson, et al. v. Equifax Inc. (C.D. Cal., Case No. 8:17-cv-02201) (N.D. Ga., Case No. 1:18-cv-01466) 5. Agosto, et al. v. Equifax Information Services, LLC (N.D. Ohio, Case No. 5:18-cv-00346) (N.D. Ga., Case No. 1:18-cv-01150) 6. Ahmed v. Equifax Inc. (E.D.N.Y., Case No. 2:17-cv-06576) (N.D. Ga., Case No. 1:17-cv-05407) 7. Alexander v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05230) (N.D. Ga., Case No. 1:17-cv-05038) 8. Alexander, et al. v. Equifax, Inc. (W.D. Mo., Case No. 4:17-cv-00788) (N.D. Ga., Case No. 1:17-cv-05413) 9. Allen, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04544) 10. Amadick, et al. v. Equifax (D. Minn., Case No. 0:17-cv-04196) (N.D. Ga., Case No. 1:17-cv-05027) 11. Amuial v. Equifax, Inc. (S.D. Fla., Case No. 1:17-cv-23405) (N.D. Ga., Case No. 1:17-cv-05285) Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 49 of 295 12. Anderson, et al. v. Equifax Inc., et al. (D.S.C., Case No. 2:17-cv02825) (N.D. Ga., Case No. 1:17-cv-05449) 13. Anderson v. Equifax, Inc. (E.D. Ky., Case No. 2:17-cv-00156) (N.D. Ga., Case No. 1:17-cv-05008) 14. Anderson, et al. v. Equifax Information Services, LLC (D. Nev., Case No. 2:18-cv-00592) (N.D. Ga., Case No. 1:18-cv-01591) 15. Appel, et al. v. Equifax, Inc. (D. Minn., Case No. 0:17-cv-04488) (N.D. Ga., Case No. 1:17-cv-05378) 16. Astor, et al. v. Equifax Inc., et al. (M.D. Fla., Case No. 6:17-cv01653) (N.D. Ga., Case No. 1:17-cv-05368) 17. Atiles, et al. v. Equifax, Inc., et al. (S.D.N.Y., Case No. 7:17-cv07493) (N.D. Ga., Case No. 1:17-cv-05532) 18. Austin v. Equifax, Inc., et al. (E.D. Pa., Case No. 2:17-cv-04045) (N.D. Ga., Case No. 1:17-cv-05129) 19. Avise v. Equifax Inc. (C.D. Cal., Case No. 8:17-cv-01563) (N.D. Ga., Case No. 1:17-cv-05022) 20. Ayala, et al. v. Equifax Incorporated, et al. (D. Ariz., Case No. 4:17cv-00462) (N.D. Ga., Case No. 1:17-cv-05221) 21. Bahnmaier v. Equifax, Inc. (N.D. Okla., Case No. 4:17-cv-00512) (N.D. Ga., Case No. 1:17-cv-05087) 22. Bailey v. Equifax Inc., et al. (S.D.W.Va., Case No. 3:17-cv-04211) (N.D. Ga., Case No. 1:17-cv-05440) 23. Baker v. Equifax, Inc. (D. Minn., Case No. 0:17-cv04655) (N.D. Ga., Case No. 1:17-cv-05380) 24. Bakken, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03676) 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 50 of 295 25. Bakko v. Equifax, Inc. (E.D. Mich., Case No. 2:17-cv-13992) (N.D. Ga., Case No. 1:17-cv-05442) 26. Bandoh-Aidoo v. Equifax, Inc., et al. (C.D. Cal., Case No. 2:17-cv06658) (N.D. Ga., Case No. 1:17-cv-05002) 27. Barker v. Equifax, Inc. (C.D. Cal., Case No. 8:17-cv-01560) (N.D. Ga., Case No. 1:17-cv-05007) 28. Barone v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05958) (N.D. Ga., Case No. 1:17-cv-05362) 29. Becker, et al. v. Equifax Inc. (W.D. Tex., Case No. 5:17-cv-00900) (N.D. Ga., Case No. 1:17-cv-05500) 30. Beekman, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03492) 31. Belden v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05260) (N.D. Ga., Case No. 1:17-cv-05039) 32. Belfon v. Equifax Inc. (E.D.N.Y., Case No. 2:17-cv-06577) (N.D. Ga., Case No. 1:17-cv-05408) 33. Benavidez, et al. v. Equifax Inc., et al. (C.D. Ill., Case No. 4:17-cv04279) (N.D. Ga., Case No. 1:17-cv-05276) 34. Benson v. Equifax Inc. (W.D. Ky., Case No. 3:17-cv-00564) (N.D. Ga., Case No. 1:17-cv-05502) 35. Benway v. Equifax, Inc. (D. Md., Case No. 1:17-cv-03360) (N.D. Ga., Case No. 1:17-cv-05309) 36. Bethea, et al. v. Equifax, Inc., et al. (E.D. Va., Case No. 3:17-cv00648) (N.D. Ga., Case No. 1:18-cv-00055) 37. Biles v. Equifax, Inc. (N.D. Ill., Case No. 1:17-cv-08224) (N.D. Ga., Case No. 1:17-cv-05289) 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 51 of 295 38. Biorn v. Equifax Inc. (D. Mont., Case No. 2:17-cv-00071) (N.D. Ga. Case No. 1:17-cv-05412) 39. Bishop v. Equifax Inc. (S.D. Tex., Case No. 4:18-cv-02079) (N.D. Ga., Case No. 1:18-cv-03331) 40. Bitton v. Equifax Information Services, LLC, et al. (S.D.N.Y., Case No. 1:17-cv-06946) (N.D. Ga., Case No. 1:17-cv-05126) 41. Blake, et al. v. Equifax, Inc., et al. (D.N.J., Case No. 1:17-cv-07121) (N.D. Ga., Case No. 1:18-cv-00040) 42. Block v. Equifax, Inc., et al. (N.D. Cal., Case No. 5:17-cv-05367) (N.D. Ga., Case No. 1:17-cv-05341) 43. Bobbitt v. Equifax, Inc. (N.D. Ill., Case No. 1:17-cv-08631) (N.D. Ga., Case No. 1:18-cv-00142) 44. Bologna, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03578) 45. Boothman v. Equifax Credit Information Services, Inc. (E.D. Pa., Case No. 2:18-cv-01665) (N.D. Ga., Case No. 1:18-cv-02022) 46. Bordelon v. Equifax Information Services LLC (W.D. La., Case No. 6:18-cv-01137) (N.D. Ga., Case No. 1:18-cv-05609) 47. Boundy, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03480) 48. Bradley v. Equifax, Inc. (D.N.J., Case No. 1:17-cv-07276) (N.D. Ga., Case No. 1:18-cv-00042) 49. Branch v. Equifax Inc. (N.D. Cal., Case No. 5:17-cv-05429) (N.D. Ga., Case No. 1:17-cv-05343) 50. Brandon v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03454) 51. Brannan, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03708) 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 52 of 295 52. Breen, et al. v. Equifax Inc. (D.S.C., Case No. 4:17-cv-03395) (N.D. Ga., Case No. 1:18-cv-00134) 53. Brock, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-04510) 54. Broder v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03587) 55. Brodsky v. Equifax Inc. (E.D.N.Y., Case No. 2:17-cv-05528) (N.D. Ga., Case No. 1:17-cv-05405) 56. Brown v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03449) 57. Brown v. Equifax Information Services, LLC, (M.D., Fla., Case No. 6:18-cv-01162) (N.D. Ga., Case No. 1:18-cv-03977) 58. Brumfield v. Equifax, Inc. (E.D.N.Y., Case No. 1:17-cv-06459) (N.D. Ga., Case No. 1:17-cv-05399) 59. Burns v. Equifax, Inc. (D. Minn., Case No. 0:19-cv-00851) (N.D. Ga., Case No. 1:19-cv-01924) 60. Bussey v. Equifax Credit Bureau (M.D. Ga., Case No. 7:17-cv-00158) (N.D. Ga., Case No. 1:17-cv-05197) 61. Butler v. Equifax Inc. (S.D. Cal., Case No. 3:17-cv-02158) (N.D. Ga., Case No. 1:17-cv-05242) 62. Byas, et al. v. Equifax, Inc. (N.D. Miss., Case No. 4:17-cv-00130) (N.D. Ga., Case No. 1:17-cv-05025) 63. Cadwallader, et al. v. Equifax Inc., et al. (D. Minn., Case No. 0:17cv-04640) (N.D. Ga., Case No. 1:17-cv-05379) 64. 04389) Calderon, et al. v. Equifax Inc., et al. (N.D. Ga., Case No. 1:17-cv- 65. Campbell v. Equifax Inc. (W.D. Wash., Case No. 2:17-cv-01657) (N.D. Ga., Case No. 1:17-cv-05491) 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 53 of 295 66. Campos v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-06579) (N.D. Ga., Case No. 1:17-cv-05397) 67. Caplan v. Equifax Information Services, LLC (E.D. Pa., Case No. 2:17-cv-04055) (N.D. Ga., Case No. 1:17-cv-05130) 68. Caraway v. Equifax, Inc. (N.D. Ohio, Case No. 4:18-cv-01388) (N.D. Ga., Case No. 1:18-cv-04753) 69. Carr, et al. v. Equifax Inc., et al. (D. Kan., Case No. 5:17-CV-04089) (N.D. Ga., Case No. 1:17-cv-05426) 70. 00626) Carter, et al. v. Equifax Inc., et al. (N.D. Ga., Case No. 1:18-cv- 71. Cary, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03433) 72. Casper v. Equifax, Inc. (M.D.N.C., Case No. 1:17-cv-01004) (N.D. Ga., Case No. 1:18-cv-01511) 73. Cederdahl v. Equifax Information Services, LLC (S.D. Iowa, Case No. 4:17-cv-00342) (N.D. Ga., Case No. 1:17-cv-05371) 74. Chehebar v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11414) (N.D. Ga., Case No. 1:17-cv-05428) 75. Chehebar v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11417) (N.D. Ga., Case No. 1:17-cv-05429) 76. Chenault v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03764) 77. Cherney, et al. v. Equifax, Inc. (E.D. Mich., Case No. 2:17-cv-12966) (N.D. Ga., Case No. 1:17-cv-05017) 78. Cho v. Equifax, Inc., et al. (C.D. Cal., Case No. 2:17-cv-08548) (N.D. Ga., Case No. 1:18-cv-00032) 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 54 of 295 79. Christen, et al. v. Equifax Inc. (D.N.J., Case No. 2:17-cv-06951) (N.D. Ga., Case No. 1:17-cv-05059) 80. Clark, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03497) 81. Clark, et al. v. Equifax Inc. (D.N.M., Case No. 1:17-cv-01118) (N.D. Ga., Case No. 1:17-cv-05417) 82. Coade-Wingate v. Equifax Inc., et al. (N.D.N.Y., Case No. 1:17-cv01136) (N.D. Ga., Case No. 1:18-cv-00001) 83. Cofield, et al. v. Equifax Inc., et al. (D. Md., Case No. 1:17-cv-03119) (N.D. Ga., Case No. 1:18-cv-01550) 84. Cole v. Equifax Inc. (D. Mass., Case No. 1:17-cv-11712) (N.D. Ga., Case No. 1:17-cv-05015) 85. Cole, et al. v. Equifax Inc., et al. (D. Vt., Case No. 5:17-cv-00223) (N.D. Ga., Case No. 1:18-cv-00046) 86. Coleman v. Equifax, Inc. (M.D. Tenn., Case No. 3:18-cv-00004) (N.D. Ga., Case No. 1:18-cv-00329) 87. Collins v. Equifax, Inc. (C.D. Cal., Case No. 8:17-cv-01561) (N.D. Ga., Case No. 1:17-cv-05021) 88. Collins v. Equifax, Inc. (S.D. Tex., Case No. 1:17-cv-00187) (N.D. Ga., Case No. 1:17-cv-05088) 89. Cooper, et al. v. Equifax Incorporated, et al. (D. Ariz., Case No. 4:17CV-00490) (N.D. Ga., Case No. 1:17-cv-05222) 90. Cowherd v. Equifax, Inc. (S.D. Tex., Case No. 4:18-cv-02230) (N.D. Ga., Case No. 1:18-cv-04699) 91. Cox, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03586) 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 55 of 295 92. Crossett v. Equifax, Inc. (E.D. Mo., Case No. 4:17-cv-02434) (N.D. Ga., Case No. 1:17-cv-05452) 93. Crow, et al. v. Equifax, Inc. (N.D. Cal., Case No. 4:17-cv-05355) (N.D. Ga., Case No. 1:17-cv-05340) 94. Cuevas v. Equifax Inc., et al. (C.D. Cal., Case No. 2:17-cv-08604) (N.D. Ga., Case No. 1:18-cv-00033) 95. Cunniff v. Equifax, Inc. (N.D. Ga., Case No. 1:18-cv-01070) 96. Dash v. Equifax Information Services LLC (S.D.N.Y., Case No. 1:17cv-07076) (N.D. Ga., Case No. 1:17-cv-05529) 97. Dash v. Equifax Information Services LLC (W.D. Tex., Case No. 1:17-cv-00901) (N.D. Ga., Case No. 1:17-cv-05460) 98. Daughtery, et al. v. Equifax Inc. (E.D. Ark., Case No. 4:17-cv-00597) (N.D. Ga., Case No. 1:17-cv-05228) 99. Davis, et al. v. Equifax Inc. (N.D. Ala., Case No. 7:17-cv-01595) (N.D. Ga., Case No. 1:17-cv-05219) 100. Davis, et al. v. Equifax, Inc. (S.D.N.Y., Case No. 1:17-cv-06883) (N.D. Ga., Case No. 1:17-cv-05125) 101. Day v. Equifax Inc. (D. Colo., Case No. 1:18-cv-00042) (N.D. Ga., Case No. 1:18-cv-00364) 102. Dela Cruz v. Equifax Inc., et al. (C.D. Cal., Case No. 8:17-cv-02084) (N.D. Ga., Case No. 1:18-cv-00034) 103. Derby v. Equifax, Inc. (W.D. Pa., Case No. 2:17-cv-01186) (N.D. Ga., Case No. 1:17-cv-05068) 104. Dhuka, et al. v. Equifax, Inc. (W.D. Tex., Case No. 1:17-cv-00919) (N.D. Ga., Case No. 1:17-cv-05463) 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 56 of 295 105. Diaz v. Equifax Inc. (S.D.N.Y., Case No. 7:17-cv-08175) (N.D. Ga., Case No. 1:18-cv-00082) 106. DiMichele, et al. v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-06527) (N.D. Ga., Case No. 1:18-cv-000648) 107. Dixon, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03809) 108. Domino, et al. v. Equifax, Inc. (S.D. Fla., Case No. 0:17-cv-61936) (N.D. Ga., Case No. 1:17-cv-05284) 109. Donnelly v. Equifax Inc. et al. (N.D. Ga., Case No. 1:18-cv-00361) 110. Dowgin v. Equifax, Inc. (D.N.J., Case No. 1:17-cv-06923) (N.D. Ga., Case No. 1:17-cv-05050) 111. Dremak v. Equifax, Inc. (S.D. Cal., Case No. 3:17-cv-01829) (N.D. Ga., Case No. 1:17-cv-05193) 112. Dreni v. Equifax Credit Information Services (M.D. Fla., Case No. 2:18-cv-00770) (N.D. Ga., Case No. 1:18-cv-05816) 113. Dressler v. U.S. Department of Education, et al. (M.D. Fla., Case No. 2:18-cv-00311) (N.D. Ga., Case No. 1:18-cv-04345) 114. Duke, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03765) 115. Duran, et al. v. Equifax, Inc., et al. (C.D. Cal., Case No. 8:17-cv01571) (N.D. Ga., Case No. 1:17-cv-05023) 116. Duran v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-06584) (N.D. Ga., Case No. 1:17-cv-05396) 117. Durham v. Equifax, Inc., et al. (N.D. Ga., Case No. 1:17-cv-03452) 118. Earl v. Equifax, Inc., et al. (D.N.H., Case No. 1:17-cv-00513) (N.D. Ga., Case No. 1:17-cv-05418) 119. Eastman, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03512) 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 57 of 295 120. Eaton v. Equifax Information Services LLC (S.D.N.Y., Case No. 7:18cv-01958) (N.D. Ga., Case No. 1:18-cv-01146) 121. Edwards v. Equifax Info. Services, LLC (D.N.J., Case No. 2:18-cv08748) (N.D. Ga., Case No. 1:18-cv-02314) 122. Englert, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03509) 123. Eppy v. Equifax, Inc. (S.D. Fla., Case No. 0:17-cv-61833) (N.D. Ga., Case No. 1:17-cv-05283) 124. Eustice v. Equifax Inc. (S.D. Tex., Case No. 4:19-cv-02247) (N.D. Ga., Case No. 1:19-cv-03128) 125. Eustice v. Equifax Inc. (S.D. Tex., Case No. 4:19-cv-02248) (N.D. Ga., Case No. 1:19-cv-03129) 126. Eustice v. Equifax Inc. (S.D. Tex., Case No. 4:19-cv-02249) (N.D. Ga., Case No. 1:19-cv-03130) 127. Evans v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05454) (N.D. Ga., Case No. 1:17-cv-05344) 128. Fail, et al. v. Equifax, Inc., et al. (S.D. Ind., Case No. 1:17-cv-03581) (N.D. Ga., Case No. 1:17-cv-05290) 129. Faillace v. Equifax, Inc. (C.D. Cal., Case No. 2:17-cv-06721) (N.D. Ga., Case No. 1:17-cv-05006) 130. Farinella v. Equifax Information Services, LLC (E.D.N.Y., Case No. 2:17-cv-05548) (N.D. Ga., Case No. 1:17-cv-05406) 131. Fausz v. Equifax Information Services, LLC (W.D. Ky., Case No. 3:17-cv-00576) (N.D. Ga., Case No. 1:17-cv-05503) 132. Feehrer, et al. v. Equifax, Inc. (D.N.J., Case No. 1:17-cv-07803) (N.D. Ga., Case No. 1:18-cv-00045) 133. Feied v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv005524) (N.D. Ga., Case No. 1:17-cv-05345) 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 58 of 295 134. Fiore v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03456) 135. Flores v. Equifax, Inc. (N.D. Ga., Case. No. 18-cv-00117) 136. Flores, et al. v. Equifax Inc. (S.D.N.Y., Case No. 7:17-cv-07088) (N.D. Ga., Case No. 1:17-cv-05530) 137. Forrest v. Equifax Inc. (S.D. Tex. 1:18-cv-00113) (N.D. Ga., Case No. 1:18-cv-02936) 138. Frank, et al. v. Equifax Inc., et al. (N.D. Ala., Case No. 5:17-cv01611) (N.D. Ga., Case No. 1:17-cv-05218) 139. Frank v. Equifax Information Svcs. (S.D.N.Y., Case No. 1:18-cv03913) (N.D. Ga., Case No. 1:18-cv-02331) 140. Frazier v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-06587) (N.D. Ga., Case No. 1:17-cv-05395) 141. Fried v. Equifax Inc. (S.D. Cal., Case No. 3:17-cv-01955) (N.D. Ga., Case No. 1:17-cv-05240) 142. Friedman, et al. v. Equifax, Inc., et al. (D.N.J., Case No. 1:17-cv07022) (N.D. Ga., Case No. 1:17-cv-05060) 143. Fuhrman v. Equifax Inc., et al. (E.D. Mich., Case No. 2:17-cv-13508) (N.D. Ga., Case No. 1:17-cv-05312) 144. Gallant v. Equifax Inc. (D. Md., Case No. 8:17-cv-02712) (N.D. Ga., Case No. 1:17-cv-05024) 145. Galpern v. Equifax, Inc., et al. (N.D. Cal., Case No. 5:17-cv-05265) (N.D. Ga., Case No. 1:17-cv-05041) 146. Gastineau, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03769) 147. Gay v. Equifax, Inc. (D. Colo., Case No. 1:17-cv-02417) (N.D. Ga., Case No. 1:17-cv-05216) 148. Geller, et al. v. Equifax, Inc. (S.D. Fla., Case No. 9:17-cv-81056) (N.D. Ga., Case No. 1:17-cv-05288) 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 59 of 295 149. Gerstein, et al. v. Equifax Information Services, LLC (S.D. Ohio, Case No. 1:17-cv-00593) (N.D. Ga., Case No. 1:17-cv-05048) 150. Gersten, et al. v. Equifax, Inc. (S.D. Cal., Case No. 3:17-cv-01828) (N.D. Ga., Case No. 1:17-cv-05192) 151. Gettino v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04664) 152. Gibson v. Equifax, Inc. (D. Haw., Case No. 1:17-cv-00466) (N.D. Ga., Case No. 1:17-cv-05358) 153. Gibson, et al. v. Equifax, Inc. (W.D. Okla., Case No. 5:17-cv-00973) (N.D. Ga., Case No. 1:17-cv-05072) 154. Gladwell, et al. v. Equifax, Inc., et al. (S.D. W. Va., Case No. 5:17-cv04061) (N.D. Ga., Case No. 1:17-cv-05445) 155. Goldweber v. Equifax Inc. (N.D. Cal., Case No. 5:17-cv-05586) (N.D. Ga., Case No. 1:17-cv-05347) 156. Gottesman, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03498) 157. Gottlieb, et al. v. Equifax, Inc. (D.N.J., Case No. 1:17-cv-07615) (N.D. Ga., Case No. 1:18-cv-00044) 158. Gray, et al. v. Equifax Information Services, LLC (W.D. Ark., Case No. 6:17-cv-06095) (N.D. Ga., Case No. 1:17-cv-05171) 159. Green, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03487) 160. Greenlee v. Equifax, Inc. (C.D. Cal., Case No. 5:17-cv-01929) (N.D. Ga., Case No. 1:17-cv-05269) 161. Greenwald, et al. v. Equifax, Inc. (D.N.H., Case No. 1:17-cv-00438) (N.D. Ga., Case No. 1:17-cv-05411) 162. Groover v. Equifax Inc., et al. (S.D.N.Y., Case No. 1:17-cv-07082) (N.D. Ga., Case No. 1:17-cv-04511) 163. Grossberg, et al. v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-05280) (N.D. Ga., Case No. 1:17-cv-05061) 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 60 of 295 164. Guillen v. Equifax, Inc. (N.D. Ga., Case No. 1:19-cv-01580) 165. Gulley v. Equifax Inc., et al. (W.D. Ark., Case No. 4:17-cv-04088) (N.D. Ga., Case No. 1:17-cv-05229) 166. Halpin v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03872) 167. Hamilton, et al. v. Equifax, Inc. (C.D. Cal., Case No. 2:17-cv-06899) (N.D. Ga., Case No. 1:17-cv-05266) 168. Hamre, et al. v. Equifax Information Services, LLC (D.N.D., Case No. 3:17-cv-00196) (N.D. Ga., Case No. 1:17-cv-05446) 169. Harper v. Equifax Inc., et al. (D. Mass., Case No. 1:17-cv-11785) (N.D. Ga., Case No. 1:17-cv-05453) 170. Hebrlee, et al. v. Equifax, Inc., et al. (N.D. Ill., Case No. 1:17-CV07120) (N.D. Ga., Case No. 1:17-cv-05493) 171. Henderson v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03829) 172. Henderson v. Equifax, Inc., et al. (D. Minn., Case No. 0:17-cv-04289) (N.D. Ga., Case No. 1:17-cv-05377) 173. Hensley v. Equifax, Inc., et al. (E.D. Pa., Case No. 5:17-cv-04105) (N.D. Ga., Case No. 1:17-cv-05131) 174. Highfield v. Equifax, Inc., et al. (N.D. Ala., Case No. 5:17-cv-01567) (N.D. Ga., Case No. 1:17-cv-4989) 175. Hogue v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03781) 176. Horne, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03713) 177. House v. Equifax Inc., et al. (S.D. Iowa, Case No. 4:17-cv-00392) (N.D. Ga., Case No. 1:17-cv-05376) 178. House v. Equifax Inc. (D. Kan., Case No. 2:17-cv-02523) (N.D. Ga., Case No. 1:17-cv-05102) 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 61 of 295 179. Hyatt v. Equifax Information Services LLC, et al. (E.D. Wis., Case No. 1:17-cv-01670) (N.D. Ga., Case No. 1:17-cv-05441) 180. Ialacci v. Equifax Inc., et al. (N.D. Cal., Case No. 5:17-cv-05647) (N.D. Ga., Case No. 1:17-cv-05359) 181. Iraheta v. Equifax Information Services (W.D. La., Case No. 5:17-cv01363) (N.D. Ga., Case No. 1:18-cv-03792) 182. Irwin v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05735) (N.D. Ga., Case No. 1:17-cv-05360) 183. Jimenez v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03885) 184. Johns, et al. v. Equifax, Inc. (N.D. Cal., Case No. 5:17-cv-05372) (N.D. Ga., Case No. 1:17-cv-05342) 185. Johnson v. Equifax Inc. (D. Mont., Case No. 6:17-cv-00100) (N.D. Ga., Case No. 1:17-cv-05415) 186. Johnson, et al. v. Equifax, Inc., et al. (N.D. Tex., Case No. 3:17-cv02464) (N.D. Ga., Case No. 1:17-cv-05444) 187. Johnson, et al. v. Equifax Inc. (N.D. Tex., Case No. 3:17-cv-03135) (N.D. Ga., Case No. 1:17-cv-05447) 188. Jones, et al. v. Equifax Inc., et al. (N.D. Miss., Case No. 3:17-cv00211) (N.D. Ga., Case No. 1:17-cv-05325) 189. Joof v. Equifax Inc. (C.D. Cal., Case No. 2:17-cv-06659) (N.D. Ga., Case No. 1:17-cv-05003) 190. Jorge, et al. v. Equifax, Inc. (E.D.N.Y., Case No. 2:17-cv-05404) (N.D. Ga., Case No. 1:17-cv-05071) 191. Kalmick, et al. v. Equifax Inc. (W.D. Tex., Case No. 1:17-cv-00954) (N.D. Ga., Case No. 1:17-cv-05461) 192. Katz, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03798) 193. Kealy, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03443) 14 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 62 of 295 194. Kelley v. Equifax Inc. et al. (N.D. Ga., Case No. 1:18-cv-00418) 195. Kemp v. Equifax, Inc., et al. (N.D. Miss., Case No. 1:17-cv-00147) (N.D. Ga., Case No. 1:17-cv-05323) 196. Kendall v. Equifax Information Services, LLC (D.N.J., Case No. 2:17cv-06922) (N.D. Ga., Case No. 1:17-cv-05049) 197. Kerobyan v. Equifax Inc., et al. (C.D. Cal., Case No. 2:18-cv-05401) (N.D. Ga., Case No. 1:18-cv-04741) 198. Kilgore, et al. v. Equifax Information Services LLC (D.N.M., Case No. 1:17-cv-00942) (N.D. Ga., Case No. 1:17-cv-05070) 199. King v. Equifax, Inc. (S.D. Ind., Case No. 1:17-cv-03157) (N.D. Ga., Case No. 1:17-cv-05029) 200. King v. Equifax Inc. (S.D. Tex., Case No. 4:19-cv-00368) (N.D. Ga., Case No. 1:19-cv-00881) 201. Kishel, et al. v. Equifax Inc., et al. (N.D. Ga., Case No. 1:17-cv05139) 202. Klavans v. Equifax Inc., et al. (D. Del., Case No. 1:17-cv-01346) (N.D. Ga., Case No. 1:17-cv-05273) 203. Klein, et al. v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-05489) (N.D. Ga., Case No. 1:17-cv-05400) 204. Kloewer v. Equifax Inc. (D. Colo., Case No. 1:17-cv-03149) (N.D. Ga., Case No. 1:18-cv-00208) 205. Knepper v. Equifax Information Services, LLC (D. Nev., Case No. 2:17-cv-02368) (N.D. Ga., Case No. 1:17-cv-05154) 206. Kohn, et al. v. Equifax Inc., et al. (D.N.J., Case No. 1:17-cv-07257) (N.D. Ga., Case No. 1:18-cv-00041) 207. Kozlowski v. Bank of America, N.A., et al. (E.D. Cal., Case No. 1:18cv-00131) (N.D. Ga., Case No. 1:18-cv-01185) 15 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 63 of 295 208. Krachanus v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04694) 209. Krawcyk v. Equifax Inc. (W.D. Mo., Case No. 4:17-cv-00760) (N.D. Ga., Case No. 1:17-cv-05014) 210. Kruse v. Equifax Inc. (D. Minn., Case No. 0:19-cv-00177) (N.D. Ga., Case No. 1:19-cv-00879) 211. Kuss, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03436) 212. LaGasse, et al. v. Equifax, Inc., et al. (N.D. Ga., Case No. 1:17-cv03745) 213. Lamar v. Equifax, Inc. (C.D. Cal, Case No. 5:18-cv-01369) (N.D. Ga., Case No. 1:18-cv-05685) 214. Lander, et al. v. Equifax Inc. (E.D. Tex., Case No. 4:19-cv-00060) (N.D. Ga., Case No. 1:19-cv-00743) 215. Lang, et al. v. Equifax Information Services, LLC (N.D. Ill., Case No. 1:17-cv-06519) (N.D. Ga., Case No. 1:17-cv-05026) 216. Lapter v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03445) 217. Larson, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03905) 218. Lawyer v. Equifax Inc. (S.D. Tex., Case No. 4:17-cv-03161) (N.D. Ga., Case No. 1:17-cv-05498) 219. Lee, et al. v. Equifax Inc. (N.D. Cal., Case No. 5:17-cv-05553) (N.D. Ga., Case No. 1:17-cv-05346) 220. Lee v. Equifax Information Services, LLC (E.D.N.Y., Case No. 1:18cv-03133) (N.D. Ga., Case No. 1:18-cv-04698) 221. Leigh, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:18-cv-00116) 222. Leonardo v. Equifax Inc. (C.D. Cal., Case No. 2:18-cv-00647) (N.D. Ga., Case No. 1:18-cv-00622) 16 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 64 of 295 223. Levy v. Equifax Information Services, LLC, et al. (E.D.N.Y., Case No. 1:17-cv-05354) (N.D. Ga., Case No. 1:17-cv-05063) 224. Lewis v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03863) 225. Link v. Equifax Credit Information Services (D. Ariz., Case No. 2:18cv-04070) (N.D. Ga., Case No. 1:18-cv-05620) 226. Link v. Equifax Credit Information Services Incorporated (D. Ariz., Case No. 2:18-cv-04089) (N.D. Ga., Case No. 1:18-cv-05621) 227. Lipchitz v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03457) 228. Luciano v. Equifax Informational Services, LLC (E.D.N.Y., Case No. 1:19-cv-00437) (N.D. Ga., Case No. 1:19-cv-01370) 229. Lynch, et al. v. Equifax, Inc. (E.D. Tex., Case No. 4:17-cv-00640) (N.D. Ga., Case No. 1:17-cv-05090) 230. Mallh v. Equifax, Inc. (E.D.N.Y., Case No. 1:17-cv-05555) (N.D. Ga., Case No. 1:17-cv-05398) 231. Maloney v. Equifax, Inc. (E.D. Wi., Case No. 2:17-cv-01238) (N.D. Ga., Case No. 1:17-cv-05069) 232. Manaher v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03447) 233. Mann v. Equifax Information Services LLC (E.D. Pa., Case No. 2:17cv-04100) (N.D. Ga., Case No. 1:17-cv-05103) 234. Manopla v. Equifax Inc. (D.N.J., Case No. 3:17-cv-12275) (N.D. Ga., Case No. 1:17-cv-05492) 235. Manopla v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11424) (N.D. Ga., Case No. 1:17-cv-05431) 236. Manopla v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11440) (N.D. Ga., Case No. 1:17-cv-05435) 237. Manopla v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11419) (N.D. Ga., Case No. 1:17-cv-05430) 17 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 65 of 295 238. Mardock v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03499) 239. Martin, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03458) 240. Martin v. Equifax Inc. (M.D. Tenn., Case No. 3:17-cv-01246) (N.D. Ga., Case No. 1:17-cv-05116) 241. Martin v. Equifax, Inc. (N.D. Miss., Case No. 3:17-cv-00174) (N.D. Ga., Case No. 1:17-cv-05324) 242. Martin v. Equifax, Inc., et al. (S.D. Miss., Case No. 3:17-cv-00744) (N.D. Ga., Case No. 1:18-cv-00038) 243. Martinez, et al. v. Equifax, Inc. (S.D. Fla., Case No. 1:17-cv-23510) (N.D. Ga., Case No. 1:17-cv-05287) 244. Mashburn, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04159) 245. Mason v. Equifax, Inc. (D.S.C., Case No. 4:17-cv-02644) (N.D. Ga., Case No. 1:17-cv-05448) 246. McCall, et al. v. Equifax Information Services, LLC (D. Nev., Case No. 2:17-cv-02372) (N.D. Ga., Case No. 1:17-cv-5158) 247. McDowell, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03502) 248. McGonnigal, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv03422) 249. McHenry, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03582) 250. McHill, et al. v. Equifax Inc. (D. Or., Case No. 3:17-cv-01405) (N.D. Ga., Case No. 1:17-cv-05089) 251. McShan, et al. v. Equifax, Inc., et al. (C.D. Cal., Case No. 2:17-cv06764) (N.D. Ga., Case No. 1:17-cv-05020) 252. Mead, et al. v. Equifax Inc., et al. (D. Alaska, Case No. 3:17-cv00208) (N.D. Ga., Case No. 1:17-cv-05251) 18 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 66 of 295 253. Meade, et al. v. Equifax, Inc. (S.D. Ohio, Case No. 2:17-cv-00892) (N.D. Ga., Case No. 1:17-cv-05528) 254. Melrath v. Equifax, Inc., et al. (D. Del., Case No. 1:17-cv-01324) (N.D. Ga., Case No. 1:17-cv-05270) 255. Menzer v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03459) 256. Messer, et al. v. Equifax, Inc. (W.D. Tenn., Case No. 2:17-cv-02694) (N.D. Ga., Case No. 1:17-cv-05527) 257. Meyers, et al. v. Equifax Information Services, LLC, (N.D. Ill., Case No. 1:17-cv-06652) (N.D. Ga., Case No. 1:17-cv-05275) 258. Miller, et al. v. Equifax Inc., et al. (E.D. Cal., Case No. 2:17-cv01872) (N.D. Ga., Case No. 1:17-cv-04996) 259. Miller, et al. v. Equifax Inc., et al. (N.D. Okla., Case No. 4:17-cv00569) (N.D. Ga., Case No. 1:17-cv-05462) 260. Minka, et al. v. Equifax Information Services, LLC (E.D. Pa., Case No. 2:17-cv-04205) (N.D. Ga., Case No. 1:18-cv-00039) 261. Mirarchi v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04600) 262. Mobbs v. Equifax Inc., et al. (N.D. Cal., Case No. 5:17-cv-05815) (N.D. Ga., Case No. 1:17-cv-05361) 263. Mohamedali, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv03501) 264. Morgan v. Equifax Inc. (E.D. Va., Case No. 3:18-cv-00173) (N.D. Ga., Case No. 1:18-cv-01738) 265. Morris v. Equifax, Inc. (D. Colo., Case No. 1:17-cv-02178) (N.D. Ga., Case No. 1:17-cv-04990) 266. Murphy v. Equifax, Inc. (N.D. Cal., Case No. 4:17-cv-05262) (N.D. Ga., Case No. 1:17-cv-05040) 267. Murphy, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03613) 19 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 67 of 295 268. Muscarella, et al. v. Equifax Inc., et al. (N.D. Ga., Case No. 1:18-cv1240) 269. Myers, et al. v. Equifax Inc. (E.D. Cal., Case No. 2:17-at-01878) (N.D. Ga., Case No. 1:17-cv-04997 270. Napier v. Equifax Inc., et al. (D. Me., Case No. 1:17-cv-00372) (N.D. Ga., Case No. 1:17-cv-05327) 271. Neilan v. Equifax Inc. (N.D. Ill., Case No. 1:17-cv-06508) (N.D. Ga., Case No. 1:17-cv-05010) 272. Nguyen v. Equifax Inc. (N.D. Cal., Case No. 5:18-06143) (N.D. Ga., Case No. 1:18-cv-04920) 273. Ogburn v. Equifax, Inc., et al. (E.D. Va., Case No. 3:17-cv-00644) (N.D. Ga., Case No. 1:17-cv-05436) 274. O’Neill v. Equifax, Inc., et al. (N.D. Ga., Case No. 1:17-cv-03523) 275. O’Neill v. Equifax, Inc., et al. (D.N.J., Case No. 1:17-cv-07284) (N.D. Ga., Case No. 1:18-cv-00043) 276. Ostoya, et al. v. Equifax, Inc. (N.D. Ala., Case No. 2:17-cv-01550) (N.D. Ga., Case No. 1:17-cv-04987) 277. Pacelli v. Equifax Information Services, LLC (E.D. Pa., Case No. 2:17-cv-04246) (N.D. Ga., Case No. 1:17-cv-05526) 278. Pagliarulo v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03460) 279. Palmer v. Equifax, (D.S.C., Case No. 2:18-cv-02405) (N.D. Ga., Case No. 1:19-cv-01383) 280. Pantaze v. Equifax Information Services, LLC (N.D. Ala., Case No. 2:17-cv-01530) (N.D. Ga., Case No. 1:17-cv-04986) 281. Parkhill v. Equifax Inc., et al. (S.D. Tex., Case No. 4:17-cv-02931) (N.D. Ga., Case No. 1:17-cv-05496) 20 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 68 of 295 282. Partridge, et al. v. Equifax, Inc. (D. Utah, Case No. 2:17-cv-01017) (N.D. Ga., Case No. 1:17-cv-05419) 283. Partridge v. Equifax, Inc. (S.D. Ala., Case No. 1:17-cv-00423) (N.D. Ga., Case No. 1:17-CV-05227) 284. Paul v. Equifax, Inc. (E.D.N.Y., Case No. 2:17-cv-06588) (N.D. Ga., Case No. 1:17-cv-05409) 285. Pavesi, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03476) 286. Pavitt, et al. v. Equifax, Inc. (W.D. Wash., Case No. 2:17-cv-01363) (N.D. Ga., Case No. 1:17-cv-05101)Pawlowski v. U.S. Dep’t of Educ., et al. (E.D. Va., Case No. 1:18-cv-00626) (N.D. Ga., Case No. 1:18-cv-04611) 287. Pellitteri, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03881) 288. Perkins, et al. v. Equifax Inc. (N.D. Fla., Case No. 3:17-cv-00727) (N.D. Ga., Case No. 1:17-cv-05274) 289. Perkins, et al. v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-03479) 290. Peters, et al v. Equifax Information Services, LLC, et al. (C.D. Cal., Case No. 8:17-cv-01634) (N.D. Ga., Case No. 1:17-cv-05381) 291. Peterson, et al. v. Equifax, Inc. (S.D. Tex., Case No. 4:19-cv-00367) (N.D. Ga., Case No. 1:19-cv-00880) 292. Pflager v. Equifax (N.D. Ohio, Case No. 3:18-cv-01027) (N.D. Ga., Case No. 1:18-cv-04472) 293. Pierre, et al. v. Equifax, Inc., et al. (E.D. La., Case No. 2:17-cv10520) (N.D. Ga., Case No. 1:17-cv-05537) 294. Pino v. Equifax Inc., et al. (N.D. Ga., Case No. 1:17-cv-05140) 295. Pleasant, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03507) 296. Podalsky, et al. v. Equifax, Inc. (S.D. Fla., Case No. 1:17-cv-23465) (N.D. Ga., Case No. 1:17-cv-05286) 21 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 69 of 295 297. Potente v. Equifax Info. Services, LLC (D.N.J., Case No. 2:18-cv10489) (N.D. Ga., Case No. 1:18-cv-03327) 298. Powers, et al. v. Equifax Inc. (D.S.C., Case No. 6:17-cv-02510) (N.D. Ga., Case No. 1:17-cv-05450) 299. Prejean, et al. v. Equifax, Inc. (D. Haw., Case No. 1:17-cv-00468) (N.D. Ga., Case No. 1:17-cv-05367) 300. Pugliese v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03461) 301. Quagliani v. Equifax, Inc., et al. (D. Conn. Case No. 3:17-cv-01668) (N.D. Ga., Case No. 1:17-cv-05250) 302. Raffin v. Equifax, Inc. (C.D. Cal., Case No. 2:17-cv-06620) (N.D. Ga., Case No. 1:17-cv-05001) 303. Rajput v. Equifax, Inc. (N.D. Ala., Case No. 5:17-cv-01606) (N.D. Ga., Case No. 1:17-cv-05217) 304. Ramsay v. Equifax, Inc. (S.D. Tex., Case No. 4:17-cv-02783) (N.D. Ga., Case No. 1:17-cv-05495) 305. Ramirez v. Equifax, Inc., et al. (E.D. Pa., Case No. 2:18-cv-00083) (N.D. Ga., Case No. 1:18-cv-01025) 306. Ray v. Equifax Inc., et al. (D. Del., Case No. 1:17-cv-01331) (N.D. Ga., Case No. 1:17-cv-05272) 307. Ressetar, et al. v. Equifax, Inc., et al. (M.D. Pa., Case No. 3:17-cv01670) (N.D. Ga., Case No. 1:18-cv-00047) 308. Reyes v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv-06589) (N. D. Ga. Case No. 1:17-cv-05394) 309. Reyes v. Equifax, Inc. (E.D.N.Y., Case No. 1:17-cv-06590) (N.D. Ga., Case No. 1:17-cv-05410) 310. Rice, et al. v. Equifax, Inc. (N.D.W.V., Case No. 1:17-cv-00156) (N.D. Ga., Case No. 1:17-cv-05128) 22 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 70 of 295 311. Rich v. Equifax Information Services, LLC (W.D. Pa., Case No. 3:17cv-00229) (N.D. Ga., Case No. 1:17-cv-05505) 312. Richmond, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03477) 313. Riveles v. Equifax Information Services, Inc. (E.D.N.Y., Case No. 2:18-cv-00349) (N.D. Ga., Case No. 1:18-cv-00480) 314. Ruscitto v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03444) 315. Salinas, et al. v. Equifax, Inc. (N.D. Cal., Case No. 3:17-cv-05284) (N.D. Ga., Case No. 1:17-cv-05042) 316. Samson v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03448) 317. Sander v. Equifax Inc., et al. (D.D.C., Case No. 1:17-cv-02119) (N.D. Ga., Case No. 1:17-cv-05230) 318. Santomauro v. Equifax Inc. (D.D.C., Case No. 1:17-cv-01852) (N.D. Ga., Case No. 1:17-cv-05028) 319. Schifano, et al. v. Equifax Inc. (C.D. Cal., Case No. 2:17-cv-06996) (N.D. Ga., Case No. 1:17-cv-05267) 320. Scott v. Equifax Inc. (C.D. Cal., Case No. 2:17-cv-06715) (N.D. Ga., Case No. 1:17-cv-05005) 321. Seror v. Equifax Inc. (D.N.J., Case No. 3:17-cv-11437) (N.D. Ga., Case No. 1:17-cv-05432) 322. Seymore, et al. v. Equifax, Inc. (S.D. Cal., Case No. 3:17-cv-01871) (N.D. Ga., Case No. 1:17-cv-05196) 323. Shack v. Equifax, Inc. (N.D. Ill., Case No. 1:19-cv-02622) (N.D. Ga., Case No. 1:19-cv-02527) 324. Sievers v. Equifax Inc., et al. (D. Mont., Case No. 4:17-cv-00103) (N.D. Ga., Case No. 1:17-cv-05416) 325. Sikes v. Equifax Inc., et al. (W.D.N.C., Case No. 1:17-cv-00258) (N.D. Ga., Case No. 1:17-cv-05422) 23 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 71 of 295 326. Simmons, et al. v. Equifax, Inc., et al. (N.D. Ga., Case No. 1:17-cv03659) 327. Skye v. Equifax Inc. (D. Mass., Case No. 1:17-cv-11742) (N.D. Ga., Case No. 1:17-cv-05016) 328. Smith, et al. v. Equifax Inc., et al. (N.D. Ohio, Case No. 1:17-cv02183) (N.D. Ga., Case No. 1:17-cv-05499) 329. Smith, et al. v. Equifax Inc., et al. (S.D. Tex., Case No. 4:17-cv02939) (N.D. Ga., Case No. 1:17-cv-05497) 330. Acosta-Smith v. Equifax Inc., et al. (C.D. Cal., Case No. 8:18-0005) (N.D. Ga., Case No. 1:18-cv-01467) 331. Smith v. Equifax Inc. (N.D. Ala., Case No. 2:18-cv-01147) (N.D. Ga., Case No. 1:19-cv-00744) 332. Solomon v. Equifax Incorporated, (D. Ariz., Case No. 2:18-cv-01567) (N.D. Ga., Case No. 1:18-cv-02842) 333. Southwick, et al. v. Equifax Inc., et al. (W.D. Okla., Case No. 5:17-cv01184) (N.D. Ga., Case No. 1:17-cv-05459) 334. Spicer v. Equifax Inc., et al. (N.D. Cal., Case No. 5:17-cv-05228) (N.D. Ga., Case No. 1:17-cv-05037) 335. Sprecher v. Equifax Inc., et al. (N.D. Ga., Case No. 1:17-cv-05141) 336. St. Clair, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04792) 337. Stabenow, et al. v. Equifax, Inc. (M.D. Fla., Case No. 8:17-cv-02289) (N.D. Ga., Case No. 1:17-cv-05370) 338. Stanfield, et al. v. Equifax Inc. (S.D. Ill., Case No. 3:17-cv-01102) (N.D. Ga., Case No. 1:17-cv-05223) 339. Stewart, et al. v. Equifax Inc., et al. (E.D. Mo., Case No. 4:17-cv02433) (N.D. Ga., Case No. 1:17-cv-05451) 24 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 72 of 295 340. Stiles v. Equifax Inc., et al. (W.D. Ky., Case No. 5:17-cv-00144) (N.D. Ga., Case No. 1:17-cv-05504) 341. Strange v. Equifax Inc. (W.D. La., Case No. 5:17-cv-01615) (N.D. Ga., Case No. 1:18-cv-00209) 342. Strauchman v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03482) 343. Tada, et al. v. Equifax, Inc. (C.D. Cal., Case No. 2:17-cv-06666) (N.D. Ga., Case No. 1:17-cv-05004) 344. Taenzer, et al. v. Equifax, Inc., et al. (S.D. Iowa, Case No. 4:17-cv00349) (N.D. Ga., Case No. 1:17-cv-05375) 345. Tanks, et al. v. Equifax, Inc. (S.D. Cal., Case No. 3:17-cv-01832) (N.D. Ga., Case No. 1:17-CV-05194) 346. Tate, et al. v. Equifax, Inc. (W.D.N.C., Case No. 3:17-cv-00555) (N.D. Ga., Case No. 1:17-cv-05424) 347. Tepfenhart, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03571) 348. Thomson, et al. v. Equifax Inc. (N.D. Tex., Case No. 3:17-cv-02468) (N.D. Ga., Case No. 1:17-cv-05443) 349. Tirelli, et al. v. Equifax Information Services, LLC (S.D.N.Y., Case No. 7:17-cv-06868) (N.D. Ga., Case No. 1:17-cv-05124) 350. Tomas v. Equifax Inc., et al. (N.D. Ga. 18:-cv-00466) 351. Tomlin, et al. v. Equifax Information Services, LLC (E.D. Ky., Case No. 2:17-cv-00158) (N.D. Ga., Case No. 1:17-cv-05009) 352. Tomlinson v. Equifax Inc. (E.D. Ky., Case No. 3:17-cv-00087) (N.D. Ga., Case No. 1:17-cv-05310) 353. Torrey v. Equifax Information Services, LLC (N.D. Ohio, Case No. 1:17-cv-01922) (N.D. Ga., Case No. 1:17-cv-05058) 354. Tosco, et al. v. Equifax Inc. (S.D. Fl., Case No. 1:17-cv-24136) (N.D. Ga., Case No. 1:18-cv-00365) 25 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 73 of 295 355. Trevino v. Equifax, Inc., et al. (C.D. Cal., Case No. 2:17-cv-07180) (N.D. Ga., Case No. 1:17-cv-05268) 356. Turner v. Equifax Inc. (S.D. Cal., Case No. 3:17-cv-02041) (N.D. Ga., Case No. 1:17-cv-05241) 357. Turner, et al. v. Equifax Inc. et al. (N.D. Ga., Case No. 1:18-cv00112) 358. Tweeddale v. Equifax, Inc. (M.D. Fla., Case No. 6:17-cv-01936) (N.D. Ga., Case No. 1:17-cv-05369) 359. Vice v. Equifax Inc. (N.D. Ga., Case No. 1:17-cv-04250) 360. Vita, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03484) 361. Vonwiller v. Equifax Information Services, LLC (S.D. Cal., Case No. 3:17-cv-01839) (N.D. Ga., Case No. 1:17-cv-05195) 362. Walker, et al. v. Equifax, Inc. (N.D. Ala., Case No. 5:17-cv-01527) (N.D. Ga., Case No. 1:17-cv-04988) 363. Walton v. Equifax Inc., et al. (S.D. Ind., Case No. 1:18-cv-00225) (N.D. Ga., Case No. 1:18-cv-02863) 364. Ward, et al. v. Equifax, Inc., et al. (D. Md., Case No. 1:17-cv-3246) (N.D. Ga., Case No. 1:18-cv-1471) 365. Warren v. Equifax Information Services, LLC (N.D. Ga., Case No. 1:18-cv-02044) 366. Washburn, et al. v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03451) 367. Weaver, et al. v. Equifax, Inc. (W.D.N.C., Case No. 1:17-cv-00268) (N.D. Ga., Case No. 1:17-cv-05423) 368. Whipper, et al. v. Equifax, Inc., et al. (W.D. Pa., Case No. 1:17-cv00248) (N.D. Ga., Case No. 1:18-cv-00056) 369. White, et al v. Equifax, Inc. (C.D. Cal., Case No. 2:17-cv-07991) (N.D. Ga., Case No. 1:17-cv-05291) 26 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 74 of 295 370. Whitfill, et al. v. Equifax Inc., et al. (N.D. Tex., Case No. 4:17-cv00771) (N.D. Ga., Case No. 1:17-cv-05490) 371. Whittington v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-04940) 372. Wilhite v. Equifax Inc. (S.D. Tex., Case No. 4:18-cv-02062) (N.D. Ga., Case No. 1:18-cv-03328) 373. Wilhite v. Equifax Inc. (S. D. Tex., Case No. 4:18-cv-02067) (N.D. Ga., Case No. 1:18-cv-03329) 374. Wilhite v. Equifax Inc. (S.D. Tex., Case No. 4:18-cv-02077) (N.D. Ga., Case No. 1:18-cv-03330) 375. Wilhite v. Equifax Inc. (S.D. Tex., Case No. 4:18-cv-02080) (N.D. Ga., Case No. 1:18-cv-03332) 376. Wilkins v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03972) 377. Williams v. Equifax Inc., et al. (D. Md., Case No. 1:17-cv-02803) (N.D. Ga., Case No. 1:17-cv-05308) 378. Williams v. Equifax Inc., et al. (E.D. Mich., Case No. 2:17-cv-13307) (N.D. Ga., Case No. 1:17-cv-05311) 379. Williams v. Equifax Inc. (E.D.N.Y., Case No. 1:17-cv06591) (N.D. Ga., Case No. 1:17-cv-05393) 380. Wiltz, et al. v. Equifax, Inc., et al. (S.D. Tex., Case No. 4:17-cv02778) (N.D. Ga., Case No. 1:17-cv-05494) 381. Wolf v. Equifax, Inc. (N.D. Ga., Case No. 1:17-cv-03450) 382. Wolf v. Equifax, Inc. (N.D. Ga., Case No. 1:18-cv-135) 383. Wong v. Equifax, Inc., et al. (D.R.I., Case No. 1:17-cv-00489) (N.D. Ga., Case No. 1:17-cv-05501) 384. Woods, et al. v. Equifax, Inc. (E.D. Tex., Case No. 4:17-cv-00660) (N.D. Ga., Case No. 1:18-cv-00023) 27 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 75 of 295 385. Young v. Equifax Inc. (M.D. Fla., Case No. 2:17-cv-00538) (N.D. Ga., Case No. 1:17-cv-05326) 386. Zamora v. Equifax, Inc., et al. (D.N.J., Case No. 2:17-cv-07085) (N.D. Ga., Case No. 1:17-cv-05062) 387. Ziegeler v. Equifax Inc. (W.D. Tex., Case No. 6:19-cv-00260) (N.D. Ga. Case No. 1:19-cv-01996) 388. Zweig v. Equifax, Inc. (E.D.N.Y., Case No. 1:17-cv-05366) (N.D. Ga., Case No. 1:17-cv-05067) 389. Zweig, et al. v. Equifax Inc., et al. (S.D.N.Y., Case No. 7:17-cv07090) (N.D. Ga., Case No. 1:17-cv-05531) 390. Zribi v. Equifax, Inc., et al. (D. Conn., Case No. 3:17-cv-01710) (N.D. Ga., Case No. 1:17-cv-05328) 28 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 76 of 295 EXHIBIT 2 EQUIFAX BUSINESS PRACTICES COMMITMENTS Unless otherwise specified below, the following security measures or their equivalents will be deployed and maintained by Equifax for at least 5 years from the date the District Court grants final approval of the Settlement Agreement unless otherwise specified below: 1 Scope: This Agreement shall apply to all networking equipment, databases or data stores, applications, servers, and endpoints that: (1) are capable of accessing, using or sharing software, data, and hardware resources; (2) are owned, operated, and/or controlled by Equifax; and (3) collect, process, store, have access, or grant access to Personal Information of consumers who reside in the United States, but excluding networking equipment, databases or data stores, applications, servers, or endpoints outside of the U.S. where access to Personal Information is restricted using a risk-based control (“Equifax Network”). a. “Personal Information” shall have the same meaning as set forth in the data privacy laws in the states in which Class Members reside, unless preempted by federal law. b. The “NIST Standard” refers to the most recent applicable NIST guidance, beginning with NIST 800-53r4, as the primary set of standards, definitions, and controls. Where this Agreement requires Equifax to test cyber resilience, Equifax will use an industryrecognized cybersecurity framework (for example, NIST CSF framework). Where this Agreement refers to “NIST or another comparable standard,” Equifax either will use the NIST standard indicated above or another industry-recognized cybersecurity standard that satisfies Regulator Requirements. c. “Regulator” means the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), or the multi-state group of state Attorneys General investigating the 2017 Data Breach. If no Regulator is willing or able to make a determination under this Agreement, then one of the attorneys designated as CoLead Counsel for the Consumer Plaintiffs in this multi-district 1 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 77 of 295 litigation, or their law firms, and Equifax’s CISO or their designee shall, in good faith, reach a determination. 2 Information Security Program: Within ninety (90) days of final approval, Equifax shall implement, and thereafter regularly maintain, review, and revise a comprehensive Information Security Program that is reasonably designed to protect the confidentiality, integrity, and availability of the Personal Information that Equifax collects, processes, or stores on the Equifax Network. 3 Managing Critical Assets: Equifax shall identify and document a comprehensive IT asset inventory, using an automated tool(s) where practicable, that, consistent with NIST or another comparable standard, will inventory and classify, and issue reports on, all assets that comprise the Equifax Network, including but not limited to software, applications, network components, databases, data stores, tools, technology, and systems. The asset inventory required under this paragraph shall be regularly updated and, at a minimum, identify: (a) the name of the asset; (b) the version of the asset; (c) the owner of the asset; (d) the asset’s location within the Equifax Network; and (e) the asset’s criticality rating. Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process1 establishing that hardware and software within the Equifax Network be rated based on criticality, factoring in whether such assets are used to collect, process, or store Personal Information. Equifax shall comply with this provision by June 30, 2020. 4 Data Classification: Equifax shall maintain and regularly review and revise as necessary a data classification and handling standard.                                                              1 “Governance Process” shall mean any written policy, standard, procedure or process (or any combination thereof) designed to achieve a control objective with respect to the Equifax Network. 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 78 of 295 5 Security Information and Event Management: Consistent with NIST or another comparable standard, Equifax shall implement a comprehensive, continuous, risk-based SIEM s olution (or equivalent). Equifax shall continuously monitor, and shall test on at least a monthly basis, any tool used pursuant to this paragraph, to properly configure, regularly update, and maintain the tool, to ensure that the Equifax Network is adequately monitored. 6 Logging and Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing: (1) risk-based monitoring and logging of security events, operational activities, and transactions on the Equifax Network, (2) the reporting of anomalous activity through the use of appropriate platforms, and (3) requiring tools used to perform these tasks be appropriately monitored and tested to assess proper configuration and maintenance. The Governance Process shall include the classification of security events based on severity and appropriate remediation timelines based on classification. 7 Vulnerability Scanning: Equifax shall implement and maintain a riskbased vulnerability scanning program reasonably designed to identify and assess vulnerabilities within the Equifax Network. 8 Penetration Testing: Equifax shall implement and maintain a risk-based penetration-testing program reasonably designed to identify and assess security vulnerabilities within the Equifax Network. 9 Vulnerability Planning: Equifax shall rate and rank the criticality of all vulnerabilities within the Equifax Network. For each vulnerability that is ranked most critical, Equifax shall commence remediation planning within twenty-four (24) hours after the vulnerability has been rated as critical and shall apply the remediation within one (1) week after the vulnerability has received a critical rating. If the remediation cannot be applied within one (1) week after the vulnerability has received a critical rating, Equifax shall identify or implement compensating controls designed to protect Personal Information as soon as practicable but no later than one (1) week after the vulnerability received a critical rating. 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 79 of 295 10 Patch Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process to maintain, keep updated, and support the software on the Equifax Network. Equifax shall maintain reasonable controls to address the potential impact that security updates and patches may have on the Equifax Network and shall maintain a tool that includes an automated Common Vulnerabilities and Exposures (CVE) feed with regular updates regarding known CVEs. 11 Threat Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a threat management program designed to appropriately monitor the Equifax Network for threats and assess whether monitoring tools are appropriately configured, tested, and updated. 12 Access Control and Account Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to appropriately manage Equifax Network accounts. This Governance Process shall include, at a minimum, (1) implementing appropriate password, multi-factor, or equivalent authentication protocols; (2) implementing and maintaining appropriate policies for the secure storage of Equifax Network account passwords, including policies based on industry best practices; and (3) limiting access to Personal Information by persons accessing the Equifax Network on a least-privileged basis. 13 File Integrity Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to provide prompt notification of unauthorized modifications to the Equifax Network. 14 Legacy Systems: Equifax shall develop and implement a risk-based plan to remediate current legacy systems on a schedule that provides for remediation within five years following final approval of this Agreement and which includes applying compensating controls until the systems are remediated. Equifax shall also maintain a Governance Process for active lifecycle management for replacing and deprecating legacy systems when they reach end of life. 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 80 of 295 15 Encryption: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process requiring Equifax either to encrypt Personal Information or otherwise implement adequate compensating controls. 16 Data Retention: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a retention schedule for Personal Information on the Equifax Network and a process for deletion or destruction of Personal Information when such information is no longer necessary for a business purpose, except where such information is otherwise required to be maintained by law. 17 TrustedID Premier: Equifax, including by or through any partner, affiliate, agent, or third party, shall not use any information provided by consumers (or the fact that the consumer provided information) to enroll in TrustedID Premier to sell, upsell, or directly market or advertise its feebased products or services. 18 Mandatory Training: Equifax shall establish an information security training program that includes, at a minimum, at least annual information security training for all employees, with additional training to be provided as appropriate based on employees’ job responsibilities. 19 Vendor Management: Equifax shall oversee its third party vendors who have access to the Equifax Network by maintaining and periodically reviewing and revising, as needed, a Governance Process for assessing vendor compliance in accordance with Equifax’s Information Security Program to assess whether the vendor’s security safeguards are appropriate for that business, which Governance Process requires vendors by contract to implement and maintain such safeguards and to notify Equifax within seventy-two (72) hours of discovering a security event, where feasible. 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 81 of 295 20 Incident Response Exercises: Equifax shall conduct, at a minimum, biannual incident response plan exercises to test and assess its preparedness to respond to a security event. 21 Breach Notification: Equifax shall comply with the state data breach notification laws, as applicable, and unless preempted by federal law. 22 Information Security Spending: Equifax shall ensure that its Information Security Program receives the resources and support reasonably necessary for the Information Security Program to function as required by this Settlement. In addition, over a five-year period beginning 1/1/2019, Equifax shall spend a minimum of $1 billion on data security and related technology. 23 Third-Party Assessments: Equifax shall engage a Third-Party Assessor meeting the criteria specified in this Agreement to conduct a SOC 2 Type 2 attestation, or to conduct an assessment using industry-recognized procedures and standards in satisfaction of Regulator requirements for this Agreement (the “Third-Party Assessments”). The Third-Party Assessments will meet the following minimum standards, unless a Regulator expressly authorizes otherwise: a. The Third-Party Assessments will be conducted by an unbiased, independent, cybersecurity organization agreeable both to Equifax and a Regulator. Prior to selection, Equifax will disclose to the Regulator approving the Third-Party Assessor any compensated engagement by Equifax of the Third-Party Assessor in the 2 years prior to the assessment. The Third-Party Assessor shall be a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or a similarly qualified organization; and have at least five (5) years of experience evaluating the effectiveness of computer system security or information system security. b. The scope of the Third-Party Assessments, including the assertion statements required, will be established by the Third-Party Assessor in consultation with Equifax. 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 82 of 295 c. The Third-Party Assessments will evaluate Equifax’s Information Security Program, including its policies and practices, consistent with NIST or another comparable standard. d. The reporting periods for the Third-Party Assessments shall (1) cover the first 180 days following final approval of this Agreement for the initial Third-Party Assessment, and each two-year period thereafter for a total of seven (7) years. Provided, however, that the parties agree in good faith to adjust this timeline to align with ThirdParty Assessments performed for Regulators to the extent that they are used to satisfy this Agreement. e. The Third-Party Assessor will confirm that Equifax has complied with the terms of this Agreement. f. The Third-Party Assessments will identify deficiencies in Equifax’s Information Security Program and, in good faith cooperation with Equifax’s CISO or their designee, prioritize and establish dates by which Equifax shall remediate the deficiencies identified or implement compensating controls. g. Within 30 days after the close of each reporting period in Paragraph 23(d) above, the Third-Party Assessor will provide to a designated Consumer Plaintiffs’ Counsel a verification of compliance with this Agreement, which includes the identification of material deficiencies and Equifax’s corresponding plan pursuant to Paragraph 23(f). h. Equifax may use a Third-Party Assessment performed in satisfaction of obligations to government entities to meet the Third-Party Assessment requirement here, provided that the assessment complies with Paragraph 23. 24 Regulator Requirements: The Parties acknowledge that Equifax may be obligated to comply with requirements governing Equifax’s Information Security Program and Third-Party Assessments as part of the resolution of claims stemming from the 2017 Data Breach and asserted against Equifax 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 83 of 295 by certain government entities (the “Regulator Requirements”). In the event that any of the specific obligations set forth in the above provisions conflict with provisions set forth in the Regulator Requirements regarding the same or similar obligations, then the more restrictive Regulator provision shall apply and supersede the less restrictive provision in this Agreement. 25 Miscellaneous: In the event that technological or industry developments or intervening changes in law render any of the provisions set forth in this Agreement obsolete or make compliance by Equifax with any provision impossible or technically impractical, Equifax will provide notice to CoLead Counsel for Consumer Plaintiffs. If the Parties reach a mutual agreement that the elimination or modification of a provision is appropriate, they may jointly petition the Court to eliminate or modify such provision. If the Parties fail to reach an agreement, Equifax may petition the Court to eliminate or modify such provision. Under any circumstances, to the extent Consumer Plaintiffs believe that Equifax is not complying with any business practices commitments, they will first meet and confer with Equifax prior to seeking relief from the Court. 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 84 of 295 EXHIBIT 3 PROPOSED CONSENT ORDER Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 85 of 295 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION _____________________________ ) MDL Docket No. 2800 In re: Equifax, Inc. Customer ) Case No.: 1:17-md-2800-TWT Data Security Breach Litigation ) ) CONSUMER CASES ) _____________________________ ) [PROPOSED] CONSENT ORDER On July ___, 2019, the Consumer Plaintiffs, by and through the Settlement Class Representatives on behalf of themselves and the Settlement Class, entered into a Settlement Agreement with Defendants Equifax Inc., Equifax Information Services LLC, and Equifax Consumer Services LLC (collectively “Equifax”) to resolve the consumer track of the above-captioned litigation. Pursuant to Sections 2.7, 4.1.1, and 4.1.2, and Exhibits 2 and 3 of the Settlement Agreement, Equifax is obligated to undertake certain Business Practice Commitments that are to be memorialized in a Consent Order entered by this Court in connection with the Judgment. The Court, having reviewed the Settlement Agreement, Exhibits, and Business Practices Commitments set forth therein, hereby ORDERS as follows: Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 86 of 295 Unless otherwise specified below, the following security measures or their equivalents will be deployed and maintained by Equifax for at least five (5) years from the date this Court grants final approval of the Settlement Agreement: 1. Scope: This Order shall apply to all networking equipment, databases or data stores, applications, servers, and endpoints that: (1) are capable of accessing, using or sharing software, data, and hardware resources; (2) are owned, operated, and/or controlled by Equifax; and (3) collect, process, store, have access, or grant access to Personal Information of consumers who reside in the United States, but excluding networking equipment, databases or data stores, applications, servers, or endpoints outside of the U.S. where access to Personal Information is restricted using a risk-based control (“Equifax Network”). For purposes of this Order, the following definitions apply: a. “Personal Information” shall have the same meaning as set forth in the data privacy laws in the states in which Class Members reside, unless preempted by federal law. b. The “NIST Standard” refers to the most recent applicable NIST guidance, beginning with NIST 800-53r4, as the primary set of standards, definitions, and controls. Where this Order requires 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 87 of 295 Equifax to test cyber resilience, Equifax will use an industryrecognized cybersecurity framework (for example, NIST CSF framework). Where this Order refers to “NIST or another comparable standard,” Equifax either will use the NIST standard indicated above or another industry-recognized cybersecurity standard that satisfies Regulator Requirements. c. “Regulator” means the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), or the multi-state group of state Attorneys General investigating the 2017 Data Breach. If no Regulator is willing or able to make a determination under this Order, then one of the attorneys designated as Co-Lead Counsel for the Consumer Plaintiffs in this multi-district litigation, or their law firms, and Equifax’s CISO or their designee shall, in good faith, reach a determination. 2. Information Security Program: Within ninety (90) days of final approval of the Settlement Agreement, Equifax shall implement, and thereafter regularly maintain, review, and revise a comprehensive Information Security Program that is reasonably designed to protect the 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 88 of 295 confidentiality, integrity, and availability of the Personal Information that Equifax collects, processes, or stores on the Equifax Network. 3. Managing Critical Assets: Equifax shall identify and document a comprehensive IT asset inventory, using an automated tool(s) where practicable, that, consistent with NIST or another comparable standard, will inventory and classify, and issue reports on, all assets that comprise the Equifax Network, including but not limited to software, applications, network components, databases, data stores, tools, technology, and systems. The asset inventory required under this paragraph shall be regularly updated and, at a minimum, identify: (a) the name of the asset; (b) the version of the asset; (c) the owner of the asset; (d) the asset’s location within the Equifax Network; and (e) the asset’s criticality rating. Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process1 establishing that hardware and software within the Equifax Network be rated based on criticality, factoring in whether such assets are used to collect, process, or store 1 “Governance Process” shall mean any written policy, standard, procedure or process (or any combination thereof) designed to achieve a control objective with respect to the Equifax Network. 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 89 of 295 Personal Information. Equifax shall comply with this provision by June 30, 2020. 4. Data Classification: Equifax shall maintain and regularly review and revise as necessary a data classification and handling standard. 5. Security Information and Event Management: Consistent with NIST or another comparable standard, Equifax shall implement a comprehensive, continuous, risk-based SIEM solution (or equivalent). Equifax shall continuously monitor, and shall test on at least a monthly basis, any tool used pursuant to this paragraph, to properly configure, regularly update, and maintain the tool, to ensure that the Equifax Network is adequately monitored. 6. Logging and Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing: (1) risk-based monitoring and logging of security events, operational activities, and transactions on the Equifax Network, (2) the reporting of anomalous activity through the use of appropriate platforms, and (3) requiring tools used to perform these tasks be appropriately monitored and tested to assess proper configuration and maintenance. The Governance 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 90 of 295 Process shall include the classification of security events based on severity and appropriate remediation timelines based on classification. 7. Vulnerability Scanning: Equifax shall implement and maintain a riskbased vulnerability scanning program reasonably designed to identify and assess vulnerabilities within the Equifax Network. 8. Penetration Testing: Equifax shall implement and maintain a risk-based penetration-testing program reasonably designed to identify and assess security vulnerabilities within the Equifax Network. 9. Vulnerability Planning: Equifax shall rate and rank the criticality of all vulnerabilities within the Equifax Network. For each vulnerability that is ranked most critical, Equifax shall commence remediation planning within twenty-four (24) hours after the vulnerability has been rated as critical and shall apply the remediation within one (1) week after the vulnerability has received a critical rating. If the remediation cannot be applied within one (1) week after the vulnerability has received a critical rating, Equifax shall identify or implement compensating controls designed to protect Personal Information as soon as practicable but no later than one (1) week after the vulnerability received a critical rating. 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 91 of 295 10. Patch Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process to maintain, keep updated, and support the software on the Equifax Network. Equifax shall maintain reasonable controls to address the potential impact that security updates and patches may have on the Equifax Network and shall maintain a tool that includes an automated Common Vulnerabilities and Exposures (CVE) feed with regular updates regarding known CVEs. 11. Threat Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a threat management program designed to appropriately monitor the Equifax Network for threats and assess whether monitoring tools are appropriately configured, tested, and updated. 12. Access Control and Account Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to appropriately manage Equifax Network accounts. This Governance Process shall include, at a minimum, (1) implementing appropriate password, multi-factor, or equivalent authentication protocols; (2) implementing and maintaining appropriate policies for the secure storage of Equifax Network account passwords, including policies based 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 92 of 295 on industry best practices; and (3) limiting access to Personal Information by persons accessing the Equifax Network on a least-privileged basis. 13. File Integrity Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to provide prompt notification of unauthorized modifications to the Equifax Network. 14. Legacy Systems: Equifax shall develop and implement a risk-based plan to remediate current legacy systems on a schedule that provides for remediation within five years following entry of this Order and which includes applying compensating controls until the systems are remediated. Equifax shall also maintain a Governance Process for active lifecycle management for replacing and deprecating legacy systems when they reach end of life. 15. Encryption: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process requiring Equifax either to encrypt Personal Information or otherwise implement adequate compensating controls. 16. Data Retention: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a retention 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 93 of 295 schedule for Personal Information on the Equifax Network and a process for deletion or destruction of Personal Information when such information is no longer necessary for a business purpose, except where such information is otherwise required to be maintained by law. 17. TrustedID Premier: Equifax, including by or through any partner, affiliate, agent, or third party, shall not use any information provided by consumers (or the fact that the consumer provided information) to enroll in TrustedID Premier to sell, upsell, or directly market or advertise its feebased products or services. 18. Mandatory Training: Equifax shall establish an information security training program that includes, at a minimum, at least annual information security training for all employees, with additional training to be provided as appropriate based on employees’ job responsibilities. 19. Vendor Management: Equifax shall oversee its third party vendors who have access to the Equifax Network by maintaining and periodically reviewing and revising, as needed, a Governance Process for assessing vendor compliance in accordance with Equifax’s Information Security Program to assess whether the vendor’s security safeguards are appropriate for that business, which Governance Process requires vendors 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 94 of 295 by contract to implement and maintain such safeguards and to notify Equifax within seventy-two (72) hours of discovering a security event, where feasible. 20. Incident Response Exercises: Equifax shall conduct, at a minimum, biannual incident response plan exercises to test and assess its preparedness to respond to a security event. 21. Breach Notification: Equifax shall comply with the state data breach notification laws, as applicable, and unless preempted by federal law. 22. Information Security Spending: Equifax shall ensure that its Information Security Program receives the resources and support reasonably necessary for the Information Security Program to function as required by this Settlement. In addition, over a five-year period beginning January 1, 2019, Equifax shall spend a minimum of $1,000,000,000 ($1 billion) on data security and related technology. 23. Third-Party Assessments: Equifax shall engage a Third-Party Assessor meeting the criteria specified in this Order to conduct a SOC 2 Type 2 attestation, or to conduct an assessment using industry-recognized procedures and standards in satisfaction of Regulator requirements for this Order (the “Third-Party Assessments”). The Third-Party Assessments will 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 95 of 295 meet the following minimum standards, unless a Regulator expressly authorizes otherwise: a. The Third-Party Assessments will be conducted by an unbiased, independent, cybersecurity organization agreeable both to Equifax and a Regulator. Prior to selection, Equifax will disclose to the Regulator approving the Third-Party Assessor any compensated engagement by Equifax of the Third-Party Assessor in the 2 years prior to the assessment. The Third-Party Assessor shall be a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or a similarly qualified organization; and have at least five (5) years of experience evaluating the effectiveness of computer system security or information system security. b. The scope of the Third-Party Assessments, including the assertion statements required, will be established by the Third-Party Assessor in consultation with Equifax. c. The Third-Party Assessments will evaluate Equifax’s Information Security Program, including its policies and practices, consistent with NIST or another comparable standard. 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 96 of 295 d. The reporting periods for the Third-Party Assessments shall (1) cover the first 180 days following final approval of the Settlement Agreement for the initial Third-Party Assessment, and each twoyear period thereafter for a total of seven (7) years. Provided, however, that the parties agree in good faith to adjust this timeline to align with Third-Party Assessments performed for Regulators to the extent that they are used to satisfy this Order. e. The Third-Party Assessor will confirm that Equifax has complied with the terms of this Order. f. The Third-Party Assessments will identify deficiencies in Equifax’s Information Security Program and, in good faith cooperation with Equifax’s CISO or their designee, prioritize and establish dates by which Equifax shall remediate the deficiencies identified or implement compensating controls. g. Within 30 days after the close of each reporting period in Paragraph 23(d) above, the Third-Party Assessor will provide to Consumer Plaintiffs’ Co-Lead Counsel a verification of compliance with this Order, which includes the identification of material deficiencies and Equifax’s corresponding plan pursuant to Paragraph 23(f). 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 97 of 295 h. Equifax may use a Third-Party Assessment performed in satisfaction of obligations to government entities to meet the Third-Party Assessment requirement here, provided that the assessment complies with Paragraph 23 of this Order. 24. Regulator Requirements: The Parties and Court acknowledge that Equifax may be obligated to comply with requirements governing Equifax’s Information Security Program and Third-Party Assessments as part of the resolution of claims stemming from the 2017 Data Breach and asserted against Equifax by certain government entities (the “Regulator Requirements”). In the event that any of the specific obligations set forth in the above provisions conflict with provisions set forth in the Regulator Requirements regarding the same or similar obligations, then the more restrictive Regulator provision shall apply and supersede the less restrictive provision in this Order. 25. Miscellaneous: In the event that technological or industry developments or intervening changes in law render any of the provisions set forth in this Order obsolete or make compliance by Equifax with any provision impossible or technically impractical, Equifax will provide notice to Consumer Plaintiffs Co-Lead Counsel. If the Parties reach a mutual 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 98 of 295 agreement that the elimination or modification of a provision is appropriate, they may jointly petition the Court to eliminate or modify such provision. If the Parties fail to reach an agreement, Equifax may petition the Court to eliminate or modify such provision. Under any circumstances, to the extent Consumer Plaintiffs believe that Equifax is not complying with any provision of this Order, they will first meet and confer with Equifax prior to seeking relief from the Court. 26. Continuing Jurisdiction and Enforcement: The Court retains jurisdiction over this matter and the Parties for purposes of enforcing the terms of this Consent Order. IT IS SO ORDERED this ____ day of _________________, 2019. ____________________________ THOMAS W. THRASH, JR. United States District Judge 14 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 99 of 295 EXHIBIT 4 CREDIT MONITORING AND RESTORATION SERVICES Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 100 of 295 Three-Bureau Credit Monitoring Services The following provisions are subject to the terms and definitions set forth in the Parties’ Settlement Agreement (the “Agreement”). The Credit Monitoring Services as defined in the Agreement shall include: 1. Daily Consumer Report monitoring from each of the three nationwide Consumer Reporting Agencies showing key changes to one or more of a Settlement Class Member’s Consumer Reports, including automated alerts when the following occur: new accounts are opened; inquiries or requests for Settlement Class Member’s Consumer Report for the purpose of obtaining credit; changes to a Settlement Class Member’s address; and negative information, including delinquencies or bankruptcies. 2. On-demand online access to a free copy of a Settlement Class Member’s Experian Consumer Report, updated on a monthly basis; 3. Automated alerts, using public or proprietary data sources: i. when data elements submitted by the Settlement Class Member for monitoring (such as a Social Security number, email address, or credit card number) are discovered on suspicious web sites, including underground web sites known as the “dark web”; ii. when names, aliases, and addresses have been associated with the Settlement Class Member’s Social Security number; iii. when a payday loan or certain other unsecured credit has been taken or opened using the Settlement Class Member’s Social Security number; 1 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 101 of 295 iv. when a Settlement Class Member’s information matches information in arrest records or criminal court records; v. when a Settlement Class Member’s information is used for identity authentication; vi. when a Settlement Class Member’s mail has been redirected through the United States Postal Service; vii. when banking activity is detected related to new deposit account applications, opening of new deposit accounts, changes to Settlement Class Member’s personal information on an account, and new signers being added to a Settlement Class Member’s account; viii. when a balance is reported on a Settlement Class Member’s credit line that has been inactive for at least six months. 4. One Million Dollars ($1,000,000) in identity theft insurance to cover loss related to a stolen identity event, including coverage prior to the Settlement Class Member’s enrollment in the Credit Monitoring Services, provided the loss results from a stolen identity event first discovered during the policy period and subject to the terms of the insurance policy; 5. A customer service center to provide assistance with enrollment, website navigation, monitoring alerts questions, dispute assistance, fraud resolution assistance, and other assistance related to the Credit Monitoring Services; 6. Full Identity Restoration Services as described below; and 7. For Settlement Class Members under the age of 18, a parent or guardian can enroll the Settlement Class Member under the age of 18 to receive the following services: 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 102 of 295 alerts when data elements submitted for monitoring appear on suspicious websites, including underground websites known as the “dark web;” alerts when the Social Security number of a Settlement Class Member under the age of 18 is associated with new names or addresses or the creation of a Consumer Report at one or more of the three nationwide Consumer Reporting Agencies; and Full Service Identity Restoration, working with the legal guardian, in the event that a Settlement Class Member under the age of 18 has their identity compromised. Upon turning 18, the Settlement Class Member can enroll in the Credit Monitoring Services. If a Settlement Class Member under the age of 18 has an Experian Consumer Report with sufficient detail to permit authentication, a parent or guardian may enroll them in the Credit Monitoring Services prior to their eighteenth birthday. 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 103 of 295 Restoration Services The following provisions are subject to the terms and definitions set forth in the Parties’ Settlement Agreement (the “Agreement”). Restoration Services as described in the Agreement consist of “Assisted Identity Restoration” and “Full Service Identity Restoration” provided by a third party not affiliated with Equifax. 1. Assisted Identity Restoration: Any Settlement Class Member who is not enrolled in the Credit Monitoring Services may avail themselves of Assisted Identity Restoration for seven (7) years from the Effective Date. Assisted Identity Restoration includes assignment of a dedicated identity theft restoration specialist to a Settlement Class Member who has experienced an identity theft event. The specialist provides assistance to the Settlement Class Member in addressing that identity theft event, including a customized step-by-step process with form letters to contact companies, government agencies, Consumer Reporting Agencies, or others, and by participating in conference calls with an affected financial institution or government agency related to the identity theft event. 2. Full Service Identity Restoration: Any Affected Consumer who is enrolled in the Credit Monitoring Services may avail themselves of Full Service Identity Restoration while they are enrolled. Full Service Identity Restoration includes assignment of a dedicated identity theft restoration specialist to a Settlement Class Member who has experienced an identity theft event, as well as use of a specialized limited power of attorney to assist the Settlement Class Member in addressing the identity theft event, including by contacting companies, government agencies, or Consumer Reporting Agencies on behalf of the Settlement Class Member. Full Service Identity Restoration 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 104 of 295 also includes the use of interactive dispute letters. 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 105 of 295 Equifax One-Bureau Credit Monitoring Services The following provisions are subject to the terms and definitions set forth in the Parties’ Settlement Agreement (the “Agreement”). Equifax One-Bureau Credit Monitoring Services will include the following: 1. Daily Consumer Report monitoring from Equifax showing key changes to the enrolled Settlement Class Member’s Equifax Information Services LLC (“EIS”) Consumer Report including automated alerts when the following occur: new accounts are opened; inquiries or requests for an Affected Consumer’s Consumer Report for the purpose of obtaining credit; changes to an Affected Consumer’s address; and negative information, such as delinquencies or bankruptcies; 2. On-demand online access to a free copy of an enrolled Settlement Class Member’s EIS Consumer Report, updated on a monthly basis; 3. Automated alerts using certain available public and proprietary data sources when data elements submitted by an enrolled Settlement Class Member for monitoring, such as Social Security numbers, email addresses, or credit card numbers, appear on suspicious websites, including underground websites known as the “dark web;” and 4. For Settlement Class Members under the age of 18, Equifax shall provide child monitoring services where the validated parent or guardian can enroll the Settlement Class Member under the age of 18 in these services. Child monitoring services include: alerts when data elements such as a Social Security number submitted for monitoring appear on suspicious websites, including underground websites known as the “dark web;” for minors who do not have an EIS Consumer Report, an EIS Consumer Report is created, locked, and then monitored, and for minors with an EIS 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 106 of 295 Consumer Report, their Consumer Report is locked and then monitored. The types of alerts that minors may receive through child monitoring services are the same as the types of alerts that adults receive. 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 107 of 295 EXHIBIT 5 ORDER DIRECTING NOTICE Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 108 of 295 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION _____________________________ ) MDL Docket No. 2800 In re: Equifax, Inc. Customer ) Case No.: 1:17-md-2800-TWT Data Security Breach Litigation ) ) CONSUMER ACTIONS ) _____________________________ ) ORDER DIRECTING NOTICE Before the Court is the Consumer Plaintiffs’ unopposed motion to permit issuance of class notice of the proposed class action settlement. Having reviewed the proposed settlement agreement, together with its exhibits, and based upon the relevant papers and all prior proceedings in this matter, the Court has determined the proposed settlement satisfies the criteria of Federal Rule of Civil Procedure 23(e) such that the Court will likely be able to approve the proposed settlement as fair, reasonable, and adequate, and that issuance of notice of the proposed settlement in accordance with the proposed notice plan is appropriate. Accordingly, good cause appearing in the record, IT IS HEREBY ORDERED THAT: The Settlement Class and Class Counsel (1) As set forth more fully herein, the Court finds that giving notice of the proposed settlement is justified pursuant to Federal Rule of Civil Procedure Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 109 of 295 23(e)(1). The Court finds that it will likely be able to approve the proposed settlement as fair, reasonable, and adequate. The Court also finds that it will likely be able to certify the following settlement class for purposes of judgment on the settlement: The approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax on September 7, 2017.1 (2) For settlement purposes, the Court determines the proposed settlement class meets all the requirements of Rule 23(a) and (b)(3), namely that the class is so numerous that joinder of all members is impractical; that there are common issues of law and fact; that the claims of the class representatives are typical of absent class members; that the class representatives will fairly and adequately protect the interests of the class, as they have no interests antagonistic to or in conflict with the class and have retained experienced and competent counsel to prosecute this matter; that common issues predominate over any individual issues; and that a class action is the superior means of adjudicating the controversy. 1 Excluded from the settlement class are: (i) Defendants, any entity in which Defendants have a controlling interest, and Defendants’ officers, directors, legal representatives, successors, subsidiaries, and assigns; (ii) any judge, justice, or judicial officer presiding over this matter and the members of their immediate families and judicial staff; and (iii) any individual who timely and validly opts out of the settlement class. 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 110 of 295 (3) The Court appoints the named plaintiffs identified in Exhibit 10 as representatives of the proposed settlement class. (4) The following lawyers are designated as settlement class counsel pursuant to Rule 23(g): Kenneth S. Canfield of Doffermyre Shields Canfield & Knowles, LLC; Amy E. Keller of DiCello Levitt & Gutzler, LLC; Norman E. Siegel of Stueve Siegel Hanson LLP; and Roy Barnes of Barnes Law Group, LLC. The Court finds that these lawyers are experienced and will adequately protect the interests of the settlement class. Preliminary Evaluation of the Proposed Settlement (5) Upon preliminary review, the Court finds the proposed settlement provides a recovery for the class that is within the range of what could be approved as fair, reasonable, and adequate, taking into account all of the risks, expense, and delay of continued litigation; is the result of numerous good faith and arm’s-length negotiations that took place under the auspices of a prominent national mediator; is not otherwise deficient; otherwise meets the criteria for approval; and thus warrants issuance of notice to the settlement class. (6) In making this determination, the Court has considered the substantial monetary and non-monetary benefits to the class; the specific risks faced by the class in prevailing on Consumer Plaintiffs’ claims; the stage of the proceedings at 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 111 of 295 which the settlement was reached; the effectiveness of the proposed method for distributing relief to the class; the proposed manner of allocating benefits to class members; and all of the other factors required under Rule 23. Approval Hearing (7) An approval hearing shall take place before the Court on _________________, 2019, at _____ a.m./p.m. in Courtroom 2108 of the United States District Court for the Northern District of Georgia, located at the Richard B. Russell Federal Building and United States Courthouse, 75 Ted Turner Drive, SW, Atlanta, Georgia 30303-3309 to determine whether: (a) the proposed settlement class should be certified for settlement purposes pursuant to Rule 23; (b) the settlement should be approved as fair, reasonable, and adequate and, in accordance with the settlement’s terms, this matter should be dismissed with prejudice; (c) class counsel’s application for attorneys’ fees and expenses should be approved; and (d) the application for the class representatives to receive service awards should be approved. Any other matters the Court deems necessary and appropriate will also be heard. (8) Any settlement class member who has not timely and properly excluded themselves from the settlement class in the manner described below may appear at the approval hearing in person or through counsel and be heard, as 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 112 of 295 allowed by the Court, regarding the proposed settlement; provided, however, that no class member who excluded themselves from the class shall be entitled to object or otherwise appear, and, further provided, that no class member shall be heard in opposition to the settlement unless the class member complies with the requirements of this Order pertaining to objections, which are described below. Administration and CAFA Notice (9) JND Legal Administration is appointed as the settlement administrator, with responsibility for claim submissions, certain notice functions, and administration pursuant to the terms of the settlement agreement. The claim form attached to the settlement agreement is approved, as are versions derived therefrom to be used during the extended claims period and for claims by minors, as described in the motion for this order directing notice. The settlement administrator may, where necessary, require individuals to provide, through written, electronic, or other means, certain personal information including (without limitation) full name, address, year of birth, email address, phone number, and last six (6) digits of Social Security number in order to verify an individual’s status as a class member and/or eligibility for any benefits under the settlement, in addition to any other purposes consistent with the settlement administrator’s responsibilities under the settlement agreement. The settlement administrator’s fees, as approved 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 113 of 295 by the parties, will be paid from the settlement fund pursuant to the settlement agreement. (10) Within 10 days after the filing of the motion to permit issuance of notice, Defendant shall serve or cause to be served a notice of the proposed settlement on appropriate state officials in accordance with the requirements under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1715(b). Notice to the Class (11) Signal Interactive Media LLC is appointed as the notice provider, with responsibility for effectuating class notice in accordance with the proposed notice plan. The notice provider’s fees, as approved by the parties, will be paid from the settlement fund pursuant to the settlement agreement. (12) The notice plan set forth in the settlement agreement and the forms of notice attached as exhibits to the settlement agreement satisfy the requirements of Federal Rule of Civil Procedure 23 and thus are approved. Non-material modifications to the exhibits may be made without further order of the Court. The notice provider is directed to carry out the notice program in conformance with the settlement agreement and to perform all other tasks that the settlement agreement requires. 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 114 of 295 (13) The Court finds that the form, content, and method of giving notice to the settlement class as described in the settlement agreement and exhibits: (a) constitute the best practicable notice to the settlement class; (b) are reasonably calculated, under the circumstances, to apprise settlement class members of the pendency of the action, the terms of the proposed settlement, and their rights under the proposed settlement; (c) are reasonable and constitute due, adequate, and sufficient notice to those persons entitled to receive notice; and (d) satisfy the requirements of Federal Rule of Civil Procedure 23, the constitutional requirement of due process, and any other legal requirements. The Court further finds that the notices are written in plain language, use simple terminology, and are designed to be readily understandable by settlement class members. Appointment of Experian for Monitoring and Restoration Services (14) The Court appoints Experian as the provider of monitoring services to eligible Settlement Class Members as set forth in the Settlement Agreement. The Court directs that Experian effectuate the Settlement Agreement in coordination with Settlement Class Counsel, Equifax, and the Settlement Administrator, subject to the jurisdiction and oversight of this Court. Exclusions from the Class 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 115 of 295 (15) Any settlement class member who wishes to be excluded from the settlement class must mail a written notification of the intent to exclude themselves to the settlement administrator at the address provided in the notice, postmarked no later than ____________ (the “opt-out deadline”). Each written request for exclusion must identify this action, set forth the name of the individual seeking exclusion, be signed by the individual seeking exclusion, and can only request exclusion for that one individual. (16) The settlement administrator shall provide the parties with copies of all opt-out notifications, and, within 14 days after the opt-out deadline, a final list of all that have timely and validly excluded themselves from the settlement class. The final list of exclusions as well as a final list of those in the class should be filed with the Court before the approval hearing. (17) Any settlement class member who does not timely and validly exclude themselves from the settlement shall be bound by the terms of the settlement. If final judgment is entered, any settlement class member who has not submitted a timely, valid written notice of exclusion from the settlement class shall be bound by all subsequent proceedings, orders, and judgments in this matter, including but not limited to the release set forth in the settlement and final judgment. 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 116 of 295 (18) All those settlement class members who submit valid and timely notices of exclusion shall not be entitled to receive any benefits of the settlement. Objections to the Settlement (19) A settlement class member who complies with the requirements of this Order may object to the settlement, Class Counsel’s request for fees and expenses, or the request for service awards to the class representatives. (20) No settlement class member shall be heard, and no papers, briefs, pleadings, or other documents submitted by any settlement class member shall be received and considered by the Court, unless the objection is (a) electronically filed with the Court by the objection deadline; or (b) mailed to the settlement administrator at the address listed in the Long Form Notice available on the settlement website, and postmarked by no later than the objection deadline. Objections shall not exceed twenty-five (25) pages. For the objection to be considered by the Court, the objection must be in writing and shall set forth: (a) The name of this action; (b) The objector’s full name and current address; (c) The objector’s personal signature on the written objection (an attorney’s signature is not sufficient); 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 117 of 295 (d) A statement indicating the basis for the objector’s belief that he or she is a member of the settlement class; (e) A statement of whether the objection applies only to the objector, to a specific subset of the settlement class, or to the entire settlement class; (f) A statement of the objector’s grounds for the objection, accompanied by any legal support for the objection; (g) A statement identifying all class action settlements objected to by the objector in the previous five (5) years; and (h) A statement as to whether the objector intends to appear at the Fairness Hearing, either in person or through counsel, and if through counsel, identifying counsel by name, address, and telephone number, and four dates between the Objection Deadline and [a date two weeks before Fairness Hearing] during which the objecting settlement class member is available to be deposed by counsel for the Parties. (21) In addition to the foregoing, if the objector is represented by counsel and such counsel intends to speak at the Fairness Hearing, the written objection must include: 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 118 of 295 (a) A detailed statement of the specific legal and factual basis for each and every objection; and (b) A detailed description of any and all evidence the objector may offer at the Fairness Hearing, including copies of any and all exhibits that the objector may introduce at the Fairness Hearing. (22) In addition to the foregoing, if the objector is represented by counsel, and such counsel intends to seek compensation for his or her services from anyone other than the objector, the written objection must include: (a) The identity of all counsel who represent the objector, including any former or current counsel who may be entitled to compensation for any reason related to the objection; (b) A statement identifying all instances in which the counsel or the counsel’s law firm have objected to a class action settlement within the preceding five (5) years, giving the style and court in which the class action settlement was filed; (c) A statement identifying any and all agreements that relate to the objection or the process of objecting—whether written or oral—between the objector, his or her counsel, and/or any other person or entity; 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 119 of 295 (d) A description of the counsel’s legal background and prior experience in connection with class action litigation; and (e) A statement regarding whether fees to be sought will be calculated on the basis of a lodestar, contingency, or other method; an estimate of the amount of fees to be sought; the factual and legal justification for any fees to be sought; the number of hours already spent by the counsel and an estimate of the hours to be spent in the future; and the attorney’s hourly rate. (23) Any settlement class member who fails to comply with the provisions in this Order will waive and forfeit any and all rights they may have to object, may have their objection stricken from the record, and may lose their rights to appeal from approval of the settlement. Any such class member also shall be bound by all the terms of the settlement agreement, this Order, and by all proceedings, orders, and judgments, including, but not limited to, the release in the settlement agreement if final judgment is entered. Claims Process (24) The settlement agreement establishes a process for claiming benefits under the settlement, including reimbursement for out-of-pocket losses relating the 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 120 of 295 breach; reimbursement for time spent remedying issues relating the breach; free credit monitoring services; and alternative cash payments for those settlement class members who already have some form of credit monitoring. If money remains in the settlement fund after the initial claims period, an “extended claims period” will go into effect for an additional 4 years (or until the fund is exhausted, whichever occurs first) which will permit settlement class members to submit claims for reimbursement of out-of-pocket losses or time spent remedying issues relating the breach after the initial claims period if certain conditions are met. The settlement agreement also sets forth a detailed disputes and appeals process for settlement class members whose claims are denied in whole or part. The Court approves this claims process and directs that the settlement administrator effectuate the claims process according to the terms of the settlement agreement. Termination of the Settlement and Use of this Order (25) This Order shall become null and void and shall be without prejudice to the rights of the parties, all of which shall be restored to their respective positions existing immediately before this Court entered this Order, if the settlement is not approved by the Court or is terminated in accordance with the terms of the settlement agreement, all subject to the cure provisions set forth in the settlement agreement. In such event, the settlement and settlement agreement shall 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 121 of 295 become null and void and be of no further force and effect, and neither the settlement agreement nor the Court’s orders, including this Order, relating to the settlement shall be used or referred to for any purpose whatsoever. (26) This Order shall be of no force or effect if final judgment is not entered or there is no effective date under the terms of the settlement agreement; shall not be construed or used as an admission, concession, or declaration by or against Defendants of any fault, wrongdoing, breach, or liability; shall not be construed or used as an admission, concession, or declaration by or against any settlement class representative or any other settlement class member that its claims lack merit or that the relief requested is inappropriate, improper, or unavailable; and shall not constitute a waiver by any party of any defense or claims it may have in this litigation or in any other lawsuit. Continuance of Final Approval Hearing (27) The Court reserves the right to adjourn or continue the approval hearing and related deadlines without further written notice to the settlement class. If the Court alters any of those dates or times, the revised dates and times shall be posted on the settlement website. Summary of Deadlines (28) The settlement agreement shall be administered according to its terms 14 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 122 of 295 pending the Approval Hearing. Deadlines arising under the settlement agreement and this Order include but are not limited to the following: EVENT TIMING Deadline for Defendant to disseminate CAFA notices [10 days after settlement agreement filed with the Court] Deadline for Defendant to provide settlement class list to settlement administrator [5 business days after order directing notice] Notice date [60 days after order directing notice] Deadline to file Class Counsel’s motion for attorneys’ fees, costs, expenses and service awards [at least 21 days before objection deadline] Deadline for Class Counsel to file motion for final approval of settlement and responses to any timely submitted settlement class member objections [14 days prior to final approval hearing] Objection deadline [60 days after notice date] Opt-out deadline [60 days after notice date] Initial claims deadline [6 months after order directing notice] Extended claims deadline [4 years after initial claims deadline] Final approval hearing [At least 150 days after order directing of notice] 15 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 123 of 295 IT IS SO ORDERED this ____ day of _______________, 2019. ____________________________ THOMAS W. THRASH, JR. United States District Judge 16 Case Document 739-2 Filed 07/22/19 Page 124 of 295 EXHIBIT 6 NOTICE PLAN Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 125 of 295 In re: Equifax, Inc. Customer Data Security Breach Litigation No. 1:17-MD-2800 (N.D. Ga.) Notice Plan Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 126 of 295 NOTICE PLAN The Notice Plan for In re Equifax, Inc., Customer Data Security Breach Litigation, MDL 2800 (N.D. Ga.) (Consumer Track) was developed by the Notice Provider and the Parties in collaboration with the Federal Trade Commission, the Consumer Finance Protection Bureau, and participating offices of State Attorneys General (collectively, the “Regulators”). The Notice Plan will provide the best notice practicable under the circumstances of this case, satisfy all aspects of Rule 23 of the Federal Rules of Civil Procedure, satisfy the Due Process clause of the United States Constitution, and conform with the guidance for effective notice articulated in the Manual for Complex Litigation, 4th. The objective of the Notice Plan is to provide the best notice practicable of the Settlement to members of the Settlement Class as defined in the Settlement Agreement and to enhance class members’ awareness about their rights and the benefits available under the Settlement. The FJC’s Judges’ Class Action Notice and Claims Process Checklist and Plain Language Guide considers 70-95% reach among class members reasonable. In order to meet or exceed that reach, the Notice Plan employs modern developments in the fields of public opinion research and consumer behavior, including qualitative and quantitative testing, to craft and select the most effective messaging and communication channels to increase notice 1 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 127 of 295 and participation rates. The Notice Plan is designed to occur both during the Initial and Extended Claims Periods provided by the Settlement as well as to provide reminder notice during the time period after the Extended Claims Period in which Class Members remain eligible for identity restoration services. The Notice Plan improves upon the approach utilized in many class action settlements, which historically have not taken advantage of testing and consumer research and often involve a single notice to each Settlement Class Member with little follow up. The various forms of Notice in the plan will direct Settlement Class Members to a settlement website that will contain links to Settlement documents and provide Settlement Class Members with the ability to submit Claim Forms electronically. The Settlement Administrator will maintain the website and will work with the Notice Provider to develop and integrate relevant content for the website and enhance consistency between the look and feel of the website and notice messaging. The Notice Plan will have several components: 1) Initial Research and Testing through focus groups in several cities, a national polling survey, and digital ad testing; 2) Direct Notice through email, with assistance by the Settlement Administrator; 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 128 of 295 3) Digital Notice during the Initial Claims Period through Facebook, Search (Google, Yahoo, and Bing), Twitter, and Display; 4) Paid Publication notice through the use of paid media, including USA Today and radio; 5) Extended Claims Period Notice Activities (if necessary); and, 6) Supplemental Notice Measures (if necessary). These components will achieve the same reach and frequency benchmarks that have been achieved under notice programs that have been approved by courts in other cases. Each of these components is discussed in more detail below. 1. Initial Research and Testing Following the entry of an order permitting issuance of notice of class action settlement, the Notice Provider will begin a period of Initial Research and Testing. This period of Initial Research and Testing will take about 14 days. Initial Research and Testing is customary in commercial and political mass media advertising. It is used to measure the effectiveness of various media and messaging, so that the Notice Provider may adjust and optimize the messaging prior to full-scale investment and implementation. This methodology has been shown to increase participation rates. In the Notice Plan, the purpose of Initial Research Testing is primarily to confirm two things: 1) the best media and 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 129 of 295 messaging practicable across various demographics of the class and 2) the best notice practicable for those class members that may not be reached through the digital components of the program. The Notice Provider has collaborated with the Parties and the Regulators to prepare several different formats of digital and email notice with varying text, graphic design, and layout. The Parties seek Court approval of the forms of notice attached to this Notice Plan so that they may be tested prior to larger distribution. This will permit the Notice Provider to study and analyze the most effective method of providing notice in the digital and email channels and implement those formats of notice deemed most effective. After approval by the Court, the different forms of notices will be translated into Spanish by the Notice Provider and the Spanish language notices will be used in connection with the notice effort where appropriate. The initial research effort will involve a four-step process. First, the Notice Provider will assemble a demographic profile of the Settlement Class using a proprietary database of consumer information maintained by the Notice Provider. Second, the Notice Provider will convene a series of ten focus groups comprised of a representative cross-section of the class across the country. Each group will last approximately two hours, be professionally moderated, and consist of 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 130 of 295 approximately eight participants. Third, the Notice Provider will conduct a statistically significant survey of 1,600 Settlement Class Members. As part of the survey, in particular, the Notice Provider will seek to understand which class members are least likely to be found online and assess the best way that is practicable under the circumstances to reach those consumers. Fourth, in conjunction with this research, the Notice Provider will conduct online early media testing using Court-approved digital notices. The Notice Provider will measure empirical results of testing and begin to define and optimize the variables affecting response rate. The Notice Provider will then place (cause to be published) those Court-approved notices, and send (cause to be sent) the Court-approved emails measured to most effectively reach and inform Settlement Class Members of the Settlement. 2. Direct Notice Within five business days after the Court's order directing notice, Equifax shall provide the Settlement Administrator with the names, last known mailing address, date of birth, and last known email addresses of Settlement Class Members to the extent reasonably available. The Settlement Administrator shall make all necessary efforts to ensure the security and privacy of Settlement Class Member information; shall not use the information provided by Equifax or Class 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 131 of 295 Counsel in connection with the Settlement or this Notice Plan for any purposes other than providing notice or conducting claims administration; and will not share Settlement Class Member information with any third parties without advance consent from the Parties. The Settlement Administrator will use reasonable efforts to obtain email addresses for those Settlement Class Members whose email addresses Equifax does not possess by comparing the class list with their proprietary databases and purchasing emails to the extent practicable from commercially available sources, including a proprietary database maintained by the Notice Provider. To the extent that Equifax has reasonably available names or other identifying information about Settlement Class Members, but not mailing or email addresses, those names and other identifying information shall also be provided to the Settlement Administrator for use in verifying the identity of Settlement Class Members. Once this process is completed, the Settlement Administrator will send email notice to those Settlement Class Members for whom an email address could be identified. The initial email notice to all Settlement Class Members for whom an email address is available will be sent by the Notice Date (60 days after the Court's order directing notice). The 60-day period between the Court’s order directing notice and the Notice Date is hereinafter referred to as the Initial Notice Period. 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 132 of 295 Two more email notices will be sent during the Initial Claims Period to Settlement Class Members who have not yet opted out, filed a claim, or unsubscribed from a previous email. The first additional email notice will be sent approximately halfway through the Initial Claims Period and the second will be sent with approximately two weeks left in the Initial Claims Period. The specific timing of the two additional emails may be adjusted by the Notice Provider and Settlement Administration as needed to avoid logistical difficulties and ensure proper deliverability and effectiveness. Another email notice will be sent at or about the beginning of the Extended Claims Period. Additional email notices may be sent as recommended by the Settlement Administrator and approved by the Parties, who shall not unreasonably withhold approval. The content of all proposed email messaging appears in Exhibit A to this Notice Plan. To ensure the notice emails are seen by as many Class Members as practicable, the Settlement Administrator will take steps to avoid its communications being flagged in spam filters. Such measures include using a reputable email service provider, avoiding spam trigger words in subject lines, avoiding embedding forms and video, and staggering email batches. The Settlement Administrator will also use reasonable efforts to obtain updated email 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 133 of 295 addresses for those Class Members whose emails “bounce back” and to resend notices to the updated email addresses. In order to combat phishing, the Settlement Administrator will include a disclaimer in all email communications as well as other coordinated “awareness” and Class Member training information on the website. This disclaimer will let Class Members know that the Settlement Administrator will never request personal information over email, and that any emails they receive requesting data should be reported to the Settlement Administrator. Additionally, the Settlement Administrator will include information on its website for Class Members about what to expect in legitimate, Court-authorized email communications about the Settlement; educate Class Members regarding how to spot a phishing attack and preventative measures to take (e.g., hovering over links to see the actual domain and not forwarding any settlement emails to other addresses); and take steps to protect the class notice domain itself from being impersonated including implementing Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). 3. Digital Notice during the Initial Claims Period In addition to the direct individual notice, the Notice Plan will utilize a 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 134 of 295 digital advertising program in its comprehensive campaign targeting a reach of 90 percent of Settlement Class Members during the Initial Notice Period. During this process, the Notice Provider will work iteratively to determine the most effective digital notices, targeting strategies, and digital platforms. The Notice Provider will adjust the campaign to optimize the most efficient and engaging notice practicable. All notice communications will be limited to those that have been approved by the Court. The digital advertising campaign will begin in the Initial Notice Period and last for the duration of the Initial Claims Period. The digital channels to be utilized in providing notice are listed below: ꞏ Facebook and Instagram Advertising ꞏ Twitter ꞏ Google, Bing, and Yahoo Search ꞏ Display Advertising The potential notice communications that will be used in the digital advertising during the Initial Claims Period are attached as Exhibit B. Some of the digital advertising may include video. The scripts of the potential video advertisements are attached as Exhibit F. After approval of the scripts by the Court, the video advertisements will be produced and the final production versions submitted to the Parties for their approval, which shall not be unreasonably withheld. Any disputes 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 135 of 295 regarding the final production versions of the video advertisements will be submitted to the Court for resolution. The target for the digital campaign is to create 892 million impressions on or before the Notice Date of which 333 million will occur on Facebook and related platforms (representing assumed activity of 2.5 impressions per class member at a 90 percent reach); 213 million impressions on Twitter (representing assumed activity of one impression per class member), and 346 million impressions on display advertising (representing assumed activity of 2.6 impressions per class member at a 90 percent reach). During the remainder of the Initial Claims Period, the target is to create an additional 332 million impressions of which 133 million will occur on Facebook and related platforms, 106 million impressions on Twitter, and 93 million impressions on display advertising. Accordingly, the targeted total impressions during the length of the Initial Claims Period will exceed 1.2 billion. The actual impressions for the specific platforms may differ from these targets because, as described above, the placement of specific advertising and the platforms used for this advertising will be adjusted by the Notice Provider during the course of the campaign to optimize the notice efforts. The Notice Provider will work with the Parties to develop technical controls and guidelines designed to ensure that notices are placed on reputable websites that 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 136 of 295 have controls to prevent spoofing and fraud. The Notice Provider also will ensure that ads do not appear on websites that may be deemed sensitive or inappropriate. The display networks that the Notice Provider will use have built in filters that remove offensive placements. The Notice Provider will take additional precautions to ensure brand safety for Equifax such as excluding sensitive categories and individual websites from the campaign based on a list of inappropriate websites maintained by the Notice Provider to be supplemented by Equifax. To combat artificial traffic from the digital notice programs, to mitigate fraud, and to avoid spoofing, the Notice Provider will use the software, ClickGUARD, to detect and mitigate artificial traffic, and will take other reasonable measures to ensure consumer privacy in coordination with the Parties. 4. Paid Publication Newspapers To provide additional outreach to Settlement Class Members who may not have ready access to email or digital media, the Notice Provider will arrange for a single advertisement to be placed in one issue of USA Today that will run during the Initial Notice Period. The advertisement has been agreed to by the Parties after receiving input from the Regulators and will be approved by the Court before being placed. The content of the newspaper advertisement is contained in Exhibit 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 137 of 295 C. If necessary to reach Settlement Class Members who may not have ready access to email or digital media and without detracting from the scope of the notice effort directed at other Settlement Class Members, the advertisement may also be placed in additional publications as recommended by the Notice Provider and approved by the Parties with the input of the Regulators. Radio Furthermore, the Notice Provider will oversee a radio advertising campaign to supplement direct, digital, and publication notice. This radio campaign will focus on areas with lower digital penetration. The content of the radio advertisements has been developed by the Notice Provider and agreed to by the Parties with input from the Regulators. Once approved by the Court, radio advertising will run during the Initial Claims Period. Transcripts of the radio advertising are attached as Exhibit D. 5. Extended Claims Period and Thereafter If the settlement funds are not exhausted during the Initial Claims Period, the Notice Provider will continue to place Digital Advertising as described in Section 3 at a rate of approximately 160,000 impressions per month until the settlement funds are exhausted or the expiration of the Extended Claims Period, whichever occurs first. The Digital Advertising during the Extended Claims Period will be 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 138 of 295 tailored to the relief available under the Settlement. The Notice Provider will conduct an additional digital notice campaign on Google, Yahoo, and Bing regarding restoration services throughout the period such services are available under the Settlement. The digital notice campaign will use search terms selected by the Notice Provider and approved by the Parties. The content for this additional digital advertising is attached as Exhibit E. 6. Supplemental Notice Measures As recommended by the Notice Provider or as otherwise deemed appropriate, the Parties may seek approval from the Court to perform supplemental notice or use additional channels or modes of notice not otherwise articulated in this Notice Plan. Supplemental or additional channels and modes of notice may also be recommended by the Regulators. The Parties agree to consider all such recommendations in good faith and, if agreed, seek approval from the Court to implement the recommendations. Further, the Notice Provider will have the discretion to make non-material changes to the Notice Plan, such as by adjusting the formatting or content of the messaging used in the email, digital, and publication notices, without seeking further approval from the Court, provided that the Parties agree to all such changes. 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 139 of 295 7. Conclusion In sum, this proposed Notice Plan encompasses the use of modern media testing followed by several synergistic media campaigns in order to deliver the best notice practicable and to optimize participation. The combined email, digital media, and publication notice efforts under this plan are calculated to reach in excess of 90 percent of Settlement Class Members approximately 8 times before the Notice Date and approximately 6 additional times during the remainder of the Initial Claims Period. 14 Case Document 739-2 Filed 07/22/19 Page 140 of 295 EXHIBIT A Email Notices Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 141 of 295 Email 1 – Full short-form notice sent before the Notice Date Sender: Subject: (for testing) 1. Equifax Data Breach Class Action Settlement 2. Equifax Data Breach Settlement – You may be eligible for cash, free credit monitoring, and more 3. Legal Notice of Proposed Class Action Settlement with Equifax 4. Claim Your Benefits in the Equifax Data Breach Settlement 5. Your Rights in the Equifax Data Breach Settlement 6. Notice of Class Action Settlement – Equifax Data Breach Body: COURT APPROVED LEGAL NOTICE If Your Personal Information Was Impacted in the 2017 Equifax Data Breach, You May Be Eligible for Benefits from a Class Action Settlement In September of 2017, Equifax announced it experienced a data breach, which impacted the personal information of approximately 147 million people. Equifax has reached a proposed settlement to resolve class action lawsuits brought by consumers alleging Equifax failed to adequately protect their personal information. Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made. If your personal information was impacted in the Equifax data breach, you may be eligible for benefits from the settlement after it becomes final. Under the proposed settlement, Equifax will: (1) pay $380.5 million into a fund to pay benefits to consumers, court-approved fees and costs of class counsel and service awards to the named class representatives, and other expenses; (2) implement and maintain certain data security enhancements; (3) if necessary, pay up to $125 million more to reimburse consumers for out-of-pocket losses resulting from the data breach; and (4) provide certain other relief. 1   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 142 of 295 Are You Eligible: You are a class member and eligible for settlement benefits if you are a U.S. consumer whose personal information was impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com or call 1-833-759-2982. Benefits: If you are a class member, you are eligible for one or more of the following benefits: 1. Free Credit Monitoring or $125 Cash Payment. You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment.  The free credit monitoring includes at least four years of three-bureau credit monitoring, offered through Experian. You can also get up to six more years of free one-bureau credit monitoring through Equifax.  If you already have credit monitoring services that will continue for at least 6 more months, you may be eligible for a cash payment of $125. 2. Other Cash Payments. You may also be eligible for the following cash payments up to $20,000 for:  the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour.  out-of-pocket losses resulting from the data breach.  up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement. 3. Free Identity Restoration Services: You are eligible for 7 years of free assisted identity restoration services to help you remedy the effects of identity theft and fraud. How to Get Benefits: To get free credit monitoring or cash payments, or both, you must submit a claim:  Online at www.EquifaxBreachSettlement.com, or  By mail. 2   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 143 of 295 You must submit a claim by [initial claims period deadline date]. Certain claims may require supporting documents. If there is still money in the fund after payment of valid claims submitted during the initial claims period that ends on [INSERT DATE], there will be an extended claims period lasting for four years. In the extended claims period, you may make certain claims for out-of-pocket losses incurred in the future, including time and money spent trying to address identity theft or fraud related to the data breach. You don’t need to file a claim to get free identity restoration services. None of these benefits will be distributed or available until the settlement is finally approved by the Court. The amount you receive may be less than the claim you submit depending on the number and amount of claims that are submitted. Understanding Your Options: If you want the court to exclude you from the settlement class, you must write to the Settlement Administrator by [INSERT DEADLINE]. List the name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT), your full name, your current address, and the words “Request for Exclusion” at the top of the document. You must sign this request and mail it to Equifax Data Breach Class Action Settlement Administrator, Attn: Exclusion, c/o JND Legal Administration, P.O. Box 91318, Seattle, WA 98111. To object to the settlement, you must file an objection with the court by [INSERT DEADLINE]. For detailed instructions about the process of objecting, visit www.EquifaxBreachSettlement.com. You must file a claim if you want to receive free credit monitoring or cash benefits under this settlement. If you do nothing, you won’t receive a cash payment or credit monitoring service, won’t be able to sue Equifax for the claims being resolved in the settlement, and will be legally bound by all orders of the court. The Court will hold a hearing on [INSERT DATE] to consider any objections, and decide whether to approve the settlement, award attorneys’ fees and expenses, and grant service awards to the named class representatives. You may enter an 3   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 144 of 295 appearance through an attorney, but do not have to. The court has appointed lawyers to represent you and the class, but you can hire another lawyer at your own expense. This is only a summary of the settlement. For more information, visit www.EquifaxBreachSettlement.com, or call (toll free) 1-833-759-2982. This is a Court authorized notice, not a lawyer advertisement. 4   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 145 of 295 Email 2 – Sent approximately halfway through the Initial Claims Period Sender: Subject: (for testing) 1. Reminder – Equifax Data Breach Class Action Settlement 2. Equifax Data Breach Settlement – You may still be eligible for cash, free credit monitoring, and more 3. Don’t Forget to Claim Your Benefits in the Equifax Data Breach Settlement 4. Upcoming Deadlines in the Equifax Data Breach Settlement – Know Your Rights 5. Second Notice of Class Action Settlement – Equifax Data Breach Body: The body of Email 2 will use materially the same language as Email 1, but the format will be different. Email 2 will consist of a document containing visual images that was prepared and formatted by the Federal Trade Commission. A copy of the body of Email 2 follows. 5   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 146 of 295 COURT APPROVED LEGAL NOTICE If Your Personal Information Was Impacted in the 2017 Equifax Data Breach, You May Be Eligible for Benefits from a Class Action Settlement In September of 2017, Equifax announced it experienced a data breach, which impacted lhe personal information of approximately 147 million people Equifax has reached a proposed settlement to resolve class action lawsuits brought by consumers alleging Equifax failed to adequately protect their personal lnformallon Equifax denies any wrongdoing, and no Judgment or finding or wrongdoing has been made If your personallnformallon was Impacted In lhe Equlfax data breach, you may be eligible for benefits from the sett\emenl after il becomes final Under the proposed settlement, Equlfax will: (1) pay $380_5 million Into a fund to pay benefits to consumers, courtapproved fees and costs of class counsel and service awards to the named class representatives, and other expenses: (2) implement and maintain certain data security enhancements; (3) if necessary, pay up to $125 million more to reimburse consumers for out-ofpocket losses resulting from the data breach: and (4) provide certain other relief. ~Are You Eligible: You are a class member and eligible for settlement benefits If you are a U S consumer whose personallnformatlon was Impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com and click the "Am I Impacted?" button or calll-833-759-2982 •· Berwfit~: If you are a class member, you are eligible for one or more of the following benefits: 1. Free Credit Monitoring or $125 Cash Payment. You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment. The free credit monitoring includes at least four years of three-bureau credit monitoring, offered through Experian You can also get up to six more years of free one-bureau credit monitoring through Equifax. If you already have credit monitoring services that will continue for at least 6 more months, you may be eligible for a cash payment of $125. 2. Other Cash Payments. You may also be eligible for the following cash payments up to $20,000 for: the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour. out-of-pocket losses resulting from the data breach. up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement. 3. Free Identity Restoration Services: You are eligible for 7 years of free assisted identity restoration services to help you remedy the effects of identity theft and fraud . .,_ How to Get Benefits: To get free credit monitoring, cash payments, or both, you must submit a claim: Online at www.EquifaxBreachSettlement.com, or By mail. You must submit a claim by [initial claims period deadline date]. Certain claims may require supporting documents. If there is still money in the fund after payment of valid claims submitted during the initial claims period that ends on (INSERT DATE], there will be an extended claims period lasting for four years In the extended claims period, you may make certain claims for out-ofpocket losses incurred in the future, including time and money spent trying to address identity theft or fraud related to the data breach. You don't need to file a claim to get free identity restoration services The amount you receive may be less than the claim you submit depending on the number and amount of claims that are submitted t- Understanding Your Options: If you want the court to exclude you from the settlement class, you must write to the Settlement Administrator by [INSERT DEADLINE] List the name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation. Case No 1:17-md-2800-TWn. your full name, your current address, and the words "Request for Exclusion" at the top of the document You must sign this request and mail it to Equifax Data Breach Class Action Settlement Administrator. Attn: Exclusion, c/o JND Legal Administration, P.O Box 91318, Seattle, WA 98111. To object to the settlement, you must file an objection with the court by [INSERT DEADLINE]. For detailed Instructions about the process of objecting, visit www.Equlfa:..Br4:!:nc.h.Srit.leml!11t...com.. You must subm~ a claim to www.Equifa•BreachSettlement.com by [INITIAL CLAIMS PERIOD DEADLINE DATE) You musl file a claim If you want to receive free credit monllorlng or cash benefits under this settlement If you do nothing, you won't receive a cash payment or credit monitoring service, won't be able to sue Equifax for the claims being resolved in the settlement, and will be legally bound by all orders of the court The Court will hold a hearing on [INSERT DATE) to consider any objections, and decide whether to approve the settlement, award attorneys' fees and expenses, and grant service awards to the named class representatives You may enter an appearance through an attorney, but do not have to. The court has appointed lawyers to represent you and the class, but you can hire another lawyer at your own expense This is only a summary of the settlement None ofthes~beneflts will be distributed or available until the settlememls flnaltv approved by the-Court. For more information, visit www.EquifaxBreachSeHiement.com, or call (toll free) 1-833-759-2982. This is a Coun authorized notice, nof a lawyer advertisemenf Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 147 of 295 Email 3 – Sent with approximately two weeks left in the Initial Claims Period Sender: Subject: (for testing) 1. Time is Running Out – Equifax Data Breach Settlement 2. Equifax Data Breach Settlement – Last Chance to Claim Benefits 3. Act Now – Don’t Forget to Claim Your Benefits in the Equifax Data Breach Settlement Body: This is a Court approved legal notice. If your personal information was impacted in the 2017 Equifax data breach, you may be eligible for benefits from a class action settlement. BUT YOU MUST ACT SOON. Claims must be made by [DATE] at EquifaxBreachSettlement.com. Are You Eligible: You are a class member and eligible for settlement benefits if you are a U.S. consumer whose personal information was impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com or call 1-833-759-2982. Benefits: If you are a class member, you are eligible for one or more of the following benefits: 1. Free Credit Monitoring or $125 Cash Payment. You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment.  The free credit monitoring includes at least four years of three-bureau credit monitoring, offered through Experian. You can also get up to six more years of free one-bureau credit monitoring through Equifax.  If you already have credit monitoring services that will continue for at least 6 more months, you may be eligible for a cash payment of $125. 2. Other Cash Payments. You may also be eligible for the following cash payments up to $20,000 for: 7   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 148 of 295  the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour.  out-of-pocket losses resulting from the data breach.  up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement. 3. Free Identity Restoration Services: You are eligible for 7 years of free assisted identity restoration services to help you remedy the effects of identity theft and fraud. How to Get Benefits: To get free credit monitoring or cash payments, or both, you must submit a claim:  Online at www.EquifaxBreachSettlement.com, or  By mail. You must submit a claim by [initial claims period deadline date]. Certain claims may require supporting documents. If there is still money in the fund after payment of valid claims submitted during the initial claims period that ends on [INSERT DATE], there will be an extended claims period lasting for four years. In the extended claims period, you may make certain claims for out-of-pocket losses incurred in the future, including time and money spent trying to address identity theft or fraud related to the data breach. You don’t need to file a claim to get free identity restoration services. None of these benefits will be distributed or available until the settlement is finally approved by the Court. The amount you receive may be less than the claim you submit depending on the number and amount of claims that are submitted. Understanding Your Rights: You must file a claim if you want to receive free credit monitoring or cash benefits 8   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 149 of 295 under this settlement. If you do nothing, you won’t receive a cash payment or credit monitoring service. This is only a summary of the settlement. For more information, visit EquifaxBreachSettlement.com, or call (toll free) 1-833-759-2982. This is a Court authorized notice, not a lawyer advertisement. 9   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 150 of 295 Email 4 – Sent at or about the beginning of the Extended Claims Period Sender: Subject: (for testing) 1. Equifax Data Breach Settlement – You Still Have Four Years to Make Certain Claims 2. Equifax Data Breach Settlement – Extended Chance to Claim Certain Benefits 3. Remember, You Can Still Claim Some Class Action Benefits – Equifax Data Breach Body: This is a Court approved legal notice. Don’t forget, if your personal information was impacted in the 2017 Equifax data breach, and you have a problem with identity theft or fraud because of the breach in the next four years, you may be eligible for further settlement benefits. Claims for such benefits during this “Extended Claims Period” must be made by [DATE] at EquifaxBreachSettlement.com. Until [DATE], you may also be eligible for free identity restoration services to help you remedy the effects of identity theft and fraud. Are You Eligible: You are a class member and eligible for settlement benefits if you are a U.S. consumer whose personal information was impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com or call 1-833-759-2982. Benefits: 1. Cash Payments for Certain Losses incurred during the next four years: During the Extended Claims Period, you can seek reimbursement for Out-ofPocket Losses or Time Spent (but not losses of money and time associated with freezing or unfreezing credit reports or purchasing credit monitoring or protection services) if you certify that you have not already received reimbursement for the claimed loss. All such claims must be made by [DATE] and will be paid on a firstcome-first-served basis. 10   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 151 of 295 2. Free Identity Restoration Services: You remain eligible for the remainder of 7 years of free identity restoration services to help you remedy the effects of identity theft and fraud. You do not have to make a claim for this benefit. Visit EquifaxBreachSettlement.com to learn more about using these services. You cannot make claims for Credit Monitoring Services, Alternative Reimbursement Compensation, or Out-of-Pocket Losses or Time associated with freezing or unfreezing credit reports or purchasing credit monitoring or protection services. How to Get Benefits: To get cash payments, you must submit a claim:  Online at www.EquifaxBreachSettlement.com, or  By mail. You must submit a claim by [DATE]. Certain claims may require supporting documents. To get free identity restoration services, visit EquifaxBreachSettlement.com or call (toll free) 1-833-759-2982. You do not need to file a claim to get those services. This is only a summary of the benefits available to eligible class members during the extended claims period. For more information, visit EquifaxBreachSettlement.com, or call (toll free) 1-833-759-2982. This is a Court authorized notice, not a lawyer advertisement. 11   Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 152 of 295 EXHIBIT B Digital Ads for Use During the Initial Claims Period Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 153 of 295 7KH IROORZLQJ DUH PRFNXSV RI GLJLWDO DGYHUWLVHPHQWV WKDW ZLOO EH LPSOHPHQWHG DFURVV )DFHERRN ,QVWDJUDP 7ZLWWHU 'LVSOD\ 1HWZRUNV DQG 6HDUFK 1HWZRUNV LQ WKH SUH SURJUDP PHGLD WHVWLQJ SKDVH RI WKH 1RWLFH 3ODQ $ SRUWLRQ RI WKHVH DGV ZLOO EH WUDQVODWHG LQWR 6SDQLVK %\ WHVWLQJ DQ DEXQGDQFH RI DGV ZLWK YDU\LQJ FRS\ DQG JUDSKLFV ZH FDQ GHWHUPLQH WKH PHVVDJLQJ DQG FUHDWLYH WKDW DUH PRVW VXFFHVVIXO LQ UHDFKLQJ YDULRXV VHJPHQWV RI WKH FODVV LQIRUPLQJ WKHP RI WKH VHWWOHPHQW DQG WKHLU ULJKWV DQG XOWLPDWHO\ GULYLQJ HQJDJHPHQW DQG SDUWLFLSDWLRQ 7RS SHUIRUPLQJ DGV ZLOO WKXV EH GHOLYHUHG WR DSSURSULDWH JURXSV WKURXJKRXW WKH ,QLWLDO 1RWLFH 3HULRG DQG ,QLWLDO &ODLPV 3HULRG $OO DGV ZLOO IHDWXUH DQG RU OLQN GLUHFWO\ WR WKH &DVH :HEVLWH Case Document 739-2 Filed 07/22/19 Page 154 of 295 Facebook Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 155 of 295 0RFNXSV RI )DFHERRN DGV DUH VKRZQ LQ WKUHH VL]HV WKDW FRUUHVSRQG WR WKH GHYLFH DQG SODFHPHQW RI WKH DGV SLFWXUHG IURP OHIW WR ULJKW Ɣ 0RELOH 1HZV )HHG DGV WKDW VKRZ LQ WKH 1HZV )HHG WR SHRSOH XVLQJ )DFHERRN RQ PRELOH GHYLFHV Ɣ 'HVNWRS 1HZV )HHG DGV WKDW VKRZ LQ WKH 1HZV )HHG WR SHRSOH XVLQJ )DFHERRN RQ GHVNWRS FRPSXWHUV Ɣ 5LJKW &ROXPQ DGV WKDW DSSHDU LQ WKH ULJKW VLGH FROXPQ RQ )DFHERRN IRU SHRSOH XVLQJ GHVNWRS FRPSXWHUV Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 156 of 295 E E Equifax Data Breach Settlement Sponsored· 2017 EQUIFAX DATA BREACH ,. Find Out if You·re a Class Member I • Sponsored · 0 ~OIOTUWOfT The 201 7 Equifax data breach impacted the personal inf ormation of 147 million U.S. consumers. Find out if your info was impacted. The 2017 Equifax data breach impacted the personal information of 147 million U.S. consumers. Find out if your info was impacted. " t O, OSlO SmUMlNT 2017 EQUJFAX DATA BREACH PROPOSED SETILEMENT [ LEARN MORE 2017 Equifax Class Action . I. EQUIFAXBREACHSETTLEMENT.COM learn More 2017 Equifax Class Action O Comment &¢ Share rb like - .,. 2017 Equlfax Class Action equifaxbreachsettlement.com The 2017 Equifax data breach impacted the personal Information of 147 million U.S. consume... Find Out if You're a Class Member ~ EQUIFAXBREACHSETTLEMEN... rfJ Like EQUI "AA DATA BREACH Equifax Data Breach Settlement 0 Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 157 of 295 E Equifax Data Breach Settlement E Sponsored · ~ ,, . Sponsored · 0 $380.5 million has been set aside to help millions of U.S. consumers whose personal info was impacted in the 201 7 Equifax data breach. Are you one of them? $380.5 million has been set aside to help millions of U.S. consumers whose personal info was impacted in the 2017 Equifax data breach. Are you one of them? ~o c ' _~ 1 .Y . }/ ~ "9' • _I_5toe k ~ , ~ ' ,.. •;at ~ : ·l~to Ck ~ · - 1bl. • ·~. .. -~t ~- clt.j_ / ·ist 1 47~illion · U.S. Consumers may have had I .HS'._. . , . their person.11 i ..._ l~ ' infotmat•on impacted · u.s; cons-umers w... · may have had ,18 7. _ . , • their personal . _f.;, information impacted ' 2017 Equifax Data Breach EQUIFAXBREACHSETTLEMENT.COM !LEARN MORE ] Class Action Like t.rtOCK 2017 Equlfax Data Breach Class Action equifaxbreachsettlement.com $380.5 million has been set aside to help millions of U.S. consumers whose personal info 1~.7 Million EQUIFAXBREACHSETTLEMEN ... rfJ / .. - ~ , • / ·t ·~. ~~~ r · ~,.·~ · ··~---_-:' .,. , . cit~ ·iS!· ock _ . . •1./ < llal' ,O'ck ..~' . ' . 14•.. ,. .. . .\ wc~..a k ·wc~..a ,, Equifax Data Breach Settlement 2017 Equifax Data Breach Class Action rb Like CJ Comment 0 Comment learn More ~ Share v:> Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 158 of 295 E Equifax Data Breach Settlement Sponsored · Impacted by the 2017 Equifax Data Breach? Find out your options and whether you're eligible for proposed class action settlement benefits. E Equifax Data Breach Settlement Sponsored · 0 Impacted by the 2017 Equifax Data Breach? Find out your options and whether you're eligible for proposed class action settlement benefitS. 2017 Equlfax Data Breach Proposed Settleme... equifaxbreachsettlement.com Impacted by the 2017 Equifax Data Breach? Find out your options and whether you're eligibl ... EQUIFAXBREACHSETTLEMEN .. . 2017 Equifax Data Breach Proposed Settlement rfJ Like CJ Comment I LEARN MORE J EQUIFAXBREACHSETILEMENT.COM 2017 Equifax Data Breach Proposed Settlement ~ Share rb Like 0 Comment Learn More ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 159 of 295 E Equifax Data Breach Settlement Sponsored Was your personal information impacted in the 2017 Equifax data breach? Click here to find out. You may be entitled to financial compensation from a proposed class action settlement. E Equifax Data Breach Settlement Sponsored · 0 Was your personal inf ormation impacted in t he 2017 Equifax data breach? Click here to find out. You may be entitled to financial compensation f rom a proposed class act ion settlement. equifaxbreachsettlement.com Was your personal Information Impacted In the 2017 Equifax data breach? Click here to find... EQUIFAXBREACHSETTLEMENT.COM rfJ Like CJ Comment ~Share rb Lfke CJ Comment Learn More ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 160 of 295 E Equifax Data Breach Settlement Sponsored · til The proposed Equifax Data Breach Settlement will provide class members with benefits like free credit monitoring, cash, and identity restoration services. Find out if you're a class member. E Equifax Data Breach Settlement Sponsored · 0 The proposed Equifax Data Breach Settlement will provide class members with benefrts like free credit monitoring, cash, and identity restoration services. Find out if you're a class member. 2017 Equlfax Data Breach Lawsuit equlfaxbreachsettlement.com The proposed Equifax Data Breach Settlement will provide class members with benefits like... EQUIFAXBREACHSETTLEMEN... 2017 Equlfax Data Breach I LEARN MORE ] Lawsuit EQUIFAXBREACHSETTLEMENT.COM Learn More 2017 Equifax Data Breach Lawsuit rfJ Like CJ Comment v!) Share r/':J Liko 0 Comment P Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 161 of 295 E Equifax Data Breach Settlement Sponsored · It' Equifax Data Breach Proposed Class Action Settlement: Click here to find out if you're a member of the class. E Equifax Data Breach Settlement Sponsored · 0 Equifax Data Breach Proposed Class Action Settlement: Click here to find out if you're a member of the class. Was your info Impacted? equifaxbreachsettlement.com Equifax Data Breach Proposed Class Action Settlement: Click here to fmd out if you're a m ... EQUIFAXBREACHSETILEMENT.COM rfJ Like CJ Comment ~Share Learn More Was your info impacted? rb Like CJ Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 162 of 295 E Equifax Data Breach Settlement Sponsored · ~ E Equifax Data Breach Settlement Sponsored · 0 Don't miss the deadline to claim your benefits under the Equifax data breach proposed class action settlement. Find out if you're eligible to submit a claim now. Don't miss the deadline to claim your benefits under the Equifax data breach proposed class action settlement. Find out if you're eligible to submit a claim now. 2017 Equlfax Data Breach Settlement equifaxbreachsettlement.com Don't miss the deadline to claim your benefits under the Equifax data breach proposed clas... EQUIFAXBREACHSETILEMEN ... 2017 Equifax Data Breach I LEARN MORE Settlement J EQUIFAXBREACHSETILEMENT.COM 2017 Equifax Data Breach Settlement rfJ Like CJ Comment ~Share rb like CJ Comment Learn More ~ Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 163 of 295 E E Equifax Data Breach Settlement Sponsored· If your personal information was impacted in the 2017 Equifax data breach, you may be eligible for compensation, free credit monitoring, and other benefits under a proposed class action settlement. EQUIFAXBREACHSETTLEMEN... 2017 Equifax Data Breach Class Action [ LEARN MORE Equifax Data Breach Settlement Sponsored · 0 If your personal information was impacted in the 2017 Equifax data breach, you may be eligible for compensation, f ree credit monitoring, and other benefits under a proposed class action settlement. 2017 Equlfax Data Breach Class Action equifaxbreachsettlement.com If your personal Information was Impacted In the 2017 Equifax data breach, you may be elig... I EQUIFAXBREACHSETTLEMENT.COM 2017 Equifax Data Breach Class Action rf; Like CJ Comment f:> Share rb like 0 Comment Learn More ~Sha re Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 164 of 295 E Equifax Data Breach Settlement Sponsored Was your personal information impacted in the 2017 Equifax data breach? Find out if you're eligible for financial compensation and other benefits under a proposed class action settlement. E Equifax Data Breach Settlement Sponsored · 0 Was your personal information impacted in the 2017 Equifax data breach? Find out if you're eligible for f mancial compensation and other benefits under a proposed class action settlement. 2017 Equ' lax Data Breach Class Action equ faxbreacrsetlie.,..e,t.com Was yoor persona d out f you're ... Cash payments Free credit monitoring. Identity restou1tlon services. EQUIFAXBREACHSETTLEMEN ... 2017 Equifax Data Breach Class Action [ LEARN MORE J EQUIFAXBREACHSETTLEMENT.COM 2017 Equifax Data Breach Class Action rtJ Like (J Co mment ~ Share rf:J Liko CJ Comment Learn More {!> Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 165 of 295 E Equifax Data Breach Settlement Sponsored · 1/1 A $380.5 million class action proposed settlement fund has been established for U.S. consumers impacted by the Equifax data breach. Follow the link to find out if you're a class member and if you're eligible to make a claim. E Equifax Data Breach Settlement Sponsored · 0 A $380.5 million class action proposed settlement fund has been established for U.S. consumers impacted by the Equifax data breach. Follow the link to find out if you're a class member and if you're eligible to make a claim . 2017 fquifax Oa1a Breach Liligalion eauifu .b·eachsettlerrent.co-n A $380.5 m.aon class acuon proposed sebleml<\1 lund 1\a.s bee<> eotab~sned fer U.S. aonw... EQUIFAXBREACHSETTLEMEN ... 2017 Equifax Data Breach [ LEARN MORE ] Litigation rfJ Like EQUIFAXBREACHSETTLEMENT.COM 2017 Equifax Data Breach Litigation rfj Like CJ Comment CJ Comment Learn More {!; Share ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 166 of 295 E Equifax Data Breach Settlement E Sponsored · !II Equifax Data Breach Settlement Sponsored · 0 The 2017 Equifax data breach impacted the personal info of 147 million U.S. consumers. A recent class action settlement can provide reimbursement. Find out if you're eligible to claim settlement benefitS today. The 2017 Equifax data breach impacted the personal info of 147 million U .S. consumers. A recent class action settlement can provide reimbursement. Find out if you're eligible to claim settlement benefits today. Equlfax Class Action equifaxbreachsettlement.com The 2017 Equifax data breach impacted the personal info of 147 million U.S. consumers. A r... EQUIFAXBREACHSETTLEM EN... Equifax Class Action cb Like CJ I LEARN MORE I . . EQUIFAXBREACHSETTLEMENT.COM Comment ,:;> Share Learn More Equifax Class Action rb Like CJ Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 167 of 295 E Equifax Data Breach Settlement Sponsored · -' A proposed settlement in the Equifax data breach lawsuit will provide eligible class members with financial compensation, free credit monitoring, cash reimbursements for losses, and identity restoration services. Find out if you're a class member who can submit a claim for benefits now. E Equifax Data Breach Settlement Sponsored · 0 A proposed settlement in the Equifax data breach lawsuit will provide eligible class members with financial compensation, free credit monitoring, cash reimbursements for losses, and identity restoration services. Find out if you're a class member who can submit a claim for benefits now. 2017 Equ"lax Data Breach Settleml!nt oqu laxbreachsetlle..,e,t.com A p•oposed selllerrent n Ina Equilax data b-each lawsu 1 win p'1)VK!e a ogible dass mamba.. Submit your claim now. EQUIFAXBREACHSETTLEMEN ... 2017 Equifax Data Breach I LEARN MORE I Settlement rfJ Like EQUIFAXBREACHSETTLEMENT.COM 2017 Equifax Data Breach Settlement CJ Comment ~ Share rb Like CJ Comment Learn More ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 168 of 295 E Equifax Data Breach Settlement Sponsored · ti' A proposed settlement has been reached in the 2017 Equifax data breach lawsuit. If your personal info was impacted, you may be eligible for financial compensation, free credit monitoring, and more. Determine if you're eligible for settlement benefits. E Equifax Data Breach Settlement Sponsored · 0 A proposed settlement has been reached in the 2017 Equifax data breach lawsuit. If your personal info was impacted, you may be eligible for financial compensation, free credit monitoring, and more. Determine if you're eligible for settlement benefits. 2017 Equifax Lawsuit equifaxbreachsettlement.com A proposed settlement has been reached in the 2017 Equifax data breach lawsuit. If your pe... EQUIFAXBREACHSETTLEMENT.COM rfJ Like CJ Comment ~Share learn More 2017 Equifax Lawsuit rb Like 0 Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 169 of 295 E Equifax Data Breach Settlement Sponsored · 4<'1 Equifax Data Breach Settlement E The proposed settlement in the 2017 Equilax data breach class action provides compensation, free credit monitoring, and identity restoration services to eligible class members. Find out if you're eligible and claim your benelits. The proposed settlement in the 2017 Equifax data breach class action provides compensation, free credit monitoring, and identity restoration services to eligible class members. Find out if you're eligible and claim your rfJ Like CJ Comment I LEARN MORE ~Share Claim your benefits under the proposed settlement. benefits. Claim your benefits under the proposed settlement. EQUIFAXBREACHSETTLEMEN.. Sponsored · 0 I equofaxbreachsettlementcom The proposed settlement In the 2017 Equofax data breach class acllon provodes compensation.- Claim your benefits under the proposed settlement. EQUIFAXBREACHSETTLEMENT.COM rb Like 0 learn More Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 170 of 295 E Equltax Data Breach Settlement Sponsored 1/4 Impacted by the 2017 EquHax data breach? You could be eligible for compensation and other benefits under a proposed class action settlement E Equlfax Data Breach Settlement Sponsored 0 Impacted by the 2017 Equifax data breach? You could be eligible for compensation and other benefits under a proposed class action settlement. 2017 Equ·tu Class Act on eQ~ faxbreachsetlle-e"'t.com lmpided by ttw 2017 ECJiifax data b .. Kh? You cou d be el'lgible 1o< co'11pei1U'""" and olhef__ rfJ Like CJ Comment ~Share EQUIFAXBREACHSmlEMENT.COM 201 7 Eauifax Class Action rb Like 0 Comment ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 171 of 295 E E Equlfax Data Breach Settlement Sponsored t/o Was your info Impacted In the 2017 Equifax data breach? Learn what you're entitled to under the proposed class action setUement. Equlfax Data Breach Settlement Sponsored 0 Was your info impacted in the 2017 Equifax data breach? Learn what you're entitled to under the proposed class action settlement. Proposed Class Ac1 on Settlement equ faxbruct>settle~e.,t.c:om 'Was yow lnlo lrnl>-=ted.., tw 2017 Equ4u data breacll? Learn .....,. )IOU~ M 1.«110 .,..__ EOUIFAXBREACHSETTtEME. Proposed Class Action Settlement !LEARN MORE I EQUIFAXBR£ACHSETTL£MENT.COM Proposed Class Action Settlement rb Like 0 Comment l eam More ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 172 of 295 E Equllax Data Breach Setllement Sponsored 1/' Was your information impacted? Submit your claim for benefits from a proposed class action settlement. F Equlfax Data Breach Settlement Sponsored · 0 Was your information impacted? Submit your claim for benefits from a proposed class act ion settlement. equ laxbreachsettle...,e~t.com Was your inlo'maton lmpac18d' SLtlm~ your clai'lllor benerrts fr0'11 a l)'opo$ed class acbOn... EOUIFAXBREACHSETTLEME... a') Like CJ Comment ?:>Share DATA BREACH PROPOSED SETTLEMENT EQUIFAXBREACHSETTLEMENT.COM rb Like l eamMore 0 Comment ~ S hare Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 173 of 295 E Equlfax Data Breach Settlement Sponsored - 1/1 A proposed settlement has been reached in the 201 7 Equifax data breach lawsuit. If you are a class member, you must act soon to claim your benefits. E Equlfax Data Breach Settlement Sponsored · 0 A proposed settlement has been reached In the 2017 Equifax data breach lawsuit. If you are a class member, you must act soon to claim your benefits. equ•faxbreachsettlement.com A proposed settlement has been reached In the 2017 Equlfax data breach lawswt If you ate... EQUIFAXBREACHSETTLEMENT.COM rb Like Learn More CJ Comment ~Share Case Document 739-2 Filed 07/22/19 Page 174 of 295 Instagram 23 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 175 of 295 E Equlfax Data Breach senl.. Sponsored 2017 EQUIFAX DATA BREACH P ROPOSED SHTUMENT Rnd Out if You're a Class Member Learn More > QO~ QO~ The 2017 Equifax data br each impacted the personal information of 147 m i llion U.S.. .. more $380.5 million has been set aside to help millions of U.S. consumers whose personal info ... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 176 of 295 QO'?/ Impacted by the 2017 Equifax Data Breach? Find out your options and whether you're ... more QO'?/ "" '"' " '"' '"""' """'"'-'=J Was your personal information impacted in the Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 177 of 295 E Equifax Data Breach Settl.. Sponsored Learn More QOYJ QOYJ The proposed Equi fax Data Breach Settlement will provide class members with benefits like ... more Equifax Data Breach Proposed Class Action Settlement: Click here to find out if you're ... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 178 of 295 Don't miss the deadline to claim your benefits under the Equifax data breach proposed ... more ;?,.,~.,::: ...,...,......,....,.• .••[:) I 2017 Equifax data breach, you may be ... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 179 of 295 Learn More Learn More > QO~ QO~ Was your personal information impacted in the 2017 Equifax dat a breach? Find out if ... more A $380.5 million class action proposed settlement fund has been establi shed for U.S.... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 180 of 295 E Equlfax Data Breach Settl... Sponsored QO'Y/ QOYI The 2017 Equlfax data breach Impacted the personal info of 147 million U.S.... more A proposed settlement in the Equifax data breach lawsuit will provide eligible class members ... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 181 of 295 E Equifax Data Breach Sent.. Sponsorod Claim your benefits under the proposed settlement. Learn More QOYJ A proposed settlement has been reached in the 2017 Equifax data breach lawsuit. If your ... more Learn More QO'Y/ The proposed settlement i n the 2017 Equifax data breach class ac tton pr ovtdes compensation, ... rnt~ Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 182 of 295 QOYJ QOYJ Impacted by the 2017 Equifax data breach' You could be ellgtble tor compensation and othet benefits ... o · Was your •nfo impacted in the 2017 EqUifax data breach? Learn what you're entitled to under the ... ~I Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 183 of 295 F. Equifax Data Breach SettL Sponsored DATAIREACH ftROPOSED SlnUMENT learn .. tore 00?/ Was yow information unpactect' Submrt your claim for benefrte from o proposed cl111 actiOn atttlement 0 0 '(1 A proposed settlement has been reached in the 2017 Eq01fax data breach lawsuit. If you art a class ... "'or~ Case Document 739-2 Filed 07/22/19 Page 184 of 295 Twitter 33 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 185 of 295 Equifax Data Breach Settlement @Equifax_Breach The 2017 Equifax data breach impacted the personal info of 147 million US consumers. Find out if you were impacted. 5:42PM -16 Jul2019 2017 EQUIFAX DATA BREACH PROPOSED SETILEMENT Find Out if You're a Class Member --- 2017 Equifax Data Breach Lawsuit t."l m 416 • 647 Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 186 of 295 Equifax Data Breach Settlement • @Equifax_Breach $380.5 million has been set aside to help those whose info was impacted in the Equifax breach. Are you one of them? 11 :15 AM - 18 Jul 2019 2017 Equifax Data Breach Lawsuit t.'l ~ Promoted 416 • 647 ••• Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 187 of 295 Equifax Data Breach Settlement • @Equifax_Breach Impacted by the 2017 Equifax Data Breach? Find out your options and whether you're eligible for settlement benefits. 8:40AM- 18 Jul 2019 2017 Equifax Data Breach Lawsuit t.'l 416 • 647 m Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 188 of 295 Equifax Data Breach Settlement @Equifax_Breach Was your info impacted in the Equifax data breach? You may be entitled to compensation from a proposed settlement. 5:42PM- 16 Jul2019 t.'l 416 • 647 EO! Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 189 of 295 Equifax Data Breach Settlement @Equifax_Breach The Equifax settlement offers cash & other benefit s to class members. Find out if you 're a member of the class. 5:42PM - 16 Jul2019 2017 Equifax Data Breach Lawsuit t.'l 416 • Learn More I 647 m Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 190 of 295 Equifax Data Breach Settlement • @Equifax_Breach Equifax data breach proposed class action settlement: Click here to find out if you're a member of the class. 5:42PM- 16 Jul 2019 2017 Equifax Data Breach Lawsuit t.+ 416 • 647 fa Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 191 of 295 Equifax Data Breach Settlement • @Equifax_Breach Don 't miss the deadline to claim your benefits under the 2017 Equifax data breach settlement. Submit your claim now. 5:42PM- 16 Jul2019 2017 Equifax Data Breach Lawsuit 't."l 416 • 647 ... f.il Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 192 of 295 Equifax Data Breach Settlement • @Equifax_Breach If your personal info was impacted in the Equifax breach, you could get compensation and other settlement benefits. 8:46AM- 18 Jul2019 2017 Equifax Data Breach Lawsuit t.'l 0 416 • 647 ••• Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 193 of 295 Equifax Data Breach Settlement @Equifax_Breach • Was your personal info impacted in the 2017 Equifax Data Breach? Find out if you're eligible for compensation. 5:58PM- 16 Jul2019 Cash payments. - Free credit monitOiing. Identity restoration services. 2017 Equifax Data Breach Class Action t."l S 416 • 647 000 Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 194 of 295 Equifax Data Breach Settlement @Equifax_Breach There's a $380.5 million proposed fund for those impacted by the Equifax breach. You may be entitled to benefits. 5:58PM- 16 Jul2019 j Learn More I 2017 Equifax Data Breach Lawsuit t.'l ~ 416 • 647 ••• Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 195 of 295 Equifax Data Breach Settlement • @Equifax_Breach 147 million people may be entitled to benefits in the Equifax data breach settlement. Find out if you're eligible. 5:58PM -16 Jul2019 2017 Equifax Data Breach Lawsuit ~· 416 • 647 ... EiJ Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 196 of 295 Equifax Data Breach Settlement • @Equifax_Breach Equifax settlement benefits: Compensation, credit monitoring, reimbursements, & more. Find out if you're eligible. 5:58PM- 16 Jul2019 Submit your claim now. I Learn More I 2017 Equifax Data Breach Proposed Settlement 'L"l f.iJ Promoted 416 • 647 ••• Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 197 of 295 Equifax Data Breach Settlement • @Equifax_Breach Equifax Data Breach proposed settlement: If your info was impacted, you may be eligible for settlement benefits. 5:58PM- 16 Jul2019 2017 Equifax Data Breach Lawsuit t."l S 416 • 647 ••• Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 198 of 295 Equifax Data Breach Settlement • @Equifax_Breach The Equifax data breach class action settlement provides compensation, credit & identity protection to class members 5:58PM -16 Jul 2019 Claim your benefits under the proposed settlement. 2017 Equifax Data Breach Lawsuit 'L"l 416 • 647 ••• f.iJ Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 199 of 295 Equifax Data Breach Settlement • @Equifax_Breach Impacted by the 2017 Equifax data breach? You may be eligible for compensation & other settlement benefits. 5:58PM- 16 Jul2019 2017 Equifax Class Action Settlement t."l 416 • 647 ... S Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 200 of 295 Equifax Data Breach Settlement • @Equifax_Breach Was your info impacted in the Equifax data breach? Learn what you're entitled to under the proposed settlement. 11:15 AM- 18 Jul2019 Proposed Class Action Settlement t.'l 416 • 647 ... I Learn More I S Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 201 of 295 Equifax Data Breach Settlement • @Equifax_Breach Was your information impacted? Submit your claim for benefits from a proposed class action settlement. 5:58PM -16 Jul2019 DATA BREACH PROPOSED SETTLEMENT 2017 Equifax Class Action 't."l 416 • 647 ••• fJ Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 202 of 295 Equifax Data Breach Settlement @Equifax_Breach You may be eligible for benefits under a proposed settlement in the Equifax data breach lawsuit. Learn more today. 5:58PM -16 Jul2019 2017 Equifax Data Breach Lawsuit t.'l m 416 • 647 ••• Promoted Case Document 739-2 Filed 07/22/19 Page 203 of 295 Display Advertising 52 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 204 of 295 7KH GLVSOD\ DGV ZLOO IHDWXUH DFURVV YDULRXV ZHEVLWHV ZKHUH WKH 1RWLFH $GPLQLVWUDWRU FDQ UHDFK SRWHQWLDO FODVV PHPEHUV ,QFOXGHG LV RQH GLVSOD\ VL]H WKRXJK WKHUH ZLOO EH YDULRXV VL]LQJ RSWLRQV WKDW ZH ZLOO XWLOL]H GXULQJ WKH FDPSDLJQ ,W VKRXOG EH QRWHG WKDW DQ\ GLVSOD\ DGV ZKLFK DUH UHVL]HG ZLOO NHHS H[DFWO\ WKH VDPH LPDJHV DQG ODQJXDJH Case Document 739-2 Filed 07/22/19 Page 205 of 295 EQUIFAK HF: 7' .- F'md nut if you're eligible fer bene?ts. Hum-w- Equ If.? Brend?ettlemantxum 54 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 206 of 295 Find out if you're eligible to submit your claim. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 207 of 295 2017 EQUIFAX www.EquifaxBreachSettlement.com PROPOSED CLASS ACTION SETTLEMENT Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 208 of 295 2017 EQUIFAX PROPOSED SETTLEMENT Find out if you're a class member. SUBMIT A CLAIM. www.Eq uifaxBreachSettlement.com Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 209 of 295 Personal Info Impacted? ( www. Eq u ifaxBreachSettlement.com Case Document 739-2 Filed 07/22/19 Page 210 of 295 EQUIFAK [?41 NT :52. r: Find out if you're a class member a; claim your bene?ts. WW.EquifaxBrL-achsutlementxum 59 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 211 of 295 3DLG 6HDUFK 'HVNWRS DQG 0RELOH Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 212 of 295 Equifax 2017 Data Breach I Was Your Info Impacted? I You May Have a Claim lAd I www.equifaxbreachsettlement.com • $380.5 million has been set aside in a proposed class action settlement to help millions whose personal info was impacted in the 2017 data breach. Are you one of them? Equifax 2017 Data Breach 1 Was Your Info Impacted? I You May Have a Claim lAd I www.equifaxbreachsettlement.com $380.5 million has been set aside in a proposed class action settlement to help millions whose personal info was impacted in the 2017 data breach. Are you one of them? Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 213 of 295 Equifax 2017 Data Breach 1 Was Your Info Impacted? 1 You May Have a Claim lAd I www.equifaxbreachsettlement.com • The court-ordered deadline to submit a claim in the Equifax settlement is coming up. Act now to find out if you're eligible. Equifax 2017 Data Breach 1 Was Your Info Impacted? I You May Have a Claim I lAd www.equ ifaxbreachsettlement.com The court-ordered deadline to submit a claim in the Equifax settlement is coming up. Act now to find out if you're eligible. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 214 of 295 Equifax 2017 Data Breach I Was Your Info Impacted? I You May Have a Claim lAd I www.equifaxbreachsettlement.com ... The proposed Equifax data breach class action settlement provides compensation and other benefits. Find out if you're eligible to make a claim. Equifax 2017 Data Breach I Was Your Info Impacted? I You May Have a Claim IAdl www.equifaxbreachsettlement.com The proposed Equifax data breach class action settlement provides compensation and other benefits. Find out if you're eligible to make a claim. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 215 of 295 Equifax 2017 Data Breach 1 Was Your Info Impacted? 1 You May Have a Claim I lAd www.equifaxbreachsettlement.com • Equifax 2017 proposed class action settlement: If your info was impacted, you may be eligible to claim benefits. Find out if you're eligible to claim benefits. Equifax 2017 Data Breach 1 Was Your Info Impacted? 1 You May Have a Claim lAd I www.equifaxbreachsettlement.com Equifax 2017 proposed class action settlement: If your info was impacted, you may be eligible to claim benefits. Find out if you're eligible to claim benefits. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 216 of 295 Equifax 2017 Data Breach I Was Your Info Impacted? I Act Now To Claim Your Benefits I lAd www.equifaxbreachsettlement.com • A proposed settlement has been reached in the Equifax 2017 data breach lawsuit. Act soon to determine if you are eligible for benefits. Equifax 2017 Data Breach I Was Your Info Impacted? 1 Act Now To Claim Your Benefits IAd I www.equ ifaxbreachsettlement.com A proposed settlement has been reached in the Equifax 2017 data breach lawsuit. Act soon to determine if you are eligible for benefits. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 217 of 295 Equifax 2017 Data Breach I Was Your Info Impacted? I You May Have a Claim lAd I www.equifaxbreachsettlement.com • 147 million consumers had personal info impacted by the 2017 Equifax data breach. Are you one of them? Equifax 2017 Data Breach 1 Was Your Info Impacted? I You May Have a Claim IAd I www.equ ifaxbreachsettlement.com 147 million consumers had personal info impacted by the 2017 Equifax data breach. Are you one of them? Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 218 of 295 Equifax 2017 Data Breach I Were You Impacted? I Claim Your Benefits Today lAd I www.equifaxbreachsettlement.com .... A proposed settlement has been reached in the Equifax 2017 data breach lawsuit. Act soon to determine if you are eligible for benefits. Equifax 2017 Data Breach I Were You Impacted? I Claim Your Benefits Today lAd I www.equifaxbreachsettlement.com A proposed settlement has been reached in the Equifax 2017 data breach lawsuit. Act soon to determine if you are eligible for benefits. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 219 of 295 7KH ORJR SLFWXUHG KHUH ZLOO EH LPSOHPHQWHG RQ WKH )DFHERRN ,QVWDJUDP DQG 7ZLWWHU DFFRXQWV DQG ZLOO DSSHDU RQ DOO DGV RQ WKRVH SODWIRUPV Case Document 739-2 Filed 07/22/19 Page 220 of 295 EXHIBIT Newspaper Ad Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 221 of 295 COURT APPROVED LEGAL NOTICE If Your Personal Information Was Impacted in the 2017 Equifax Data Breach, You May Be Eligible for Benefits from a Class Action Settlement In September of 2017, Equifax announced it experienced a data breach, which impacted lhe personal information of approximately 147 million people Equifax has reached a proposed settlement to resolve class action lawsuits brought by consumers alleging Equifax failed to adequately protect their personal lnformallon Equifax denies any wrongdoing, and no Judgment or finding or wrongdoing has been made If your personallnformallon was Impacted In lhe Equlfax data breach, you may be eligible for benefits from the sett\emenl after il becomes final Under the proposed settlement, Equlfax will: (1) pay $380_5 million Into a fund to pay benefits to consumers, courtapproved fees and costs of class counsel and service awards to the named class representatives, and other expenses: (2) implement and maintain certain data security enhancements; (3) if necessary, pay up to $125 million more to reimburse consumers for out-ofpocket losses resulting from the data breach: and (4) provide certain other relief. ~Are You Eligible: You are a class member and eligible for settlement benefits If you are a U S consumer whose personallnformatlon was Impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com and click the "Am I Impacted?" button or calll-833-759-2982 •· Berwfit~: If you are a class member, you are eligible for one or more of the following benefits: 1. Free Credit Monitoring or $125 Cash Payment. You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment. The free credit monitoring includes at least four years of three-bureau credit monitoring, offered through Experian You can also get up to six more years of free one-bureau credit monitoring through Equifax. If you already have credit monitoring services that will continue for at least 6 more months, you may be eligible for a cash payment of $125. 2. Other Cash Payments. You may also be eligible for the following cash payments up to $20,000 for: the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour. out-of-pocket losses resulting from the data breach. up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement. 3. Free Identity Restoration Services: You are eligible for 7 years of free assisted identity restoration services to help you remedy the effects of identity theft and fraud . .,_ How to Get Benefits: To get free credit monitoring, cash payments, or both, you must submit a claim: Online at www.EquifaxBreachSettlement.com, or By mail. You must submit a claim by [initial claims period deadline date]. Certain claims may require supporting documents. If there is still money in the fund after payment of valid claims submitted during the initial claims period that ends on (INSERT DATE], there will be an extended claims period lasting for four years In the extended claims period, you may make certain claims for out-ofpocket losses incurred in the future, including time and money spent trying to address identity theft or fraud related to the data breach. You don't need to file a claim to get free identity restoration services The amount you receive may be less than the claim you submit depending on the number and amount of claims that are submitted t- Understanding Your Options: If you want the court to exclude you from the settlement class, you must write to the Settlement Administrator by [INSERT DEADLINE] List the name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation. Case No 1:17-md-2800-TWn. your full name, your current address, and the words "Request for Exclusion" at the top of the document You must sign this request and mail it to Equifax Data Breach Class Action Settlement Administrator. Attn: Exclusion, c/o JND Legal Administration, P.O Box 91318, Seattle, WA 98111. To object to the settlement, you must file an objection with the court by [INSERT DEADLINE]. For detailed Instructions about the process of objecting, visit www.Equlfa:..Br4:!:nc.h.Srit.leml!11t...com.. You must subm~ a claim to www.Equifa•BreachSettlement.com by [INITIAL CLAIMS PERIOD DEADLINE DATE) You musl file a claim If you want to receive free credit monllorlng or cash benefits under this settlement If you do nothing, you won't receive a cash payment or credit monitoring service, won't be able to sue Equifax for the claims being resolved in the settlement, and will be legally bound by all orders of the court The Court will hold a hearing on [INSERT DATE) to consider any objections, and decide whether to approve the settlement, award attorneys' fees and expenses, and grant service awards to the named class representatives You may enter an appearance through an attorney, but do not have to. The court has appointed lawyers to represent you and the class, but you can hire another lawyer at your own expense This is only a summary of the settlement None ofthes~beneflts will be distributed or available until the settlememls flnaltv approved by the-Court. For more information, visit www.EquifaxBreachSeHiement.com, or call (toll free) 1-833-759-2982. This is a Coun authorized notice, nof a lawyer advertisemenf Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 222 of 295 EXHIBIT D Scripts for Radio Ads Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 223 of 295 Radio Notice Scripts 15-seconds radio announcement 1. About 147 million U.S. consumers whose personal information was impacted in the 2017 Equifax data breach may be eligible for compensation, free credit monitoring, and more under a proposed class action settlement. Visit EquifaxBreachSettlement.com to find out your options. That’s EquifaxBreachSettlement.com. 2. Equifax has agreed to settle a class action lawsuit about the 2017 data breach that impacted the information of millions of U.S. consumers. Learn more about the settlement, your rights, and whether you can submit a claim for cash and other benefits at EquifaxBreachSettlement.com. That’s EquifaxBreachSettlement.com. 30-seconds radio announcement 1. About 147 million U.S. consumers impacted by the 2017 Equifax data breach are eligible to make a claim under a proposed settlement. Benefits include compensation for time and money spent preventing or recovering from identity theft because of the breach; four years of free credit monitoring; identity restoration services; and more. Visit EquifaxBreachSettlement.com to find out your options and if you’re eligible to submit a claim. Or you can call toll free 1-833-759-2982. That’s EquifaxBreachSettlement.com or call 1-833-759-2982. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 224 of 295 2. Attention: You may be eligible for cash payments, identity theft protection services, and other benefits in the Equifax data breach class action settlement. If you’re one of about 147 million U.S. consumers whose information was impacted in the 2017 Equifax data breach, you may be eligible for cash payments for time and money you spent because of the data breach. Visit EquifaxBreachSettlement.com for more information about your rights under the settlement and to make a claim. Or you can call toll free 1833-759-2982. That’s EquifaxBreachSettlement.com or call 1-833-7592982. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 225 of 295 (;+,%,7 ( 'LJLWDO $GV IRU 8VH $IWHU WKH ,QLWLDO &ODLPV 3HULRG Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 226 of 295 7KH IROORZLQJ DUH PRFNXSV RI GLJLWDO DGYHUWLVHPHQWV WKDW ZLOO EH LPSOHPHQWHG DFURVV )DFHERRN ,QVWDJUDP 7ZLWWHU 'LVSOD\ 1HWZRUNV DQG 6HDUFK 1HWZRUNV WR LQIRUP 6HWWOHPHQW &ODVV 0HPEHUV RI ,GHQWLW\ 5HVWRUDWLRQ 6HUYLFHV DQG SRWHQWLDO UHLPEXUVHPHQW RSWLRQV XQGHU WKH ([WHQGHG &ODLPV 3HULRG $ SRUWLRQ RI WKHVH DGV ZLOO EH WUDQVODWHG LQWR 6SDQLVK $OO DGV ZLOO IHDWXUH DQG RU OLQN GLUHFWO\ WR WKH &DVH :HEVLWH Case Document 739-2 Filed 07/22/19 Page 227 of 295 Facebook Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 228 of 295 0RFNXSV RI )DFHERRN DGV DUH VKRZQ LQ WKUHH VL]HV WKDW FRUUHVSRQG WR WKH GHYLFH DQG SODFHPHQW RI WKH DGV SLFWXUHG IURP OHIW WR ULJKW Ɣ 0RELOH 1HZV )HHG DGV WKDW VKRZ LQ WKH 1HZV )HHG WR SHRSOH XVLQJ )DFHERRN RQ PRELOH GHYLFHV Ɣ 'HVNWRS 1HZV )HHG DGV WKDW VKRZ LQ WKH 1HZV )HHG WR SHRSOH XVLQJ )DFHERRN RQ GHVNWRS FRPSXWHUV Ɣ 5LJKW &ROXPQ DGV WKDW DSSHDU LQ WKH ULJKW VLGH FROXPQ RQ )DFHERRN IRU SHRSOH XVLQJ GHVNWRS FRPSXWHUV Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 229 of 295 E Equifax Data Breach Settlement Sponsored· If your information was impacted in the 2017 Equifax data breach, you're eligible to get free identity restoration services under the class action settlement. Click here to find out how. EQUIFAXBREACHSETTLEMEN ... 2017 Equifax Class Action Settlement I E Equifax Data Breach Settlement Sponsored · 0 If your information was impacted in the 2017 Equifax data breach, you"re eligible to get free identity restoration services under the class action settlement. Click here to fmd out how. 2017 Equlfax Class Action Settlement equlfaxbreachsettlement.com If your Information was impacted in the 2017 Equifax data breach, you're eligible to get f ... EQUIFAXBREACHSETTLEMENT.COM LEARN MORE J rb Like rb Like CJ Comment Learn More 2017 Equifax Class Action Settlement CJ Comment R Share ~Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 230 of 295 E Equifax Data Breach Settlement E Sponsored · _, Identity impacted after the 2017 Equifax data breach? Get access to free help under a class action settlement if you are a class member. Equifax Data Breach Settlement Sponsored · 0 Identity impacted after the 2017 Equifax data breach? Get access to free help under a class action settlement if you are a class member. 2017 Equifax Class Action Settlement equ ifaxbreachsettlement.com Identity impacted after the 2017 Equifax data breach? Get access to free help under a clas ... EQUIFAXBREACHSETTLEME .. 2017 Equifax Class Action Settlement a'J Like CJ Comment [ LEARN MORE J ~Share EQUIFAXBREACHSETILEMENT.COM Learn More 2017 Equifax Class Action Settlement rb Lfkc 0 Comment p Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 231 of 295 E Equifax Data Breach Settlement E Sponsored · The Equifax Settlement provides reimbursement to people who lost time or money due to identity theft or fraud because of the 2017 data breach. Find out if you're eligible for reimbursement and make a claim. EQUIFAXBREACHSETTLEMEN... ( LEARN MORE Equifax Data Breach Settlement Sponsored · 0 The Equifax Settlement provides reimbursement to people who lost time or money due to identity theft or fraud because of the 201 7 data breach. Find out if you're eligible for reimbursement and make a claim. equifaxbreachsettlement.com The Equifax Settlement provides reimbursement to people who lost time or money due to ideo... I EQUIFAXBREACHSETTLEMENT.COM rfJ Like CJ Comment ~Share rb Like CJ Comment Learn More 1¢ Share Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 232 of 295 E Equifax Data Breach Settlement Sponsored· Did you recently lose time or money from identity theft or fraud because of the 2017 Equifax Data Breach? You may have a claim to compensation. Find out if you're eligible to submit a claim. E Equifax Data Breach Settlement Sponsored · 0 Did you recently lose time or money from identity theft or fraud because of the 2017 Equifax Data Breach? You may have a claim to compensation. Find out if you're eligible to submit a claim. 2017 Equ"fax Data Breach Seulement equ faxbreachscttle-e'"lt.com Did you recently lose t.:ne or money lrom ioenUy theft or traud because all"" 2017 EquL EQUIFAXBREACHSETTLEMEN. .. equifaxbreachsettlement.co m I LEARN MORE J EQUIFAXBREACHSETTLEMENT.COM Learn More equifaxbreachsettlement.com rfJ Li ke CJ Comment ~Share rb Like 0 Comment {:!> Share Case Document 739-2 Filed 07/22/19 Page 233 of 295 Instagram Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 234 of 295 Equifax Dat a Breach Settl.. Sponsored Learn More QOYJ Q O YJ If your information was impacted in the 2017 Equifax data breach, you're eligible to get ... more Identity impact ed after the 201 7 Equifax dat a breach> Get access to free he lp und er a c lass act ion ... more Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 235 of 295 E Equifax Data Breach Settl Sponsored Learn More QQ"q QQ"q The Equifax Settlement provides reimbursement to people who lost time or money due to ... more Did you recently lose t ime or money from identity theft or f raud because of the 2017 Equifax ... more Case Document 739-2 Filed 07/22/19 Page 236 of 295 Twitter 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 237 of 295 Equifax Data Breach Settlement @Equifax_Breach Info impacted in the 2017 Equifax breach? You may be eligible for identity restoration services under a settlement. 11 :15 AM - 18 Jul2019 2017 Equifax Data Breach t.'l 416 I Learn More j • 647 S Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 238 of 295 111!11 Equifax Data Breach Settlement lliill @Equifax_Breach Identity impacted because of the 2017 Equifax data breach? Get access to free help under a class action settlement. 11 :54 AM - 19 Jul 2019 t.+ S 416 • 647 Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 239 of 295 Equifax Data Breach Settlement • @Equifax_Breach Equifax Settlement: Reimbursement may be available for ID theft or fraud losses caused by the 2017 data breach. 5:58PM -16 Jul2019 2017 Equifax Data Breach Class Action t.'l 416 • 647 ••• Eil Promoted Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 240 of 295 Equifax Data Breach Settlement • @Equifax_Breach Do you have losses from ID theft because of the 2017 Equifax data breach? You may have a claim to compensation. 5:58 PM - 20 Jul 2019 t.'l 416 • 647 S Promoted Case Document 739-2 Filed 07/22/19 Page 241 of 295 Display Advertising 17 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 242 of 295 7KH GLVSOD\ DGV ZLOO IHDWXUH DFURVV YDULRXV ZHEVLWHV ZKHUH WKH 1RWLFH $GPLQLVWUDWRU FDQ UHDFK SRWHQWLDO FODVV PHPEHUV ,QFOXGHG LV RQH GLVSOD\ VL]H WKRXJK WKHUH ZLOO EH YDULRXV VL]LQJ RSWLRQV WKDW ZH ZLOO XWLOL]H GXULQJ WKH FDPSDLJQ ,W VKRXOG EH QRWHG WKDW DQ\ GLVSOD\ DGV ZKLFK DUH UHVL]HG ZLOO NHHS H[DFWO\ WKH VDPH LPDJHV DQG ODQJXDJH Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 243 of 295 EQUIFAX www.EquifaxBreachSettlement.com CLASS ACTION SETTLEMENT ........ .. ._____. ~ Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 244 of 295 If Eligible, Get Free Help Resolving Identity Fraud Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 245 of 295 2017 EQUIFAX DATA BREACH CLASS ACTION SETTLEMENT Find out if you're eligible. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 246 of 295 EQUIFAX www.EquifaxBreachSettlement.com DATA BREACH CLASS ACTION SETTLEMENT ....... . ~ ----...;. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 247 of 295 3DLG 6HDUFK 'HVNWRS DQG 0RELOH Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 248 of 295 Data Breach Settlement 1 Equifax Class Action 1 Free ID Restoration Services lAd I www.equifaxbreachsettlement.com ... Victim of identity theft, fraud? If eligible, get free help under a court settlement. Click here to access identity restoration services now. 2017 Equifax Data Breach I Was Your Identity Stolen? ~ www.equifaxbreachsettlement.com A recent court settlement provides free Identity Restoration Services. Find out if you're eligible & access your free services now. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 249 of 295 2017 Equifax Data Breach 1 Did You Lose Time or Money? Submit a Reimbursement Claim I ~ www.equifaxbreachsettlement.com • People who recently lost time or money due to the 2017 Equifax breach could get reimbursed. Find out if you're eligible to submit a claim. Equifax 2017 Settlement I Extended Claims Period I Get Reimbursement ~ www.equifaxbreachsettlement.com • Did you recently lose time or money as a result of the 2017 Equifax data breach? You may be eligible for reimbursement under a proposed class action settlement. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 250 of 295 7KH ORJR SLFWXUHG KHUH ZLOO EH LPSOHPHQWHG RQ WKH )DFHERRN ,QVWDJUDP DQG 7ZLWWHU DFFRXQWV DQG ZLOO DSSHDU RQ DOO DGV RQ WKRVH SODWIRUPV Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 251 of 295 EXHIBIT F Scripts for Video Ads Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 252 of 295 15-second video script Audio 1. ACTOR: If your personal information was impacted in the 2017 Equifax data breach, you may be eligible for a cash payment, free credit monitoring, and other benefits under a proposed class action settlement. [0:10] 2. VO: Visual GRAPHIC OVERLAY: ● Cash payments ● Free credit monitoring ● Identity restoration services GRAPHIC OVERLAY: Visit EquifaxBreachSettlement.com to EquifaxBreachSettlement.com find out if you’re eligible to submit your claim. [0:15] 30-second video script #1 Audio 1. ACTOR: The 2017 Equifax data breach impacted the personal information of approximately 147 million U.S. consumers. [0:05] Visual Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 253 of 295 2. ACTOR: If your information was impacted, you may be eligible for benefits under a proposed class action settlement. [0:11] 3. ACTOR: Under the settlement, you may be entitled to: ● Cash payments for money and time spent preventing or recovering from identity theft because of the breach; ● Four years of free credit monitoring; and ● Identity restoration services [0:21] 4. VO: GRAPHIC OVERLAY: ● Cash payments ● At least 4 years of free credit monitoring ● Identity restoration services GRAPHIC OVERLAY: Visit EquifaxBreachSettlement.com to EquifaxBreachSettlement.com 1-833-759-2982 find out if you’re a class member and eligible to submit a claim for benefits today. [0:27] 5. VO: GRAPHIC OVERLAY: EquifaxBreachSettlement.com That’s EquifaxBreachSettlement.com. [0:30] 1-833-759-2982 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 254 of 295 60-second video script #2 Audio Visual 1. ACTOR: Are you one of the approximately 147 million U.S. consumers impacted in the Equifax data breach? [0:06] 2. ACTOR: A proposed class action settlement may entitle you to certain benefits, including: ● Cash payments to reimburse you for out-of-pocket costs and compensate you for time spent remedying identity theft because of the breach; ● Four years of free credit monitoring and identity theft protection; and ● Identity restoration services [0:21] GRAPHIC OVERLAY: ● Cash reimbursement for out-of-pocket losses and your time ● Free credit monitoring and identify theft protection ● Identity restoration services Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 255 of 295 3. ACTOR: A class action lawsuit was brought by consumers against Equifax after it announced in September 2017 that a criminal cyberattack on its systems impacted the names, Social Security numbers, birth dates, addresses, and other personal information of millions of people. [0:33] 4. ACTOR: Under the terms of the proposed settlement, Equifax has agreed to pay $380.5 million into a fund to pay benefits. [0:40] 5. VO: GRAPHIC OVERLAY: EquifaxBreachSettlement.com Visit EquifaxBreachSettlement.com to find out if you’re eligible to file a claim 1-833-759-2982 for benefits. [0:45] 6. VO: You may be entitled to compensation, free credit monitoring and identity theft protection, and identity restoration services. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 256 of 295 [0:50] 7. VO: GRAPHIC OVERLAY: EquifaxBreachSettlement.com Visit EquifaxBreachSettlement.com 1-833-759-2982 for more information and to submit a claim today. [0:55] Draft Disclosure This is a court-approved legal notice. This is not an advertisement. The proposed settlement may affect your rights. If you make a claim under the settlement, or if you do nothing, you will be releasing all of your legal claims relating to the data breach against Equifax when the settlement becomes final. In order to be eligible for certain benefits, you must submit a claim. For cash reimbursement, you must be able to document your claim. The Settlement Administrator has the authority to review and validate claims. Class members who wish to opt out may exclude themselves from the settlement and give up their right to participate. Class members who wish to object to the settlement may do so prior to the courtimposed deadline. Court-approved Class Counsel are: DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC; DICELLO LEVITT GUTZLER LLC; STUEVE SIEGEL HANSON LLP; and THE BARNES LAW GROUP, LLC. You will not be charged by these lawyers for their work on the case. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 257 of 295 EXHIBIT 7-A PROPOSED LONG-FORM NOTICE Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 258 of 295 This is a Court approved Legal Notice. This is not an advertisement. In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.) EQUIFAX DATA BREACH CLASS ACTION SETTLEMENT IF YOUR PERSONAL INFORMATION WAS IMPACTED IN THE 2017 EQUIFAX DATA BREACH, YOU MAY BE ELIGIBLE FOR BENEFITS FROM A CLASS ACTION SETTLEMENT A class action settlement has been proposed in a case against Equifax Inc., Equifax Information Services LLC, and Equifax Consumer Services LLC (“Equifax”) relating to a data breach that Equifax announced in September 2017 (the “Data Breach”). If you are a Settlement Class Member, there will be benefits available to you from the proposed settlement. The easiest way to submit a claim under the settlement is online at www.EquifaxBreachSettlement.com. If you are unsure of whether you are eligible for benefits, visit the website or call 1-833-759-2982. In addition to other benefits, the proposed settlement requires Equifax to establish a “Consumer Restitution Fund” of a minimum of $380.5 million. The settlement relief includes:  Cash Payment for Out-of-Pocket Losses: The Consumer Restitution Fund will be used to reimburse out-of-pocket losses fairly traceable to the Data Breach, including costs of credit monitoring and placing or removing a credit freeze on a credit file, up to $20,000 per person (“Out-of-Pocket Losses”).  Cash Payment for Time Spent: Out-of-Pocket Losses include payment for time spent remedying fraud, identity theft, or other misuse of your personal information caused by the Data Breach, or freezing or unfreezing credit reports and purchasing credit monitoring services, for up to 20 hours at $25 per hour (“Time Spent”).  Cash Payment for Equifax Subscription Products: Settlement Class Members who paid for Equifax credit or identity monitoring subscription products between September 7, 2016 and September 7, 2017, can receive up to 25% reimbursement for the amount they paid for services during that time (“Subscription Product Reimbursement”).  Credit Monitoring Services: All Settlement Class Members are eligible to enroll in at least four (4) years of Experian’s credit monitoring services at no cost. The services include three-bureau daily monitoring of your credit files, a $1 million identity theft insurance policy, and other features discussed below (“Credit Monitoring Services”). You can make a claim for both cash payments and Credit Monitoring Services.  Cash Payment for Alternative Credit Monitoring Service: If you already have some form of credit monitoring or protection, or would like to get a different credit monitoring service before submitting a claim, you may be eligible for cash up to $125 as an alternative to the free Credit Monitoring Services (“Alternative Reimbursement Compensation”).  Identity Restoration Services: All Settlement Class Members will be able to use assisted identity restoration services offered through Experian, including a dedicated identity theft Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 259 of 295 restoration specialist to help with identity recovery and restoration for a period of seven (7) years (“Restoration Services”) if you experience identity theft or fraud.  Equifax Business Practices Commitments: Equifax has agreed to implement and maintain certain business practices relating to its information security program, which will be monitored by an independent third party and be enforceable in court. YOUR LEGAL RIGHTS AND OPTIONS IN THIS SETTLEMENT File a claim for Out-of-Pocket Losses or Time Spent DEADLINE You must submit a claim in order to receive reimbursement DATE for Out-of-Pocket Losses and/or Time Spent. You may For current claim Out-of-Pocket Losses, Time Spent, and Credit losses and Monitoring Services under the settlement. time For more detailed information, see Questions __-__. DATE For future losses and time File a claim for Credit Monitoring Services or Alternative Reimbursement Compensation You must submit a claim in order to receive the Free Credit DATE Monitoring Services offered under the settlement, or Alternative Reimbursement Compensation up to $125. File a claim for Subscription Product Reimbursement You must submit a claim in order to receive reimbursement DATE for Subscription Product Reimbursements. Access to Identity Restoration Services You may access Identity Restoration Services after the No deadline. settlement becomes final, whether or not you make a claim Services will under the settlement. be available for at least 7 For more detailed information, see Question __. years. Exclude yourself from the settlement You can exclude yourself from the settlement by informing DATE the Settlement Administrator that you want to “opt-out” of the settlement. If the settlement becomes final, this is the only option that allows you to retain your rights to separately sue Equifax for claims related to the Data Breach. If you opt-out, you may not make a claim for benefits under the settlement. For more detailed information, see Question __. For more detailed information, see Question __. Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 260 of 295 Object or comment on the settlement You may object to the settlement by writing to explain to DATE the Court why you don’t think the settlement should be approved. If you object, you will remain a Settlement Class Member, and if the settlement is approved, you will be eligible for the benefits of the settlement and give up your right to sue on certain claims described in the Settlement Agreement, which is available at www.EquifaxBreachSettlement.com. For more detailed information, see Question __. Do nothing If you do nothing, you can still access Identity Restoration Services, but will not be entitled to any other benefits provided under the settlement. If the settlement becomes final, you will give up your rights to sue Equifax separately for claims relating to the Data Breach or to continue to pursue any such claims you have already filed. What this Notice Contains Page BASIC INFORMATION AND OVERVIEW .............................................................................. 1. What is this notice, and why did I get it? ............................................................................. 2. What is this lawsuit about? ................................................................................................... 3. Why is this a class action? .................................................................................................... 4. Why is there a settlement? ................................................................................................... WHO IS PART OF THE SETTLEMENT ................................................................................... 5. How do I know if I am part of the settlement? ..................................................................... THE SETTLEMENT BENEFITS ................................................................................................. 6. What does the settlement provide? ....................................................................................... 7. How will the settlement compensate me for identity theft I have already suffered or money I have already paid to protect myself? ...................................................................... 8. How will the settlement help protect me against future identity theft and fraud? ............... 9. Can minor children make a claim for Credit Monitoring Services? .................................... 10. What if I already have credit monitoring or identity theft protection services? ................... 11. How will the settlement help me deal with identity theft or fraud if it happens? ................ 12. What if I have Out-of-Pocket Losses or Time Spent because of the Equifax Data Breach in the future? ........................................................................................................................ 13. What claims can I make during the Extended Claims Period? ............................................ 14. Will the settlement include changes to Equifax’s data security program? ........................... Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 261 of 295 15. What happens if there are leftover settlement funds? .......................................................... 16. What happens if the Consumer Restitution Fund runs out of money? ................................. HOW TO GET SETTLEMENT BENEFITS ............................................................................... 17. How do I file a claim for Credit Monitoring Services, Time Spent, or Out-of-Pocket Losses? ................................................................................................................................. 18. When and how will I receive the benefits I claim from the settlement? .............................. LEGAL RIGHTS RESOLVED THROUGH THE SETTLEMENT ......................................... 19. What am I giving up to stay in the settlement class? ........................................................... THE LAWYERS REPRESENTING YOU .................................................................................. 20. Do I have a lawyer in this case? ........................................................................................... 21. How will these lawyers be paid? .......................................................................................... 22. Will the class representatives receive any additional money? ............................................. EXCLUDING YOURSELF FROM THE SETTLEMENT ........................................................ 23. How do I exclude myself from the settlement? .................................................................... OBJECTING OR COMMENTING ON THE SETTLEMENT? ............................................... 24. How do I tell the Court that I like or don’t like the settlement? .......................................... GETTING MORE INFORMATION ............................................................................................ 25. Where can I get more information? ...................................................................................... BASIC INFORMATION AND OVERVIEW 1. What is this notice? A Court authorized this notice to inform you how you may be affected by this proposed settlement. This notice describes the lawsuit, the general terms of the proposed settlement and what it may mean to you. This notice also explains how to participate in, or exclude yourself from, the settlement if you were impacted by the Data Breach. For information on how to determine if you are a Settlement Class Member, and therefore eligible for benefits under this settlement, see Question __. 2. What is this lawsuit about? In September 2017, Equifax announced that it had been the victim of a criminal cyberattack on its systems. The attackers gained unauthorized access to the personal information of approximately 147 million U.S. consumers. This information included people’s names, Social Security numbers, birth dates, addresses, and in some instances driver’s license numbers, credit card numbers, or other personal information. Numerous lawsuits were brought on behalf of consumers whose personal information was impacted as a result of the Data Breach. Chief Judge Thomas W. Thrash Jr. of the U.S. District Court for the Northern District of Georgia is overseeing these lawsuits. These lawsuits are known as In re: Equifax Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 262 of 295 Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT. The consumers who sued are called the “Plaintiffs.” Equifax, Inc., and two of its subsidiaries are the “Defendants.” Plaintiffs claim that Equifax did not adequately protect consumers’ personal information and that Equifax delayed in providing notice of the data breach. The most recent version of the lawsuit, which describes the specific legal claims alleged by the Plaintiffs, is available at www.EquifaxBreachSettlement.com. Equifax denies any wrongdoing, and no court or other judicial entity has made any judgment or other determination of any wrongdoing. 3. Why is this a class action? In a class action, one or more people called “class representatives” sue on behalf of themselves and other people with similar claims. All of these people together are the “class” or “class members.” Because this is a class action, even persons who did not file their own lawsuit can obtain relief from harm that may have been caused by the Data Breach, except for those individuals who exclude themselves from the settlement class by the deadline. 4. Why is there a settlement? The Court has not decided in favor of Plaintiffs or Equifax. Instead, both sides agreed to a settlement after a lengthy mediation process overseen by a retired federal judge. Settlements avoid the costs and uncertainty of a trial and related appeals, while more quickly providing benefits to members of the settlement class. The class representatives appointed to represent the class and the attorneys for the settlement class (“Class Counsel,” see Question __) believe that the settlement is in the best interests of the Settlement Class Members. WHO IS PART OF THE SETTLEMENT 5. How do I know if I am part of the settlement? You are a Settlement Class Member if you are among the approximately 147 million U.S. consumers identified by Equifax whose personal information was impacted by the Equifax Data Breach. You can confirm you are a Settlement Class Member, and eligible for benefits, by:  Visiting the secure web page https://www.EquifaxBreachSettlement.com; or  Calling 1-833-759-2982. Excluded from the settlement are:  Officers and directors of Equifax;  The presiding judge and any judicial staff involved in the lawsuit; and  Any Class Member who opts-out (see Question ___). THE SETTLEMENT BENEFITS 6. What does the settlement provide? Equifax will pay at least $380,500,000 into a Consumer Restitution Fund. The Consumer Restitution Fund will be used to:  Make cash payments for Out-of-Pocket Losses and Time Spent (see Question ___);  Purchase Credit Monitoring Services (see Question ___); Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 263 of 295  Pay cash Alternative Reimbursement Compensation to Settlement Class Members who already have their own credit monitoring or identity protection coverage before making a claim (see Question ___);  Make cash payments for Subscription Product Reimbursement;  Purchase Restoration Services for all Settlement Class Members, regardless of whether they make a claim (see Question ___);  Pay the costs of notifying Settlement Class Members and administering the settlement;  Pay service awards to the Settlement Class Representatives, as approved by the Court (see Question ___);  Pay attorneys’ fees, costs, and expenses, as approved by the Court (see Question ___). If the Consumer Restitution Fund is used up, Equifax will pay up to an additional $125,000,000 to pay Out-of-Pocket Losses (see Question ___). Equifax has also agreed to implement and maintain certain business practices relating to its information security program (see Question ___). A detailed description of these business practices commitments is available in the Settlement Agreement, which is available at www.EquifaxBreachSettlement.com. 7. How will the settlement compensate me for identity theft I have already suffered or money I have already paid to protect myself, and my time spent on those things? Settlement Benefit: Cash Payment for Time Spent: If you spent time (i) dealing with fraud, identity theft, or other alleged misuse of your personal information that is fairly traceable to the Data Breach, or (ii) taking preventative measures (time placing or removing security freezes on your credit report, or purchasing credit monitoring or identity protection) that are fairly traceable to the Data Breach, then you may make a claim for reimbursement for $25 per hour for up to 20 hours. You may receive reimbursement for up to 10 hours at $25 per hour by providing a description of (i) the actions taken in response to the Data Breach in dealing with misuse of your information or taking preventative measures and (ii) the time associated with those actions. You must certify that the description is truthful. Valid claims for Time Spent will be reimbursed in 15-minute increments, with a minimum reimbursement of 1-hour per claim. To claim reimbursement of more than 10 hours of Time Spent, you must also provide reasonable documentation of fraud, identity theft, or other alleged misuse of your personal information fairly traceable to the Data Breach (i.e., letter from IRS or bank or police report). If there are more than $31 million in claims for Time Spent made during the Initial Claims Period (see Question __), all payments for Time Spent will be reduced and distributed on a proportional basis. Certain claims for Time Spent may also be made during the Extended Claims Period, up to a total cap for Time Spent during the Initial and Extended Claims Periods of $38 million in claims. The deadline to file a claim for time you have already spent as a result of the Data Breach is [DATE]. The deadline to file eligible claims for time you spend in the future as a result of the Data Breach is [DATE] (see Questions ___). Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 264 of 295 Settlement Benefit: Payment for Unreimbursed Out-of-Pocket Losses: If you spent money to deal with fraud or identity theft that was fairly traceable to the Data Breach, or to protect yourself from future harm, then you can submit a claim for reimbursement up to $20,000 (including your claim for Time Spent). Out-of-Pocket Losses that are eligible for reimbursement may include, without limitation, the following:  Money spent on or after September 7, 2017, associated with placing or removing a security freeze on your credit report with any credit reporting agency;  Credit monitoring or identity theft protection costs you paid on or after September 7, 2017;  Unreimbursed costs, expenses, losses or charges you paid on or after May 13, 2017, because of identity theft or identity fraud, falsified tax returns, or other alleged misuse of your personal information;  Other miscellaneous expenses related to any Out-Of-Pocket Loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges;  Professional fees incurred in connection with addressing identity theft, fraud, or falsified tax returns; and  Up to 25% reimbursement of the money you paid for Equifax credit monitoring or identity theft protection subscription products between September 7, 2016 and September 7, 2017. This list provides examples only, and other losses or costs fairly traceable to the Data Breach may also be eligible for reimbursement. Go to www.EquifaxBreachSettlement.com or call [toll-free number]. The Settlement Administrator will decide if your claim for Out-Of-Pocket Losses are valid. Only valid claims will be paid. The deadline to file a claim for Out-of-Pocket Losses you have already had is [DATE]. Certain claims for losses in the future as a result of the Data Breach may be made during the Extended Claims Period (see Questions ___). The deadline to file those claims is [DATE]. 8. How will the settlement help protect me against future identity theft and fraud? Settlement Benefit: Credit Monitoring Services: The settlement provides a way to help protect yourself from unauthorized use of your personal information. Settlement Class Members may submit a claim to enroll in at least four (4) years of three-bureau credit monitoring services, provided by Experian, at no cost. These services include the following features:  Three-bureau credit monitoring providing notice of changes to your credit report at all three national credit bureaus;  Up to $1 million dollars in insurance covering costs related to identity theft or fraud;  Real-time notification of credit inquiries and other notifications;  On-demand online access to a free copy of one bureau credit report, updated on a monthly basis;  CyberAgent® Dark Web Monitoring that monitors internet activity for the trading or selling of your personal information;  Customer support provided by Experian; and  Many other features described at www.EquifaxBreachSettlement.com. Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 265 of 295 If you make a valid claim and enroll in Credit Monitoring Services, you can also elect to enroll in up to six (6) years of one-bureau credit monitoring services provided by Equifax that would begin after the three-bureau Credit Monitoring Services expire. This one-bureau credit monitoring service will include automated online alerts for key changes to your Equifax credit report, on-demand online access to your Equifax credit report updated on a monthly basis, and, if you request, internet monitoring that includes searching suspicious websites for your Social Security number. You must opt in for these onebureau services when you submit your claim for Credit Monitoring Services, and you will be sent instructions for how to enroll in the one-bureau monitoring before your three-bureau Credit Monitoring Services expire. The cost of this service will be paid separately by Equifax, not out of the Consumer Restitution Fund. Information about Credit Monitoring Services for minor children is provided in Question ___. The deadline for all claims for Credit Monitoring Services is [DATE]. If you submit a valid claim form and elect to enroll in Credit Monitoring Services, you will receive enrollment instructions by email after approval of the settlement. You may make a claim for both reimbursement for Out-of-Pocket Losses and/or Time Spent and Credit Monitoring Services. 9. Can minor children make a claim for Credit Monitoring Services? Settlement Benefit: Credit Monitoring Services for Minor Children: A parent or legal guardian of a Settlement Class Member who is a minor (under the age of 18) can make a claim for Credit Monitoring Services on the child’s behalf under the settlement. While the Settlement Class Member is under 18, they will receive minor monitoring services as follows: alerts when certain personal data appears on suspicious websites, including underground websites known as the “dark web;” alerts when the Social Security number is associated with new names or addresses or the creation of a consumer report at one or more of the three nationwide Consumer Reporting Agencies; and Identity Restoration Services in the event that a Settlement Class Member under the age of 18 has their identity compromised. Upon turning 18, the Settlement Class Member can enroll in the full Credit Monitoring Services. If a Settlement Class Member under the age of 18 has an Experian credit file with sufficient detail to permit authentication, a parent or guardian may enroll them in the full Credit Monitoring Services prior to their eighteenth birthday. Additionally, the parent or legal guardian can elect to enroll the minor in one-bureau credit monitoring services provided by Equifax that would begin after the Credit Monitoring Services expire for a period of up to 14 years. While the Settlement Class Member is under 18, they will receive minor monitoring services as follows: alerts when data elements such as a Social Security number submitted for monitoring appear on suspicious websites, including underground websites known as the “dark web;” for minors who do not have an Equifax credit file, a file is created, locked, and then monitored, and for minors with an Equifax credit file, their credit file is locked and then monitored. The Experian Credit Monitoring Services and the optional one-bureau credit monitoring provided by Equifax together will cover 18 years. The parent or legal guardian must opt for the minor to receive the one-bureau services when submitting a claim for the Credit Monitoring Services, and the parent or legal guardian will be sent instructions for how to enroll in the one-bureau monitoring before the Credit Monitoring Services expire. The cost of these services will be paid separately by Equifax, not out of the Consumer Restitution Fund. Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 266 of 295 10. What if I already have credit monitoring or identity protection services? Settlement Benefit: Cash Alternative Reimbursement Compensation: If you already have some other kind of credit monitoring or protection services, and do not claim the free Credit Monitoring Services available through the settlement, you may file a claim for Alternative Reimbursement Compensation for up to $125. To claim Alternative Reimbursement Compensation you must certify that you have some form of credit monitoring or protection services on the date you submit your claim form and that you will keep those services for a minimum of six (6) months. You should keep in mind that:  The deadline for all claims for Alternative Reimbursement Compensation is [DATE].  If you claim Alternative Reimbursement Compensation, you cannot claim free Credit Monitoring Services.  If you claim Alternative Reimbursement Compensation, you cannot also seek reimbursement for purchasing credit monitoring or protection services covering the 6 month period after you make your claim. However, you can still make other claims for Time Spent or Out-of-Pocket Losses.  If there are more than $31 million claims for Alternative Reimbursement Compensation, all payments for Alternative Reimbursement Compensation will be lowered and distributed on a proportional basis. 11. How will the settlement help me deal with identity theft or fraud if it happens? Settlement Benefit: Free Identity Restoration Services: All Settlement Class Members will receive access to Assisted Identity Restoration Services if they experience an identity theft event. These services will be provided by Experian for a period of seven (7) years. These services include:  Access to a U.S. based call center providing services relating to identity restoration.  Assignment of a certified Identity Theft Restoration Specialist to assist you in addressing an identity theft event.  Assistance with a step-by-step process to deal with companies, government agencies, and credit bureaus. All Settlement Class Members may access Assisted Identity Restoration Services after the settlement becomes final, even if you never make a claim from this settlement, by going to www.EquifaxBreachSettlement.com, or calling toll free 1-833-759-2982. 12. What if I have Out-of-Pocket Losses or Time Spent because of the Equifax Data Breach in the future? All claims for Out-of-Pocket Losses or Time Spent that have already happened must be made by [DATE]. If there is still money in the Consumer Restitution Fund after all initial payments, there will be an “Extended Claims Period” which will allow you to make certain claims for Out-of-Pocket Losses or Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 9 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 267 of 295 Time Spent that happen after the initial claims deadline. All such claims must be made by [DATE] and will be paid on a first-come-first-served basis. During the Extended Claims Period, you can seek reimbursement for Out-of-Pocket Losses or Time Spent (but not losses of money and time associated with freezing or unfreezing credit reports or purchasing credit monitoring or protection services) if you certify that you have not already received reimbursement for the claimed loss. 13. What claims can I make during the Extended Claims Period? If the Extended Claims Period goes into effect as described in Question No. ___, you can seek reimbursement for Out-of-Pocket Losses or Time Spent incurred during the Extended Claims Period (excluding losses of money and time associated with placing or removing a security freeze on your credit reports or purchasing credit monitoring or identity theft protection services) if you certify that you have not already received reimbursement for the claimed loss. You cannot make any of the following claims during the Extended Claims Period:  Claims for free Credit Monitoring Services (see Question __).  Claims for cash Alternative Reimbursement Compensation for credit monitoring or protection (see Question __).  Claims for Out-of-Pocket Losses or Time Spent associated with freezing or unfreezing credit reports or purchasing credit monitoring or protection services. 14. Will the settlement include changes to Equifax’s data security program? Settlement Benefit: Data Security Business Practices Commitments by Equifax: Equifax has agreed to adopt, pay for, implement, and maintain extensive Business Practices Commitments related to information security for a period of five (5) years. A detailed description of these Business Practices Commitments is available in the Settlement Agreement, which is available at www.EquifaxBreachSettlement.com. These commitments will be assessed by an independent third party and be enforceable in court. Equifax also will not seek to enforce any arbitration provision in any Equifax product that has been offered in response to the Data Breach as of the date of the settlement agreement or that is provided under the settlement. 15. What happens if there are leftover settlement funds? The Consumer Restitution Fund will be used to pay initial claims for Out-of-Pocket Losses and Time Spent, for Credit Monitoring Services and Alternative Reimbursement Compensation, for Identity Restoration Services, for administrative and notice costs, and for class representative service awards and attorneys’ fees and expenses as approved by the Court.  If there are still settlement funds, valid claims made during the Extended Claims Period will be paid on a first-come-first-served basis.  If settlement funds remain, the monetary caps for Time Spent (see Question __) and Alternative Reimbursement Compensation (see Question __) will be lifted (if applicable) and those Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 10 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 268 of 295 payments will be increased proportionally up to the full amount of approved claims for Time Spent and Alternative Reimbursement Compensation.  If settlement funds still remain, up to three (3) additional years of Identity Restoration Services will be made available to all Settlement Class Members, regardless of whether they made a claim under the settlement.  If settlement funds still remain, additional Credit Monitoring Services (purchased in full month increments) will be provided to Settlement Class Members who claimed Credit Monitoring Services.  If any settlement funds still remain, then those remaining funds will be distributed by the court for consumer restitution and redress, but no money will be returned to Equifax. 16. What happens if the Consumer Restitution Fund runs out of money? If the payments described in Question ___ use up the Consumer Restitution Fund, Equifax will add up to $125,000,000 as needed to pay valid claims for Out-of-Pocket Losses. HOW TO GET SETTLEMENT BENEFITS 17. How do I file a claim for Credit Monitoring Services, Time Spent, or Out-of-Pocket Losses? To obtain Credit Monitoring Services or to file a claim for reimbursement for Time Spent or Out-ofPocket Losses fairly traceable to the Data Breach, you will need to file a claim form. There are two options for filing claims: (1) File Online: You may fill out and submit the claim form online at www.EquifaxBreachSettlement.com. This is the quickest way to file a claim. (2) File by Mail: Alternatively, you may simply fill out the claim form included with this notice and mail it to the address on the form with supporting documentation, if any. You can download a hard copy of the claim form (available at www.EquifaxBreachSettlement.com), or ask the Settlement Administrator to mail a claim form to you by calling 1-833-759-2982. Fill out your claim form, and mail it to: Equifax Data Breach Litigation Claims, c/o JND Legal Administration, P.O. Box 91318, Seattle, Washington, 98111. The deadline to file a claim is [ DATE] (this is the last day to file online and the postmark deadline for mailed claims). To fill out and submit a claim form during the Extended Claims Period (see Questions __), you will need to access and submit the Extended Claims Period claim form online at www.EquifaxBreachSettlement.com; or contact the Settlement Administrator and request a hard copy of the Extended Claims Period claim form that can be filled out and returned by mail. Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 11 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 269 of 295 18. When and how will I receive the benefits I claim from the settlement? Credit Monitoring Services claimed by Settlement Class Members will begin, and payments for valid claims will be made, after the Court enters a final judgment and the settlement becomes final. This may take several months or more; please be patient. Once there is a final judgment, it will be posted on the Settlement Administrator’s website. If you make a valid claim for Credit Monitoring Services, the Settlement Administrator will send you information on how to activate your credit monitoring once the settlement is final. The Settlement Administrator will provide you with an activation code and link to the Experian website where you can enroll and activate your Credit Monitoring Services. Checks for valid claims for Out-of-Pocket Losses, Time Spent, and Alternative Reimbursement Compensation will be mailed by the Settlement Administrator to the mailing address that you provide. LEGAL RIGHTS RESOLVED THROUGH THE SETTLEMENT 19. What am I giving up to stay in the settlement class? If you make a claim under the settlement, or if you do nothing, you will be releasing all of your legal claims relating to the Data Breach against Equifax when the settlement becomes final. By releasing your legal claims, you are giving up the right to file, or to continue to pursue, separate legal claims against or seek further compensation from Equifax for any harm related to the Data Breach—whether or not you are currently aware of those claims. Unless you exclude yourself from the settlement (see Question __), all of the decisions by the Court will bind you. That means you will be bound to the terms of the settlement and accompanying court orders, and cannot bring a lawsuit or be part of another lawsuit against Equifax regarding the Data Breach. Paragraphs __-__ of the Settlement Agreement define the claims that will be released by Settlement Class Members who do not exclude themselves from the settlement. You can access the Settlement Agreement and read the specific details of the legal claims being released at www.EquifaxBreachSettlement.com. If you have any questions, you can contact the Settlement Administrator (see Question __). Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 12 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 270 of 295 THE LAWYERS REPRESENTING YOU 20. Do I have a lawyer in the case? Yes. The Court appointed the following attorneys to represent you and other Settlement Class Members as “Class Counsel.” Norman E. Siegel STUEVE SIEGEL HANSON LLP 460 Nichols Road, Suite 200 Kansas City, MO 64112 Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street, 11th Floor Chicago, IL 60602 Roy E. Barnes THE BARNES LAW GROUP, LLC 31 Atlanta Street Marietta, GA 30060 Kenneth S. Canfield DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E., Suite 1725 Atlanta, GA 30309 You will not be charged by these lawyers for their work on the case. If you want to be represented by your own lawyer, you may hire one at your own expense. If you have questions about making a claim, please contact the Settlement Administrator (see Question __). 21. How will these lawyers be paid? Class Counsel have undertaken this case on a contingency-fee basis, meaning they have paid for all of the expenses in the case and have not been paid any money in relation to their work on this case. Accordingly, Class Counsel will ask the Court to award them attorneys’ fees of up to $77,500,000 and reimbursement for costs and expenses up to $3,000,000 to be paid from the Consumer Restitution Fund. The Court will decide the amount of fees and costs and expenses to be paid. You will not have to separately pay any portion of these fees yourself. Class Counsel’s request for attorneys’ fees and costs (which must be approved by the Court) will be filed by [DATE] and will be available to view on the settlement website at www.EquifaxBreachSettlement.com. 22. Will the class representatives receive any additional money? The class representatives in this action are listed in the Settlement Agreement, which is available at www.EquifaxBreachSettlement.com. Class Counsel will ask the Court to award these individuals “service awards” of $2,500 each for the time that they spent, and the risks that they undertook, in bringing this lawsuit on behalf of the class. This amount will also have to be approved by the Court. Any amount approved by the Court will be paid from the Consumer Restitution Fund. EXCLUDING YOURSELF FROM THE SETTLEMENT 23. How do I exclude myself from the settlement? If you are a member of the settlement class but do not want to remain in the class, you may exclude yourself from the class (also known as “opting out”). If you exclude yourself, you will lose any right to participate in the settlement, including any right to receive the benefits outlined in this notice. Questions? Go to www.EquifaxBreachSettlement.com or call 1-833-759-2982 13 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 271 of 295 If you decide on this option, you may keep any rights you have, if any, against Equifax and you may file your own lawsuit against Equifax based upon the same legal claims that are asserted in this lawsuit, but you will need to find your own attorney at your own cost to represent you in that lawsuit. If you are considering this option, you may want to consult an attorney to determine your options. IMPORTANT: You will be bound by the terms of the Settlement Agreement unless you submit a timely and signed written request to be excluded from the settlement. To exclude yourself from the settlement you must mail a “request for exclusion,” postmarked no later than [DATE], to: Equifax Data Breach Class Action Settlement Administrator Attn: Exclusion c/o JND Legal Administration P.O. Box 91318 Seattle, WA 98111 This statement must contain the following information: (1) The name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT, or similar identifying words such as “Equifax Data Breach Lawsuit”); (2) Your full name; (3) Your current address; (4) The words “Request for Exclusion” at the top of the document or a statement that you do not wish to participate in the settlement; and (5) Your signature. If you do not comply with these procedures and the deadline for exclusions, you will lose any opportunity to exclude yourself from the settlement class, and your rights will be determined in this lawsuit by the Settlement Agreement if it is approved by the Court, and you may not recover under any other settlement agreement regarding the claims released as part of the settlement. OBJECTING OR COMMENTING ON THE SETTLEMENT 24. How do I tell the Court that I like or don’t like the settlement? If you are a Settlement Class Member, you have the right to tell the Court what you think of the settlement. You can object to the settlement if you don’t think it is fair, reasonable, or adequate, and you can give reasons why you think the Court should not approve it. You can’t ask the Court to order a larger settlement; the Court can only approve or deny the settlement as it is. To object, you must send a letter stating that you object to the settlement. Your objection letter must include: (1) (2) The name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT, or similar identifying words such as “Equifax Data Breach Lawsuit”); Your full name and current address; Questions? Go to www.EquifaxBreachSettlement.com or call [PHONE NUMBER] 14 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 272 of 295 (3) (4) (5) (6) (7) Your personal signature (an attorney’s signature is not enough); A statement indicating why you think that you are a member of the settlement class; A statement with the reasons why you object, accompanied by any legal support for your objection; A statement identifying all class action settlements to which you have objected in the previous five (5) years; and A statement as to whether you intend to appear at the Fairness Hearing, either in person or through a lawyer, and if through a lawyer, identifying your lawyer by name, address, and telephone number, and four dates between [the Objection Deadline] and [a date two weeks before Fairness Hearing] during which you are available to be deposed by counsel for the Parties. Additionally, if you are represented by a lawyer and your lawyer intends to speak at the Fairness Hearing, your written objection letter must include: (8) (9) A detailed statement of the specific legal and factual basis for each and every objection; and A detailed description of any and all evidence you may offer at the Fairness Hearing, including copies of any and all exhibits that you may introduce at the Fairness Hearing. Additionally, if you are represented by a lawyer, and your lawyer intends to seek compensation for his or her services from anyone other than you, your written objection letter must include: (10) The identity of all lawyers who represent you, including any former or current lawyer who may be entitled to compensation for any reason related to the objection; (11) A statement identifying all instances in which your lawyer or your lawyer’s law firm have objected to a class action settlement within the preceding five (5) years, giving the case name, case number, and court in which the class action settlement was filed; (12) A statement identifying any and all agreements or contracts that relate to the objection or the process of objecting—whether written or oral—between the you, your lawyer, and/or any other person or entity; (13) A description of your lawyer’s legal background and prior experience in connection with class action litigation; and (14) A statement regarding whether your lawyer’s compensation will be calculated on the basis of a lodestar, contingency, or other method; an estimate of the amount of fees to be sought; the factual and legal justification for any fees to be sought; the number of hours already spent by your lawyer and an estimate of the hours to be spent in the future; and the lawyer’s hourly rate. Questions? Go to www.EquifaxBreachSettlement.com or call [PHONE NUMBER] 15 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 273 of 295 To be considered by the Court, your objection letter must be filed electronically with the Court by [DATE] or mailed, postmarked no later than [DATE], to the following addresses: Equifax Data Breach Class Action Settlement Administrator Attn: Objection c/o JND Legal Administration P.O. Box 91318 Seattle, WA 98111 If you do not comply with these procedures and the deadline for objections, you may lose any opportunity to have your objection considered at the Fairness Hearing or otherwise to contest the approval of the settlement or to appeal from any orders or judgments entered by the Court in connection with the proposed settlement. You will still be eligible to receive settlement benefits if the settlement becomes final even if you object to the settlement. The Court has scheduled a Fairness Hearing to listen to and consider any concerns or objections from Settlement Class Members regarding the fairness, adequacy, and reasonableness of the terms of the Settlement Agreement. That hearing will take place on [DATE and TIME] before the Honorable Thomas W. Thrash Jr., at the United States District Court for the Northern District of Georgia located in Courtroom 2108 of the Richard B. Russell Federal Building and United States Courthouse, 75 Ted Turner Dr., SW, Atlanta, Georgia 30303-3309. This hearing date and time may be moved. Please refer to the settlement website, www.EquifaxBreachSettlement.com for notice of any changes. GETTING MORE INFORMATION 25. Where can I get more information? If you have questions about this notice or the settlement, you may go to the settlement website at www.EquifaxBreachSettlement.com. You can also contact the Settlement Administrator at [PHONE NUMBER] or by mailing a letter to Equifax Data Breach Settlement, c/o [ADMINISTRATOR], [ADDRESS], for more information or to request that a copy of this document be sent to you in the mail. If you wish to communicate directly with Class Counsel, you may contact them (contact information noted above in Question __). You may also seek advice and guidance from your own private lawyer at your own expense, if you wish to do so. This notice is only a summary of the lawsuit and the settlement. Other related documents can be accessed through the settlement website. If you have questions about the proposed settlement, or wish to receive a copy of the Settlement Agreement but do not have access to the Internet to download a copy online, you may contact the Settlement Administrator. The Court cannot respond to any questions regarding this notice, the lawsuit, or the proposed settlement. Please do not contact the Court or its Clerk. Questions? Go to www.EquifaxBreachSettlement.com or call [PHONE NUMBER] 16 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 274 of 295 EXHIBIT 7-B PROPOSED SHORT-FORM NOTICE Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 275 of 295 COURT APPROVED LEGAL NOTICE If Your Personal Information Was Impacted in the 2017 Equifax Data Breach, You May Be Eligible for Benefits from a Class Action Settlement In September of 2017, Equifax announced it experienced a data breach, which impacted the personal information of approximately 147 million people. Equifax has reached a proposed settlement to resolve class action lawsuits brought by consumers alleging Equifax failed to adequately protect their personal information. Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made. If your personal information was impacted in the Equifax data breach, you may be eligible for benefits from the settlement after it becomes final. Under the proposed settlement, Equifax will: (1) pay $380.5 million into a fund to pay benefits to consumers, court-approved fees and costs of class counsel and service awards to the named class representatives, and other expenses; (2) implement and maintain certain data security enhancements; (3) if necessary, pay up to $125 million more to reimburse consumers for out-of-pocket losses resulting from the data breach; and (4) provide certain other relief. Are You Eligible: You are a class member and eligible for settlement benefits if you are a U.S. consumer whose personal information was impacted by the Equifax data breach. If you are unsure of whether you are a class member, visit www.EquifaxBreachSettlement.com or call 1-833-759-2982. Benefits: If you are a class member, you are eligible for one or more of the following benefits: 1. Free Credit Monitoring or $125 Cash Payment. You can get free credit monitoring services. Or, if you already have credit monitoring services, you can request a $125 cash payment.  The free credit monitoring includes at least four years of three-bureau credit monitoring, offered through Experian. You can also get up to six more years of free one-bureau credit monitoring through Equifax.  If you already have credit monitoring services that will continue for at least 6 more months, you may be eligible for a cash payment of $125. 2. Other Cash Payments. You may also be eligible for the following cash payments up to $20,000 for:  the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour.  out-of-pocket losses resulting from the data breach.  up to 25% of the cost of Equifax credit or identity monitoring products you paid for in the year before the data breach announcement. 3. Free Identity Restoration Services: You are eligible for 7 years of free assisted identity restoration services to help you remedy the effects of identity theft and fraud. How to Get Benefits: To get free credit monitoring or cash payments, or both, you must submit a claim:  Online at www.EquifaxBreachSettlement.com, or  By mail. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 276 of 295 You must submit a claim by [initial claims period deadline date]. Certain claims may require supporting documents. If there is still money in the fund after payment of valid claims submitted during the initial claims period that ends on [INSERT DATE], there will be an extended claims period lasting for four years. In the extended claims period, you may make certain claims for out-of-pocket losses incurred in the future, including time and money spent trying to address identity theft or fraud related to the data breach. You don’t need to file a claim to get free identity restoration services. None of these benefits will be distributed or available until the settlement is finally approved by the Court. The amount you receive may be less than the claim you submit depending on the number and amount of claims that are submitted. Understanding Your Options: If you want the court to exclude you from the settlement class, you must write to the Settlement Administrator by [INSERT DEADLINE]. List the name of this proceeding (In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT), your full name, your current address, and the words “Request for Exclusion” at the top of the document. You must sign this request and mail it to Equifax Data Breach Class Action Settlement Administrator, Attn: Exclusion, c/o JND Legal Administration, P.O. Box 91318, Seattle, WA 98111. To object to the settlement, you must file an objection with the court by [INSERT DEADLINE]. For detailed instructions about the process of objecting, visit www.EquifaxBreachSettlement.com. You must file a claim if you want to receive free credit monitoring or cash benefits under this settlement. If you do nothing, you won’t receive a cash payment or credit monitoring service, won’t be able to sue Equifax for the claims being resolved in the settlement, and will be legally bound by all orders of the court. The Court will hold a hearing on [INSERT DATE] to consider any objections, and decide whether to approve the settlement, award attorneys’ fees and expenses, and grant service awards to the named class representatives. You may enter an appearance through an attorney, but do not have to. The court has appointed lawyers to represent you and the class, but you can hire another lawyer at your own expense. This is only a summary of the settlement. For more information, visit www.EquifaxBreachSettlement.com, or call (toll free) 1-833-759-2982. This is a Court authorized notice, not a lawyer advertisement.  Case Document 739-2 Filed 07/22/19 Page 277 of 295 EXHIBIT 8 CLAIM FORM Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 278 of 295 Must be postmarked or submitted online NO LATER THAN Month Day, 2019 EQUIFAX DATA BREACH SETTLEMENT C/O JND LEGAL ADMINISTRATION P.O. BOX 91318 SEATTLE, WA 98111-9418 WWW.EQUIFAXBREACHSETTLEMENT.COM EFX Equifax Data Breach Claim Form SETTLEMENT BENEFITS – WHAT YOU MAY GET If you are a U.S. consumer whose personal information was impacted by the Equifax data breach announced on September 7, 2017, you may submit a claim. The easiest way to submit a claim is online at www.EquifaxBreachSettlement.com, or you can complete and mail this claim form to the mailing address above. You may submit a claim for one or more of these benefits: Credit monitoring or $125 Cash Payment: Use the claim form to request free credit monitoring services. Or, if you have credit monitoring services, you can request a $125 cash payment. Cash Reimbursement. Use the claim form to request money for one or more of the following: 1. Reimbursement for Time Spent. If you spent time trying to avoid or recover from fraud or identity theft because of the Equifax data breach, you can get $25 per hour for up to 10 total hours, or up to 20 total hours if you provide supporting documents. 2. Reimbursement for Money You Spent. If you spent money trying to avoid or recover from fraud or identity theft because of the Equifax data breach, you can be reimbursed up to $20,000. You must submit documents supporting your claim. 3. Up to 25% Reimbursement for Equifax Credit Monitoring Subscriptions. If you had an Equifax credit monitoring or identity theft protection subscription between 9/7/2016 and 9/7/2017, you can get a payment of 25% of the amount you paid. No claim is required for identity restoration services. U.S. consumers impacted by the Equifax data breach will be able to access identity restoration services for a period of at least 7 years once the Settlement is final. More information is available at www.EquifaxBreachSettlement.com. * * * Claims must be submitted online or mailed by [DATE]. Use the address at the top of this form for mailed claims. Please note: the settlement administrator may contact you to request additional documents to process your claim. Your cash benefit may decrease depending on the number and amount of claims filed. For more information and complete instructions visit www.EquifaxBreachSettlement.com. Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 1 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 279 of 295 Please note that Settlement benefits will be distributed after the Settlement is approved by the Court and final. Your Information We will use this information to contact you and process your claim. It will not be used for any other purpose. If any of the following information changes, you must promptly notify us by emailing info@EquifaxBreachSettlement.com. 1. NAME (REQUIRED): First Middle Initial Last 2. ALTERNATIVE NAME(S) (IF ANY): 3. MAILING ADDRESS Street Address (REQUIRED): Apt. No. City State Zip 4. PHONE NUMBER: 5. EMAIL ADDRESS: 6. YEAR OF BIRTH (REQUIRED) Credit Monitoring: Free Service or Cash Payment You may be eligible to receive free credit monitoring or up to $125 if you already have credit monitoring. You can receive free, three-bureau credit monitoring at all three national credit reporting agencies (Equifax, Experian, and TransUnion). Experian will provide this service for at least four years. You can also enroll in free, single-bureau credit monitoring of your Equifax credit file, provided by Equifax, for up to six years after the Experian service ends. Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 2 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 280 of 295 Or, if you have credit monitoring services that you will keep for at least six months, you can request a cash payment of $125. Please select either Option 1 or Option 2 below, but not both.  Option 1, Credit Monitoring: I want to receive free, three-bureau credit monitoring. If you select this option, you will be sent instructions and an activation code after the settlement is final to your email address or home address. You won’t be “upsold” any services by enrolling or otherwise asked to submit any payment for these services now or in the future. If You selected Option 1, would you like to sign-up for Equifax’s free, one-bureau credit monitoring service for up to 6 more years after the initial, three-bureau credit monitoring services expire?  Yes. If you select “yes” for this option, you will be sent instructions to your email address or your home address before your three-bureau credit monitoring expires. You won’t be “upsold” any services by enrolling or otherwise asked to submit any payment for these services now or in the future.  Option 2, Cash Payment: I want a cash payment of $125. I certify that I have credit monitoring and will have it for at least 6 months from today. If you select this option, you cannot also enroll in the free, three-bureau credit monitoring service offered through this Settlement. Cash Payment: Time Spent If you spent time trying to recover from fraud or identity theft caused by the data breach, or if you spent time trying to avoid fraud or identity theft because of the data breach (placing or removing credit freezes on your credit files or purchasing credit monitoring services), complete the chart below. You can be compensated $25 per hour for up to 20 hours. If you claim 10 hours or less, you must describe the actions you took in response to the data breach and the time each action took. If you claim more than 10 hours total, you must describe the actions you took in response to the data breach and include supporting documents showing fraud, identity theft, or other misuse of your personal information. By filling out the boxes below, you are certifying that the time you spent doesn’t relate to other data breaches. Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 3 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 281 of 295 Explanation of Time Spent (Identify what you did and why) Approx. Date(s) Number of Hours and Minutes Supporting Documentation? (Y/N) ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ ____________________________________ Cash Payment: Money You Lost or Spent If you lost or spent money trying to prevent or recover from fraud or identity theft caused by the Equifax data breach and have not been reimbursed for that money, you can receive reimbursement for up to $20,000 total. It is important for you to send documents that show what happened and how much you lost or spent, so that you can be repaid (except for money you may have spent on Equifax subscription products as explained below). If they are the same as the documents you attached in the section above, you do not need to send them again. To look up more details about how cash payments work, visit www.EquifaxBreachSettlement.com or call toll-free 1-833-759-2982. You will find more information about the types of costs and losses that can be paid back to you, what documents you need to attach, and how the Settlement Administrator decides whether to approve your payment. Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 4 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 282 of 295 Loss Type and Examples of Documents Amount and Date Costs for freezing or unfreezing your credit report on or after 9/7/2017 $ Examples: Receipts, notices, or account statements reflecting payment for a credit freeze Credit monitoring and identity theft protection purchased between 9/7/2017 and the date of your claim submission Date: $ Date: Description of Loss or Money Spent and Supporting Documents (Identify what you are attaching, and why it’s related to the Equifax breach) ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ Examples: Receipts or statements for credit monitoring services Costs incurred for an Equifax credit or identity theft monitoring subscription products I had between 9/7/2016 and 9/7/2017 $ Date: Equifax will check its records and these claims will be paid without documentation if Equifax’s records match your claim. You may still submit receipts of statements for Equifax credit monitoring services to support your claim Costs, expenses, and losses due to identity theft, fraud, or misuse of your personal information on or after 05/13/2017 $ Date: Examples: Account statement with unauthorized charges highlighted; police reports; IRS documents; FTC Identity Theft Reports; letters refusing to refund fraudulent charges; credit monitoring services you purchased Professional fees paid to address identity theft on or after 5/13/2017 $ Examples: Receipts, bills, and invoices from accountants, lawyers, or others Date: ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 5 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 283 of 295 Other expenses such as notary, fax, postage, copying, mileage, and longdistance telephone charges related to the data breach Examples: Phone bills, receipts, detailed list of places you traveled (i.e. police station, IRS office), reason why you traveled there (i.e. police report or letter from IRS re: falsified tax return) and number of miles you traveled $ Date: ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ ______________________________________ How You Would Like to Receive Your Cash Payment If you made a claim for a cash payment in this claim form, you can elect to receive your payment either by check or pre-paid card to your mailing address. Checks must be cashed within 90 days. If you select a pre-paid card, the card never expires. Which do you prefer?  Check  Pre-Paid Card Signature I affirm under the laws of the United States that the information I have supplied in this claim form and any copies of documents that I am sending to support my claim are true and correct to the best of my knowledge. I understand that I may be asked to provide more information by the claims administrator before my claim is complete. Signature: Dated: Print Name: Questions? Visit www.EquifaxBreachSettlement.com or call 1-833-759-2982 Page 6 of 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 284 of 295 EXHIBIT 9 CLAIMS ADMINISTRATION PROTOCOL Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 285 of 295 CLAIMS ADMINISTRATION PROTOCOL The provisions below are subject to the terms and definitions set forth in the Order Permitting Issuance of Notice of Class Action Settlement and the Settlement filed with the Court in the litigation styled In re: Equifax, Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga.) (the “Class Action”). Terms used throughout this Claims Administration Protocol (“Protocol”) shall have the same meaning as in the Agreement. To the extent any provisions in this Protocol are inconsistent with the Order Permitting Issuance of Notice of Class Action Settlement or Agreement, those terms in the Order Permitting Issuance of Notice of Class Action Settlement and Agreement control. The Court overseeing the Class Action shall have the ultimate oversight and approval of this Protocol. I. II. Claims Periods. There will be two claims periods: the Initial Claims Period and the Extended Claims Period. A. The Initial Claims Period will run for 6 months after the Order Permitting Issuance of Notice of Class Action Settlement. B. The Extended Claims Period will run for 4 years after the conclusion of the Initial Claims Period. During the Extended Claims Period, Settlement Class Members can seek reimbursement for valid Out-ofPocket Losses (excluding losses of money and time associated with Preventative Measures) incurred during the Extended Claims Period only if the Settlement Class Member provides a certification that he or she has not obtained reimbursement for the claimed expense through other means. Claims Process. Settlement Class Members may submit Claim Forms to the Settlement Administrator electronically through the Settlement Website or physically by mail to the Settlement Administrator. Claim Forms must be submitted electronically or postmarked during the Initial Claims Period, or, where applicable, during the Extended Claims Period. A. The Settlement Administrator will mail paper copies of the Claim Forms and Notice to Settlement Class Members who request such copies. B. The Settlement Administrator will review, determine the validity of, and process all claims submitted by Settlement Class Members. Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 286 of 295 1. C. III. In determining whether to approve claims submitted by Settlement Class Members, the Settlement Administrator will consider circumstances beyond the control of the Settlement Class Member (e.g., if a Settlement Class Member incurs a loss on the last day of the Initial Claims Period that could only be compensated during the Initial Claims Period and submits their claim during the Extended Claims Period, that claim would be deemed as having been submitted during the Initial Claims Period). The Settlement Administrator will process valid claims of Settlement Class Members and distribute payments after the Effective Date. Claims for Reimbursement for Out-of-Pocket Losses. The Settlement Administrator shall verify that each person who submits a Claim Form is a Settlement Class Member and shall be responsible for evaluating claims and making a determination as to whether claimed Out-of-Pocket Losses are valid and fairly traceable to the Data Breach. Settlement Class Members with Out-of-Pocket Losses must submit Reasonable Documentation supporting their claims, except no documentation is required for claims for reimbursement for Equifax subscription products as provided in the Agreement. As used herein, “Reasonable Documentation” means documentation supporting a claim, including but not limited to: credit card statements, bank statements, invoices, telephone records, and receipts. Except as expressly provided herein, personal certifications, declarations, or affidavits from the claimant do not constitute Reasonable Documentation but may be included to provide clarification, context or support for other submitted Reasonable Documentation. A. In assessing what qualifies as “fairly traceable,” the Parties agree to instruct the Settlement Administrator to consider (i) the timing of the loss, including whether the loss occurred on or after May 13, 2017, through the date of the Class Member’s claim submission; (ii) whether the loss involved the possible misuse of the type of personal information accessed in the Data Breach (i.e., name, address, birth date, Social Security Number, driver’s license number, payment card information); (iii) whether the personal information accessed in the Data Breach that is related to the Class Member is of the type that was possibly misused; (iv) the Class Member’s explanation as to how the loss is fairly traceable to the Data Breach; (v) the nature of the loss, including whether the loss was reasonably incurred as a result of the 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 287 of 295 Data Breach; and/or (vi) any other factor that the Settlement Administrator considers to be relevant. The Settlement Administrator shall have the sole discretion and authority to determine whether claimed Out-of-Pocket Losses are valid and fairly traceable to the Data Breach. IV. B. Out-of-Pocket Losses associated with placing or removing credit freezes on credit files and purchasing credit monitoring services (“Preventative Measures”), shall be deemed fairly traceable to the Data Breach if (i) they were incurred on or after September 7, 2017, through the date of the Settlement Class Member’s claim submission, and (ii) the claimant certifies that they incurred such Out-of-Pocket Losses as a result of the Data Breach and not as a result of any other compromise of the Settlement Class Member’s information. C. The Settlement Administrator shall not require Settlement Class Members to seek reimbursement for Out-of-Pocket Losses from other sources before filing a Claim Form. Claims for Time. Settlement Class Members who spent time remedying fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or subject to the Agreement, Settlement Class Members who spent time on Preventative Measures fairly traceable to the Data Breach, can receive reimbursement for such time expenditures subject to the following provisions. A. Documented Time. Settlement Class Members with (i) Reasonable Documentation of fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach and (ii) time spent remedying these issues, or time spent taking Preventative Measures, may submit a claim for up to 20 hours of such time to be compensated at $25 per hour. This documentation may overlap with documents submitted to support other Out-of-Pocket Losses. In the event the Settlement Administrator does not approve a claim for Documented Time, that claim shall be treated as a claim for Self-Certified Time. B. Self-Certified Time. Settlement Class Members who attest (i) to fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or 3 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 288 of 295 Preventative Measures, and (ii) that they spent time remedying such misuse or taking Preventative Measures, but who cannot provide Reasonable Documentation of such issues may self-certify the amount of time they spent by providing a certified explanation of the misuse or Preventative Measures taken and how the time claimed was spent remedying the misuse or taking Preventative Measures. Settlement Class Members may file a claim for Self-Certified Time for up to 10 hours at $25 per hour. C. V. Claims for Credit Monitoring Services. All Settlement Class Members will be eligible to claim and enroll in at least 4 years of Credit Monitoring Services. Claims for Credit Monitoring Services can be made only within the Initial Claims Period. Settlement Class Members who elect to enroll in Credit Monitoring Services within the Initial Claims Period shall have the option to make a claim for One-Bureau Credit Monitoring Services at the same time they claim Credit Monitoring Services. A. VI. Time Increments. Valid claims for both Documented Time and SelfCertified Time will be reimbursed in 15-minute increments, with a minimum reimbursement of 1-hour per valid Out-of-Pocket Loss claim for time. The Settlement Administrator will coordinate with Experian to receive and send activation codes for Credit Monitoring Services no later than 45 days after either the Effective Date or the conclusion of the Initial Claims Period, whichever is later. Claims for Alternative Reimbursement Compensation. Settlement Class Members who already have some form of credit monitoring or protection and do not claim Credit Monitoring Services may file a claim for Alternative Reimbursement Compensation of $125. The Settlement Class Member must identify the monitoring service and certify that he or she has some form of credit monitoring or protection as of the date the Settlement Class Member submits the claim and will have such credit monitoring in place for a minimum of six (6) months from the claim date. A Settlement Class Member who elects to receive Alternative Reimbursement Compensation is not eligible to enroll in Credit Monitoring Services or to seek reimbursement, as Out-of-Pocket Losses, for purchasing credit monitoring or protection services covering the six-month period after the Settlement Class Member makes a claim for Alternative Reimbursement Compensation. Claims for 4 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 289 of 295 Alternative Reimbursement Compensation can be made only within the Initial Claims Period. VII. Restoration Services. All Settlement Class Members (regardless of whether the Settlement Class Member makes any claim under the Settlement) will also be able to access Restoration Services. VIII. Certification and Attestation. The requirement that Settlement Class Members certify or attest to certain information in Claims Forms they submit will be satisfied by Settlement Class Members’ signatures on the Claim Forms. For Claims Forms submitted on behalf of minor Settlement Class Members, an additional attestation will be required to ensure that the individual filing on behalf of the minor is the minor’s legal guardian or parent. Additional security protocols and verification may be proposed by the Settlement Administrator to ensure validity of minor claims. IX. Disputes and Appeals. A. To the extent the Settlement Administrator determines a claim for Out-of-Pocket Losses, Alternative Reimbursement Compensation, or Credit Monitoring Services is deficient in whole or part, within 14 days after making such a determination, the Settlement Administrator shall notify the Settlement Class Member in writing (including by email where the Settlement Class Member selects e-mail as his or her preferred method of communication) of the deficiencies and give the Settlement Class Member 30 days to cure the deficiencies. The notice shall inform the Settlement Class Member that he or she can either attempt to cure the deficiencies outlined in the notice, or dispute the determination in writing and request an appeal. If the Settlement Class Member attempts to cure the deficiencies but, in the sole discretion and authority of the Settlement Administrator fails to do so, the Settlement Administrator shall notify the Settlement Class Member of that determination within 14 days of the determination. The notice shall inform the Settlement Class Member of his or her right to dispute the determination in writing and request an appeal within 30 days. The Settlement Administrator shall have the sole discretion and authority to determine whether a claim for Out-of-Pocket Losses, Alternative Reimbursement Compensation, or Credit Monitoring Services is deficient in whole or part but may consult with the Parties in making individual determinations. 5 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 290 of 295 B. If a Settlement Class Member disputes a determination in writing (including by e-mail where the Settlement Class Member selects email as his or her preferred method of communication) and requests an appeal, the Settlement Administrator shall provide Class Counsel and Defendants’ Counsel a copy of the Settlement Class Member’s dispute and Claim Form along with all documentation or other information submitted by the Settlement Class Member. Class Counsel and Defendants’ Counsel will confer regarding the claim submission, and their agreement on approval of the Settlement Class Member’s claim, in whole or part, will be final. If Class Counsel and Defendants’ Counsel cannot agree on approval of the Settlement Class Member’s claim, in whole or part, the dispute will be submitted to a mutually-agreeable neutral who will serve as the claims referee. If no agreement is reached on selection of the claims referee, the Parties will submit proposals to the Court. The Court will have final, nonappealable decision-making authority over designating the claims referee. The claims referee’s decision will be final and not subject to appeal or further review. X. Shortfall Notification. Beginning when the Settlement Administrator first determines that there are insufficient funds remaining in the Consumer Restitution Fund to pay valid Out-of-Pocket Losses (a “Shortfall”), the Settlement Administrator shall notify Defendants and Class Counsel on a monthly basis in writing of the Shortfall. That written notification will identify the amount needed to pay the Shortfall. Within fourteen (14) days of receiving this written notice, Defendants shall deposit money into the Consumer Restitution Fund in the amount necessary to cure the Shortfall. XI. Reporting. The Consumer Financial Protection Bureau (the “Bureau”), the Federal Trade Commission (the “Commission”), and the Parties shall, on at least a weekly basis during the Initial Claims Period unless the Bureau or the Commission determine otherwise, and as requested thereafter during the Extended Claims Period, jointly discuss with the Notice Provider and Settlement Administrator compliance with the Notice Plan, the claims process, and administration of the Consumer Restitution Fund. During such discussions, the Bureau and the Commission may make requests to the Notice Provider and Settlement Administrator for information regarding compliance with the Notice Plan, the claims process, and administration of the Consumer Restitution Fund. Such information shall not be unreasonably withheld, and any such productions shall be made within 14 days of the 6 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 291 of 295 request, provided that any reasonable request for an extension shall not be denied. All information provided to the Bureau or the Commission, whether orally or in writing, shall be treated as confidential pursuant to 12 C.F.R. Part 1070, and 15 U.S.C. 46(f) and 16 CFR 4.10, respectively, and not publicly disclosed until the Effective Date. Information provided to the Bureau or the Commission will be anonymized except in the case of a consumer complaint to the Bureau or the Commission or where the consumer provides consent. XII. Toll-Free Number. The Settlement Administrator will establish and maintain a toll-free telephone line for Settlement Class Members to call with Settlement-related inquiries, and answering the questions of Settlement Class Members who call with or otherwise communicate such inquiries. The toll-free telephone line will be staffed with sufficient resources to handle reasonably expected call volumes. XIII. Settlement Website. The Settlement Administrator will establish and maintain the Settlement Website to permit consumers to obtain information about the Settlement Class Members’ rights and options under the Settlement and submit claims during the Initial and Extended Claims Periods. The Settlement Website will: A. Contain a “landing page” upon Class Counsel’s filing of the Motion for Preliminary Approval, indicating that the Settlement Website will be updated upon the Court’s entry of the Order Permitting Issuance of Class Action Notice in the Class Action; B. Be available for informational purposes and for submission of claims as soon as possible after the Court’s entry of the Order Permitting Issuance of Class Action Notice in the Class Action; C. Be maintained until the end of the Extended Claims Period; D. Include answers to frequently asked questions; E. Provide consumers the ability to access a mechanism to determine whether they are Settlement Class Members; F. Include information concerning how Settlement Class Members can enroll in the Credit Monitoring Services and One-Bureau Credit Monitoring Services, and access Restoration Services available through the Settlement once these benefits become available; 7 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 292 of 295 G. Describe the information and documentation that consumers must submit in connection with their claims, including instructions for providing such information and submitting such documentation by electronic upload or mail; and H. Be available in English, and translated to Spanish as soon as possible. XIV. Mailing Payments: When mailing a check or prepaid card, the Settlement Administrator shall send the check or prepaid card to the address provided by the Settlement Class Member in the Claim Form or to the Settlement Class Member’s preferred address if updated with the Claims Administrator. If a check or prepaid card is returned as undeliverable, the Settlement Administrator will make all reasonable efforts to deliver the check or prepaid card, including by attempting to contact the Settlement Class Member in order to obtain an updated address, sending the check or prepaid card to any forwarding address provided upon return as undeliverable, and/or by using the National Change of Address (NCOA) dataset. Any check or prepaid card will include its expiration date, if applicable, and the Settlement Class Member’s name. The Settlement Administrator will inform the Settlement Class Member that the check or prepaid card is for the “Equifax Data Breach Settlement” and any conditions that must be complied with in order to receive the funds. There will be no fees or charges of any kind debited from Settlement Class Members for obtaining funds from the check or prepaid card; however, checks not cashed within 90 days shall no longer be valid. Class Members who have not yet cashed checks will be reminded to do so between 30 and 40 days after the checks have been issued. 8 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 293 of 295 EXHIBIT 10 SETTLEMENT CLASS REPRESENTATIVES 1 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 294 of 295 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION MDL Docket No. 2800 IN RE: EQUIFAX, INC. CUSTOMER DATA SECURITY BREACH LITIGATION Case No.: 1:17-md-2800-TWT CONSUMER ACTIONS EXHIBIT 10 SETTLEMENT CLASS REPRESENTATIVES 1. Acklin-Davis, Cherya 2. Adams, Christy 3. Anderson, Robert 4. Angelechio, Donald 5. Archambault, Michelle 6. Armstrong, Dean 7. Bakko, Justin 8. Benson, Robert 9. Bielecki, David 10. Bishop, Michael 11. Bologna, Sabina 12. Browning, Nancy 13. Campbell, Francine 14. Carr, Mark 15. Carr, Natasha 16. Chase, Michael 17. Cherney, Jack 18. Cho, Grace 19. Clemente, Ricardo 20. Craney, Bridgette 21. Crowell, Thomas 22. Davis, Germany 23. Dunleavy, Christopher 24. Elliott, Abby 25. Etten, Robert 26. Ferrel, Kayla 27. Ferrell, Janelle 28. Galpern, Andrew 29. Gay, James 30. Getz, Michael 31. Goza, Terry 32. Greenwood, Thomas 33. Grossberg, Josh 34. Guess, Jasmine 35. Hammond, John 36. Hannon, Thomas 2 Case 1:17-md-02800-TWT Document 739-2 Filed 07/22/19 Page 295 of 295 37. Harris, Jennifer 38. Harvey, Kismet 39. Hawkins, Tabitha 40. Heath, Todd 41. Helton, Bob 42. Henry, Cathy 43. Hepburn, Alexander 44. Hitchcock, Eva 45. Holly, Kathleen 46. Hornblas, Michael 47. Jacobs, Gregory 48. Kacur, David 49. Kier, Aloha 50. King, Brenda 51. Kleveno Jr., Alvin 52. Klotzbaugh, Joanne 53. Lee, Debra 54. Lemmons, Brett 55. Lipner, Leah 56. Martucci, Maria 57. May, Delitha 58. McGonnigal, James 59. Mirarchi, Anthony 60. Napier, Barry 61. O’Dell, Justin 62. Olson, Kyle 63. Orchard III, Mel 64. Packwood, Joseph 65. Pagliarulo, John 66. Parks, Richard 67. Parrow, Clara 68. Pascal, Bruce 69. Patterson, Sylvia 70. Paulo, Wanda 71. Perkins, Dallas 72. Plante, Stephen 73. Podalsky, Gregg 74. Rajput, Sanjay 75. Sanchez, Benjamin 76. Sands, David 77. Santomauro, Rodd 78. Schifano, Maria 79. Schneider, Thomas 80. Sharp, James 81. Sharpe, Miche’ 82. Simmons II, John 83. Smith, Amie 84. Solorio, Anna 85. Strausser, Jonathan 86. Strychalski, Kim 87. Swiftbird, Pete 88. Tafas, Cheryl 89. Tobias, Gerry 90. Turner, Nathan 91. Tweeddale, Jennifer 92. Van Fleet, Katie 93. Whittington II, Richard 3 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 1 of 17 Exhibit 2 Proposed Order Directing Notice In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 2 of 17 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION _____________________________ ) MDL Docket No. 2800 In re: Equifax, Inc. Customer ) Case No.: 1:17-md-2800-TWT Data Security Breach Litigation ) ) CONSUMER ACTIONS ) _____________________________ ) ORDER DIRECTING NOTICE Before the Court is the Consumer Plaintiffs’ unopposed motion to permit issuance of class notice of the proposed class action settlement. Having reviewed the proposed settlement agreement, together with its exhibits, and based upon the relevant papers and all prior proceedings in this matter, the Court has determined the proposed settlement satisfies the criteria of Federal Rule of Civil Procedure 23(e) such that the Court will likely be able to approve the proposed settlement as fair, reasonable, and adequate, and that issuance of notice of the proposed settlement in accordance with the proposed notice plan is appropriate. Accordingly, good cause appearing in the record, IT IS HEREBY ORDERED THAT: The Settlement Class and Class Counsel (1) As set forth more fully herein, the Court finds that giving notice of the proposed settlement is justified pursuant to Federal Rule of Civil Procedure Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 3 of 17 23(e)(1). The Court finds that it will likely be able to approve the proposed settlement as fair, reasonable, and adequate. The Court also finds that it will likely be able to certify the following settlement class for purposes of judgment on the settlement: The approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax on September 7, 2017.1 (2) For settlement purposes, the Court determines the proposed settlement class meets all the requirements of Rule 23(a) and (b)(3), namely that the class is so numerous that joinder of all members is impractical; that there are common issues of law and fact; that the claims of the class representatives are typical of absent class members; that the class representatives will fairly and adequately protect the interests of the class, as they have no interests antagonistic to or in conflict with the class and have retained experienced and competent counsel to prosecute this matter; that common issues predominate over any individual issues; and that a class action is the superior means of adjudicating the controversy. 1 Excluded from the settlement class are: (i) Defendants, any entity in which Defendants have a controlling interest, and Defendants’ officers, directors, legal representatives, successors, subsidiaries, and assigns; (ii) any judge, justice, or judicial officer presiding over this matter and the members of their immediate families and judicial staff; and (iii) any individual who timely and validly opts out of the settlement class. 2 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 4 of 17 (3) The Court appoints the named plaintiffs identified in Exhibit 10 as representatives of the proposed settlement class. (4) The following lawyers are designated as settlement class counsel pursuant to Rule 23(g): Kenneth S. Canfield of Doffermyre Shields Canfield & Knowles, LLC; Amy E. Keller of DiCello Levitt & Gutzler, LLC; Norman E. Siegel of Stueve Siegel Hanson LLP; and Roy Barnes of Barnes Law Group, LLC. The Court finds that these lawyers are experienced and will adequately protect the interests of the settlement class. Preliminary Evaluation of the Proposed Settlement (5) Upon preliminary review, the Court finds the proposed settlement provides a recovery for the class that is within the range of what could be approved as fair, reasonable, and adequate, taking into account all of the risks, expense, and delay of continued litigation; is the result of numerous good faith and arm’s-length negotiations that took place under the auspices of a prominent national mediator; is not otherwise deficient; otherwise meets the criteria for approval; and thus warrants issuance of notice to the settlement class. (6) In making this determination, the Court has considered the substantial monetary and non-monetary benefits to the class; the specific risks faced by the class in prevailing on Consumer Plaintiffs’ claims; the stage of the proceedings at 3 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 5 of 17 which the settlement was reached; the effectiveness of the proposed method for distributing relief to the class; the proposed manner of allocating benefits to class members; and all of the other factors required under Rule 23. Approval Hearing (7) An approval hearing shall take place before the Court on _________________, 2019, at _____ a.m./p.m. in Courtroom 2108 of the United States District Court for the Northern District of Georgia, located at the Richard B. Russell Federal Building and United States Courthouse, 75 Ted Turner Drive, SW, Atlanta, Georgia 30303-3309 to determine whether: (a) the proposed settlement class should be certified for settlement purposes pursuant to Rule 23; (b) the settlement should be approved as fair, reasonable, and adequate and, in accordance with the settlement’s terms, this matter should be dismissed with prejudice; (c) class counsel’s application for attorneys’ fees and expenses should be approved; and (d) the application for the class representatives to receive service awards should be approved. Any other matters the Court deems necessary and appropriate will also be heard. (8) Any settlement class member who has not timely and properly excluded themselves from the settlement class in the manner described below may appear at the approval hearing in person or through counsel and be heard, as 4 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 6 of 17 allowed by the Court, regarding the proposed settlement; provided, however, that no class member who excluded themselves from the class shall be entitled to object or otherwise appear, and, further provided, that no class member shall be heard in opposition to the settlement unless the class member complies with the requirements of this Order pertaining to objections, which are described below. Administration and CAFA Notice (9) JND Legal Administration is appointed as the settlement administrator, with responsibility for claim submissions, certain notice functions, and administration pursuant to the terms of the settlement agreement. The claim form attached to the settlement agreement is approved, as are versions derived therefrom to be used during the extended claims period and for claims by minors, as described in the motion for this order directing notice. The settlement administrator may, where necessary, require individuals to provide, through written, electronic, or other means, certain personal information including (without limitation) full name, address, year of birth, email address, phone number, and last six (6) digits of Social Security number in order to verify an individual’s status as a class member and/or eligibility for any benefits under the settlement, in addition to any other purposes consistent with the settlement administrator’s responsibilities under the settlement agreement. The settlement administrator’s fees, as approved 5 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 7 of 17 by the parties, will be paid from the settlement fund pursuant to the settlement agreement. (10) Within 10 days after the filing of the motion to permit issuance of notice, Defendant shall serve or cause to be served a notice of the proposed settlement on appropriate state officials in accordance with the requirements under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1715(b). Notice to the Class (11) Signal Interactive Media LLC is appointed as the notice provider, with responsibility for effectuating class notice in accordance with the proposed notice plan. The notice provider’s fees, as approved by the parties, will be paid from the settlement fund pursuant to the settlement agreement. (12) The notice plan set forth in the settlement agreement and the forms of notice attached as exhibits to the settlement agreement satisfy the requirements of Federal Rule of Civil Procedure 23 and thus are approved. Non-material modifications to the exhibits may be made without further order of the Court. The notice provider is directed to carry out the notice program in conformance with the settlement agreement and to perform all other tasks that the settlement agreement requires. 6 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 8 of 17 (13) The Court finds that the form, content, and method of giving notice to the settlement class as described in the settlement agreement and exhibits: (a) constitute the best practicable notice to the settlement class; (b) are reasonably calculated, under the circumstances, to apprise settlement class members of the pendency of the action, the terms of the proposed settlement, and their rights under the proposed settlement; (c) are reasonable and constitute due, adequate, and sufficient notice to those persons entitled to receive notice; and (d) satisfy the requirements of Federal Rule of Civil Procedure 23, the constitutional requirement of due process, and any other legal requirements. The Court further finds that the notices are written in plain language, use simple terminology, and are designed to be readily understandable by settlement class members. Appointment of Experian for Monitoring and Restoration Services (14) The Court appoints Experian as the provider of monitoring services to eligible Settlement Class Members as set forth in the Settlement Agreement. The Court directs that Experian effectuate the Settlement Agreement in coordination with Settlement Class Counsel, Equifax, and the Settlement Administrator, subject to the jurisdiction and oversight of this Court. Exclusions from the Class 7 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 9 of 17 (15) Any settlement class member who wishes to be excluded from the settlement class must mail a written notification of the intent to exclude themselves to the settlement administrator at the address provided in the notice, postmarked no later than ____________ (the “opt-out deadline”). Each written request for exclusion must identify this action, set forth the name of the individual seeking exclusion, be signed by the individual seeking exclusion, and can only request exclusion for that one individual. (16) The settlement administrator shall provide the parties with copies of all opt-out notifications, and, within 14 days after the opt-out deadline, a final list of all that have timely and validly excluded themselves from the settlement class. The final list of exclusions as well as a final list of those in the class should be filed with the Court before the approval hearing. (17) Any settlement class member who does not timely and validly exclude themselves from the settlement shall be bound by the terms of the settlement. If final judgment is entered, any settlement class member who has not submitted a timely, valid written notice of exclusion from the settlement class shall be bound by all subsequent proceedings, orders, and judgments in this matter, including but not limited to the release set forth in the settlement and final judgment. 8 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 10 of 17 (18) All those settlement class members who submit valid and timely notices of exclusion shall not be entitled to receive any benefits of the settlement. Objections to the Settlement (19) A settlement class member who complies with the requirements of this Order may object to the settlement, Class Counsel’s request for fees and expenses, or the request for service awards to the class representatives. (20) No settlement class member shall be heard, and no papers, briefs, pleadings, or other documents submitted by any settlement class member shall be received and considered by the Court, unless the objection is (a) electronically filed with the Court by the objection deadline; or (b) mailed to the settlement administrator at the address listed in the Long Form Notice available on the settlement website, and postmarked by no later than the objection deadline. Objections shall not exceed twenty-five (25) pages. For the objection to be considered by the Court, the objection must be in writing and shall set forth: (a) The name of this action; (b) The objector’s full name and current address; (c) The objector’s personal signature on the written objection (an attorney’s signature is not sufficient); 9 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 11 of 17 (d) A statement indicating the basis for the objector’s belief that he or she is a member of the settlement class; (e) A statement of whether the objection applies only to the objector, to a specific subset of the settlement class, or to the entire settlement class; (f) A statement of the objector’s grounds for the objection, accompanied by any legal support for the objection; (g) A statement identifying all class action settlements objected to by the objector in the previous five (5) years; and (h) A statement as to whether the objector intends to appear at the Fairness Hearing, either in person or through counsel, and if through counsel, identifying counsel by name, address, and telephone number, and four dates between the Objection Deadline and [a date two weeks before Fairness Hearing] during which the objecting settlement class member is available to be deposed by counsel for the Parties. (21) In addition to the foregoing, if the objector is represented by counsel and such counsel intends to speak at the Fairness Hearing, the written objection must include: 10 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 12 of 17 (a) A detailed statement of the specific legal and factual basis for each and every objection; and (b) A detailed description of any and all evidence the objector may offer at the Fairness Hearing, including copies of any and all exhibits that the objector may introduce at the Fairness Hearing. (22) In addition to the foregoing, if the objector is represented by counsel, and such counsel intends to seek compensation for his or her services from anyone other than the objector, the written objection must include: (a) The identity of all counsel who represent the objector, including any former or current counsel who may be entitled to compensation for any reason related to the objection; (b) A statement identifying all instances in which the counsel or the counsel’s law firm have objected to a class action settlement within the preceding five (5) years, giving the style and court in which the class action settlement was filed; (c) A statement identifying any and all agreements that relate to the objection or the process of objecting—whether written or oral—between the objector, his or her counsel, and/or any other person or entity; 11 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 13 of 17 (d) A description of the counsel’s legal background and prior experience in connection with class action litigation; and (e) A statement regarding whether fees to be sought will be calculated on the basis of a lodestar, contingency, or other method; an estimate of the amount of fees to be sought; the factual and legal justification for any fees to be sought; the number of hours already spent by the counsel and an estimate of the hours to be spent in the future; and the attorney’s hourly rate. (23) Any settlement class member who fails to comply with the provisions in this Order will waive and forfeit any and all rights they may have to object, may have their objection stricken from the record, and may lose their rights to appeal from approval of the settlement. Any such class member also shall be bound by all the terms of the settlement agreement, this Order, and by all proceedings, orders, and judgments, including, but not limited to, the release in the settlement agreement if final judgment is entered. Claims Process (24) The settlement agreement establishes a process for claiming benefits under the settlement, including reimbursement for out-of-pocket losses relating the 12 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 14 of 17 breach; reimbursement for time spent remedying issues relating the breach; free credit monitoring services; and alternative cash payments for those settlement class members who already have some form of credit monitoring. If money remains in the settlement fund after the initial claims period, an “extended claims period” will go into effect for an additional 4 years (or until the fund is exhausted, whichever occurs first) which will permit settlement class members to submit claims for reimbursement of out-of-pocket losses or time spent remedying issues relating the breach after the initial claims period if certain conditions are met. The settlement agreement also sets forth a detailed disputes and appeals process for settlement class members whose claims are denied in whole or part. The Court approves this claims process and directs that the settlement administrator effectuate the claims process according to the terms of the settlement agreement. Termination of the Settlement and Use of this Order (25) This Order shall become null and void and shall be without prejudice to the rights of the parties, all of which shall be restored to their respective positions existing immediately before this Court entered this Order, if the settlement is not approved by the Court or is terminated in accordance with the terms of the settlement agreement, all subject to the cure provisions set forth in the settlement agreement. In such event, the settlement and settlement agreement shall 13 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 15 of 17 become null and void and be of no further force and effect, and neither the settlement agreement nor the Court’s orders, including this Order, relating to the settlement shall be used or referred to for any purpose whatsoever. (26) This Order shall be of no force or effect if final judgment is not entered or there is no effective date under the terms of the settlement agreement; shall not be construed or used as an admission, concession, or declaration by or against Defendants of any fault, wrongdoing, breach, or liability; shall not be construed or used as an admission, concession, or declaration by or against any settlement class representative or any other settlement class member that its claims lack merit or that the relief requested is inappropriate, improper, or unavailable; and shall not constitute a waiver by any party of any defense or claims it may have in this litigation or in any other lawsuit. Continuance of Final Approval Hearing (27) The Court reserves the right to adjourn or continue the approval hearing and related deadlines without further written notice to the settlement class. If the Court alters any of those dates or times, the revised dates and times shall be posted on the settlement website. Summary of Deadlines (28) The settlement agreement shall be administered according to its terms 14 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 16 of 17 pending the Approval Hearing. Deadlines arising under the settlement agreement and this Order include but are not limited to the following: EVENT TIMING Deadline for Defendant to disseminate CAFA notices [10 days after settlement agreement filed with the Court] Deadline for Defendant to provide settlement class list to settlement administrator [5 business days after order directing notice] Notice date [60 days after order directing notice] Deadline to file Class Counsel’s motion for attorneys’ fees, costs, expenses and service awards [at least 21 days before objection deadline] Deadline for Class Counsel to file motion for final approval of settlement and responses to any timely submitted settlement class member objections [14 days prior to final approval hearing] Objection deadline [60 days after notice date] Opt-out deadline [60 days after notice date] Initial claims deadline [6 months after order directing notice] Extended claims deadline [4 years after initial claims deadline] Final approval hearing [At least 150 days after order directing of notice] 15 Case 1:17-md-02800-TWT Document 739-3 Filed 07/22/19 Page 17 of 17 IT IS SO ORDERED this ____ day of _______________, 2019. ____________________________ THOMAS W. THRASH, JR. United States District Judge 16 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 1 of 45 Exhibit 3 Declaration of Class Counsel In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 2 of 45 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION In re: Equifax Inc. Customer Data Security Breach Litigation MDL Docket No. 2800 No. 1:17-md-2800-TWT CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. CLASS COUNSEL’S DECLARATION IN SUPPORT OF PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Kenneth S. Canfield, Amy E. Keller, and Norman E. Siegel declare as follows: 1. We were appointed by this Court to serve as Co-Lead Counsel for the Consumer Plaintiffs and Interim Class Counsel in the above-captioned MDL. Along with Roy E. Barnes, who serves as Co-Liaison Counsel with lead responsibilities, we have led the Plaintiffs’ efforts in the consumer track since our appointment on February 9, 2018. We have personal knowledge of all the matters addressed in this Declaration, including the negotiations that culminated with the filing of the proposed settlement now before the Court. Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 3 of 45 2. Plaintiffs were represented in the negotiations by a Settlement Committee chaired by Mr. Siegel, who in that capacity had overall responsibility for the negotiations and took the lead on our side of the table. Mr. Canfield and Ms. Keller are members of the committee, as are Mr. Barnes and Cam Tribble of the Barnes Law Group. The other members of our negotiating team are Andrew Friedman of Cohen Milstein Sellers & Toll PLLC in Washington, D.C.; Adam Levitt of DiCello Levitt & Gutzler LLC of Chicago, Illinois; James Pizzirusso of Hausfeld, LLP in Washington, D.C.; and John Yanchunis of Morgan & Morgan Complex Litigation Group in Tampa, Florida. The negotiating team was assisted and advised by the Plaintiffs’ Steering Committee appointed by the Court, including as needed by other lawyers at their firms. David Berger of the Gibbs Law Group in San Francisco, who has developed a deep expertise in technology matters, provided particular assistance in connection with the business practice changes that are mandated by the settlement. 3. Collectively, the lawyers on our negotiating team have a long history of leading some of the country’s most complex civil litigation; have been recognized by courts and national publications for their knowledge and experience in data breach cases; and are responsible for what until this case were the largest data breach settlements in history, including Home Depot, Anthem, Yahoo!, and 2 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 4 of 45 Target. Much of this experience was detailed in our leadership application in this case and will not be repeated here. But a brief summary of our experience as it relates to this case may be helpful to the Court. 4. Since the revelation of the Target data breach in late 2013, Mr. Siegel has dedicated much of his practice to representing victims of data breaches. He cofounded the American Association for Justice’s Consumer Privacy and Data Breach Litigation Group and previously served as the group’s co-chair. He is a nationally published author on emerging issues impacting data breach cases, and he regularly speaks on data breach litigation issues and best practices in settling data breach cases. 5. Mr. Siegel’s experience in data breach and consumer privacy cases includes appointment as co-lead counsel for the consumer plaintiffs in In re: The Home Depot, Inc., Customer Data Security Breach Litigation, MDL No. 2522, No. 14-md-02583 (N.D. Ga.) (involving a breach affecting more than 60 million customers). In the Home Depot litigation, he served as the principal negotiator with Mr. Barnes on behalf of the consumer class that resulted in a settlement that the Court referred to as an “exceptional result” and “the most comprehensive settlement achieved in large-scale data breach litigation.” In re The Home Depot, Inc., Customer Data Sec. Breach Litig., MDL No. 2583, No. 1:14-MD-02583- 3 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 5 of 45 TWT, 2016 WL 11299474, at *1 (N.D. Ga. Aug. 23, 2016). He also served as a member of the executive committee and was part of the negotiating team in In re: Target Corporation Customer Data Security Breach Litigation, No. 14-md-2522 (D. Minn.) (involving a breach affecting tens of millions of customers), and has worked closely with lead counsel including drafting large portions of the successful standing appeal in In re U.S. Office of Personnel Management Data Security Breach Litigation, No. 1:15-mc-01394-ABJ (D.D.C.) (involving a breach of millions of government employee records). He has also served as lead counsel and crafted settlements in smaller data breach cases including Hutton v. National Board of Examiners in Optometry, Inc., No. 16-cv-03025-JKB (D. Md.) (resolving a data breach impacting 60,000 eye doctors across the country; Court finding “multiple beneficial forms of relief . . . reflects an outstanding result for the Class.”). 6. In addition to their extensive experience in many other types of complex litigation and class actions that was described in our leadership application, Mr. Canfield, Mr. Barnes, and Ms. Keller have also litigated and settled major data breach cases. Mr. Canfield served as co-lead counsel in the financial institution track of the Home Depot data breach multidistrict litigation before this Court that resulted in what remains the largest data breach settlement 4 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 6 of 45 involving banks and credit unions. Mr. Barnes, as noted above, shared responsibility for negotiating the successful settlement of the consumer track in the Home Depot breach case. And, both Mr. Canfield and Mr. Barnes serve in leadership positions in In re: Arby’s Rest. Group, Inc. Data Security Litig., No. 1:17-cv-1035-AT (N.D. Ga.). Ms. Keller, in addition to her recent appointment as co-lead counsel in the Marriott data breach multidistrict litigation, has experience in litigating a number of nationwide consumer class actions. She is a member of the Sedona Conference’s Working Group 11, which focuses on litigation issues surrounding technology, privacy, artificial intelligence, and data security, and serves on two drafting teams—one proposing a model data breach notification law, and another opining on statutory damages under U.S. privacy laws, such as the California Consumer Privacy Act. 7. Our colleagues on the Plaintiffs’ negotiating team also have extensive backgrounds litigating and resolving data breach cases large and small. Examples of these cases include In re Anthem, Inc. Data Breach Litig., No. 15- MD-02617 (N.D. Cal), which Mr. Friedman led as co-lead counsel and resulted in what until now is by far the largest consumer data breach settlement. Other examples include In Re: Arby’s Rest. Group, Inc. Data Security Litig., No. 1:17-cv-1035-AT (N.D. Ga.) (Mr. Pizzirusso); In re: Yahoo! Inc. Customer Data Security Breach Litig., 5 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 7 of 45 No. 16-md-02752 (N.D. Cal.) (Mr. Yanchunis); In re VIZIO Inc. Consumer Privacy Litig., No. 8-16-md-02693-JLS (C.D. Cal.) (Mr. Friedman); In re Sony Gaming Networks and Customer Data Security Breach Litig., No. 11-md- 02258 (S.D. Cal.) (Mr. Yanchunis). Including all members of the Plaintiffs Steering Committee, we have collectively handled over 50 data breach cases from coast to coast. [Doc. 187-2] And that record continues—just recently for example, Ms. Keller, Mr. Friedman, and Mr. Pizzirusso were appointed to lead the consumer claim in the Marriott data breach multi-district litigation and Mr. Siegel was named to the steering committee. 8. These collective experiences litigating and resolving the largest data breach cases in history were brought to bear on the approach to settling the claims presented in this case, and it is the shared view of the entire Plaintiffs’ Steering Committee that the settlement presented here is historic in several respects. We are confident that this settlement is fair, reasonable, and adequate and in the best interests of the 147 million Americans who were impacted by the 2017 Equifax data breach. Overview of the Litigation 9. On September 7, 2017, Equifax announced that criminals had stolen from its computer networks confidential personal and financial information 6 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 8 of 45 pertaining to about 147 million Americans. Class action lawsuits against Equifax immediately began to be filed by affected consumers and financial institutions. Ultimately, more than 300 such lawsuits were filed around the country. In addition, a few lawsuits were filed by small businesses alleging they had been damaged because their owners’ personal information had been stolen in the breach. 10. In December 2017, all of these lawsuits were consolidated by the Judicial Panel on Multidistrict Litigation and transferred to Chief Judge Thomas Thrash, Jr. of the Northern District of Georgia in Atlanta, where Equifax is headquartered. The Court created two separate tracks to manage the litigation — one for the consumer cases (which included claims that had been brought against small businesses) and one for the cases brought by financial institutions. The Court also directed counsel interested in leadership positions in each track to file applications with the Court. There were several dozen applications, some by groups of lawyers and others by individuals. On February 12, 2018, the Court appointed a designated group of 13 lawyers to lead the litigation including Ken Canfield, Amy Keller, and Norman Siegel as Co-Lead Counsel and Roy Barnes as liaison counsel, sharing duties with Co-Lead Counsel. [Doc. 232] This group was also appointed Interim Consumer Class Counsel pursuant to Fed. R. Civ. P. 23(g), 7 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 9 of 45 and referred to as “Class Counsel” in the Settlement Agreement and this Declaration. 11. As Class Counsel, our first major task was to file a consolidated amended complaint, which the Court had announced would serve as the vehicle for litigating the consumer claims. Our group had a substantial head start on this task because prior to our appointment we had already filed a case that named class representatives from every state. Nonetheless, the consolidated complaint was a massive undertaking, involving investigating the underlying facts, vetting several thousand potential class representatives, and thoroughly researching many legal theories under federal law and the laws of all 50 states. 12. On May 14, 2018, Plaintiffs filed a 559-page consolidated amended consumer complaint, which named 96 class representatives and asserted numerous common law and statutory claims under both state and federal law. [Doc. 374] Due to the Court’s inclusion of the small business cases in the consumer track, we also filed a separate complaint on behalf of the small businesses. [Doc. 375] 13. In June and July 2018, Equifax moved to dismiss both the consumer and small business complaints in their entirety. [Docs. 428 and 441] Equifax’s primary focus in these motions was attacking Plaintiffs’ negligence and negligence per se claims, arguing that Georgia law does not recognize a legal duty to 8 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 10 of 45 safeguard personal information, none of the class representatives (or any class members) suffered a legally-cognizable injury, and Plaintiffs could not plausibly prove any alleged injury was caused by the Data Breach. Both motions to dismiss were exhaustively briefed during the summer and early fall of 2018. [Docs. 452, 471] 14. On December 14, 2018, the Court heard more than three hours of oral argument on Equifax’s motions to dismiss. [Doc. 534] On January 28, 2019, the Court issued its rulings granting the motion to dismiss the small business complaint and largely denying the motion directed at the consumer complaint. Equifax answered the consumer complaint on February 25, 2019. [Docs. 540, 541] 15. While the consolidated amended complaints were being prepared and Equifax’s motions to dismiss were pending, Class Counsel and the members of Plaintiffs’ Steering Committee undertook a substantial amount of other work to move the case forward. That work included the organizational activity that is part of leading any case of this magnitude (establishing committees, assigning areas of responsibility, hiring vendors for e-discovery, etc.), as well as tasks such as locating and consulting with experts; working with the class representatives to assemble their documents and compile their damages; investigating the facts relating to the breach, including the mechanism for how the breach occurred and 9 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 11 of 45 the data exfiltrated; communicating with public interest groups active in the cybersecurity, consumer protection, and financial fraud fields; coordinating with the leadership of the financial institution track and the related securities litigation; developing our strategy for prosecuting the case; meeting with state and federal lawmakers regarding the breach; issuing document retention subpoenas to scores of third parties; and attending monthly status conferences in court. 16. Under the local rules of the Northern District of Georgia, discovery does not begin until 30 days after an answer is filed. Nevertheless, we were able to secure case management orders that front-loaded much of the preparatory work needed before formal discovery could as a practical matter proceed, setting the groundwork for discovery once the motions were decided. In accordance with these orders, the parties negotiated a series of protocols to govern discovery, exchanged requests for production of documents, and attempted to negotiate the search terms and list of custodians that would be used in electronic searches. [Doc. 258] (Protective Order); [Doc. 449] (Production and ESI Protocol) Several parts of this pre-discovery process proved to be challenging, forcing Class Counsel to spend substantial time on these matters. On some issues, the parties reached impasse compelling Class Counsel to file a motion seeking limited relief from the 10 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 12 of 45 discovery stay and an order facilitating our interviews of former Equifax employees who had signed non-disclosure agreements. [Doc. 488] 17. Once the Court ruled on Equifax’s motions to dismiss, Plaintiffs’ discovery efforts intensified. Among other things, Class Counsel and Plaintiffs’ Steering Committee reviewed approximately 500,000 pages of documents produced by Equifax (along with many thousands of native files including presentations and databases), began producing named plaintiffs’ documents to Equifax, and scheduled depositions of several former Equifax employees. Our document review was complicated by Equifax’s decision to segregate highlyconfidential documents in a “reading room” controlled by Equifax, which involved beginning to negotiate revised orders concerning discovery and creating new review protocols, along with meeting and conferring about Equifax’s ongoing productions. Those efforts continued up to the moment the case settled. Overview of Settlement Discussions 18. In September 2017, Equifax’s counsel contacted Mr. Siegel, Mr. Levitt, and others and told us that Equifax was interested in exploring early resolution of the litigation. This led to the formation of a group of Plaintiffs’ counsel that decided to work together in an effort to litigate and resolve the case. 11 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 13 of 45 This group, with a few additions selected by the Court, was later appointed to lead the consumer track. 19. After initial telephone and in-person discussions regarding a potential settlement process, the parties retained Layn R. Phillips, a former federal judge and principal of Phillips ADR, to serve as mediator. Judge Phillips is perhaps the country’s preeminent mediator in major civil litigation and has successfully mediated several other data breach cases, including In re Anthem Customer Data Breach Security Litig., which until now is the most successful consumer data breach settlement. Our first negotiating session took place in Newport Beach, California on November 27-28, 2017. The parties engaged in extensive preparation for the mediation and exchanged comprehensive mediation statements. 20. Based on the collective experiences described above, Plaintiffs presented a paradigm for settlement that would serve as the groundwork for further negotiations: First, Equifax would create a common fund for the benefit of the class that would reimburse class members for out-of-pocket expenses and lost time associated with the breach. Second, class members would be entitled to high quality, three-bureau credit monitoring and identity restoration services. And, third, Equifax would be subject to specific contractual obligations and a related consent order requiring that it substantially reform its data security practices. 12 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 14 of 45 21. Although little progress was made at the first mediation, it did serve to initiate what became a lengthy back-and-forth process with Equifax that lasted over the next 16 months. Throughout the process, the three core elements of resolution discussed at the first mediation served as the guideposts that led the parties through various iterations of proposed term sheets, and ultimately the settlement presented by this motion. During the course of 2018, Class Counsel collectively spent more than a thousand hours preparing for and participating in settlement talks, struggling to reach agreement with Equifax on a comprehensive term sheet. 22. The parties negotiated over this period with the oversight of Judge Phillips — work that involved exchanging additional mediation statements, numerous and regular telephone conferences, and additional all-day mediation sessions with Judge Phillips on May 25, 2018, August 9, 2018, November 16, 2018, and March 30, 2019. During this period, Class Counsel and Plaintiffs’ settlement committee also spent significant time with vendors so that we could develop and deliver state-of-the-art monitoring and restoration services to the entire class. We also retained several leading cybersecurity experts to assist us and consulted with knowledgeable consumer groups. 13 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 15 of 45 23. On a separate track, the parties worked on detailed and comprehensive business practice changes involving Equifax’s cybersecurity measures. In connection with the negotiations, we retained Mary Frantz, one of the nation’s leading cybersecurity experts. Working continuously with Ms. Frantz, we examined Equifax’s existing data security systems, attended multiple meetings at Equifax’s headquarters in Atlanta with Equifax’s counsel and security experts, and exchanged numerous proposals and counter-proposals regarding improvements to Equifax’s data security. 24. Although the negotiations were productive and moved the parties closer to settlement, the process slowed substantially following the November 16, 2018 mediation session, and eventually came to a stop in December. At that point, the parties turned their attention to continuing the briefing and then arguing the motions to dismiss, resulting in a relative standstill on the negotiations pending the Court’s ruling on those motions. 25. Following the Court’s decision largely denying Equifax’s motion to dismiss the consumer claims, the parties renewed negotiations. The meaning and impact of the Court’s orders on the prospects of the litigation was hotly debated and prompted the parties to continue their settlement efforts through Judge Phillips. In March 2019, the parties agreed to another mediation session. After 14 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 16 of 45 meeting with Equifax’s counsel and in-house representatives in California for several hours on the evening of March 29, 2019, and following an all-day mediation session on March 30, 2019, the parties executed a binding Term Sheet that serves as the basis of this Settlement. 26. In between the formal mediation sessions, the parties met several times, engaged in scores of telephone conferences, and exchanged constant emails (Mr. Siegel has over a thousand emails to and from Equifax’s lawyers) – all in an effort to move the negotiations forward. At all times the negotiations were at arm’s length, sometimes contentious, but always professional. The Mediated Settlement Terms 27. As discussed above, from the outset of the negotiations, Class Counsel focused on three major components of the settlement. First, the establishment of a cash settlement fund to compensate those class members that had suffered out-ofpocket losses and lost time as a result of the breach. Second, the provision of high quality credit monitoring and identity restoration services. And third, modifications to Equifax’s data security practices that would be subject to Court enforcement. The March 30, 2019 Term Sheet achieved all of these goals. 28. The Term Sheet achieved the first litigation goal of securing significant monetary relief through the establishment of a non-reversionary $310 15 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 17 of 45 million settlement fund. The deal was structured so that class members could receive up to $20,000 with documented losses fairly traceable to the breach, including, but not limited to money spent on placing or removing a security freeze on a credit report with any credit reporting agency; credit monitoring or identity theft protection costs purchased on or after September 7, 2017; unreimbursed costs, expenses, losses, or charges paid on or after May 13, 2017, because of identity theft or identity fraud, falsified tax returns, or other misuse of personal information; other miscellaneous expenses related to any out-of-pocket loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges; professional fees incurred in connection with addressing identity theft, fraud, or falsified tax returns; and up to 25% reimbursement of the money paid for Equifax credit monitoring or identity theft protection subscription products in the year before the breach. The parties also agreed the fund would provide for reimbursement to class members who spent time taking preventative measures or dealing with fraud, identity theft, or other misuse of their personal information for up to 20 hours of time at $25 per hour. Up to 10 hours of time could be selfcertified and not require documentation. 29. The Term Sheet achieved the second key litigation goal in that all class members would be entitled to enroll in three years of three-bureau credit 16 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 18 of 45 monitoring services provided by Experian. Comparable products, like Experian’s CreditWorks Premium service, retail for $25 a month ($300 per year). And, if a class member already had some other kind of monitoring services in place, the Term Sheet provided that class members may file a claim for alternative cash compensation of $100. In addition, the Term Sheet provided all class members with access to “assisted identity restoration services” if they experience an identity theft event. These services include access to a U.S.-based call center providing services relating to identity theft and fraud restoration. Importantly, class members do not need to file a claim to access these services. Under the Term Sheet, the settlement fund would pay for monitoring for up to seven million enrollees, but Equifax was required to separately pay for all class members who registered in excess of seven million. 30. The Term Sheet achieved the third key litigation goal of requiring Equifax to adopt, pay for, implement, and maintain extensive business practices commitments related to information security to safeguard consumer information for a period of five years, including spending a minimum of $1 billion on data security and related technology. Over a lengthy period that began in 2017, the information security program was developed by Class Counsel in consultation with Ms. Frantz, and negotiated with Equifax to provide security improvements relating 17 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 19 of 45 to data classification, logging and monitoring, vulnerability scanning, penetration testing, patch management, access control and account management, file integrity monitoring, encryption, data retention requirements, and required third party assessments, among many others. Moreover, the Term Sheet provided that an independent third party would assess these commitments and be enforceable in court. 31. The Term Sheet provided for two claims periods – an initial claims period of six months, followed by an extended claims period (if money remained in the fund) for up to three years. At the conclusion of the extended claims period the parties agreed that excess funds would be used for the benefit of the class and could not revert to Equifax. The Term Sheet also delivered another important nonmonetary benefit – it provided that Equifax could not seek to enforce any arbitration provision in any Equifax product that has been offered in response to the Data Breach as of the date of the settlement agreement or that is provided under the settlement. Input from Federal and State Regulators 32. The March 30, 2019, Term Sheet provided for a period of 60 days following the execution of the Term Sheet to allow Class Counsel to consider any comments from the Federal Trade Commission, the Consumer Financial Protection 18 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 20 of 45 Bureau, and state Attorneys General (“Regulators”) regarding the relief afforded to the class under the Term Sheet. This provision is consistent with guidance provided by the Federal Judicial Center regarding solicitation of the views of federal and state regulators regarding class action settlements. See generally, Federal Judicial Center, Managing Class Action Litigation: A Pocket Guide for Judges at 26-27. Because the Regulators were not involved in negotiating the Term Sheet, the parties agreed that, “to the extent that the Regulators propose changes to the class benefits or the Term Sheet, Plaintiffs will discuss and consider in good faith such changes, and if the parties agree, the Term Sheet and settlement agreement will be amended accordingly.” 33. In the weeks that followed, the Regulators proposed several changes to the substantive terms of the Term Sheet. Some were relatively minor (making clear that consumers could recover for time in 15 minute intervals and increasing the dollar amount for alternative monitoring compensation from $100 to $125) while others provided significant additional relief ($70.5 million for the fund that included money to pay for another year of 3-bureau monitoring and, if needed, $125 million more to pay excess out-of-pocket claims; 6 years of 1-bureau monitoring through Equifax; and expansion of the Extended Claims Period from 3 to 4 years). Plaintiffs accepted all those proposals. However, Plaintiffs opposed 19 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 21 of 45 other proposed changes Class Counsel believed would be the subject of criticism and, in certain instances, might lessen the class benefits in the Term Sheet they had negotiated. 34. These discussions triggered a new round of difficult negotiations that lasted over two months and delayed submitting an agreement to the Court. Through intensive good faith discussions, the remaining issues were resolved, and Class Counsel turned to working with Equifax and the Regulators to refine the notice and claims programs. After numerous conferences with Equifax and the Regulators, and an “all hands” meeting in Washington, D.C. on July 16, the parties were finally able to execute the Settlement Agreement. Like the negotiations with Equifax, all negotiations with the Regulators were arm’s length. 35. Both the Federal Trade Commission and Consumer Financial Protection Bureau also offered helpful suggestions to the notice program and claims administration process. The proposed changes were intended to maximize the efficacy of the notice program, improve accessibility of the notice and claims process, and ultimately increase claims rates. Class Counsel adopted nearly all of these proposed changes, and believe the Regulators’ input improved the final notice program and claims process. 20 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 22 of 45 Confirmatory Discovery 36. Following execution of the Term Sheet, Class Counsel engaged in confirmatory discovery related to both the identification of the class and other issues bearing on the settlement. Specifically, Class Counsel sought and received information regarding the specifics of how Equifax determined those individuals impacted by the breach, confirming the mechanism of the breach, and confirming the steps Equifax has taken to improve its data security since the breach was discovered. Specifically, on June 26, 2019, Ms. Keller deposed an employee of Mandiant (the firm that conducted the post-breach investigation) and Equifax’s Chief Information Security Officer concerning the breach, Equifax’s systems and business practices, and Equifax’s post-breach response. The deposition assisted Class Counsel in ensuring that the negotiated settlement relief addresses Plaintiffs’ allegations and benefits Settlement Class Members by improving Equifax’s security and business practices. The Settlement Benefits Conferred on the Class 37. Under the proposed settlement, Equifax will pay $380.5 million into a non-reversionary fund for class benefits, fees, expenses, service awards, and notice and administration costs; and up to an additional $125 million if needed to satisfy claims for Out-of-Pocket losses if the $380.5 million fund is exhausted, bringing 21 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 23 of 45 the cash fund up to $505.5 million. Settlement Agreement ¶¶ 3.1 and 3.2. The settlement is structured so that Equifax also may pay into the fund the added costs of credit monitoring if more than seven million class members claim that benefit. These payments could exceed $2 billion if all class members enroll for this benefit, and accrues at a rate of $16.4 million for every 1 million enrollees above 7 million. Id. at ¶¶ 7.8 and 7.9. 38. The Settlement provides that the fund will provide specific benefits to class members, including:  Compensation of up to 20 hours at $25 per hour for time spent taking preventative measures or dealing with identity theft. Ten hours can be self-certified, requiring no documentation. This provision is subject to a $38 million cap.  Reimbursement of up to $20,000 for documented losses fairly traceable to the breach, such as the cost of freezing or unfreezing a credit file; buying credit monitoring services; out of pocket losses from identity theft or fraud, including professional fees and other remedial expenses; and 25 percent of any money paid to Equifax for credit monitoring or identity theft protection subscription products in the year before the breach.  Four years of specially-negotiated, three-bureau credit monitoring and identity protection services through Experian (a retail value of $1,200) and an additional six years of one-bureau credit monitoring through Equifax (a retail value of $720).  Alternative compensation of $125 for class members who already have credit monitoring or protection services in place. This provision is subject to a $31 million cap. 22 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 24 of 45  Identity restoration services through Experian to help class members victimized by identity theft for seven years, including access to a U.S. based call center, assignment of a certified identity theft restoration specialist, and step by step assistance in dealing with credit bureaus, companies and government agencies. Id. at ¶ 6.2. 39. The documentation necessary to establish Out-of-Pocket Losses may consist of documents such as receipts from third parties, highlighted account statements, phone bills, gas receipts, and postage receipts, among other relevant documentation. Similarly, to obtain Reimbursement for Attested Time of up to 10 hours, class members need only attest to the time spent and briefly describe the actions taken. Claims for Reimbursement for Attested Time of more than 10 hours require documentation, which can be the same documents submitted for Out-ofPocket losses. If it is not readily apparent how the document establishes a loss, the claimant can provide a brief description of the documentation describing the nature of the loss. Id. at ¶ 8.3. 40. If a claim is rejected for any reason, there is also a consumer-friendly appeals process whereby claimants will have the opportunity to cure any deficiencies in their submission or request an automatic appeal if the Settlement Administrator determines a claim for Out-of-Pocket Losses or time is deficient in whole or part. Id. at ¶ 8.5. 23 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 25 of 45 41. Class members will have six months to file a claim for benefits, but are not required to file a claim to access identity restoration services. Id. at ¶¶ 7.2 and 8.1. If money remains in the fund, there will be up to a four-year extended claims period during which class members may recover for Out-of-Pocket losses and time spent rectifying identity theft after the end of the initial claims period. Id. at ¶ 8.1.2. Any money remaining after the extended claims period will first be used to pay any claims for time or alternative compensation that were not paid in full because of the caps; purchase up to three years of additional identity restoration services and then to extend the length of credit monitoring for those who claimed that benefit. Id. at ¶ 5.4. 42. The credit monitoring product offers class members expansive coverage in monitoring for and protecting against identity theft and fraud. Id. at 7.1. Credit monitoring is a service that monitors an individual’s credit reports and alerts the individual when any change is made that could signal fraudulent activity. Credit changes can include new credit card or loan applications, new credit inquiries, existing account changes, and new public records or address changes, among others. Credit monitoring gives the individual the opportunity to confirm the accuracy of a credit change in real time and, if necessary, address the issue before fraud occurs or expands. 24 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 26 of 45 43. As a separate class benefit, all Settlement Class Members, even those who do not enroll in Credit Monitoring Services or do not submit a claim, will be entitled to utilize identity restoration services offered through Experian. This coverage is a separate benefit and permits all class members to have access to fraud resolution specialists who can assist with important tasks such as placing fraud alerts with the credit bureaus, disputing inaccurate information on credit reports, scheduling calls with creditors and other service providers, and working with law enforcement and government agencies to dispute fraudulent information. Identity restoration services will be available for a period of seven years from the Effective Date of the Settlement Agreement. Id. at ¶ 7.2. 44. Equifax has also agreed to entry of a consent order in this action requiring the company to spend a minimum of $1 billion for cybersecurity over five years and to comply with comprehensive data security requirements as originally provided in the Term Sheet. Id. at ¶ 4.1.1. Equifax’s compliance will be audited by independent experts and subject to this Court’s enforcement powers. Id. at ¶ 4.1.2. The components of the business practice changes include:  Information Security Program: Within 90 days of final approval, Equifax shall implement, and thereafter regularly maintain, review, and revise a comprehensive Information Security Program that is reasonably designed to protect the confidentiality, integrity, and availability of the Personal 25 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 27 of 45 Information that Equifax collects, processes, or stores on the Equifax Network.  Managing Critical Assets: Equifax shall identify and document a comprehensive IT asset inventory, using an automated tool(s) where practicable, that, consistent with NIST or another comparable standard, will inventory and classify, and issue reports on, all assets that comprise the Equifax Network, including but not limited to software, applications, network components, databases, data stores, tools, technology, and systems. The asset inventory required under this paragraph shall be regularly updated and, at a minimum, identify: (a) the name of the asset; (b) the version of the asset; (c) the owner of the asset; (d) the asset’s location within the Equifax Network; and (e) the asset’s criticality rating. Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing that hardware and software within the Equifax Network be rated based on criticality, factoring in whether such assets are used to collect, process, or store Personal Information. Equifax shall comply with this provision by June 30, 2020.  Data Classification: Equifax shall maintain and regularly review and revise as necessary a data classification and handling standard.  Security Information and Event Management: Consistent with NIST or another comparable standard, Equifax shall implement a comprehensive, continuous, risk-based SIEM solution (or equivalent). Equifax shall continuously monitor, and shall test on at least a monthly basis, any tool used pursuant to this paragraph, to properly configure, regularly update, and maintain the tool, to ensure that the Equifax Network is adequately monitored.  Logging and Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing: (1) risk-based monitoring and logging of security events, operational activities, and transactions on the Equifax Network, (2) the reporting of anomalous activity through the use of appropriate platforms, and (3) requiring tools used to perform these tasks be appropriately monitored and tested to assess 26 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 28 of 45 proper configuration and maintenance. The Governance Process shall include the classification of security events based on severity and appropriate remediation timelines based on classification.  Vulnerability Scanning: Equifax shall implement and maintain a risk-based vulnerability scanning program reasonably designed to identify and assess vulnerabilities within the Equifax Network.  Penetration Testing: Equifax shall implement and maintain a risk-based penetration-testing program reasonably designed to identify and assess security vulnerabilities within the Equifax Network.  Vulnerability Planning: Equifax shall rate and rank the criticality of all vulnerabilities within the Equifax Network. For each vulnerability that is ranked most critical, Equifax shall commence remediation planning within 24 hours after the vulnerability has been rated as critical and shall apply the remediation within one week after the vulnerability has received a critical rating. If the remediation cannot be applied within one week after the vulnerability has received a critical rating, Equifax shall identify or implement compensating controls designed to protect Personal Information as soon as practicable, but no later than one week after the vulnerability received a critical rating.  Patch Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process to maintain, keep updated, and support the software on the Equifax Network. Equifax shall maintain reasonable controls to address the potential impact that security updates and patches may have on the Equifax Network and shall maintain a tool that includes an automated Common Vulnerabilities and Exposures (CVE) feed with regular updates regarding known CVEs.  Threat Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a threat management program designed to appropriately monitor the Equifax 27 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 29 of 45 Network for threats and assess whether monitoring tools are appropriately configured, tested, and updated.  Access Control and Account Management: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to appropriately manage Equifax Network accounts. This Governance Process shall include, at a minimum, (1) implementing appropriate password, multi-factor, or equivalent authentication protocols; (2) implementing and maintaining appropriate policies for the secure storage of Equifax Network account passwords, including policies based on industry best practices; and (3) limiting access to Personal Information by persons accessing the Equifax Network on a least-privileged basis.  File Integrity Monitoring: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process established to provide prompt notification of unauthorized modifications to the Equifax Network.  Legacy Systems: Equifax shall develop and implement a risk-based plan to remediate current legacy systems on a schedule that provides for remediation within five years following final approval of this Agreement and which includes applying compensating controls until the systems are remediated. Equifax shall also maintain a Governance Process for active lifecycle management for replacing and deprecating legacy systems when they reach end of life.  Encryption: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process requiring Equifax either to encrypt Personal Information or otherwise implement adequate compensating controls.  Data Retention: Equifax shall maintain, regularly review and revise as necessary, and comply with a Governance Process establishing a retention schedule for Personal Information on the Equifax Network and a process for deletion or destruction of Personal Information when such information is no 28 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 30 of 45 longer necessary for a business purpose, except where such information is otherwise required to be maintained by law.  TrustedID Premier: Equifax, including by or through any partner, affiliate, agent, or third party, shall not use any information provided by consumers (or the fact that the consumer provided information) to enroll in TrustedID Premier to sell, upsell, or directly market or advertise its fee-based products or services.  Mandatory Training: Equifax shall establish an information security training program that includes, at a minimum, at least annual information security training for all employees, with additional training to be provided as appropriate based on employees’ job responsibilities.  Vendor Management: Equifax shall oversee its third party vendors who have access to the Equifax Network by maintaining and periodically reviewing and revising, as needed, a Governance Process for assessing vendor compliance in accordance with Equifax’s Information Security Program to assess whether the vendor’s security safeguards are appropriate for that business, which Governance Process requires vendors by contract to implement and maintain such safeguards and to notify Equifax within 72 hours of discovering a security event, where feasible.  Incident Response Exercises: Equifax shall conduct, at a minimum, biannual incident response plan exercises to test and assess its preparedness to respond to a security event.  Breach Notification: Equifax shall comply with the state data breach notification laws, as applicable, and unless preempted by federal law.  Information Security Spending: Equifax shall ensure that its Information Security Program receives the resources and support reasonably necessary for the Information Security Program to function as required by this Settlement. In addition, over a five-year period beginning January 1, 2019, 29 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 31 of 45 Equifax shall spend a minimum of $1 billion on data security and related technology.  Third-Party Assessments: Equifax shall engage a Third-Party Assessor meeting the criteria specified in this Agreement to conduct a SOC 2 Type 2 attestation, or to conduct an assessment using industry-recognized procedures and standards in satisfaction of Regulator requirements for this Agreement (the “Third-Party Assessments”). Settlement Agreement, Exhibits 2 and 3. 45. In addition to the business practice changes regarding data security, Equifax has also agreed that it will not seek to enforce any arbitration provision or class action waiver in any Equifax product or service that has been offered in response to the breach or the settlement. Settlement Agreement ¶ 4.1.3. Further, Equifax will not receive any monetary or other financial consideration for the monitoring or restoration services made available under the Settlement, and is providing data necessary to provide those services free of charge. Id. ¶ 7.3. The Notice Plan and Claims Process 46. A key feature of the settlement is a first-of-its-kind notice program that applies modern techniques used in commercial and political advertising to inform the class and stimulate participation. Settlement Agreement, Exhibit 6. The program, which was developed by Class Counsel and Signal Interactive Media with input from the Federal Trade Commission and Consumer Financial Protection 30 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 32 of 45 Bureau, consists of: (1) four emails to those class members whose email addresses can be found with reasonable effort, which is expected to be at least 75 percent of the class; (2) an aggressive digital and social media campaign designed to reach 90 percent of the class an average of eight times before the Notice Date and another six times by the end of the initial claims period; (3) radio advertising and a fullpage, color advertisement in USA Today to reach those who have a limited digital presence; and (4) digital advertising during the extended claims period and while identity restoration services are available. Id. 47. The proposed emails and other notices, which are attached as exhibits to the Notice Plan, will be tested and targeted based on the demographics and other relevant characteristics of the class. The initial testing will involve focus groups, a national survey of 1,600 likely class members, and sending approved notices to small subsets of the class to measure their effectiveness. Then, once the full-scale campaign is launched, Signal will monitor its effectiveness through empirical data and continuously adjust the specific ads that are used and where those are placed to maximize their impact and drive claims. If the empirical data shows that additional measures are needed to accomplish its goals, the notice program may be supplemented with the Court’s approval. 31 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 33 of 45 48. The claims process similarly draws upon the most up-to-date techniques to facilitate participation, including a link to a settlement website in all emails and digital advertising; the ability to file and check claims electronically optimized for use on any device whether mobile or via personal computer; and a call-center via a toll-free number to assist class members in filing claims. JND, the proposed Settlement Administrator, is a widely-regarded expert with the experience and capability to handle a case of this magnitude. Attorneys’ Fees and Expenses 49. Class Counsel may request a fee of up to $77.5 million, which represents 25 percent of the original settlement fund created by the March 30 Term Sheet, and reimbursement of up to $3 million in litigation expenses. Settlement Agreement ¶ 11.1. Equifax has agreed not to oppose this amount. Id. This provision was a separately negotiated provision of the Term Sheet and Settlement Agreement, which was not discussed until after the parties had agreed on relief to the class. Class Counsel believes this fee is justified as a percentage of the fund generated through its skill and efforts, and when considered in light of the substantial monetary and non-monetary benefits conferred on the Class. 50. Class Counsel will also seek service awards for $2,500 for each Settlement Class Representative. Each of these individuals provided detailed 32 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 34 of 45 information of the circumstances regarding the impact of the breach that was vital to Class Counsel’s investigation and litigation of the class’s claims. Furthermore, each of them has remained active in the case, communicating with the attorneys working on the case during subsequent phases of the case. Equifax does not oppose these requests. Id. at ¶ 10.1. Both the application for fees and expenses, and the application for service awards will be filed at least 21 days before the Objection Deadline. Releases 51. The class will release Equifax from claims that were or could have been asserted in this case and in turn Equifax will release the class from certain claims. Id. at ¶¶ 20-22. Class Counsel believes the releases are appropriately tethered to the claims that were presented in the litigation and therefore appropriate consideration in exchange for the substantial class relief provided by the settlement. The Settlement is Fair, Reasonable, and Adequate 52. The resulting settlement, by any measure, is the largest settlement ever achieved in a data breach case. As reflected in the attached chart summarizing the terms of other significant consumer data breach settlements, the relief conferred on the class here including a non-reversionary fund of $380.5 million 33 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 35 of 45 (plus an additional $125 million if needed to pay Out-of-Pocket Losses and the added amount Equifax will have to pay for credit monitoring if more than 7 million class members enroll) is materially higher than that achieved in any other data breach case. Likewise, the specific benefits available to class members compare favorably to those available under any other settlement, and the business practice changes to which Equifax has agreed (including its commitment to spend at least $1 billion on cybersecurity over the next five years) are far more extensive than have previously been achieved. See Exhibit 1. 53. Class Counsel also believes that a settlement at this point in the litigation is warranted because class members benefit immediately from protections like credit monitoring and identity restoration services that can help prevent and detect identity theft and fraud before misuse occurs, and assist class members in addressing any issues that arise, including the protection of a $1 million insurance policy in case of identity theft or fraud. 54. Similarly, based on our experience in other data breach cases, the funds available in the Consumer Restitution Fund are tailored to address the losses stemming from the alleged breach. When a victim incurs out-of-pocket expenses relating to a data breach, it is typically associated with seeking advice about how to address the breach (e.g., paying for professional services), paying incidental costs 34 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 36 of 45 associated with identity theft or fraud (e.g., overdraft fees or costs for sending documents by certified mail), or taking mitigation measures like paying for credit monitoring or credit freezes. As such, the out-of-pocket expenses associated with a data breach are generally relatively modest, and rarely exceed several hundred dollars. When victims spend more than this amount, it is typically associated with paying for professional services such as accountant or attorneys’ fees. As such, we believe the Settlement provides a mechanism to recover the out-of-pocket losses that would have been proved at trial. 55. The settlement must also be viewed against the significant risks to the Plaintiffs had they continued to litigate the case. There was a risk that Plaintiffs’ claims would not have survived on a class-wide basis after a motion for class certification, or after one or more motions for summary judgment following the completion of fact and expert discovery. Data breach litigation is relatively new. While the law has gradually adapted, the path to a class-wide monetary judgment remains untrodden, and it will take some time before litigants and courts navigate all the unique issues posed by data breach lawsuits and some level of certainty sets, particularly in the area of damages. 56. Here, in addition to the traditional risks facing class plaintiffs in data breach cases, the settlement is highly beneficial when compared to two unique 35 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 37 of 45 risks presented under Georgia law, which the Court ruled applies to all the common law claims asserted by Plaintiffs. First, the Georgia Supreme Court recently called into question whether a defendant has a legal duty to safeguard the confidential personal information stolen in a data breach. See Georgia Department of Labor v. McConnell (Nos. S181786 and S181787), decided May 20, 2019. If this case was not settled (and had Equifax not executed a binding Term Sheet in March 2019), Equifax would have surely argued that the McConnell decision would bar Plaintiffs’ common law claims under Georgia law. 57. Second, Equifax also argued in moving to dismiss that there are questions under Georgia law whether most class members suffered a legallycognizable injury. In Collins v. Athens Orthopedic Clinic, 347 Ga. App. 13, 815 S.E.2d 13 (2018), the Georgia Court of Appeals specifically held that the costs of precautionary measures to protect against the risk of future harm from a criminal data breach are not recoverable under Georgia law. The Georgia Supreme Court has accepted cert in the case, but has yet to decide the case. 58. Class Counsel took all steps necessary to ensure that we had all the necessary information to advocate for a fair settlement that serves the best interests of the Settlement Class. Based on the public information available regarding the breach and Class Counsel’s extensive review of the factual record produced by 36 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 38 of 45 Equifax, Class Counsel believes the Settlement is in the best interests of the Settlement Class. 59. Finally, there is no indication that there are any conflicts between the Settlement Class Representatives and the Settlement Class. Rather, Settlement Class Representatives’ claims are substantially similar to the claims of the Settlement Class. Each of them was impacted by the Data Breach due to the unauthorized access to their personal information. Moreover, in crafting the Settlement, Class Counsel took care to ensure that the relief was allocated commensurate to the value of each class member’s respective claims – those that suffered a greater Out-of-Pocket loss will be able to make a proportionately larger claim than someone that did not. 60. In light of the totality of the circumstances, including the historic relief provided to the class as described above, the Court should conclude that the settlement is fair, reasonable, and adequate and likely to achieve final approval, and therefore notice should issue to the class. Continuing Appointment of Class Counsel 61. As discussed above, the Court previously appointed, Kenneth Canfield, Amy E. Keller, Norman E. Siegel and Roy Barnes as Class Counsel based on extensive applications provided to the Court. [Doc. 232] Class Counsel 37 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 39 of 45 respectfully submit that they have diligently served the class and the Court in litigating this case and presenting this Settlement for initial approval requesting issuance of notice and therefore request a continuing appointment pursuant to Fed. R. Civ. P. Rule 23(g) for purposes of implementing this Settlement. We declare under penalty of perjury pursuant to 28 U.S.C. § 1746 that the foregoing is true and correct. Executed this 21st day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield /s/ Amy E. Keller Amy E. Keller /s/ Norman E. Siegel Norman E. Siegel 38 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 40 of 45 Chart of Data Breach Settlement Involving Class of 10+ Million Case Number of Class Members and PII Compromised Up to 194 million individuals w/ compromised email addresses, passwords, security questions and answers, and telephone numbers and dates of birth if Preliminary approval provided granted: July 20, 2019 In re: Yahoo! Inc. Customer Data Security Breach Litig., No. 16-md02752-LHK (N.D. Cal.) In re: Experian Data Breach Litig., No. 8:15-cv-01592 (C.D. Cal.) 14.93 million individuals w/ compromised names, addresses, SSNs, Non-Monetary Security-Related Relief Credit / Financial Acct. Monitoring  Increased security budget and security employee headcount  Implementation of security program compliant with NIST Cybersecurity Framework Yes, 2 years of credit monitoring through AllClear ID that may be extended multiple years depending on remaining funds  Four years of third-party risk assessments  Implementation of vulnerability management schedules requiring critical issues to be resolved on set schedule Monetary Settlement Benefits  $117.5 million cash fund which includes:  Reimbursement of class members’ out-of-pocket costs up to $25,000 and time spent remedying issues up to 15 hours with documentation and 5 hours without documentation at $25 per hour  Alternative payments to class members w/ credit monitoring for $100 (can be increased to $358.80 per individual)  2 years of credit monitoring (to be extended if remaining funds)  Compensate paid users of Yahoo! for up to 25% of the amounts they paid for email services  Implementation of enhanced intrusion and anomaly detection tools  Attorneys fees’ up to $30 million and costs and expenses up to $2.5 million  Employee security training  Appointment of external Chief Information Security Officer board of advisors  Notice and administration costs up to $6 million  $22 million cash fund which includes:  Data security enhancements to Experian’s network  Reimbursement of class members’  Remediation of identified Yes, 2 years of credit monitoring through Identity Guard that may be extended if Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 41 of 45 Final approval granted: May 30, 2019 In re: Anthem, Inc. Data Breach Litig., No. 15-md-02617LHK (N.D. Cal.) Final approval granted: Aug. 15, 2018 dates of birth, identification numbers, and other PII 79.15 million individuals w/ compromised names, dates of birth, SSNs, healthcare ID numbers, addresses, and other PII out-of-pocket costs up to $10,000 and time spent remedying issues up to 7 hours with documentation and 2 hours without documentation at $20 per hour  2 years of credit monitoring at cost of up to $2.5 million depending on number of claimants  Attorneys fees’ up to $10.5 million and costs and expenses up to approx. $153,000  $115 million cash fund which includes:  Reimbursement of class members’ out-of-pocket costs up to $10,000 (up to $15 million of fund allocated for this purpose)    Alternative payments to class members w/ credit monitoring for $50 (up to $13 million of fund allocated for this purpose) Access to fraud resolution services through Experian for all class members 2 years of credit monitoring at a cost of $17 million (to be extended 2 vulnerabilities  Heightened encryption throughout network and user database  Implementation of Security First Program consisting of 82 security-related projects  Hiring an additional 60 fulltime security employees  Increased annual spending on data security for three years  Implement cybersecurity controls and reforms recommended by Plaintiffs’ cybersecurity experts  Change data retention policies  Follow specific remediation recommendations  Perform annual IT security risk assessments and settlement compliance review certain conditions are met Yes, 2 years of credit monitoring through Experian that may be extended multiple years depending on remaining funds Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 42 of 45 if remaining funds) In re: The Home Depot, Inc. Consumer Data Security Data Breach Litig., No. 1:14-md-02583 (N.D. Ga.) Attorneys fees’ up to $37.95 million and costs and expenses up to $2.14 million1  Notice and administration costs of $23 million 40 million individuals  with compromised  payment card information  Up to 53 million with stolen email addresses Final approval granted: Aug. 23, 2016 In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md- 2522 (D. Minn.)   $6.5 million for credit monitoring services separate from cash fund Up to $8.475 million in attorneys’ fees and $300,000 in costs separate from cash fund2 Notice and administration costs of $750,000 separate from cash fund  Appointment of Chief Information Security Officer  Required product and data risk assessments  Heightened vendor selection  Dynamic security program implementation  Employee education  Enhanced security measures for payment cards Total Value: 29,025,0003 Up to 110 million individuals with compromised payment card information  $10 million cash fund   Notice and administration costs of $6.57 million separate from cash fund Appointment of Chief Information Security Officer  Maintain written information security program  Maintain process to  Final approval granted: Nov. 15, $13 million cash fund Up to $6.75 million in attorneys’ fees separate from cash fund Total Value: $23,320,8164 1 The full amount of fees and costs were not ultimately awarded. Home Depot, ECF No. 181-2 at ¶¶ 28, 38, 61. 3 The full amount of fees and costs were not ultimately awarded, resulting in an actual total value of $28,468,800.97. 2 3 Yes, 18 months of identity protection services from Identity Guard No Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 43 of 45 2015 (affirmed on appeal June 14, 2018) In re Sony Gaming Networks and Consumer Data Security Breach Litig., No. 3:11-md02258 (S.D. Cal.) Final approval granted: May 4, 2015 In re: Heartland Payment Systems, Inc. Customer Data Security Breach Litig., 4:09-MD2046 (S.D. Tex.) Final approval granted: March 20, monitor for and respond to information security events  60 million individuals  w/ compromised names, mailing addresses, email  addresses, dates of birth, credit card information, login credentials, answers to security questions,  purchase history 130 million individuals w/ compromised payment card information No fund; claims-made settlement capped at $1 million with additional non-cash benefits Employee security training No No Reimbursement up to $2,500 for class members with unreimbursed charges from identity theft (capped at $1 million) $14 million in non-cash benefits including free games, subscriptions, and credits for various subclasses  Notice and administration costs of $1.25 million to be paid separately  Attorneys fees’ up to $2.67 million and costs and expenses of $77,724 to be paid separately  Settlement fund of $1 million and up to $2.4 million depending on number of claims  Reimbursement of class members’ out-of-pocket costs up to $175 or $10,000 in cases of identity theft and time spent remedying issues up to 5 hours with documentation at $10 per hour 4  Class Counsel employed independent expert to review the actions taken by Heartland to enhance the security of its payment processing systems and determined Heartland took prudent and good faith measures to minimize likelihood of a future No Target, ECF No. 482 at 35; see also ECF No. 645 at 8 (Final Approval Order) (noting that fee award of $6.75 million was 29% of total monetary fund, equating to value of 23,275,862). 4 Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 44 of 45  2012 In re: Countrywide Financial Corp. Customer Data Security Breach Litig., No. 3:08-MD01998 (W.D. Ky.) Final approval granted: Aug. 23, 2010 In re Department of Veterans Affairs (VA) Data Theft Litig., No. 06-0506 (JR) (D.D.C.) Final Approval granted: Sept. 11, 2009 17 million individuals  w/ compromised names, SSNs,  addresses, telephone numbers, credit and bank account information, and other financial  information 26.5 million individuals with compromised names, dates of birth, and SSNs intrusion Attorneys fees’ up to $725,000 and costs and expenses up to $35,000 to be paid separately No fund; claims-made settlement capped at $6.5 million  Reimbursement of losses attributable to identity theft up to $50,000 per incident (capped at $5 million) Reimbursement of out-of-pocket expenses incurred as result of identity theft (capped at $1.5 million)  Notice and administration costs of approx. $6 million to be paid separately  Attorneys fees’ up to $3.5 million and costs and expenses up to $125,000 to be paid separately  Service awards totaling $26,500 to be paid separately  Settlement fund of $20 million  Reimbursement of class members’ out-of-pocket costs up to $1,500 with each claimant to receive a minimum of $75  Balance paid to targeted military cy pres recipients  Notice and administration costs to be paid from fund 5 No Enhanced security measures adopted by Countrywide and subject to confirmatory discovery Yes, 2 years of credit monitoring services from Experian offered to 1.85 million class members who did not receive prior offer from Countrywide No Case 1:17-md-02800-TWT Document 739-4 Filed 07/22/19 Page 45 of 45 In re TJX Companies Retail Security Breach Litig., No. 07-10162 (D. Mass.) 45.7 million individuals with compromised payment card information  Attorneys fees’ of $3.6 million and costs and expenses of $157,076 awarded from fund  No fund; claims-made settlement capped at $10 million  $15 check or $30 store voucher for class members who certify they made a purchase at TJX and spent more than $5 or 30 minutes as a result of the data breach (subject to $10 million cap with checks and vouchers credited as $30 against cap) Final approval granted: Sept. 2, 2008  Additional $15 check or $30 voucher for documented claims ($7 million cap on checks, no cap on vouchers)  Reimbursement of driver’s license replacement costs and unreimbursed losses greater than $60 resulting from identity theft available to approx. 455,000 class members whose ID was compromised  Notice and administration costs of approx. $4.5 million to be paid separately  Attorneys fees’ up to $6.5 million and costs and expenses up to $155,000 to be paid separately 6  Retain an independent expert to recommend data security practices to be adopted by TJX and accepted by Plaintiffs’ expert  Enhanced computer systems Yes, 3 years of credit monitoring services from Equifax for the approx. 455,000 class members whose driver’s license or military, tax or state identification number may have been compromised Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 1 of 34 Exhibit 4 Declaration of Jim Messina, Signal Interactive Media, LLC In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 2 of 34 7 ;. :>2/*A 7, ><=86.; *=* $.,>;2=B ;.*,1 2=20*=287 8,4.= 8 8 6- %'% %12< -8,>6.7= ;.5*=.< =8 ! $& # $ $ *6 * ,8 /8>7-.; 8/ $207*5 7=.;*,=2?. .-2* E$207*5F @12,1 <>+3.,= =8 =1. *99;8?*5 8/ =1. 8>;= 1*< +..7 <.5.,=.- +B =1. 9*;=2.< =8 <.;?. *< =1. 8=2,. ";8?2-.; 27 ,877.,=287 @2=1 =1. 9;898<.- <.==5.6.7= 27 =12< ,*<. 6*4. =12< .,5*;*=287 +*<.- >987 6B 9.;<87*5 478@5.-0. 27/8;6*=287 9;8?2-.- =8 6. +B 6B *<<8,2*=.< *7- <=*// 27 =1. 8;-27*;B ,8>;<. 8/ +><27.<< *7- 27/8;6*=287 ;.*<87*+5B ;.52.- >987 +B .A9.;=< 27 =1. /2.5-< 8/ *-?.;=2<270 6.-2* *7- ,866>72,*=287< %1. 9>;98<. 8/ =12< -.,5*;*=287 2< =8 <.= /8;=1 $207*5G< .A9.;2.7,. *7- ,*9*+252=2.< -.<,;2+. =1. 9;898<.- 8=2,. "5*7 -.687<=;*=. @1B =1. 95*7 2< =1. +.<= 9;*,=2,*+5. 6.*7< 8/ 27/8;6270 ,5*<< 6.6+.;< *+8>= =1. <.==5.6.7= =1.2; Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 3 of 34 89=287< *7- =1. +.7./2=< *?*25*+5. =8 =1.6 *7- .A95*27 18@ =1. 95*7 =*4.< *-?*7=*0. 8/ 68-.;7 =.,172:>.< ;8>=27.5B ><.- 27 ,866.;,2*5 *7- 9852=2,*5 *-?.;=2<270 =8 +.<= =*;0.= *7- ;.*,1 ,5*<< 6.6+.;< *7- 6*A262C. =1.2; 9*;=2,29*=287 %1. 9;898<.- 8=2,. "5*7 @12,1 2< *==*,1.- *< *7 .A12+2= =8 =1. <.==5.6.7= *0;..6.7= @*< -.<207.- +B $207*5 27 ,855*+8;*=287 @2=1 =1. 9*;=2.< =8 =1. <.==5.6.7= *7- @2=1 279>= /;86 ;.9;.<.7=*=2?.< 8/ =1. .-.;*5 %;*-. 8662<<287 *7- =1. 87<>6.; 27*7,2*5 ";8=.,=287 >;.*> =1. 9;898<.- $.==5.6.7= -6272<=;*=8; *7- * ;.,8072C.- .A9.;= 27 2=< 8@7 ;201= 27 =1. /2.5- 8/ 9;8?2-270 78=2,. 27 ,5*<< *,=287< *5<8 @*< ,87<>5=.- *7- 1*< +..7 =*<4.- @2=1 ,.;=*27 ;.<987<2+252=2.< >7-.; =1. 95*7 27,5>-270 2-.7=2/B270 .6*25 *--;.<<.< /8; ,5*<< 6.6+.;< 78= 6*27=*27.- +B :>2/*A =;*7<62==270 .6*25< =8 ,5*<< 6.6+.;< *7- 6*27=*27270 =1. <.==5.6.7= @.+<2=. %1. 95*7 9;8?2-.< /8; * 27-2?2->*5 -2;.,= 78=2,. ?2* .6*25 =8 *55 ,5*<< 6.6+.;< @18<. .6*25 *--;.<<.< ,*7 +. 2-.7=2/2.- @2=1 ;.*<87*+5. .//8;= *< @.55 *< /8558@ >9 .6*25< ->;270 =1. 72=2*5 *7- A=.7-.- 5*26< ".;28-< + * <8912<=2,*=.- -202=*5 78=2,. ,*69*207 =*;0.=.- =8 ;.*,1 9.;,.7= 8/ *55 ,5*<< 6.6+.;< *99;8A26*=.5B =26.< +./8;. =1. 8=2,. *=. *7- *99;8A26*=.5B *--2=287*5 =26.< ->;270 =1. ;.6*27-.; 8/ =1. 72=2*5 5*26< ".;28- , ,87=27>*=287 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 4 of 34 8/ =1. -202=*5 ,*69*207 ->;270 =1. A=.7-.- 5*26< ".;28- @12,1 *6870 8=1.; =1270< @255 =*;0.= ,5*<< 6.6+.;< @18 <.*;,1 87527. /8; 1.59 ;.6.-B270 2-.7=2=B =1./= *7- - ;*-28 *-?.;=2<270 *7- * 9*2- *-?.;=2<.6.7= 27 * 7*=287*5 7.@<9*9.; =8 ;.*,1 ,5*<< 6.6+.;< @18 *;. 5.<< 524.5B =8 ><. .6*25 8; =1. 7=.;7.= %1. .//.,=2?.7.<< 8/ =1. 78=2,. ,*69*207 D =1*= 2< $207*5G< *+252=B =8 =*;0.= 78=2,. =8 ,5*<< 6.6+.;< @1.;. =1.B *;. 68<= 524.5B =8 <.. *7- ;.<987- =8 2= D @255 +. .71*7,.- +B 9;. ,*69*207 =.<=270 ><270 /8,>< 0;8>9< *7- * 7*=287*5 8927287 <>;?.B $207*5 @255 *5<8 ,87=27>8><5B 6872=8; =1. ;.<>5=< 8/ =1. ,*69*207 *< 2= 2< 8708270 *7- ><. =18<. ;.<>5=< =8 -.=.;627. @12,1 8/ =1. 9;898<.- .6*25 78=2,.< *7- -202=*5 *-?.;=2<.6.7=< *;. 68<= .//.,=2?. *7- @12,1 -202=*5 95*=/8;6< *;. -.52?.;270 =1. +.<= 8>=,86.< 7- *= =1. ,87,5><287 8/ =1. 9;80;*6 $207*5 @255 +. *+5. =8 ><. -*=* *7*5B=2,< =8 .?*5>*=. *7- ;.98;= =8 =1. 8>;= ;.0*;-270 =1. .//.,=2?.7.<< 8/ =1. 78=2,. .//8;=< %1. 8=2,. "5*7 -.<,;2+.- *+8?. 2< ,87<2<=.7= @2=1 =1. 0>2-.527.< 2<<>.- +B =1. .-.;*5 >-2,2*5 .7=.; .-.;*5 >-2,2*5 .7=.; E >-0.*0. >2-.F 9;8?2-270 *6870 8=1.; =1270< =1*= * ;.*<87*+5. 78=2,. 9;80;*6 <18>5- ;.*,1 +.=@..7 *7- 9.;,.7= 8/ =1. ,5*<< =1*= 78=2,.< ,86. =8 =1. *==.7=287 8/ =1. ,5*<< =1*= 78=2,.< *;. 27/8;6*=2?. *7- .*987 %1. 8=2,. "5*7 2< *5<8 ,87<2<=.7= @2=1 =1. +.<= 9;*,=2,.< 27 =1. /2.5- 8/ ,87<>6.; 8>=;.*,1 78=2,. *7- *-?.;=2<270 *7- 2< ,87<2<=.7= @2=1 =1. E >4. $=*7-*;--2,2*5 7<=2=>=. >4. *@ $,1885 ! ! " >0><= 7- 9.;1*9< 68<= 2698;=*7=5B =1. 9;898<.- 8=2,. "5*7 ,87<=2=>=.< =1. +.<= 78=2,. 9;*,=2,*+5. >7-.; =1. ,2;,>6<=*7,.< *7- 6..=< *55 8/ =1. ;.:>2;.6.7=< 8/ .- 2? " #>5. *7- =1. >. ";8,.<< 5*><. 8/ =1. & $ 87<=2=>=287 ! % #0) " (&+% % .' (! % $207*5 @*< ,8 /8>7-.- 27 +B *== *;;.=<87 *7- 6. ; *;;.=<87 2< * 5*@B.; @18 /8>7-.- =1. *;;.=<87 #.<85>=287 ;8>9 27 27,277*=2 !128 . 1*< .A=.7<2?. .A9.;2.7,. *-6272<=.;270 1>7-;.-< 8/ ,8695.A 6*<< =8;= *7- ,5*<< *,=287 <.==5.6.7=< 8?.; =1. 5*<= /2/=..7 B.*;< <9*77270 -8C.7< 8/ ,87=;2.< *7- 6255287< 8/ 98=.7=2*5 ,5*<< 6.6+.;< 7 *587. ; *;;.=<87 8?.;<*@ 68;. =1*7 =12;=B 52=20*=287 <.==5.6.7= 9;80;*6< @12,1 9*2- 8>= 68;. =1*7 +255287 27 ,5*26< ; *;;.=<87G< +28 2< *==*,1.- *< A12+2= Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 6 of 34 B +*,40;8>7- 2< 27 9852=2,< @1.;. 8?.; 68;. =1*7 B.*;< +.,*6. *7 .A9.;= 27 ;.*,1270 *7- 68=2?*=270 =*;0.=.- *>-2.7,.< =1;8>01 6*<< 6.-2* < ";.<2-.7= !+*6*G< ,*69*207 6*7*0.; 6.;0.- 6.-2* *7*5B=2,< *7- 9852=2,< 27 *7 >79;.,.-.7=.- @*B /8,><270 87 =*;0.=.- .6*25 <8,2*5 6.-2* *7- -202=*5 6.<<*0270 8805.G< A.,>=2?. 1*2;6*7 ;2, $,162-= ,*55.- 2= E=1. +.<= ;>7 ,*69*207 .?.; F 7 /8>7-.- =1. .<<27* ;8>9 7 *--2=287 =8 <.;?270 *< * ,*69*207 *-?2<8; =8 9852=2,2*7< <>,1 *< ;2=2<1 ";26. 272<=.;< *?2- *6.;87 *7- %1.;.<* *B 6B 0;8>9 -.<207< *7- 2695.6.7=< 6.-2* 95*7< /8; 787 9;8/2=< *7- 6*38; ,8;98;*=287< ;*70270 /;86 =89 /256 <=>-28< *7- 9>+52<1.;< =8 27=.;7*=287*5 *2;527.< B +28 2< *==*,1.- *< A12+2= !>; 08*5 27 /8>7-270 $207*5 @*< =8 *995B =1. <*6. =.,172:>.< ><.- 27 ,87=.698;*;B ,866.;,2*5 *7- 9852=2,*5 *-?.;=2<270 =8 =1. 9;8,.<< 8/ 9;8?2-270 78=2,. 27 ,5*<< *,=287< 2<=8;2,*55B 78=2,. 9;80;*6< 27 ,5*<< *,=287 <.==5.6.7=< 8/=.7 1*?. 27?85?.- * <2705. 78=2,. =8 .*,1 ,5*<< 6.6+.; @2=1 52==5. /8558@ >9 8?.; =26. 95*,.6.7= 8/ *-< 27 9>+52,*=287< =1*= -8 78= .//.,=2?.5B ;.*,1 6*7B ,5*<< 6.6+.;< *7- .?.7 2/ =1. 9;80;*6< 1*?. * -202=*5 ,86987.7= =1. ;.<>5=< 8/ =1. -202=*5 ,*69*207 /*55 <18;= +.,*><. 8/ =1. 5*,4 8/ *99;89;2*=. =*;0.=270 *7- 6.<<*0270 '. +.52.?. =1*= 2/ ,87=.698;*;B -.?.5896.7=< 27 =1. /2.5-< 8/ 9>+52, 8927287 ;.<.*;,1 *7- ,87<>6.; +.1*?28; 27,5>-270 :>*52=*=2?. *7- :>*7=2=*=2?. Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 7 of 34 =.<=270 *;. 9;89.;5B ><.- =8 <.5.,= =1. 68<= .//.,=2?. 6.<<*0270 *7- ,866>72,*=287 8>=5.=< =1.;. @255 +. +.==.; 78=2,. 9;80;*6< ,5*<< 6.6+.;< @255 +. 68;. *@*;. *+8>= * <.==5.6.7= *7- =1.2; 9*;=2,29*=287 ;*=.< @255 27,;.*<. '. ><. =1.<. <*6. =.,172:>.< 27 ,877.,=287 @2=1 8>; ,866.;,2*5 *7- 9852=2,*5 @8;4 '. +.52.?. />7-*6.7=*55B =1*= *55 6.<<*0.< <18>5- +. =.<=.- ;. =.<=.- *7- ;./27.- *7- =*;0.=.- .//.,=2?.5B /8; 6*A26>6 .70*0.6.7= *7- 6.*<>;.6.7= 8; 27<=*7,. =1. <*6. *-?.;=2<.6.7= =1*= @8;4< /8; * B.*; 85- 686 27 ;>;*5 !128 524.5B @255 78= @8;4 @2=1 * 87. B.*; <2705. 6*5. 27 .@ (8;4 2=B 7 =12< 9;8,.<< @. ><. * /.@ 4.B =*,=2,< -.<,;2+.- +.58@ • & +) (&+') .9.7-270 87 =1. 9;83.,= @. ,188<. /8,>< 0;8>9 58,*=287< =1*= 9;8?2-. >< =1. 68<= ;.9;.<.7=*=2?. <*695. 8/ 8>; =*;0.=.- 0;8>9 8,>< 0;8>9< .7*+5. >< =8 52<=.7 =8 -2//.;.7= 0;8>9< 8/ 9.895. 1.*; =1.2; ?2.@< *7- D ,;>,2*55B D =1.2; 5*70>*0. 87 =1. =892, *= 1*7- *7- =1.7 =.<= -2//.;.7= <=;*=.02, 1B98=1.<.< *7- 6.<<*0.< @2=1 =1.6 '. 8?.;<.. *7- ?2.@ =1.<. /8,>< 0;8>9< 27 9.;<87 @8;4270 @2=1 58,*5 /*,252=2.< '. 1*?. +>25= =1.<. =B9.< 8/ /8,>< 0;8>9< 27 6*7B -2//.;.7= 7*=287< *7- *;. *,,><=86.- =8 ,;.*=270 *7- /*,252=*=270 0;8>9< =1*= ,*9=>;. ,>5=>;*5 *7- ;.0287*5 7>*7,. *7- =1*= 9;8?84. 187.<= *7- 27<201=/>5 -2<,><<287 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 8 of 34 • +(, /) 7 ,873>7,=287 @2=1 8>; /8,>< 0;8>9< @. /2.5- * 6.<<*0270 <>;?.B =1;8>01 6>5=295. 68-.< 8/ ,87=*,= /*,. =8 /*,. 87527. *7- 9187. -.9.7-270 87 @1*= @8;4< +.<= 27 * 02?.7 .7?2;876.7= %1. <>;?.B *558@< >< =8 >7-.;<=*7- 6.<<*0.< =1*= @8;4 *< @.55 *< 18@ +.<= =8 =*;0.= -2//.;.7= 0;8>9< 8/ 9.895. 7 *--2=287 2= *558@< >< =8 -.=.;627. 9;26*;B 7.@< *7- 27/8;6*=287 <8>;,.< *7- +.==.; =*;0.= 27-2?2->*5 ,866>72,*=287 ,1*77.5< =8 <>+0;8>9< • * % #/*! ) &7-.;<=*7-270 =1. -.680;*912,< 8/ =1. =*;0.= *>-2.7,. 2< 9*;= 8/ 8>; <=;*=.0B %8 -8 =1*= @. ><. -*=* =1. ,52.7= 1*< *?*25*+5. *7- 27/8;6*=287 27 8>; 9;89;2.=*;B ,87<>6.; /25. !>; ,87<>6.; /25. ,87=*27< 8?.; -*=* 9827=< =1*= *;. 9>+52,5B *?*25*+5. 87 8?.; 6255287 6.;2,*7< 27,5>-270 -.680;*912, 27/8;6*=287 *7- ,87<>6.; 9>;,1*<270 1*+2=< +*<.- 87 <>;?.B< ,;.-2= ,*;- =;*7<*,=287< 58B*5=B ,*;- 27/8;6*=287 6*0*C27. <>+<,;29=287< *7- 8=1.; <8>;,.< '. 6*=,1 =12< 27/8;6*=287 =8 9;8/25. 8>; =*;0.= *>-2.7,. *7- *7*5BC. 2=< -.680;*912,< *7- +.1*?28; %12< *558@< >< =8 >7-.;<=*7- 68;. *+8>= =1. 0;8>9 *7- ;.*,1 =1.6 68;. .//.,=2?.5B • ! !* # , (*!)!% % /&% '125. =1. ;.<.*;,1 98;=287 =*4.< 95*,. @. <26>5=*7.8><5B +.027 8>; @8;4 87527. !7. 8/ =1. 4.B< =8 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 9 of 34 .70*0.6.7= *7- ;.<987<. 2< 9;8->,270 =1. ;201= ,87=.7= *= =1. ;201= /;.:>.7,B .*;7270 =1. =B9.< 8/ ,87=.7= =1*= ;.<87*=.< @2=1 8>; *>-2.7,. *558@< >< =8 ,87=27>*55B 27,;.*<. .70*0.6.7= *7- 0;8@=1 %8 *,12.?. =12< 8+3.,=2?. -.=*25.- ,87=.7= *7*5B=2,< *7- =.<=< *;. .<<.7=2*5 '. -8 =1. <*6. =B9. 8/ @8;4 =1;8>01 8=1.; 6.-2>6< 27,5>-270 .6*25 *7- 7.@<9*9.; *7- ;*-28 *-?.;=2<270 • )) !% $ %* * (&+ ! !* # %% #) =.<=270 9;8=8,85 =8 6.*<>;. =1. .//.,=2?.7.<< 8/ -2//.;.7= <8,2*5 6.-2* 6.<<*0.< 6.<<.70.;< *7- =26270 2< *78=1.; 4.B 9*;= 8/ 8>; <=;*=.0B *,.+884 /8; .A*695. 2< * ?.;B .//.,=2?. =885 =1*= *558@< >< =8 <.06.7= 8>; *>-2.7,.< *7- 6.*<>;. =1. ;.5.?*7,. <.7=26.7= *7- .70*0.6.7= *;8>7- -2//.;.7= 6.<<*0.< %1. ;.<>5=< 8/ 272=2*5 =.<=270 9;8?2-. * ,5.*; 9*=1 /8;@*;- /8; =1. <8,2*5 6.-2* <=;*=.0B +>= =.<=270 ,87=27>.< =1;8>018>= =1. .7=2;. ,*69*207 '. *;. ,87=27>*55B *7*5BC270 @1*= *-< @8;4 +.<= @2=1 @1*= 0;8>9< *7- *-3><=270 *,,8;-2705B $207*5 *7- 2=< 9.895. ;.<987<2+5. /8; =1. 8=2,. "5*7 1*?. ><.- =1. =.,172:>.< *7- 6.=18-< -.<,;2+.- *+8?. 27 -.<207270 *7- 2695.6.7=270 1>7-;.-< 8/ 6.-2* ,*69*207< 27 8>; ,866.;,2*5 *7- 9852=2,*5 @8;4 7 <8 -8270 @. 1*?. <>9.;?2<.- 8?.; +255287 27 9*2- *-?.;=2<270 *;8>7- =1. @8;5- Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 10 of 34 >,1 8/ =12< @8;4 2< -87. 87 * ,87/2-.7=2*5 +*<2< *7- ,*778= +. 9>+52,5B -2<,58<.- 8@.?.; 1.;. 2< 87. =B92,*5 .A*695. 8/ @1*= @. -8 6*38; 6.;2,*7 /88- 6*7>/*,=>;270 ,869*7B *<4.- >< =8 -.?.589 *- ,*69*207< =8 =*;0.=.- *>-2.7,.< <8 =1.B ,8>5- 5.*;7 68;. *+8>= @1*= =8 <*B *7- 18@ =8 <*B 2= @2=1 =1. 08*5 8/ /27-270 8>= 18@ =8 +.<= 0.= =1.2; 9;8->,=< 27=8 =1. 1*7-< 8/ ,><=86.;< @18 @8>5- 68<= 524. =8 1*?. =1.6 !?.; =1. ,8>;<. 8/ /8>; 687=1< 8>; =.*6 -.?.589.- 1>7-;.-< 8/ *-< 0.*;.- =8@*;-< -8C.7< 8/ *>-2.7,. 0;8>9< =1*= @. 2-.7=2/2.- =1;8>01 <8,2*5 52<=.7270 *7- ,87<>6.; 68-.5270 '. =1.7 =*;0.=.- =1. *-< *6870 *>-2.7,. 0;8>9< =8 -.=.;627. @12,1 @.;. 68<= .//.,=2?. *7- ,;*/=.- 7.@ *-< @2=1 2-.7=2/B 6.<<*0.< ,;.*=2?.< *7- 26*0.< =1*= 9;8?.- =8 +. 68<= .//.,=2?. +*<.- 87 <9.,2/2, 9;8->,=< *7- *-?.;=2<270 08*5< %1. =.,172:>.< @. 1*?. ><.- 27 8>; ,866.;,2*5 *7- 9852=2,*5 @8;4 1*?. +..7 <18@7 =8 +. .//.,=2?. 27 ,5*<< *,=287 78=2,. 9;80;*6< 27,;.*<270 ,5*<< 6.6+.; *@*;.7.<< *7- 9*;=2,29*=287 ;*=.< %1. +.<= .A*695. 2< " # # ' 8 * 9;8->,= 52*+252=B ,5*<< *,=287 *55.0270 =1*= <.?.7 6255287 #.6270=87 /2;.*;6< @.;. -./.,=2?. *7- 98<.- * <.;28>< <*/.=B ;2<4 7 9;.52627*;25B *99;8?270 * 9;898<.- <.==5.6.7= =1*= 9;8?2-.- ,5*<< 6.6+.;< *7 8998;=>72=B =8 1*?. =1. -./.,= ;.9*2;.- /8; /;.. =1. ,8>;= *>=18;2C.- * =;*-2=287*5 78=2,. ,*69*207 ,87<2<=270 8/ -2;.,= 6*25 <8,2*5 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 11 of 34 6.-2* *-?.;=2<270 *7- 9>+52,*=287 27 ,87<>6.; 6*0*C27.< =1*= ;*7 /8; =1;.. 687=1< !75B ,5*<< 6.6+.;< <>+62==.- ,5*26< ,*><270 =1. 3>-0. 8?.;<..270 =1. <.==5.6.7= =1. 878;*+5. !;=;2. $62=1 8/ =1. '.<=.;7 2<=;2,= 8/ 2<<8>;2 =8 -.,527. /27*5 *99;8?*5 8/ =1. <.==5.6.7= *7- 8;-.; =1. 9*;=2.< =8 2695.6.7= * 68;. .//.,=2?. 78=2,. 9;80;*6 $207*5 @*< ;.=*27.- =8 -.<207 *7- 2695.6.7= =1. <>995.6.7=*5 78=2,. 9;80;*6 '. -.<207.- =1. 9;80;*6 ><270 6*7B 8/ =1. =.,172:>.< -.<,;2+.- *+8?. 27,5>-270 .6958B270 -*=* *7*5B=2,< =8 -./27. *7- 2-.7=2/B =1. 6*4.>9 8/ =1. ,87<>6.;< 27 =1. ,5*<< ,;.*=270 *-< =*;0.=.- =8 =18<. ,87<>6.;< *7- =.<=270 =1. *-< *6870 =1;.. ,818;=< 8/ ;8>015B 98=.7=2*5 ,5*<< 6.6+.;< 8558@270 6.-2* =.<=270 *7- ,8>;= *99;8?*5 =1. 6.-2* .//8;= +.0*7 87 $.9=.6+.; *7- ;*7 =1;8>01 !,=8+.; >;270 =12< -*B 9.;28- ,5*<< 6.6+.;< <>+62==.- *7 *--2=287*5 ,5*26< *7 9.;,.7= 27,;.*<. 27 ,5*26< 8?.; =1. -*B 9.;28- ,869*;.- =8 =1. 9;.?28>< -*B 9.;28- *7- ,5*26< 1*?. <27,. 0;8@7 =8 68;. =1*7 6*;4270 * 68;. =1*7 9.;,.7= 27,;.*<. 27 ,5*26< 8?.; @1*= ;.<>5=.- /;86 =1. 272=2*5 78=2,. 9;80;*6 %1. .//.,=2?.7.<< 8/ =1. ,*69*207 2< -.687<=;*=.- +B =1. /8558@270 ,1*;= Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 12 of 34 7 /27*55B *99;8?270 =1. <.==5.6.7= */=.; =1. 272=2*5 ;.<>5=< 8/ =1. <>995.6.7=*5 78=2,. 9;80;*6 +.,*6. *99*;.7= >-0. $62=1 .691*<2C.- =1. .//2,*,B 8/ =1. <8,2*5 6.-2* ,*69*207 $207*5 -.<207.- *7- 2695.6.7=.- !7. 8/ =1. 5B7,1927< 8/ =1. <>995.6.7=*5 78=2,. >=252C.- +B =1. 9*;=2.< @*< =1.2; =*;0.=.- <8,2*5 6.-2* ,*69*207 %1;8>01 =12< 6.=18- 8/ 78=2,. =1. 78=2,. ;.*,1.- 68;. =1*7 /8>; 6255287 27-2?2->*5< *7- =1. *-?.;=2<.6.7=< @.;. ,52,4.- 68;. =1*7 =26.< 2?.7 =1. 989>5*;2=B 8/ <8,2*5 6.-2* 27 =1. &72=.- $=*=.< =1. ><. 8/ =*;0.=.- <8,2*5 6.-2* =8 78=2/B ,5*<< 6.6+.;< @*< B.= *78=1.; ;.*<87*+5. ,86987.7= 8/ =1. 78=2,. 95*7 " # # *= &*! # % (&'&) &( * !) ) '8;4 87 =1. 8=2,. "5*7 +.0*7 68;. =1*= .201= 687=1< *08 !7 8?.6+.; $207*5 ;.<987-.- =8 * ,87/2-.7=2*5 ;.:>.<= /;86 =1. 9*;=2.< Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 13 of 34 <852,2=270 +2-< /8; * 78=2,. 9;80;*6 =8 +. ><.- 2/ 87 08270 <.==5.6.7= 7.08=2*=287< 27 =12< ,*<. ,*6. =8 /;>2=287 !>; 9;898<*5 <.= /8;=1 27 <86. -.=*25 @1*= @. +.52.?.- @8>5- +. *7 .//.,=2?. 78=2,. 9;80;*6 *7- =1. 9;898<*5 1*< <>+<.:>.7=5B +..7 ;./27.- * 0;.*= -.*5 7 9*;=2,>5*; 8?.; =1. 9*<= <.?.;*5 687=1< @. 1*?. <9.7= 1>7-;.-< 8/ 18>;< @8;4270 @2=1 =1. 9*;=2.< *7- 8=1.; <=*4.185-.;< =8 ;.*<<.<< *7- 68-2/B *<9.,=< 8/ =1. 8=2,. "5*7 ,;.*=. *7- ;.?2<. 9;8=.7=2*5 *-?.;=2<.6.7=< *7- 8=1.; 6.<<*0270 *7- 8=1.;@2<. 9;.9*;. /8; =1. 95*7G< 2695.6.7=*=287 %1. 9;898<.- 95*7 1*< +..7 ?.==.- +B =1. 9*;=2.< *78=1.; ;.,8072C.- .A9.;= 27 =1. /2.5- 8/ ,5*<< *,=287 78=2,. *7- ,87<>6.; .A9.;=< *= =1. .-.;*5 %;*-. 8662<<287 *7- 87<>6.; 27*7,2*5 ";8=.,=287 >;.*> *5<8 >7-.;<=*7- =1*= ;.9;.<.7=*=2?.< 8/ =1. 8//2,.< 8/ /8;=B .201= $=*=. ==8;7.B< .7.;*5 @.;. *//8;-.- *7 8998;=>72=B =8 9;8?2-. 279>= %1. 6*38; .5.6.7=< 8/ =1. 9;80;*6 27?85?. * =@8 @..4 9.;28- 8/ ;.<.*;,1 *7- =.<=270 -2;.,= 78=2,. =1;8>01 .6*25 =8 =18<. ,5*<< 6.6+.;< /8; @186 .6*25 *--;.<<.< ,*7 +. 2-.7=2/2.- =1;8>01 ;.*<87*+5. .//8;=< -202=*5 *-?.;=2<270 ->;270 =1. 72=2*5 5*26< ".;28- =1;8>01 *,.+884 $.*;,1 8805. (*188 *7- 270 %@2==.; *7- 2<95*B 9*2- *-?.;=2<270 ><270 # *7- ;*-28 *7- * -202=*5 *-?.;=2<270 .//8;= ->;270 =1. A=.7-.- 5*26< ".;28- ";8?2<287< *;. *5<8 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 14 of 34 27,5>-.- /8; *--2=287*5 78=2,. 6.=18-< -.9.7-270 87 =1. ;.<>5=< 8/ =1. 78=2,. ,*69*207 <>+3.,= =8 />;=1.; *99;8?*5 /;86 =1. 8>;= %1. 9;80;*6 .7<>;.< =1*= =1. ,5*<< ;.,.2?.< ,87<=2=>=287*55B *-.:>*=. 78=2,. +B =1. 8=2,. *=. @12,1 8,,>;< -*B< /;86 =1. -*=. 8/ =1. 8>;=G< 8;-.; *99;8?270 =1. 9;80;*6 %1*= @255 *558@ ,5*<< 6.6+.;< =8 =26.5B .A.;,2<. =1.2; 89=287< =8 .A,5>-. =1.6<.5?.< /;86 =1. <.==5.6.7= 8; =8 8+3.,= =8 =1. <.==5.6.7= 2/ =1.B <8 ,188<. !>; 27=.7= 27 ,87=27>270 =8 <.7- .6*25< *7- 95*,. -202=*5 *-< */=.; =1. 8=2,. *=. 2< =8 ;.27/8;,. =1. .*;52.; 78=2,. .//8;=< ;.627- ,5*<< 6.6+.;< *+8>= =1. +.7./2=< *?*25*+5. =8 =1.6 >7-.; =1. <.==5.6.7= *7- 6*A262C. 9*;=2,29*=287 +B 27,;.*<270 *@*;.7.<< *7- *5.;=270 ,5*<< 6.6+.;< @1.7 =1. ,5*26< -.*-527. 2< *+8>= =8 .A92;. 55 8/ =1. /8;6< 8/ 78=2,. 1*?. +..7 @;2==.7 27 95*27 7052<1 *7- ,8695B @2=1 =1. *9952,*+5. ;.:>2;.6.7=< 8/ #>5. -2<,><< .*,1 ,86987.7= 8/ =1. 9;898<.- 8=2,. "5*7 27 68;. -.=*25 +.58@ %!*! # )*!% (!& $207*5 @255 9>= =80.=1.; * -.680;*912, 9;8/25. 8/ =1. <.==5.6.7= ,5*<< ><270 <>;?.B -*=* *7- -;*@270 87 =1. 9;89;2.=*;B -*=*+*<. 8/ ,87<>6.; 27/8;6*=287 $207*5 6*27=*27< =1*= -.<,;2+.- *+8?. %12< -*=*+*<. @12,1 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 15 of 34 ,87=*27< ,87<>6.; 27/8;6*=287 87 6255287 27-2?2->*5< 9>;,1*<.- /;86 A9.;2*7 2< -.;2?.- /;86 =1. <*6. <8>;,.< ><.- +B :>2/*A <>,1 *< ,;.-2= ,*;- ,869*72.< +*74< *7- ;.*5 .<=*=. =;*7<*,=287< $207*5 *5<8 @255 ,87?.7. * <.;2.< 8/ =.7 /8,>< 0;8>9< ,869;2<.- 8/ * ;.9;.<.7=*=2?. ,;8<< <.,=287 8/ =1. ,5*<< *,;8<< =1. ,8>7=;B *,1 0;8>9 @255 5*<= *99;8A26*=.5B =@8 18>;< +. 9;8/.<<287*55B 68-.;*=.- *7- ,87<2<= 8/ *99;8A26*=.5B .201= 9*;=2,29*7=< %1.<. /8,>< 0;8>9< @255 1.59 >< >7-.;<=*7- =1. -.680;*912, 6*4.>9 8/ =1. ,5*<< 98=.7=2*5 ,5*<< 6.6+.;;= *;. 68<= .//.,=2?. = =1. <*6. =26. @. @255 ,87->,= * <=*=2<=2,*55B <2072/2,*7= <>;?.B 8/ ,5*<< 6.6+.;< =1*= @255 9;8?2-. />;=1.; 27/8;6*=287 *+8>= =1. 98=.7=2*5 ,5*<< 6.6+.;< *7- *6870 8=1.; =1270< +. 8/ 1.59 27 2-.7=2/B270 @1*= 6.-2* <8>;,.< *;. ><.- *,;8<< =1. ?*;28>< -.680;*912,< 5.*;7270 @12,1 ,5*<< 6.6+.;< *;. 5.*<= 524.5B =8 +. /8>7- 87527. *7- *<<.<<270 =1. +.<= @*B =8 ;.*,1 =18<. ,5*<< 6.6+.;< 27*55B $207*5 @255 ,87->,= .*;5B =.<=270 8/ =1. 8>;= *99;8?.- *-< =1*= @. +.52.?. @255 @8;4 +.<= +*<.- 87 =1. /8,>< 0;8>9< *7- <>;?.B ;.<>5=< '. @255 *5<8 =.<= =1. 9;898<.- <>+3.,= 527.< 27 =1. 8>;= *99;8?.- .6*25 6.<<*0.< +B <.7-270 =1. .6*25< =8 * <6*55 <>+<.= 8/ =1. ,5*<< *7- -.=.;627270 @12,1 87.< *;. Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 16 of 34 68<= .//.,=2?. 27 ,*><270 ,5*<< 6.6+.;< =8 89.7 =1. .6*25< *<.- 87 =1. .692;2,*5 ;.<>5=< 8/ =18<. =.<=< $207*5 @255 +.027 =8 -./27. *7- 89=262C. =1. ?*;2*+5.< *//.,=270 =1. .//.,=2?.7.<< 8/ =1. ?*;28>< /8;6< *7- ,1*77.5< 8/ 78=2,. 55 8/ =1. *-< .6*25 <>+3.,= 527.< *7- ,87=.7= 8/ =1. .6*25< =8 +. =.<=.- *;. *==*,1.- *< .A12+2=< =8 =1. 8=2,. "5*7 / =1. 8>;= -.,527.< =8 *99;8?. *7B 8/ =1.6 =1. 87.< =1*= *;. 78= *99;8?.- @255 7.2=1.; +. =.<=.- 78; ><.- 27 =1. 78=2,. 9;80;*6 '. *5<8 27=.7- =8 =.<= =1. .//.,=2?.7.<< 8/ ?2-.8 *-< =1*= ,*7 +. 98<=.- 87 <8,2*5 6.-2* <2=.< &<. 8/ ?2-.8 2< 2698;=*7= +.,*><. 2= ,><=86*;25B 9;8->,.< 1201.; ;.<987<. ;*=.< ,,8;-270 =8 ,86$,8;. 87527. ?2-.8 ;.*,1.< >9 =8 9.;,.7= 8/ *->5=< .*,1 687=1 %1. <,;29=< /8; =1. 9;898<.- ?2-.8 *-< *;. 27,5>-.- 27 A12+2= =8 =1. 8=2,. "5*7 !7,. =1. <,;29=< 1*?. +..7 *99;8?.- =1. ?2-.8 *-< @255 +. 9;8->,.- *7- 9;.<.7=.- =8 =1. 9*;=2.< /8; =1.2; *99;8?*5 8 ?2-.8 *- @255 +. =.<=.- 8; 8=1.;@2<. ><.- >7=25 *7- >75.<< =1. /272<1.- 9;8->,=287 1*< ;.,.2?.- <>,1 *99;8?*5 !( * $ !# &*! '. @255 <.7- *= 5.*<= /8>; .6*25 78=2,.< =8 =1. ,5*<< %1. /2;<= @255 +. <.7= *< <887 *< 9;*,=2,*5 */=.; =1. 8;-.; *99;8?270 =1. 95*7 2< 2<<>.- *7- <>+<=*7=2*55B +./8;. =1. 8=2,. *=. %1. +8-B 8/ =1. .6*25 @255 ,87<2<= 8/ =1. Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 17 of 34 <18;= /8;6 78=2,. .2=1.; 27 =.A= 8; =.A= @2=1 ?2<>*5 26*0.< %@8 8=1.; .6*25< @255 +. <.7= ->;270 =1. 72=2*5 5*26< ".;28- D 87. *99;8A26*=.5B 27 =1. 62--5. 8/ =1. 9.;28- *7- =1. 8=1.; *99;8A26*=.5B =@8 @..4< +./8;. =1. .7- 8/ =1. 9.;28- %1. 9>;98<. 8/ =1.<. =@8 .6*25< 2< =8 ;.627- ,5*<< 6.6+.;< @18 1*?. 78= B.= /25.- * ,5*26 8/ =1. +.7./2=< *?*25*+5. =8 =1.6 >7-.; =1. <.==5.6.7= *7- *5.;= =1.6 =8 =1. >9,86270 ,5*26< -.*-527. /8>;=1 .6*25 @255 +. <.7= *= =1. +.0277270 8/ =1. A=.7-.- 5*26< .*-527. =8 27/8;6 ,5*<< 6.6+.;< =1*= =1.B 1*?. *--2=287*5 =26. =8 <>+62= ,5*26< /8; ,.;=*27 />=>;. 58<<.< %1. ,87=.7= 8/ *55 /8>; .6*25< 2< <.= /8;=1 27 A12+2= =8 =1. 8=2,. "5*7 $207*5 1*< 9;.9*;.- *99;8A26*=.5B /8>; -2//.;.7= <>+3.,= 527.< /8; .*,1 8/ =1. /8>; 9;898<.- .6*25< @12,1 *;. <.= 8>= 27 A12+2= =8 =1. 8=2,. "5*7 *,1 8/ =1. <>+3.,= 527.< @255 +. =.<=.- /8; .//.,=2?.7.<< 27 =1. 272=2*5 =.<=270 91*<. %1. ;.<>5=< 8/ =1*= =.<=270 @255 -.=.;627. =1. <>+3.,= 527.< =1*= @255 *,=>*55B +. ><.- @1.7 =1. .6*25< *;. <.7= '. *5<8 *7=2,29*=. ;>77270 * <.;2.< 8/ =.<=< @2=1 .6*25< <.7= =8 -2//.;.7= 0;8>9< =8 .7<>;. =1*= =1. 68<= .//.,=2?. <=;*=.02.< *;. +.270 ><.- =8 *?82- <9*6 /25=.;< *7- 27,;.*<. 89.7 ;*=.< 6*25< @255 ,87=*27 * 5274 -2;.,=5B =8 =1. <.==5.6.7= @.+<2=. 6*27=*27.- +B =1. $.==5.6.7= -6272<=;*=8; /*,252=*=270 =1. *+252=B 8/ ,5*<< 6.6+.;< =8 *,,.<< =1. @.+<2=. *7- /25. .5.,=;872, ,5*26< %1. .6*25< @255 *5<8 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 18 of 34 ,87=*27 * 5274 =1*= $9*72<1 <9.*4270 ,5*<< 6.6+.;< 6*B ,52,4 =8 *,,.<< =1. $9*72<1 5*70>*0. 98;=287 8/ =1. @.+<2=. %1. .6*25< @255 +. <.7= +B 8; >7-.; =1. 266.-2*=. -2;.,=287 8/ =1. $.==5.6.7= -6272<=;*=8; =8 *7 .6*25 52<= =1*= 2= @255 +>25- '2=127 /2?. -*B< */=.; =1. 8;-.; *99;8?270 78=2,. 1*< 2<<>.- :>2/*A @255 9;8?2-. =8 * 52<= 8/ ,5*<< 6.6+.;< @12,1 @255 27,5>-. .*,1 ,5*<< 6.6+.;G< .6*25 *--;.<< 2/ 478@7 8; ;.*<87*+5B *?*25*+5. =8 :>2/*A @255 =1.7 <>995.6.7= =1. .6*25 52<= +B 8+=*27270 .6*25 *--;.<<.< /;86 * =12;- 9*;=B ?.7-8; *7- 98=.7=2*55B /;86 $207*5 @12,1 6*27=*27< 2=< 8@7 9;89;2.=*;B -*=*+*<. 8/ ,87<>6.; .6*25 *--;.<<.< 6*25 -.52?.;B ,*7 /*25 /8; * ?*;2.=B 8/ ;.*<87< <>,1 *< *7 27?*52- .6*25 *--;.<< ;.3.,=287 *< 98=.7=2*5 <9*6 +B =1. ;.,292.7=G< 27=.;7.= <.;?2,. 9;8?2-.; 8; ;.3.,=287 +B =1. ;.,292.7=G< ,869>=.; 8; 7.=@8;4 /25=.;< @255 .6958B =.,172:>.< =8 *==.69= =8 ;.<85?. -.52?.;*+252=B 9;8+5.6< @2=1 =1. .6*25< =8 +. <.7= 27 =1. 78=2,. 9;80;*6 *7- ><. ;.*<87*+5. .//8;=< =8 8+=*27 >9-*=.- .6*25 *--;.<<.< /8; ,5*<< 6.6+.;< @18<. .6*25< *;. ;.=>;7.- *< >7-.52?.;*+5. @255 *5<8 =*4. <=.9< =8 .->,*=. ,5*<< 6.6+.;< *+8>= =1. 9;8+5.6 8/ 912<1270 *< -2<,><<.- 27 =1. 8=2,. "5*7 >7-.;<=*7- =1*= 27 2=< -.,5*;*=287 =8 +. <>+62==.- 27 ,877.,=287 @2=1 =1. 68=287 <..4270 *99;8?*5 8/ =1. 78=2,. 95*7 @255 -.<,;2+. 27 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 19 of 34 68;. -.=*25 =1. .6*25 78=2,. 9;80;*6 =1*= 2= @255 >7-.;=*4. *7- 8?.;<.. ! !* # &*! +(!% * %!*! # # !$) (!& %1. 9;898<.- 8=2,. "5*7 9;8?2-.< /8; .A=.7<2?. -202=*5 *-?.;=2<270 +8=1 +./8;. =1. 8=2,. *=. @1.7 2= 2< =*;0.=.- =8 ;.*,1 9.;,.7= 8/ =1. <.==5.6.7= ,5*<< *7- ,87=27>270 =1;8>018>= =1. 72=2*5 5*26< ".;28- %1. 98=.7=2*5 *-< $207*5 9;898<.< =8 =.<= /8; .//.,=2?.7.<< *7- ;.<987<. ;*=.< *;. *==*,1.- *< A12+2= =8 =1. 8=2,. "5*7 %1. *-< =1*= @255 *,=>*55B +. 95*,.- @255 +. ,18<.7 +*<.- 87 =1. =.<=270 ;.<>5=< =1*= 2< @. @255 95*,. =1. *-< =1*= *;. 68<= .//.,=2?. *7- 1*?. =1. <=;870.<= ;.<987<. ;*=.< !75B *-< =1*= 1*?. +..7 *99;8?.- +B =1. 8>;= @255 +. =.<=.- 8; ><.- *,1 8/ =1. *-< @255 5274 =8 =1. <.==5.6.7= @.+<2=. *//8;-270 ,5*<< 6.6+.;< .*= =1. <.==5.6.7= *7- =1. 8998;=>72=B =8 <>+62= ,5*26< 87527. %1. *-< @255 +. =;*7<5*=.- 27=8 $9*72<1 *7- =1. $9*72<1 5*70>*0. *-< @255 +. 95*,.- @1.;. *99;89;2*=. 202=*5 6.-2* *7- 68;. <9.,2/2,*55B <8,2*5 7.=@8;4270 <2=.< <>,1 *< *,.+884 8//.;< *-?*7,.- ,*9*+252=2.< 8?.; 68;. =;*-2=287*5 6.-2* /8;6< =1*= *//.,= +8=1 .//2,*,B *7- ,8<= '125. * -202=*5 6.-2* ,*69*207 2< >7-.;@*B @. ,*7 *7*5BC. .692;2,*5 -*=* 6.*<>;270 ;.*,1 =1. 7>6+.; 8/ 9.895. @18 <.. *7 *- 269;.<<287< =1. 7>6+.; 8/ =26.< =1. *- 2< -2<95*B.- *7- ;.<987<. ;*=.< =1. 7>6+.; 8/ =26.< * ?2.@.; ,52,4< 87 =1. *- ;6.- @2=1 =12< -*=* @. ,*7 *-3><= Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 20 of 34 =1. 62A 8/ *-< =1*= *;. +.270 ><.- *7- @1.;. =18<. *-< *;. 95*,.- =8 6*A262C. =1. .//.,=2?.7.<< 8/ =1. ,*69*207 +8=1 27 *+<85>=. =.;6< *7- 9.; -855*; <9.7= %1. -202=*5 ,1*77.5< =8 +. >=252C.- 27 9;8?2-270 78=2,. *;. -.<,;2+.- +.58@ • &&" % %)* ( $ *,.+884 *7- 2=< *//252*=. 7<=*0;*6 @255 /8;6 =1. ,8;7.;<=87. 8/ =1. ,*69*207 = 1*< =1. 68<= <8912<=2,*=.- =*;0.=270 ,*9*+252=2.< *7- ;2,1.<= /.*=>;. <.= ".;1*9< 68;. 2698;=*7=5B 8?.; 6255287 6.;2,*7< ><. =1. 95*=/8;6 • -!** ( %@2==.; 2< *78=1.; .//.,=2?. 95*=/8;6 =8 ;.*,1 6.;2,*7< =1;8>01 -202=*5 6.*7< 9*;=2,>5*;5B 4.B 27/5>.7,.;< 27 =1. 6*27<=;.*6 6.-2* @18 1*?. =1. *+252=B =8 *6952/B 8>; 78=2,. .//8;=< +B ;.98;=270 87 =1. <.==5.6.7= *7- =1>< 27,;.*<270 *@*;.7.<< 8/ =1. <.==5.6.7= *6870 ,5*<< 6.6+.;< • && # !% % && ( 7 .//.,=2?. -202=*5 78=2,. ,*69*207 <18>5- +. -.<207.- <8 =1*= ,5*<< 6.6+.;< @18 *;. <.*;,1270 87527. /8; 27/8;6*=287 ;.5*=270 =8 =1. <.==5.6.7= 8; 2-.7=2=B =1./= ,*7 .*<25B /27- =1*= 27/8;6*=287 *7- +. -2;.,=.- =8 =1. <.==5.6.7= @.+<2=. %1. 6*38; <.*;,1 .7027.< ><.- +B 6.;2,*7< *;. 8805. 270 *7- (*188 '. @255 ><. * ,8<= .//.,=2?. 9*2- <.*;,1 <=;*=.0B 87 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 21 of 34 =1.<. =1;.. <.*;,1 .7027.< =8 2-.7=2/B ,5*<< 6.6+.;< *7- 78=2/B =1.6 8/ =1. ;.5.?*7= 27/8;6*=287 =1.B 7..- =8 +. *@*;. 8/ =1. <.==5.6.7= >7-.;<=*7- =1.2; 89=287< *7- <>+62= * ,5*26 2/ =1.B ,188<. =8 -8 <8 8;. =1*7 *7B 8=1.; -202=*5 *-?.;=2<270 ,1*77.5 =.<=270 *7- .A9.;26.7=*=287 *;. ,;2=2,*5 /8; 9*2- <.*;,1 • !)'# / , (*!)!% 2<95*B *-?.;=2<270 2< *7 8672+>< =.;6 /8; * ?*;2.=B 8/ 26*0. =.A= *7- ?2-.8 *-< =1*= *99.*; 7.*; 8; 27 527. @2=1 @.+ ,87=.7= 2<95*B *-< *;. 95*,.- *= =1. =89 8/ @.+<2=.< +*77.; *-< 8?.;5*2- 87 @.+ ?2-.8 *5870<2-. 7.@< *;=2,5.< 87 68+25. *99< *7- 87 ?2;=>*55B .?.;B 8=1.; 95*,. ,87<>6.;< 08 87 =1. @.+ $207*5 @255 95*,. -2<95*B *-< ;.5*=270 =8 =1. <.==5.6.7= ><270 9;26*;25B =@8 87527. -2<95*B 7.=@8;4< 8805. 2<95*B .=@8;4 *7- *,.+884 >-2.7,. .=@8;4 $207*5 @255 .7<>;. -2<95*B *-< -8 78= *99.*; 87 @.+<2=.< =1*= *;. <.7<2=2?. 8; 27*99;89;2*=. *7- @255 =*4. <=.9< =8 ,86+*= *;=2/2,2*5 =;*//2, 62=20*=. /;*>- *7- *?82- <988/270 !>; =*;0.= 2< =8 ,;.*=. 6255287 -202=*5 269;.<<287< 87 8; +./8;. =1. 8=2,. *=. D 6255287 87 *,.+884 *7- ;.5*=.- 95*=/8;6< ;.9;.<.7=270 *<<>6.- *,=2?2=B 8/ 269;.<<287< 9.; ,5*<< 6.6+.; *= * 9.;,.7= ;.*,1 6255287 269;.<<287< 87 %@2==.; ;.9;.<.7=270 *<<>6.- *,=2?2=B 8/ *99;8A26*=.5B Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 22 of 34 87. 269;.<<287 9.; ,5*<< 6.6+.; *= * 9.;,.7= ;.*,1 *7- 6255287 269;.<<287< /;86 -2<95*B *-?.;=2<270 ;.9;.<.7=270 *<<>6.- *,=2?2=B 8/ 269;.<<287< 9.; ,5*<< 6.6+.; *= * 9.;,.7= ;.*,1 >;270 =1. ;.6*27-.; 8/ =1. 72=2*5 5*26< ".;28- =1. =*;0.= 2< =8 ,;.*=. *7 *--2=287*5 6255287 269;.<<287< D 6255287 87 *,.+884 *7- ;.5*=.- 95*=/8;6< 6255287 269;.<<287< 87 %@2==.; *7- 6255287 269;.<<287< 87 -2<95*B *-?.;=2<270 ,,8;-2705B =1. =*;0.=.- =8=*5 269;.<<287< ->;270 =1. 72=2*5 5*26< ".;28- @255 .A,..- +255287 %1. *,=>*5 269;.<<287< /8; =1. <9.,2/2, 95*=/8;6< 6*B -2//.; /;86 =1.<. =*;0.=< +.,*><. *< -.<,;2+.- *+8?. =1. 95*,.6.7= 8/ <9.,2/2, *-?.;=2<270 @255 +. *-3><=.- +B $207*5 ->;270 =1. ,8>;<. 8/ =1. ,*69*207 ! + #! *!&% &*! 7 *--2=287 =8 -2;.,= .6*25 78=2,. *7- 87527. -202=*5 *-?.;=2<270 =1. 8=2,. "5*7 9;8?2-.< 6.*7< =8 ;.*,1 ,5*<< 6.6+.;< @18 6*B 78= 1*?. ;.*-B *,,.<< =8 .6*25 8; +. .A98<.- =8 -202=*5 6.-2* $207*5 @255 95*,. * />55 9*0. *-?.;=2<.6.7= 27 # 87. 8/ =1. =1;.. 5*;0.<= 7*=287*5 7.@<9*9.;< ;.*- +B *99;8A26*=.5B <.?.7 6255287 6.;2,*7< .*,1 -*B %1. *-?.;=2<.6.7= @255 ;>7 +./8;. =1. 8=2,. *=. %1. ,87=.7= 8/ =1. *-?.;=2<.6.7= 2< ,87=*27.- 27 A12+2= =8 =1. 8=2,. "5*7 .9.7-270 87 =1. ;.<>5=< 8/ =.<=270 *7- =1. .692;2,*5 -*=* =1*= @255 +. *?*25*+5. ->;270 =1. 78=2,. ,*69*207 $207*5 6*B ;.,866.7- =1*= =1. Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 23 of 34 *-?.;=2<.6.7= +. 95*,.- 27 8=1.; 9>+52,*=287< $207*5 @255 *5<8 9;8->,. *7- 2695.6.7= * ;*-28 *-?.;=2<270 ,*69*207 =8 <>995.6.7= -2;.,= -202=*5 *7- 9*2- 9>+52,*=287 78=2,. 27 *;.*< @2=1 58@.; -202=*5 9.7.=;*=287 %1. ;*-28 *-?.;=2<270 ,*69*207 @255 8,,>; +./8;. =1. 8=2,. *=. %1. .A=.7= *7- <,89. 8/ =1. ,*69*207 @255 +. -.=.;627.- +*<.- >987 =1. ;.<>5=< 8/ =1. =.<=270 91*<. *7- =1. .692;2,*5 -*=* =1*= +.,86.< *?*25*+5. */=.; =1. 78=2,. 9;80;*6 +.027< $,;29=< /8; =1. ;*-28 *-?.;=2<.6.7=< *;. *==*,1.- =8 =1. 8=2,. "5*7 *< A12+2= &*! &(*) +(!% * .* % # !$) (!& % /&% &7-.; =1. <.==5.6.7= ,5*<< 6.6+.;< @255 +. .5202+5. =8 <>+62= ,5*26< /8; 8>= 8/ 98,4.= 58<<.< =1*= =1.B <>//.; ->;270 =1. /8>; B.*; A=.7-.- 5*26< ".;28- 2/ />7-< ;.6*27 *?*25*+5. 7 *--2=287 ,5*<< 6.6+.;< @255 +. .5202+5. =8 ;.,.2?. 2-.7=2=B ;.<=8;*=287 <.;?2,.< /8; <.?.7 B.*;< %8 =*4. *-?*7=*0. 8/ =1.<. +.7./2=< ,5*<< 6.6+.;< 7..- =8 +. *@*;. 8/ =1.6 / =1. 78=2,. 9;80;*6 .7-< @2=1 =1. ,8695.=287 8/ =1. .7- 8/ =1. <2A 687=1 72=2*5 5*26< ".;28- ,5*<< 6.6+.;< 6*B 78= ;.6.6+.; 8; +. *@*;. =1*= =1.B 1*?. * ,87=27>270 8998;=>72=B =8 <>+62= ,5*26< *7- 0.= 1.59 2/ =1.B *;. * ?2,=26 8/ 2-.7=2=B =1./= 8; =12< ;.*<87 =1. 8=2,. "5*7 9;898<.< =8 ,87=27>. =1. 78=2,. 9;80;*6 */=.; =1. .7- 8/ =1. 72=2*5 5*26< ".;28- *5=18>01 *= * 5.<< 27=.7<. 5.?.5 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 24 of 34 >;270 =1. A=.7-.- 5*26< ".;28- <8 5870 *< />7-< ;.6*27 *?*25*+5. =8 9*B ,5*26< $207*5 @255 ,87=27>. =8 95*,. -202=*5 *-?.;=2<270 *= * ;*=. 8/ *99;8A26*=.5B 269;.<<287< 9.; 687=1 %1.<. *-< @255 +. =*258;.- =8 =1. ;.52./ *?*25*+5. ->;270 =1. A=.7-.- 5*26< ".;28- 5<8 <8 5870 *< ,5*<< 6.6+.;< ;.6*27 .5202+5. /8; 2-.7=2=B ;.<=8;*=287 <.;?2,.< $207*5 @255 ,87->,= * 9*2- <.*;,1 <=;*=.0B *7- ><. 8=1.; -202=*5 6.*7< =8 =*;0.= 98=.7=2*5 ,5*<< 6.6+.;< @18 *;. ?2,=26< 8/ /;*>- 8; 2-.7=2=B =1./= %1. ,87=.7= /8; =12< *--2=287*5 -202=*5 *-?.;=2<270 2< *==*,1.- =8 =1. 8=2,. "5*7 *< A12+2= +''# $ %* # &*! )+( ) .9.7-270 87 =1. .//.,=2?.7.<< 8/ =1. 78=2,. 9;80;*6 27 *,,86952<1270 2=< 08*5< *7- ;.*,1270 *55 6.6+.;< 8/ =1. ,5*<< *< <18@7 +B =.<=270 *7- *7*5B<2< 8/ =1. .692;2,*5 -*=* 0.7.;*=.- ->;270 =1. 9;80;*6 $207*5 6*B ;.,866.7- =1*= <>995.6.7=*5 78=2,. .//8;=< +. 6*-. %1. 9*;=2.< 1*?. *0;..- =8 ,87<2-.; *55 <>,1 ;.,866.7-*=287< 27 088- /*2=1 *7- 2/ =1.B *0;.. @2=1 $207*5G< ;.,866.7-*=287< =8 <..4 *99;8?*5 /;86 =1. 8>;= =8 2695.6.7= =1.6 &% #+)!&% *6 ,87/2-.7= =1*= =1. 9;898<.- 8=2,. "5*7 @255 .//.,=2?.5B ;.*,1 =1. <.==5.6.7= ,5*<< 27,;.*<. ,5*<< 6.6+.;72=B /8; Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 25 of 34 9*;=2,29*=287 -.52?.; =1. +.<= 78=2,. 9;*,=2,*5 >7-.; =1. ,2;,>6<=*7,.< *7- =1>< <*=2. 9;8,.<< *7- =1. ;.:>2;.6.7=< 8/ #>5. B =*4270 *-?*7=*0. 8/ 68-.;7 =.,172:>.< 27 ,866.;,2*5 *7- 9852=2,*5 *-?.;=2<270 *< @. 1*?. 9;898<.- *7- ,87=27>270 =8 9;8?2-. 78=2,. /8; * 9.;28- 8/ 68;. =1*7 <.?.7 B.*;< =1. 8=2,. "5*7 <>+<=*7=2*55B 269;8?.< >987 =1. 78=2,. 9;80;*6< =1*= *;. ,><=86*;25B ><.- 27 6*38; ,5*<< *,=287< <.==5.6.7=< 7 6*7B @*B< =1. 9;80;*6 2< >72:>. B .A9.,=*=287 2< =1*= =1. 9;898<.- 8=2,. "5*7 */=.; 2=< *99;8?*5 *7- 2695.6.7=*=287 @255 1.59 =8 <.= =1. <=*7-*;- /8; />=>;. ,5*<< *,=287 <.==5.6.7=< *7- 27 <8 -8270 ,87=;2+>=. =8 269;8?270 =1. .//.,=2?.7.<< 8/ 78=2,. 9;80;*6< *7- 27,;.*<270 ,5*26< ;*=.< 27 8=1.; ,*<.< -.,5*;. >7-.; 9.7*5=B 8/ 9.;3>;B >7-.; =1. 5*@< 8/ =1. &72=.- $=*=.< 8/ 6.;2,* =1*= =1. /8;.08270 2< =;>. *7- ,8;;.,= $207.- 87 >5B 27 $*7 ;*7,2<,8 ))))))))))))))))))))))))))))) 26 .<<27* Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 26 of 34 EXHIBIT 1 Bio of Matt Garretson Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 27 of 34 Matthew Garretson Matthew Garretson received a BA from Yale University, a law degree at Kentucky’s Salmon P. Chase College of Law and a Masters in Theology from Chicago Theological Seminary. Garretson has served as the special master or administrator of settlement funds and crisis response programs through the country in environmental disaster, product liability, civil rights, sexual abuse and other cases. In this capacity, Garretson has substantial firsthand experience with the design, oversight and/or administration of hundreds of class action and mass tort resolution programs. Garretson is also the author of a legal textbook published by West Publishing entitled “Negotiating and Settling Tort Cases,” in addition to several articles regarding professional responsibility in settlements. He is a frequent speaker at Continuing Legal Education seminars regarding lawyers’ professional responsibilities in class action and other mass tort matters, including The American Association For Justice, The American Bar Association, The Rand Corporation, DRI and dozens of state attorney associations. Garretson also serves as a member of the Advisory Board for Rand Center for Catastrophic Risk Management and Compensation. Garretson is the co-founder of Signal Interactive Media, a firm dedicated to improving the efficacy of class notice through contemporary data analytics and mass media. He is also the co-Founder and former CEO of The Garretson Resolution Group, Inc (“GRG”), which provides lien resolution and complex settlement administration services in mass torts. Garretson led GRG through two separate private equity transactions in 2008 and 2012 and thereafter transitioned leadership to a seasoned management team and exited that business. (GRG ultimately was acquired by Epiq Claims). Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 28 of 34 When he is not designing or overseeing settlement programs, Garretson spends his time pouring into AmarrasLead.org. Amarras provides learning management systems for innovators and leaders of non-profit organizations operating in the Dominican Republic and Haiti with an emphasis on improving the well being of vulnerable youth, their families and their communities. Experience Garretson provides detailed design, coordination and oversight of complex operations in settlements to achieve controlled, predictable outcomes (e.g. notice/outreach, predictive claim progression, claim valuation methodology, settlement program integration and disbursement controls). Relevant experience in select high profile matters: World Trade Center Disaster Site Litigation (MDL Docket MC100, MC102 and MC103, United States District Court, Southern District of New York) Deepwater Horizon Litigation (MDL 2179, United States District Court, Eastern District Louisiana) National Football League Players’ Concussion Injury Litigation (MDL 2323, United States District Court, Eastern District of Pennsylvania). Archdiocese of Louisville (In re: Roman Catholic Bishop of Louisville, Inc., Jefferson Circuit Court, Louisville, Kentucky). Archdiocese of Cincinnati Claims Restitution Fund Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 29 of 34 Cincinnati Policing (Case No. C-1-99-3170, United States District Court, Southern District of Ohio) Zyprexa Products Liability Litigation (MDL 1596, United States District Court, Eastern District of New York) Vioxx Products Liability Litigation (MDL 1657, United States District Court, Eastern District of Louisiana) Pelvic Repair System Products Liability Litigation [a/k/a Transvaginal Mesh] (MDL 2326, United States District Court, Southern District of District of West Virginia) Avandia Marketing, Sales Practices, and Products Liability Litigation (MDL 1871, United States District Court, Eastern District of Pennsylvania) Actos Products Liability Litigation (MDL 2299, United States District Court, Western District of Louisiana) Remington Arms Company (Case No. 4:13-CV-00086OD (Western District of Missouri) TK Holdings Inc. (a/k/a Takata Airbags (Case No. 1711375, United States Bankruptcy Court, District of Delaware) Speaking Engagements (re: Aggregate Settlements, Legal Ethics & Professional Responsibility)     AAJ Annual Meeting ‘03, ‘06, ‘08 AAJ Hormone Therapy ‘04 AAJ Mid-Winter ‘05, ‘06 AAJ Weekend with the Stars ‘06 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 30 of 34                                               AAJ Nursing Home Litigation Seminar ‘08 AAJ Ski Medical Seminar ‘08 AAJ Winter Convention ‘08, ‘13 AAJ MSP Teleseminar ‘12 American Bar Association Annual Convention ‘15 Catholic Health Initiatives ‘08 Colorado Trial Lawyers Association Winter Convention ‘09, ‘12 Connecticut Trial Lawyers Association ‘09 Consumer Attorneys of California ‘01, ‘03, ‘04, ’06, ‘09 Consumer Attorneys of Sonoma County ‘01 DRI Annual Meeting ‘07 DRI Mass Torts MSP Webcast ‘13 Duke Law Center for Judicial Studies ‘16 Florida Justice Association ‘09 Georgia Trial Lawyers Association ‘08, ‘09 George Washington University Law School ‘16 Hamilton Country Trial Lawyers Association ‘05 Harris Martin ‘13, ‘15, ‘15, ‘16 Hormone Replacement Therapy Seminar ‘07 Indiana Trial Lawyers Association ‘09 Kansas Trial Lawyers Association ‘03, ‘04, ‘07 Kentucky Academy of Trial Lawyers ‘06 Kentucky Justice Association ‘08 Louisiana State Bar Association Admiralty Symposium ‘07, ‘13, ‘14, ‘15 Louisiana Bar Mass Tort Symposium ‘02, ‘04 Louisiana State Bar Assoc. Complex Litigation Symposium ‘13, ‘16 Louisiana Trial Lawyers Association Annual ‘07 Mass Torts Made Perfect ‘03, ‘04, ‘06, ‘08, ‘13 Mass Torts Made Perfect Judicial Forum ‘13 Mealey’s Lexis/Nexis Art of Negotiation ‘07 Mealey’s Lexis/Nexis Contingency Fees ‘07 Mealey’s Lexis/Nexis Ethics ‘07 Mealey’s Lexis/Nexis Client Expenses ‘06 Mealey’s Lexis/Nexis Emerging Drug and Devices ‘04 Mealey’s Lexis/Nexis MMSEA ‘08 Mealey’s Medicare & ERISA Liens: New Developments ‘09 Mississippi Trial Lawyers Association ‘02 Michigan Negligence Law Section ‘09 Michigan Association for Justice ‘08 Minnesota Trial Lawyers Association ‘09 Montana Trial Lawyers Association ‘08 New York Academy of Trial Lawyers ‘07 Norfolk and Portsmouth Bar Association ‘03 NABIS – Medical Issues in Brain Injury ‘05, ‘06, ‘07 Ohio Academy of Trial Lawyers Annual ‘03, ‘04, ‘05, ‘06, ‘07 Ohio Academy of Trial Lawyers Subrogation Seminar ‘06 Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 31 of 34                     Ohio Academy of Trial Lawyers Worker's Compensation ‘07 Ohio Association for Justice ‘08, ‘09 Insurance/Negligence Seminar ‘09 Ohio State Bar Association Annual Convention ‘06 Ohio Trial Advocacy Seminar ‘04, ‘06 Oklahoma Trial Lawyers Association ‘07 Perrin Conferences ‘12, ‘13 Philadelphia Assn. for Justice ‘08 Plaintiff Asbestos Litigation Seminar ‘07 Professionally Speaking Seminar ‘07 RAND Corporation ’16, ‘17 San Antonio Trial Lawyers Association ‘07 Society of Settlement Planners ‘07 TBI Symposium - Brain Injury Association of Ohio ‘04, ‘06 TPL-COB National Conference ‘07 Utah Bar Association Annual Seminar ‘05 Utah Trial Lawyers Brain Injury ‘02, ‘03, ‘04, ‘05, ‘06, ‘07 Utah Trial Lawyers Association Annual Convention ‘07 Utah Association for Justice ‘09 Virginia Trial Lawyers Association ‘05 Publications            Negotiating and Settling Tort Cases, ATLA / West Publishing (2007). Updated 2013, 2015. A Fine Line We Walk: Counseling Clients About the “Form” of Settlement, 13 A.B.A. Prof’l Law. 4, 2002. Don’t Get Trapped By A Settlement Release, Trial Magazine, September 2003. A Practical Approach to Proactive Client-Counseling and Avoiding Conflicts of Interest in Aggregate Settlements, The Loyola University Journal of Public Interest Law, Volume 6, 2004. Deferring Attorney Fees: Is There Now a Critical Mass of Enabling Legislation? Ohio Trial, Volume 14, Issue 2, 2005. Making Sense of Medicare Set-Asides, Trial Magazine, May 2006. What Does the Ahlborn Decision Really Mean? Ohio Trial, Fall 2006. Medicare’s Reimbursement Claim - The Only Constant is Change, Ohio Trial, Spring 2007. One More Thing to Worry About in Your Settlements: The Medicare, Medicaid and SCHIP Extension Act of 2007, Philadelphia Trial Lawyers Association Verdict, Volume 2007, Issue 6. Act II – Reporting Obligations for Settling Insurers where Medicare is a Secondary Payer: The Medicare, Medicaid and SCHIP Extension Act of 2007, May 18, 2009. Easing Health Care Lien Resolution, AAJ Trial Magazine, October 2010. Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 32 of 34   The Medicare, Medicaid and SCHIP Extension Act of 2007, Section 111 Reporting: One More Thing to Worry About in Your Settlements, March 2012. The SMART Act: How a New Federal Law Could Fast Track Your Settlements, 2013. Case Document 739-5 Filed 07/22/19 Page 33 of 34 EXHIBIT 2 Bio of Jim Messina Case 1:17-md-02800-TWT Document 739-5 Filed 07/22/19 Page 34 of 34 Jim Messina Jim Messina is an internationally recognized expert of reaching and informing target audiences through contemporary mass media. As President Obama’s 2012 campaign manager, Messina abandoned every step of a traditional presidential campaign and merged media, analytics, and politics in an unprecedented way. Messina’s approach to media established the modern presidential campaign—Google’s Former Executive Chairman Eric Schmidt called it “the best run campaign ever.” Messina is recognized throughout the globe as a mass media and data analytics expert, and is engaged by several heads of state as well as Fortune 500 retailers across the globe. Messina and his team have supervised over $1.1 billion in paid advertising across the globe. Messina has experience in using all contemporary paid, earned, and owned media (including traditional print media and, more notably, contemporary digital media such as social networking using Facebook).. His group currently designs media plans for political campaigns, non profits, and leading corporations from top Hollywood studios to international publishers. During the Obama Campaign, he saved $40 million by applying testing and data analytics to paid advertising. Messina’s “winning formula” is rooted in data analytics. In developing media plans, his group is guided by the belief that data, analytics, and testing can deliver dramatic improvements in efficacy per dollar. For example, to identify voters, his team compiled a score between 1 and 100 and predicted the vote for every single registered voter in Ohio—nearly 8 million people. His ability to test and analyze data enabled him to predict the early voting results within 1 percentage point nationwide, and the total results within .2 percentage points in Florida, a state in which 8.4 million people voted. As Time Magazine reported, “[A]ssumptions were rarely left in place without numbers to back them up.” Messina defined the modern approach to identify, reach, and effectively engage individuals through political advertising. Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 1 of 57 Exhibit 5 Declaration of Jennifer M. Keough, JND Legal Administration, LLC In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 2 of 57 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION IN RE: EQUIFAX INC. CUSTOMER DATA SECURITY BREACH LITIGATION Case No. 1:17-md-2800-TWT DECLARATION OF JENNIFER M. KEOUGH REGARDING PROPOSED ADMINISTRATION PROGRAM I, JENNIFER M. KEOUGH, declare as follows: I. 1. INTRODUCTION I am the Chief Executive Officer (“CEO”) of JND Legal Administration LLC (“JND”). This Declaration is based on my personal knowledge, as well as upon information provided to me by experienced JND employees and Counsel for the Plaintiffs and Defendants (“Counsel”), and if called upon to do so, I could and would testify competently thereto. 2. I have more than 20 years of legal experience creating and supervising claims administration programs and have personally overseen well over 500 matters. Some of the larger matters I have handled in my career include the administration of the $20 billion Gulf Coast Claims Facility; the $10 billion Deepwater Horizon BP Settlement; and the $3.4 billion Cobell Indian Trust (the largest U.S. Government class action ever). I have also been appointed as the Independent Claims -1- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 3 of 57 Administrator (“ICA”) by the United States District Court for the Northern District of California in Allagas v. BP Solar Int’l, Inc., Case No. 14-cv-00560. A comprehensive description of my experience is attached hereto as Exhibit A. 3. JND is a legal administration services provider with headquarters located in Seattle, Washington, and other offices throughout the Country. JND has extensive experience with all aspects of legal administration and has administered hundreds of class action settlements. JND was chosen as the Settlement Administrator in this case after going through a competitive bidding process. 4. As CEO, I am involved in all facets of JND’s operation, including monitoring the implementation of our claims administration programs. 5. I submit this Declaration at the request of Counsel in the above- referenced litigation to describe the proposed Administration Program for Class Members. II. 6. RELEVANT EXPERIENCE JND is one of the leading legal administration firms in the country. JND’s class action division provides all services necessary for the effective implementation of class action settlements including: (1) all facets of legal notice, such as outbound mailing, email notification, and the design and implementation of media programs, including through digital and social media platforms; (2) website design and deployment, including on-line claim filing capabilities; (3) call center and other contact support; (4) secure class member data management; (5) paper and -2- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 4 of 57 electronic claims processing; (6) lien verification, negotiation, and resolution; (7) calculation design and programming; (8) payment disbursements through check and pre-paid cards, among other things; (9) qualified settlement fund tax reporting; (10) banking services and reporting; and (11) all other functions related to the secure and accurate administration of class action settlements. JND is an approved vendor for the Federal Trade Commission (“FTC”) as well as for the United States Securities and Exchange Commission (“SEC”). We also have Master Services Agreements with various law firms, corporations, banks, and other government agencies, which were only awarded after JND underwent rigorous reviews of our systems, privacy policies, and procedures. JND has also been certified as SOC 2 compliant by accounting firm Moss Adams. Finally, JND has been recognized by various publications, including the National Law Journal, the Legal Times, and, most recently, the New York Law Journal, for excellence in class action administration. 7. As CEO of JND, I am regularly called on to submit declarations in connection with JND’s notice and administration work. In the last year alone, I have submitted expert declarations in connection with the following matters: USC Student Health Ctr. Settlement, Case No. 18-cv-04258-SVW (C.D. Cal.); Racies v. Quincy Bioscience, LLC, Case No. 15-cv-00292 (N.D. Cal.); Boskie v. Backgroundchecks.com, Case No. 2019CP3200824 (Ct. Com. Pl. S.C.); Hanks v. The Lincoln Life & Annuity Co. of New York, et al., Case No. 16-cv-6399 PKC -3- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 5 of 57 (S.D.N.Y.); In re ConAgra Foods Inc., Case No. 11-cv-05379-CJC-AGR (C.D. Cal.); Podawiltz v. Swisher Int’l, Inc., Case No. 16CV27621 (Or. Cir. Ct.); Linneman v. Vita-Mix Corp., Case No. 15-cv-748 (S.D. Ohio); In re Intuit Data Litig., Case No. 15-cv-1778-EJD (N.D. Cal.); In re Broiler Chicken Antitrust Litig., Case No. 16-cv-08637 (N.D. Ill.); McWilliams v. City of Long Beach, Case No. BC361469 (Cal. Super. Ct.); Granados v. County of Los Angeles, Case No. BC361470 (Cal. Super. Ct.); Finerman v. Marriott Ownership Resorts, Inc., Case No. 14-cv-1154-J32MCR (M.D. Fla.); Huntzinger v. Suunto Oy, Case No. 37-2018-00027159-CUBT-CTL (Cal. Super. Ct.); and Dover v. British Airways, PLC (UK), Case No. 125567 (E.D.N.Y.). The foregoing list is merely illustrative, not exhaustive, as I have submitted many more expert declarations in other matters during the abovereferenced period. 8. JND and its principals, including myself, have extensive experience handling settlements in federal courts throughout the Country including, but not limited to: In Re SunTrust Banks, Inc. ERISA Litig., Case No. 08-cv-03384-RWS (N.D. Ga.); Liotta v. Wolford Boutiques, LLC, Case No. 16-cv-4634 (N.D. Ga.); In re AudioEye, Inc. Sec. Litig., Case No. 15-cv-163 (DCB) (D. Ariz.); Wornicki v. Brokerpriceopinion.com, Inc., Case No. 13-cv-03258 (PAB) (KMT) (D. Colo.); Dixon v. Zabka, Case No. 11-cv-982 (D. Conn.); United States v. Greyhound Lines, Inc., Case No. 16-67-RGA (D. Del.); In re Wholesale Grocery Prods. Antitrust Litig., Case No. 9-md-2090 (ADM) (TNL) (D. Minn.); Tkachyk v. Travelers Ins., -4- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 6 of 57 Case No. 16-28-m (DLC) (D. Mont.); Muir v. Early Warning Servs., LLC, Case No. 16-cv-00521 (D.N.J.); San Antonio Fire & Police Pension Fund v. Dole Food Co., Case No. 15-cv-1140 (LPS) (E.D. Del.); Anger v. Accretive Health, Case No. 14-cv12864 (E.D. Mich.); Cecil v. BP America Prod. Co., Case No. 16-cv-410 (RAW) (E.D. Okla.); Doughtery v. QuickSIUS, LLC, Case No. 15-cv-06432-JHS (E.D. Pa.); Chance v. E.I. Du Pont De Nemours, Case No. 16-cv-00376-MAC-ZJH (E.D. Tex.); Dover v. British Airways, PLC (UK), Case No. 12-cv-5567 (E.D.N.Y.); Finerman v. Marriott Ownership Resorts, Inc., Case No. 14-cv-1154-J-32MCR (M.D. Fla.); In re Yahoo! Inc. Sec. Litig., Case No. 17-cv-00373 (N.D. Cal.); In re Akorn, Inc. Sec. Litig., Case No. 15-c-1944 (N.D. Ill.); Easley v. The Reserves Network, Inc., Case No. 16-cv-00544 (N.D. Ohio); Jeter v. Bullseye Energy, Inc., Case No. 12-cv-411 (TCK) (PJC) (N.D. Okla.); Parmelee v. Santander Consumer USA Holdings Inc., Case No. 16-cv-783-K (N.D. Tex.); Pierce v. Anthem Ins. Cos., Case No. 15-cv00562-TWP-TAB (S. D. Ind.); Family Medicine Pharmacy LLC v. Impax Laboratories, Inc., Case No. 17-cv-53 (S.D. Ala.); Kellgren v. Petco Animal Supplies, Inc., Case No. 13-cv-644 (L) (KSC) (S.D. Cal.); Belanger v. RoundPoint Mortg. Servicing, Case No. 17-cv-23307-MGC (S.D. Fla.); Linneman v. Vita-Mix Corp., Case No. 15-cv-748 (S.D. Ohio); Broussard v. Stein Mart, Inc., Case No. 16cv-03247 (S.D. Tex.); Cline v. TouchTunes Music Corp., Case No. 14-CIV-4744 (LAK) (S.D.N.Y.); In re Global Tel*Link Corp. Litig., Case No. 14-CV-5275 (W.D. Ark.); Sullivan v. Wenner Media LLC, Case No. 16-cv−00960-JTN-ESC (W.D. -5- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 7 of 57 Mich.); Backer Law Firm, LLC v. Costco Wholesale Corp., Case No. 15-cv-327 (SRB) (W.D. Mo.); Bollenbach Enters. Ltd. P’ship v. Oklahoma Energy Acquisitions, Case No. 07-cv-00134 (W.D. Okla.); Gragg v. Orange CAB Co., Inc., Case No. CV 12-576 RSL (W.D. Wash.); Hernandez v. Experian Info. Solutions, Inc., Case No. 05-cv-1070-DOC (MLGx) (C.D. Cal.); Chester v. The TJX Co., Inc., Case No. 5:15-cv-01437-DDP-DTBx (C.D. Cal.); In re Intuit Data Litig., Case No. 15-cv-1778-EJD (N.D. Cal.); and del Toro Lopez v. Uber Technologies, Inc., Case No. 17-cv-06255-YGR (N.D. Cal.). 9. JND’s Legal Notice Team, which operates under my direct supervision, researches, designs, develops, and implements a wide array of legal notice programs to meet the requirements of Rule 23 of the Federal Rules of Civil Procedure and relevant state court rules. Our notice campaigns, which are regularly approved by courts throughout the United States, use a variety of media including newspapers, press releases, magazines, trade journals, radio, television, social media and the internet depending on the circumstances and allegations of the case, the demographics of the class, and the habits of its members, as reported by various research and analytics tools. Although JND did not design the Notice Plan in this case, I have reviewed the Notice Plan proposed by Signal Interactive Media, LLC (“Signal” or “Notice Provider”), and believe that it meets the requirements of Rule 23 of the Federal Rules of Civil Procedure. I provide a more detailed analysis in Section III, below. -6- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 8 of 57 10. JND’s Class Action Administration Operations Team, which also operates under my direct supervision, works on a host of diverse and complex administration programs in the areas of Consumer, Antitrust, Securities, Employment, Discrimination, and Data Breach, among others. We are currently administering more than 200 active programs and have over 150 people on staff, not including our call center personnel. 11. Based on discussions with Counsel and what we understand of the Settlement Administration process at this time, and pending the Court’s preliminary approval of the proposed Settlement, JND’s Settlement Administration tasks are expected to include, among others, the following: TASK DESCRIPTION PROJECT Design, oversee and implement the administration program including but not limited to notice design (with the Notice Provider), website development, phone center protocols, claimant outreach and response, claims processing and handling, benefit distribution, working and coordinating with Counsel, preparing reports and declarations, working with and coordinating exchange of information with the Notice Provider and all other functions to ensure smooth completion of administration program. MANAGEMENT DATABASE MANAGEMENT Design and establish secure, case-specific database to house and track all noticing, calls, claims materials, deficiencies, outreach and payments. Build secure mechanism for any data transfers. DEDICATED WEBSITE Design secure case-specific website in English and Spanish with on-line filing capability, all settlement documents, FAQ section, ability to check claim status, upload document screen, integrated Equifax “Am I Impacted” tool, and other features so that there is a readily-available tool for Class Members with an -7- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 9 of 57 abundance of information about the settlement administration process. Website to be easily navigable, mobile enabled/optimized, and secure. CALL CENTER ASSISTANCE Establish toll free number and 24/7 Interactive Voice Recording (“IVR”) with an option for individuals to speak with Call Center during certain business hours. These Call Center agents will be trained on the specifics of the settlement, the administration program, the notice, the FAQs and the options available to Class Members. Call Center staffing will be dictated, in large part, by the notice program and its timing. For now, we anticipate having approximately 100 operators on the phones when the project goes “live.” We will quickly evaluate call volume to determine how to right-size the call center, either by increasing or decreasing our staffing. EMAIL TEAM Build a team to handle all email inquiries. We will build scripts, based off the website FAQs, and provide support to Class Members as needed. EMAIL NOTICE In coordination with Signal, provide email Notice to potential Class Members. To effectuate the four email campaigns, JND will take the following steps: • Obtain Class Member information from Equifax within five business days of preliminary approval—including names, last known mailing address, date of birth and last known email addresses to the extent reasonably available; • Use information from Equifax to build a complete Class Member email list for use in sending Notice via email; • Work collaboratively with the Notice Provider to ensure consistency of message and notice language to the Class; • Craft a subject line to ensure high deliverability and avoid spam; • Register the sender with the largest Internet Service Providers (“ISPs”), again to prevent spam; • Perform a verification process to validate the quality of the email addresses; • Use only verified email addresses when sending notice to increase open rate; -8- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 10 of 57 • Work with contacts at major ISPs to “whitelist” the email campaign; and • Review Notice Provider’s content and suggest revisions so that it is not too lengthy or otherwise cumbersome. JND will work closely with Signal and the Parties to send Email Notice meeting the requirements of Rule 23 and Due Process by the Notice Date. Prior to commencing the email program, JND will send test emails to email addresses hosted by several of the largest ISPs. We will also validate that the email notice will be able to be viewed via desktop, web, and mobile email applications. We also will run the email against spam testing software. We will work with Equifax to secure necessary data for email append project and to develop a list of emails based on Equifax’s data. Finally, if an email is returned undeliverable as a soft bounce, JND will attempt re-email of the Email Notice. MAIL NOTICE In coordination with Signal, print and mail notice to Class Members who request hard copy via case website or phones. Notice to be printed and mailed as requests come in. PROCESS CLAIM FORMS JND will mail copies of the Claim Form to Settlement Class Members who request such copies. Intake, prep, scan and process all paper forms and load and review all electronic forms. Per the terms of the Settlement, validate whether claims meet the criteria for one or more of the following forms of relief: (1) reimbursement for Out-of-Pocket Losses; (2) reimbursement for Time Spent remedying issues relating to the Data Breach; (3) free Credit Monitoring Services and/or (4) Alternative Reimbursement Compensation up to $125 for costs related to the purchase of Equifax credit or identity monitoring. In addition, reviewing necessary documentation to determine compliance with different claim category requirements. PROCESS OPT-OUTS AND OBJECTIONS Process mailed opt-outs and objections; validate forms; final review; identify and resolve issues. Provide copies of opt-outs and objections to Class Counsel and Defendants’ Counsel. DEFICIENCY AND Determine any deficiencies and work with Class Members to APPEALS PROCESS cure deficient conditions. Within 14 days after determining that a Settlement Class Member’s claim is deficient, JND will -9- 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 11 of 57 notify the Settlement Class Member of his or her right to cure the deficiency within 30 days or to request an appeal. If a Class Member appeals JND’s determination, JND shall send Class Counsel and Defendant’s Counsel the Class Member’s dispute, Claim Form, and relevant documentation, if any, for determination of the Class Member’s claim. SHORTFALL NOTIFICATION JND will notify Defendant’s Counsel and Class Counsel in writing on a monthly basis if and when there are insufficient funds remaining in the Consumer Restitution Fund to pay valid Out-of-Pocket Losses. DISTRIBUTION Calculate, review and implement individual benefits; establish QSF/Tax ID; account setup and management; reconciliation; create check language and design/format checks; manage check mailing; print and mail checks; research undeliverable checks and pre-paid cards (skip-trace) and remail; reissue checks and pre-paid cards. Work with card issuer to design pre-paid Visa card and create distribution awards. When mailing a check or pre-paid card, JND will send the check or pre-paid card to the address provided by the Settlement Class Member in the Claim Form or to the Settlement Class Member’s preferred address if updated with the Settlement Administrator. Checks not cashed within 90 days shall no longer be valid. Class Member who have not yet cashed checks will be reminded to do so between 30 and 40 days after the checks have been issued. REPORTING Prepare and disseminate custom reporting based on requirements of various stakeholders. III. 12. NOTICE PROGRAM DETAILS The Court has been asked to appoint a separate Notice Provider to design a comprehensive Notice Plan based upon focus-group testing. Although the Notice Provider will work to ensure that the Class is reached by Notice via - 10 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 12 of 57 alternative means—such as digital and social media, as well as other forms of nondirect notice—JND will be responsible for delivery of direct Email Notice to streamline the claims submission process, and will also provide support to the Notice Provider where necessary. Below is a more complete description of some of the key tasks listed above, as well as other elements of the Notice Program to be implemented by the Notice Provider. A. Email Notice 13. It is my understanding that Counsel has proposed sending Notice via email and alternative means (such as social media, electronic media, radio, print publication, and earned media) given the cost of direct mail notice. Based upon my experience in the field, the proposed Notice Plan is effective, will engage Class Members, and will have the necessary reach to meet the requirements of Rule 23 and Due Process. 14. An Email Notice will be disseminated to potential Class Members using email contact information provided by Equifax. Additionally, Equifax will provide the name, address, and date of birth for Class Members for whom Equifax does not possess an email address. JND will then work with entities, such as TransUnion, to cross-check the information provided by Equifax and purchase email addresses for these Class Members. Based on experience, JND expects to successfully locate an email address for in excess of 75% of Class Members for whom Equifax does not possess an email address. - 11 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 13 of 57 15. JND will send an initial Email Notice to all Class Members for whom an email address can be identified by the Notice Date. Before the claims deadline, additional Email Notices will be sent to Class Members who have not yet opted out, filed a claim, or unsubscribed from the initial email. If needed, another Email Notice will be sent at or about the beginning of the Extended Claims Period. 16. The Email Notice, among other things, will contain a link to the case- specific website so that Class Members can learn more about the Settlement and file a claim. The Email Notice will also contain a Spanish-language tag that will direct Spanish-speaking Class Members to a Spanish-language notice at the case website. 17. JND uses industry-leading email solutions to achieve the most efficient email notification campaigns. Our Data Team is staffed with email experts and software solution teams to conform the Email Notice program to the particulars of the Settlement. JND provides individualized support during the program and manages our sender reputation with the ISPs. For each of our programs, we analyze the program’s data and monitor the ongoing effectiveness of the notification campaign, adjusting the campaign as needed. These actions ensure the highest possible deliverability of the email campaign so that more potential Class Members receive Notice of the proposed Settlement. 18. Prior to sending the Email Notice, JND will work with the Notice Provider to evaluate the email for potential spam language to improve deliverability. This process includes running the email through spam testing software, DKIM for - 12 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 14 of 57 sender identification and authorization, and hostname evaluation. Additionally, we will check the send domain against the 25 most common IPv4 blacklists. 19. For each email campaign, JND will utilize a verification program to eliminate invalid email and spam traps that would otherwise negatively impact deliverability. We will then clean the list of email addresses for formatting and incomplete addresses to further identify all invalid email addresses. The email content is then formatted and structured in a way that receiving servers expect, allowing the email to pass easily to the recipient. 20. To ensure readability of the Email Notice, our team will work with the Notice Provider to review and format the body content into a structure that is applicable to all email platforms. Before sending the Email Notice campaign, we send a test email to multiple ISPs and open the email on multiple devices (iPhones, Android phones, desktop computers, tablets, etc.) to ensure the email opens as expected. Additionally, JND includes an “unsubscribe” link at the bottom of the Email Notice to allow Class Members to opt out of any additional email notices from JND. This step is essential to maintain JND’s good reputation among the ISPs and reduce complaints relating to the email campaign. JND will also work with the Notice Provider, Class Counsel, and counsel for the Defendants to identify email phishing campaigns and fraudulent websites, and will notify the Notice Provider, Class Counsel, and counsel for the Defendants of fraud schemes as soon as discovered. - 13 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 15 of 57 21. Emails that are returned are generally characterized as either “Soft Bounces” or “Hard Bounces.” Hard Bounces are when the ISP rejects the email due to a permanent reason such as the email account in no longer active. Soft Bounces are when the email is rejected for temporary reasons, such as the recipient’s email address inbox is full. 22. When an email is returned due to a soft bounce, JND attempts to re- email the Email Notice up to three additional times in an attempt to secure deliverability. The email is considered Undeliverable if it is a Hard Bounce or a Soft Bounce that is returned after third resend. B. Media Effort 23. In addition to the email effort, the Notice Provider will implement a media campaign that will consist of a digital effort that will serve more than 1.2 billion impressions over Facebook/Instagram, Twitter, and the Google Display Network; an internet search effort; a full-page notice placement in USA Today; and a radio campaign that will focus on areas with lower digital penetration. C. Extended Claims Period 24. If the Settlement funds are not exhausted during the Initial Claims Period, the Notice Provider will continue to place digital advertising at a rate of approximately 160,000 impressions per month until the Settlement funds are exhausted or the expiration of the Extended Claims Period, whichever occurs first. - 14 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 16 of 57 D. Dedicated Settlement Website 25. An informational, interactive, ADA-compliant, mobile-enabled Settlement Website (in both English and Spanish) will be developed to enable Class Members to get information about the Litigation and Settlement. 26. Upon Class Counsel’s filing of the Motion for Preliminary Approval, the Website will contain a “landing page,” indicating that the Website will be updated upon the Court’s entry of an Order Permitting Issuance of Class Action Notice in the Class Action. 27. As soon as possible after the Court’s entry of the Order Permitting Issuance of Class Action Notice in the Class Action and until the end of the time that Identity Restoration Services are available, the Website will have an easy-tonavigate design and will be formatted to emphasize important information and deadlines. Moreover, the Website will provide information about the Settlement Class Member’s rights and options under the Settlement. Other available features will include a secure contact form, check claim status tool, integration of Equifax’s “Am I Impacted” look-up tool to determine whether an individual is a Class Member, document upload feature, Settlement deadlines, Frequently Asked Questions page, and links to download the Long Form Notice (in both English and Spanish), Claim Form, and other important Court documents. The Website will describe the information and documentation that consumers must submit in connection with their claims, including instructions for providing such information - 15 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 17 of 57 and submitting documentation. The Website will be updated to include information concerning how Settlement Class Members can enroll in the Credit Monitoring Services and One-Bureau Credit Monitoring Services, and access Identity Restoration Services available through the Settlement once these benefits become available. 28. The Settlement Website will be optimized for mobile visitors so that information loads quickly on mobile devices and will also be designed to maximize search engine optimization through Google and other search engines. Keywords and natural language search terms will be included in the site’s metadata to maximize search engine rankings. 29. Visitors to the Settlement Website will have the ability to download the Claim Form or submit it electronically during the Initial and Extended Claims Periods. For extra protection related to the claims of minor Class Members, JND will make Claims Forms available for download, require a “wet signature” of a parent or guardian, and work with Class Counsel and Equifax’s Counsel to identify fraudulent claims. JND reserved the domain requested for this Settlement as www.EquifaxBreachSettlement.com. purchased by JND and Additional domains, which have been Class Counsel, will also forward to www.EquifaxBreachSettlement.com, to minimize potential spoofing and the creation of fraudulent sites. - 16 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 18 of 57 E. Settlement Administrator Email Address 30. JND has established a dedicated email address (info@EquifaxBreachSettlement.com) to receive and respond to known and potential Class Member inquiries. The settlement mailbox will be managed and maintained by JND and is hosted in JND's secure cloud and on-premise infrastructure. Data is always encrypted at rest and any data transmitted to the mailbox from the Settlement Website will be encrypted in-transit. Additionally, JND has configured the mailbox to employ encryption in-transit, whenever supported by the claimants’ email solution, for communications directly between a potential or known claimant’s mailbox and the settlement mailbox. The provisioning of access for JND staff to the info@EquifaxBreachSettlement.com mailbox follows JND's rigorous access policies which include, formal change management processes, quarterly reviews of access, and adherence to principle of least privilege best practices. JND will never request via email sensitive information from known or potential Class Members and will include a disclaimer stating such on the settlement website and all email correspondence. JND will generate email responses from scripted FAQs that will also be used by our call center personnel. Depending on call volume and availability, we will use some of the same members on each team for efficiency and to establish uniformity of messaging. - 17 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 19 of 57 F. 31. Dedicated Toll-Free Number JND will make available its scalable call center resources to develop and manage the incoming telephone calls received in response to the Notice Program. JND will establish and maintain a 24-hour, seven days per week, tollfree telephone line with IVR where callers may obtain information about the Settlement. During certain business hours, JND’s call center will be staffed with live operators who are professionally trained in how to answer questions related to this Settlement and in class action administration matters in general. We expect to staff the center with up to 100 operators to start the program. Our staffing will also include leads, supervisors, and QA staff. We intend to use at least two of our Call Center facilities to accommodate volume but also to create redundancy. 32. During both the Initial Claims Period and Extended Claims Period, we will monitor call activity on a daily basis and make regular decisions, in consultation with Counsel, whether to increase or decrease the staff depending on call volumes and also depending on milestones during the case. For example, we will likely increase staffing around the time of the claim filing deadline to accommodate anticipated questions about the deadline. We will also regularly update the Call Center scripts consistent with the feedback we are receiving from Class Members. We may add questions to the scripts as well as clarifying information to make sure that the claimant population understands all nuances of the Settlement and Administration program. Finally, we will prepare weekly reports for all stakeholders - 18 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 20 of 57 showing call metrics, and make recommendations to adjust Call Center hours and staffing levels during certain times of the day as we monitor the flow of calls during the day. IV. 33. CONCLUSION JND is prepared to handle the administration of this matter and has the resources and experience to do so in an effective manner. 34. In JND’s opinion, the Notice Program as described herein provides the best notice practicable under the circumstances; is consistent with the requirements of Rule 23 and all applicable court rules; and is consistent with other similar courtapproved best notice practicable notice programs. The Notice Program is designed to reach more than 90% of likely Class Members and provide them with multiple opportunities to review a notice and the ability to easily take next steps to learn more about the Settlement. Further, JND will provide support to Signal, where necessary, to ensure the Notice Program is carried out in an efficient and secure manner. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on July 21, 2019, in Seattle, Washington. JENNIFER M. KEOUGH - 19 - 1:17-MD-2800-TWT JENNIFER M. KEOUGH DECLARATION Case Document 739-6 Filed 07/22/19 Page 21 of 57 EXHIBIT A Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 22 of 57 JENNIFER KEOUGH CHIEF EXECUTIVE OFFICER AND CO-FOUNDER I. INTRODUCTION Jennifer Keough is Chief Executive Officer and a Founder of JND Legal Administration (“JND”). She is the only judicially recognized expert in all facets of class action administration - from notice through distribution. With more than 20 years of legal experience, Ms. Keough has directly worked on hundreds of high-profile and complex administration engagements, including such landmark matters as the $10 billion BP Deepwater Horizon Settlement, $3.4 billion Cobell Indian Trust Settlement (the largest U.S. government class action settlement ever), $600 million Engle Smokers Trust Fund, $20 billion Gulf Coast Claims Facility, $1 billion Stryker Modular Hip Settlement, and countless other high-profile matters. She has been appointed notice expert in many notable cases and has testified on settlement matters in numerous courts and before the Senate Committee for Indian Affairs. The only female CEO in the field, Ms. Keough oversees more than 150 employees at JND’s Seattle headquarters, as well as six other office locations around the country. She manages all aspects of JND’s class action business from day-to-day processes to high-level strategies. Her comprehensive expertise with noticing, claims processing, Systems and IT work, call center, data analytics, recovery calculations, check distribution, and reporting gained her the reputation with attorneys on both sides of the aisle as the most dependable consultant for all legal administration needs. Ms. Keough also applies her knowledge and skills to other divisions of JND, 1 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 23 of 57 including mass tort, lien resolution, government services, and eDiscovery. Given her extensive experience, Ms. Keough is often called upon to consult with parties prior to settlement, is frequently invited to speak on class action issues and has authored numerous articles in her multiple areas of expertise. Ms. Keough launched JND with her partners in early 2016. Just a few months later she was named as the Independent Claims Administrator (“ICA”) in a complex BP Solar Panel Settlement. Ms. Keough also started receiving numerous appointments as notice expert and in 2017 was chosen to oversee a restitution program in Canada where every adult in the country was eligible to participate. Also, in 2017, Ms. Keough was named a female entrepreneur of the year finalist in the 14th annual Stevie Awards for Women in Business. In 2015 and 2017, she was recognized as a “Woman Worth Watching” by Profiles in Diversity Journal. In 2013, she was featured in a CNN article, “What Changes with Women in the Boardroom.” Prior to forming JND, Ms. Keough was Chief Operating Officer and Executive Vice President for one of the then largest administration firms in the country, where she oversaw operations in several offices across the country and was responsible for all large and critical projects. Previously, Ms. Keough worked as a class action business analyst at Perkins Coie, one of the country’s premier defense firms, where she managed complex class action settlements and remediation programs, including the selection, retention, and supervision of legal administration firms. While at Perkins she managed, among other matters, the administration of over $100 million in the claims-made Weyerhaeuser siding case, one of the largest building product class action settlements ever. In her role, she established a reputation as being fair in her ability to see both sides of a settlement program. Ms. Keough earned her J.D. from Seattle University. She graduated from Seattle University with a B.A. and M.S.F. with honors. 2 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 24 of 57 II. LANDMARK CASES Jennifer Keough has the distinction of personally overseeing the administration of more large class action programs than any other notice expert in the field. Some of her largest engagements include the following: 1. Allagas v. BP Solar Int’l, Inc. No. 14-cv-00560 (N.D. Cal.) Ms. Keough was appointed by the United States District Court for the Northern District of California as the Independent Claims Administrator (“ICA”) supervising the notice and administration of this complex settlement involving inspection, remediation, and replacement of solar panels on homes and businesses throughout California and other parts of the United States. Ms. Keough and her team devised the administration protocol and built a network of inspectors and contractors to perform the various inspections and other work needed to assist claimants. She also built a program that included a team of operators to answer claimant questions, a fully interactive dedicated website with on-line claim filing capability, and a team trained in the very complex intricacies of solar panel mechanisms. In her role as ICA, Ms. Keough regularly reported to the parties and the Court as to the progress of the administration. In addition to her role as ICA, Ms. Keough also acted as mediator for those claimants who opted out of the settlement to pursue their claims individually against BP. Honorable Susan Illston, recognized the complexity of the settlement when appointing Ms. Keough the ICA (December 22, 2016): The complexity, expense and likely duration of the litigation favors the Settlement, which provides meaningful and substantial benefits on a much shorter time frame than otherwise possible and avoids risk to class certification and the Class’s case on the merits...The Court appoints Jennifer Keough of JND Legal Administration to serve as the Independent Claims Administrator (“ICA”) as provided under the Settlement. 3 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 25 of 57 2. Careathers v. Red Bull North America, Inc. No. 13-cv-0369 (KPF) (S.D.N.Y.) Due to the nature of this case, direct notice was impossible. Therefore, Ms. Keough assisted in the design of a publication notice and claims administration program intended to reach the greatest number of affected individuals. Due to the success of the notice program, the informational website designed by Ms. Keough and her team received an unprecedented 67 million hits in less than 24 hours. The Claims Administration program received over 2 million claim forms submitted through the three available filing options: online, mail, and email. Judge Katherine Polk Failla approved the notice program (May 12, 2015) finding: …that the Notice to the Settlement Class… was collectively the best notice practicable under the circumstances of these proceedings of the matters set forth therein, and fully satisfies the requirements of Rule 23(c)(2)(B) of the Federal Rules of Civil Procedure, due process, and any other applicable laws. 3. Chester v. The TJX Cos., Inc., et al. No. 15-cv-01437 (C.D. Cal.) As the notice expert, Ms. Keough proposed a multi-faceted notice plan designed to reach over eight million class members. Where class member information was available, direct notice was sent via email and via postcard when an email was returned as undeliverable or for which there was no email address provided. Additionally, to reach the unknown class members, Ms. Keough’s plan included a summary notice in eight publications directed toward the California class and a tear-away notice posted in all TJ Maxx locations in California. The notice effort also included an informational and interactive website with online claim filing and a toll-free number that provided information 24 hours a day. Additionally, associates were available to answer class member questions in both English and Spanish during business hours. Honorable Otis D. Wright, II approved the plan (May 14, 2018): 4 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 26 of 57 ... the Court finds and determines that the Notice to Class Members was complete and constitutionally sound, because individual notices were mailed and/or emailed to all Class Members whose identities and addresses are reasonably known to the Parties, and Notice was published in accordance with this Court’s Preliminary Approval Order, and such notice was the best notice practicable. 4. Cobell v. Salazar No. 96 CV 1285 (TFH) (D. D.C.) As part of the largest government class action settlement in our nation’s history, Ms. Keough worked with the U.S. Government to implement the administration program responsible for identifying and providing notice to the two distinct but overlapping settlement classes. As part of the notice outreach program, Ms. Keough participated in multiple town hall meetings held at Indian reservations located across the country. Due to the efforts of the outreach program, over 80% of all class members were provided notice. Additionally, Ms. Keough played a role in creating the processes for evaluating claims and ensuring the correct distributions were made. Under Ms. Keough’s supervision, the processing team processed over 480,000 claims forms to determine eligibility. Less than one half of 1 percent of all claim determinations made by the processing team were appealed. Ms. Keough was called upon to testify before the Senate Committee for Indian Affairs, where Senator Jon Tester of Montana praised her work in connection with notice efforts to the American Indian community when he stated: “Oh, wow. Okay… the administrator has done a good job, as your testimony has indicated, [discovering] 80 percent of the whereabouts of the unknown class members.” Additionally, when evaluating the Notice Program, Judge Thomas F. Hogan concluded (July 27, 2011): …that adequate notice of the Settlement has been provided to members of the Historical Accounting Class and to members of the Trust Administration Class…. Notice met and, in many cases, exceeded the requirements of F.R.C.P. 23(c)(2) for classes certified under F.R.C.P. 23(b)(1), (b)(2) and (b)(3). The best notice practicable has been provided class members, including individual notice where members could be identified through reasonable effort. The 5 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 27 of 57 contents of that notice are stated in plain, easily understood language and satisfy all requirements of F.R.C.P. 23(c)(2)(B). 5. Gulf Coast Claims Facility (GCCF) The GCCF was one of the largest claims processing facilities in U.S. history and was responsible for resolving the claims of both individuals and businesses relating to the Deepwater Horizon oil spill. The GCCF, which Ms. Keough helped develop, processed over one million claims and distributed more than $6 billion within the first year-and-a-half of its existence. As part of the GCCF, Ms. Keough and her team coordinated a large notice outreach program which included publication in multiple journals and magazines in the Gulf Coast area. She also established a call center staffed by individuals fluent in Spanish, Vietnamese, Laotian, Khmer, French, and Croatian. 6. Hernandez v. Experian Info. Solutions, Inc. No. 05-cv-1070 (C.D. Cal.) This case asserts claims in violation of the Fair Credit Reporting Act. The litigation dates back to 2005, when José Hernandez filed his original Class Action Complaint in Hernandez v. Equifax Info. Services, LLC, et al., No. 05-cv-03996 (N.D. Cal.), which was later transferred to C.D. Cal. and consolidated with several other related cases. In April 2009, a settlement agreement between Defendants and some plaintiffs was reached that would provide payments of damage awards from a $45 million settlement fund. However, after being granted final approval by the Court, the agreement was vacated on appeal by the United States Circuit Court of Appeals for the Ninth Circuit. The parties resumed negotiations and reached an agreement in April 2017. The settlement provided both significant monetary (approximately $38.7 million in non-reversionary cash) and non-monetary benefits. Ms. Keough oversaw the notice and administration efforts for the entire litigation. In approving the settlement and responding to objections about notice and administration expenses, Honorable David O. Carter, stated (April 6, 2018): 6 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 28 of 57 The Court finds, however, that the notice had significant value for the Class, resulting in over 200,000 newly approved claims—a 28% increase in the number of Class members who will receive claimed benefits—not including the almost 100,000 Class members who have visited the CCRA section of the Settlement Website thus far and the further 100,000 estimated visits expected through the end of 2019. (Dkt. 1114-1 at 3, 6). Furthermore, the notice and claims process is being conducted efficiently at a total cost of approximately $6 million, or $2.5 million less than the projected 2009 Proposed Settlement notice and claims process, despite intervening increases in postage rates and general inflation. In addition, the Court finds that the notice conducted in connection with the 2009 Proposed Settlement has significant ongoing value to this Class, first in notifying in 2009 over 15 million Class members of their rights under the Fair Credit Reporting Act (the ignorance of which for most Class members was one area on which Class Counsel and White Objectors’ counsel were in agreement), and because of the hundreds of thousands of claims submitted in response to that notice, and processed and validated by the claims administrator, which will be honored in this Settlement. 7. In re Air Cargo Shipping Services Antitrust Litig. No. 06-md-1775 (JG) (VVP) (E.D.N.Y.) This antitrust settlement involved five separate settlements. As a result, many class members were affected by more than one of the settlements, Ms. Keough constructed the notice and claims programs for each settlement in a manner which allowed for the comparison of claims data. Each claims administration program included claims processing, review of supporting evidence, and a deficiency notification process. The deficiency notification process included mailing of deficiency letters, making follow up phone calls, and sending emails to class members to help them complete their claim. To ensure accuracy throughout the claims process for each of the settlements, Ms. Keough created a process which audited many of the claims that were eligible for payment. 7 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 29 of 57 8. In re Classmates.com No. C09-45RAJ (W.D. Wash.) Ms. Keough managed a team that provided email notice to over 50 million users with an estimated success rate of 89%. When an email was returned as undeliverable, it was re-sent up to three times in an attempt to provide notice to the entire class. Additionally, Ms. Keough implemented a claims administration program which received over 699,000 claim forms and maintained three email addresses in which to receive objections, exclusions, and claim form requests. The Court approved the program when it stated: The Court finds that the form of electronic notice… together with the published notice in the Wall Street Journal, was the best practicable notice under the circumstances and was as likely as any other form of notice to apprise potential Settlement Class members of the Settlement Agreement and their rights to opt out and to object. The Court further finds that such notice was reasonable, that it constitutes adequate and sufficient notice to all persons entitled to receive notice, and that it meets the requirements of Due Process... 9. In re General Motors LLC Ignition Switch Litig. No. 2543 (MDL) (S.D.N.Y.) Ms. Keough oversaw the creation of a Claims Facility for the submission of injury claims allegedly resulting from the faulty ignition switch. The Claims Facility worked with experts when evaluating the claim forms submitted. First, the Claims Facility reviewed thousands of pages of police reports, medical documentation, and pictures to determine whether a claim met the threshold standards of an eligible claim for further review by the expert. Second, the Claims Facility would inform the expert that a claim was ready for its review. Ms. Keough constructed a database which allowed for a seamless transfer of claim forms and supporting documentation to the expert for further review. 8 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 30 of 57 10. In re Oil Spill by the Oil Rig “Deepwater Horizon” in the Gulf of Mexico, on April 20, 2010 No. 2179 (MDL) (E.D. La.) Following the closure of the Gulf Coast Claims Facility, the Deepwater Horizon Settlement claims program was created. There were two separate legal settlements that provided for two claims administration programs. One of the programs was for the submission of medical claims and the other was for the submission of economic and property damage claims. Ms. Keough played a key role in the formation of the claims program for the evaluation of economic and property damage claims. Additionally, Ms. Keough built and supervised the back-office mail and processing center in Hammond, Louisiana, which was the hub of the program. The Hammond center was visited several times by Claims Administrator Pat Juneau -- as well as by the District Court Judge and Magistrate -- who described it as a shining star of the program. 11. In re Stryker Rejuvenate and ABG II Hip Implant Products Liability Litig. No. 13-2441 (MDL) (D. Minn.) Ms. Keough and her team were designated as the escrow agent and claims processor in this $1 billion settlement designed to compensate eligible U.S. Patients who had surgery to replace their Rejuvenate Modular-Neck and/or ABG II Modular-Neck hip stems prior to November 3, 2014. As the claims processor, Ms. Keough and her team designed internal procedures to ensure the accurate review of all medical documentation received; designed an interactive website which included online claim filing; and established a toll-free number to allow class members to receive information about the settlement 24 hours a day. Additionally, she oversaw the creation of a deficiency process to ensure claimants were notified of their deficient submission and provided an opportunity to cure. The program also included an auditing procedure designed to detect fraudulent claims and a process for distributing initial and supplemental payments. Approximately 95% of the registered eligible patients enrolled in the settlement program. 9 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 31 of 57 12. In re The Engle Trust Fund No. 94-08273 CA 22 (Fla. 11th Jud. Cir. Ct.) Ms. Keough played a key role in administering this $600 million landmark case against the country’s five largest tobacco companies. Miles A. McGrane, III, Trustee to the Engle Trust Fund recognized Ms. Keough’s role when he stated: The outstanding organizational and administrative skills of Jennifer Keough cannot be overstated. Jennifer was most valuable to me in handling numerous substantive issues in connection with the landmark Engle Trust Fund matter. And, in her communications with affected class members, Jennifer proved to be a caring expert at what she does. 13. In re Washington Mutual Inc., Sec. Litig. No. 08-md-1919 MJP (W.D. Wash.) Ms. Keough supervised the notice and claims administration for this securities class action which included three separate settlements with defendants totaling $208.5 million. In addition to mailing notice to over one million class members, Ms. Keough managed the claims administration program, including the review and processing of claims, notification of claim deficiencies, and distribution. In preparation for the processing of claims, Ms. Keough and her team established a unique database to store the proofs of claim and supporting documentation; trained staff to the particulars of this settlement; created multiple computer programs for the entry of class member’s unique information; and developed a program to calculate the recognized loss amounts pursuant to the plan of allocation. The program was designed to allow proofs of claim to be filed by mail or through an online portal. The deficiency process was established in order to reach out to class members who submitted incomplete proof of claims. It involved reaching out to claimants via letters, emails, and telephone calls. 10 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 32 of 57 14. In re Yahoo! Inc. Sec. Litig. No. 17-cv-373 (N.D. Cal.) Ms. Keough oversaw the notice and administration of this $80 million securities settlement. In approving the settlement, Judge Lucy H. Koh, stated (September 7, 2018): The Court hereby finds that the forms and methods of notifying the Settlement Class of the Settlement and its terms and conditions: met the requirements of due process, Rule 23 of the Federal Rules of Civil Procedure, and 15 U.S.C. § 78u-4(a)(7) (added to the Exchange Act by the Private Securities Litigation Reform Act of 1995); constituted the best notice practicable under the circumstances; and constituted due and sufficient notice to all persons and entities entitled thereto of these proceedings and the matters set forth herein, including the Settlement and Plan of Allocation. 15. Linneman, et al., v. Vita-Mix Corp., et al. No. 15-cv-748 (S.D. Ohio) Ms. Keough was hired by plaintiff counsel to design a notice program regarding this consumer settlement related to allegedly defective blenders. The Court approved Ms. Keough’s plan and designated her as the notice expert for this case. As direct notice to the entire class was impracticable due to the nature of the case, Ms. Keough proposed a multi-faceted notice program. Direct notice was provided by mail or email to those purchasers identified through Vita-Mix’s data as well as obtained through third parties, such as retailers, dealers, distributors, or restaurant supply stores. To reach the unknown class members, Ms. Keough oversaw the design of an extensive media plan that included published notice in Cooking Light, Good Housekeeping, and People magazine and digital notice placements through Facebook/Instagram, Twitter, and Conversant, as well as a paid search campaign through Google and Bing. In addition, the program included an informational and interactive website where class members could submit claims electronically, and a toll-free number that provided information to class members 24 hours a day. When approving the plan, Honorable Susan J. Dlott stated (May 3, 2018): 11 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 33 of 57 JND Legal Administration, previously appointed to supervise and administer the notice process, as well as oversee the administration of the Settlement, appropriately issued notice to the Class as more fully set forth in the Agreement, which included the creation and operation of the Settlement Website and more than 3.8 million mailed or emailed notices to Class Members. As of March 27, 2018, approximately 300,000 claims have been filed by Class Members, further demonstrating the success of the Court-approved notice program. 16. Loblaw Card Program Jennifer Keough was selected by major Canadian retailer Loblaw and its counsel to act as program administrator in its voluntary remediation program as a result of a price-fixing scheme by some employees of the company involving bread products. The program offered a $25 Card to all adults in Canada who purchased bread products in Loblaw stores between 2002 and 2015. Some 28 million Canadian residents were potential claimants. Ms. Keough and her team: (1) built an interactive website that was capable of withstanding hundreds of millions of “hits” in a short period of time; (2) built, staffed and trained a call center with operators available to take calls twelve hours a day, six days a week; (3) oversaw the vendor in charge of producing and distributing the cards; (4) was in charge of designing and overseeing fraud prevention procedures; and (5) handled myriad other tasks related to this high-profile and complex project. 17. New Orleans Tax Assessor Project After Hurricane Katrina, the City of New Orleans began to reappraise properties in the area which caused property values to rise. Thousands of property owners appealed their new property values and the City Council did not have the capacity to handle all the appeals in a timely manner. As a result of the large number of appeals, the City of New Orleans hired Ms. Keough to design a unique database to store each appellant’s historical property documentation. Additionally, Ms. Keough designed a facility responsible for scheduling and coordinating meetings between the 5,000 property owners who appealed their property values and real estate agents or appraisers. The database that 12 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 34 of 57 Ms. Keough designed facilitated the meetings between the property owners and the property appraisers by allowing the property appraisers to review the property owner’s documentation before and during the appointment with them. 18. Williams, et al. v. Weyerhaeuser Co. Civil Action No. 995787 (Cal. Super. Ct.) This landmark consumer fraud litigation against Weyerhauser Co. had over $100 million in claims paid. The action involved exterior hardboard siding installed on homes and other structures throughout the United States from January 1, 1981 to December 31, 1999 that was alleged to be defective and prematurely fail when exposed to normal weather conditions. Ms. Keough oversaw the administration efforts of this program, both when she was employed by Perkins Coie, who represented defendants, and later when she joined the administration firm handling the case. The claims program was extensive and went on for nine years, with varying claims deadlines depending on when the class member installed the original Weyerhaeuser siding. The program involved not just payments to class members, but an inspection component where a court-appointed inspector analyzed the particular claimant’s siding to determine the eligibility and award level. Class members received a check for their damages, based upon the total square footage of damaged siding, multiplied by the cost of replacing, or, in some instances, repairing, the siding on their homes. Ms. Keough oversaw the entirety of the program from start to finish. 13 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 35 of 57 III. CASE EXPERIENCE Ms. Keough has played an important role in hundreds of matters throughout her career. A partial listing of her notice and claims administration case work is provided below. CASE NAME CASE NUMBER LOCATION Adair v. Michigan Pain Specialist, PLLC 14-28156-NO Mich. Cir. Adzhikosyan v. Denver Mgmt. Inc. BC648100 Cal. Super. Ct. Allagas v. BP Solar Int’l, Inc. 14-cv-00560 (SI) N.D. Cal. Andreas-Moses, et al. v. Hartford Fire Ins. Co. 17-cv-2019-Orl-37KRS M.D. Fla. Anger v. Accretive Health d/b/a Medical Financial Solutions 14-cv-12864 E.D. Mich. Arthur v. Sallie Mae, Inc. 10-cv-00198-JLR W.D. Wash. Atkins v. Nat’l. General Ins. Co., et al. 16-2-04728-4 Wash. Super. Ct. Atl. Ambulance Corp. v. Cullum and Hitti MRS-L-264-12 N.J. Super. Ct. Backer Law Firm, LLC v. Costco Wholesale Corp. 15-cv-327 (SRB) W.D. Mo. Barclays Dark Pool Sec. Litig. 14-cv-5797 (VM) S.D.N.Y. Belanger v. RoundPoint Mortgage Servicing 17-cv-23307-MGC S.D. Fla. Beltran, et al. v. InterExchange, et al. 14-cv-3074 D. Colo. Bergman v. Thelen LLP 08-cv-05322-LB N.D. Cal. BlackRock Core Bond Portfolio, et al. v. Wells Fargo 65687/2016 N.Y. Sup. Ct. Blocher v. Landry's Inc. 14-cv-03213-MSS-JSS M.D. Fla. Bollenbach Enters. Ltd. P’ship. v. Oklahoma Energy Acquisitions, et al. 17-cv-00134 W.D. Okla. Briones v. Patelco Credit Union RG 16805680 Cal. Super. Ct. Brna v. Isle of Capri Casinos and Interblock USA, LLC 17-cv-60144 (FAM) S.D. Fla. Broussard, et al. v. Stein Mart, Inc. 16-cv-03247 S.D. Tex. Browning v. Yahoo! C04-01463 HRL N.D. Cal. Calvert v. Xcel Energy 17-cv-02458-RBJ D. Colo. Careathers v. Red Bull North America, Inc. 13-cv-0369 (KPF) S.D.N.Y. Carmack, et al. v. Amaya Inc., et al. 16-cv-1884 D.N.J. Castro v. Cont’l Airlines, Inc. 14-cv-00169 C.D. Cal. 14 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 36 of 57 CASE NAME CASE NUMBER LOCATION Cecil v. BP America Prod. Co. 16-cv-410 (RAW) E.D. Okla. Chamblee, et al. v. TerraForm Power, Inc. 16 MD 2742 (PKC)(AJP) S.D.N.Y. Chanve c. E.I. Du Pont De Nemours 16-cv-00376-MAC-ZJH E.D. Tex. Chavez v. Our Lady of Lourdes Hosp. 12-2-50575-9 Wash. Sup. Ct. Chester v. The TJX Cos., Inc., et al. 15-cv-01437 C.D. Cal. Chieftain Royalty Co., et al. v. Marathon Oil Co. 17-cv-334 E.D. Okla. Chieftain Royalty Co. v. XTO Energy, Inc. 11-cv-00029-KEW E.D. Okla. Cline, et al. v. TouchTunes Music Corp. 14-CIV-4744 (LAK) S.D.N.Y. Cobell v. Salazar 96-cv-1285 (TFH) D.D.C. Common Ground Healthcare Coop. v. The United States 17-877C F.C.C. Connolly v. Umpqua Bank C15-517 (TSZ) W.D. Wash. Corona et al., v. Sony Pictures Entm’t Inc. 14−CV−09600−RGK−E C.D. Cal. Courtney v. Avid Tech., Inc. 13-cv-10686-WGY D. Mass. Davis v. Carfax, Inc. CJ-04-1316L D. Okla. Dearth v. Hartford Fire Insurance Co. 16-cv-1603-Orl-37LRH M.D. Fla. DeFrees, et al. v. John C. Kirkland, et al. and U.S. Aerospace, Inc. CV 11-04574 C.D. Cal. del Toro Lopez v. Uber Technologies, Inc. 17cv-06255-YGR N.D. Cal. Delkener v. Cottage Health System, et al. 30-2016-847934 (CU) (NP) (CXC) Cal. Super. Ct. DeMarco v. AvalonBay Communities, Inc. 15-cv-00628-JLL-JAD D.N.J. Diaz, et al. v. Lost Dog Pizza, LLC 17-cv-02228-WJM-NYW D. Colo. Dixon et al. v. Zabka et al. 11-cv-982 D. Conn. Djoric v. Justin Brands, Inc. BC574927 Cal. Super. Ct. Doan v. State Farm General Ins. Co. 1-08-cv-129264 Cal. Super. Ct. Doughtery v. QuickSIUS, LLC 15-cv-06432-JHS E.D. Pa. Dover et al. v. British Airways, PLC (UK) 12-cv-5567 E.D.N.Y. Dozier v. Club Ventures Investments LLC 17BK10060 S.D.N.Y. Easley v. The Reserves Network, Inc. 16-cv-544 N.D. Ohio Edwards v. Hearst Communications, Inc. 15-cv-9279 (AT) (JLC) S.D.N.Y. EEOC v. Patterson-UTI Drilling Co. LLC 5-cv-600 (WYD) (CBS) D. Colo. Erica P. John Fund, Inc. v. Halliburton Co. 02-cv-1152 N.D. Tex. 15 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 37 of 57 CASE NAME CASE NUMBER LOCATION Espenshade v. Wilcox & Wilcox BC647489 Cal. Super. Ct. Essex v. The Children's Place, Inc. 15-cv-5621 D.N.J. Expedia Hotel Taxes & Fees Litig. 05-2-02060-1 (SEA) Wash. Super. Ct. Family Medicine Pharmacy LLC v. Impax Laboratories, Inc. 17-cv-53 S.D. Ala. Family Medicine Pharmacy LLC v. Trxade Group 15-cv-00590-KD-B Inc. S.D. Ala. Farmer v. Bank of Am. 11-cv-00935-OLG W.D. Tex. Finerman v. Marriott Ownership Resorts, Inc. 14-cv-1154-J-32MCR M.D. Fla. Fitzgerald, as Trustee v. Lime Rock Resources CJ-2017-31 Okla. Dist. Fosbrink v. Area Wide Protective, Inc. 17-cv-1154-T-30CPT M.D. Fla. Fresno County Employees Retirement Association, et al. v. comScore Inc. 16-cv-1820 (JGK) S.D.N.Y. Frost v. LG Elec. MobileComm U.S.A., Inc. 37-2012-00098755-CUPL-CTL Cal. Super. Ct. FTC v. Consumerinfo.com SACV05-801 AHS (MLGx) C.D. Cal. Gervasio et al. v. Wawa, Inc. 17-cv-245 (PGS) (DEA) D.N.J. Gormley v. magicJack Vocaltec Ltd., et al. 16-cv-1869 S.D.N.Y. Gragg v. Orange Cab Co., Inc. and RideCharge, Inc. CV 12-576 RSL W.D. Wash. Granados v. County of Los Angeles BC361470 Cal. Super., Ct. Hahn v. Hanil Dev., Inc. BC468669 Cal. Super. Ct. Hanks v. The Lincoln Life & Annuity Co. of New York, et al. 16-cv-6399 PKC S.D.N.Y. Harris, et al. v. Amgen, Inc., et al. CV 07-5442 PSG (PLAx) C.D. Cal. Harrison v. Strategic Experiential Group RG16 807555 Cal. Super. Ct. Health Republic Ins. Co. v. The United States 16-259C F.C.C. Hernandez, et al. v. Experian Info. Solutions, Inc. 05-cv-1070 (DOC) (MLGx) C.D. Cal. Hines v. CBS Television Studios, et al. 17-cv-7882 (PGG) S.D.N.Y. Hopwood v. Nuance Commc’n, Inc. 4:13-cv-02132-YGR N.D. Cal. Howard v. Southwest Gas Corp. 18-cv-01035-JAD-VCF D. Nev. Howell v. Checkr, Inc. 17-cv-4305 N.D. Cal. Huntzinger v. Suunto Oy and Aqua Lung America, Inc. 37-2018-27159 (CU) (BT) (CTL) Cal. Super. Ct. 16 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 38 of 57 CASE NAME CASE NUMBER LOCATION In re Air Cargo Shipping Services Antitrust Litig. 06-md-1775 (JG) (VVP) E.D.N.Y. In re Akorn, Inc. Sec. Litig. 15-c-1944 N.D. Ill. In re Am. Express Fin. Advisors Sec. Litig. 04 Civ. 1773 (DAB) S.D.N.Y. In re AMR Corp., et al. (American Airlines Bankruptcy) 1-15463 (SHL) S.D.N.Y. In re Auction Houses Antitrust Litig. 00-648 (LAK) S.D.N.Y. In re AudioEye, Inc. Sec. Litig. 15-cv-163 (DCB) D. Ariz. In re Broiler Chicken Antitrust Litig. 16-cv-08637 N.D. Ill. In re Classmates.com C09-45RAJ W.D. Wash. In re ConAgra Foods Inc. 11-cv-05379-CJC-AGR C.D. Cal. In re CRM Holdings, Ltd. Sec. Litig. 10-cv-00975-RPP S.D.N.Y. In re General Motors LLC Ignition Switch Litig. 2543 (MDL) S.D.N.Y. In re Global Tel*Link Corp. Litig. 14-CV-5275 W.D. Ark. In re GoPro, Inc. Shareholder Litig. CIV537077 Cal. Super. Ct. In re Guess Outlet Store Pricing JCCP No. 4833 Cal. Super. Ct. In re Initial Public Offering Sec. Litig. (IPO Sec. Litig.) No. 21-MC-92 S.D.N.Y. In re Intuit Data Litig. 15-CV-1778-EJD N.D. Cal. In re Legacy Reserves LP Preferred Unitholder Litig. 2018-225 (JTL) Del. Chancery In re LIBOR-Based Financial Instruments Antitrust Litig. 11-md-2262 (NRB) S.D.N.Y. In re MyFord Touch Consumer Litig. 13-cv-3072 (EMC) N.D. Cal. In re Oil Spill by the Oil Rig “Deepwater Horizon” in the Gulf of Mexico, on April 20, 2010 2179 (MDL) E.D. La. In re PHH Lender Placed Ins. Litig. 12-cv-1117 (NLH) (KMW) D.N.J. In re Polyurethane Foam Antitrust Litig. 10-md-196 (JZ) N.D. Ohio In re Processed Egg Prod. Antitrust Litig. 08-MD-02002 E.D. Pa. In re Resonant Inc. Sec. Litig. 15-cv-1970 (SJO) (MRW) C.D. Cal. In re Stryker Rejuvenate and ABG II Hip Implant 13-md-2441 Products Liability Litig. D. Minn. In Re SunTrust Banks, Inc. ERISA Litig. 08-cv-03384-RWS N.D. Ga. In re Tenet Healthcare Corp. Sec. CV-02-8462-RSWL (Rzx) C.D. Cal. In re The Engle Trust Fund 94-08273 CA 22 Fla. 11th Cir. Ct. 17 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 39 of 57 CASE NAME CASE NUMBER LOCATION In re Unilife Corp. Sec. Litig. 16-cv-3976 (RA) S.D.N.Y. In re Washington Mutual Inc. Sec. Litig. 8-md-1919 (MJP) W.D. Wash. In re Webloyalty.com, Inc., Mktg. and Sales Practices Litig. 06-11620-JLT D. Mass. In re Wholesale Grocery Products Antitrust Litig. 9-md-2090 (ADM) (TNL) D. Minn. In re Williams Sec. Litig. 02-CV-72-SPF (FHM) N.D. Okla. In re Worldcom, Inc. Sec. Litig. 2-CIV-3288 (DLC) S.D.N.Y. In re Yahoo! Inc. Sec. Litig. 17-cv-373 N.D. Cal. Ivery v. RMH Illinois, LLC and RMH Franchise Holdings, Inc. 17-CIV-1619 N.D. Ill. Jerome, et al. v. Elan 99, LLC 2018-02263 Tx. Dist. Ct. Jeter, et al. v. Bullseye Energy, Inc., et al. 12-cv-411 (TCK) (PJC) N.D. Okla. Johnson, et al. v. MGM Holdings, Inc., et al. 17-cv-00541 W.D. Wash. Jordan v. Things Remembered, Inc. 114CV272045 Cal. Super. Ct. Kellgren, et al. v. Petco Animal Supplies, Inc., et al. 13-cv-644 (L) (KSC) S.D. Cal. Kissel v. Code 42 Software Inc., et al. SACV 15-1936 -JLS (KES) C.D. Cal. Konecky v Allstate CV-17-10-M-DWM D. Mont. Krueger v. Ameriprise Fin., Inc. 11-cv-02781 (SRN/JSM) D. Minn. Lindsay v. Cutter Wireline Service, Inc. 7-cv-01445 (PAB) (KLM) D. Colo. Linneman, et al., v. Vita-Mix Corp., et al. 15-cv-748 S.D. Ohio Lion Biotechnologies Sec. Litig. 17-cv-02086-SI N.D. Cal. Liotta v. Wolford Boutiques, LLC 16-cv-4634 N.D. Ga. Lippert v. Baldwin 10-cv-4603 N.D. Ill. Lloyd v. CVB Financial Corp, et al. 10-cv-6256 (CAS) C.D. Cal. Loblaw Card Program Remediation Program Martinez v. Rial de Minas, Inc., et al. 16-cv-01947 D. Colo. McClellan v. Chase Home Fin. 12-cv-01331-JGB-JEM C.D. Cal. McFarland v. Swedish Medical Center 18-2-02948-1 SEA Wash. Super. Ct. McGann, et al. v. Schnuck Markets Inc. 1322-CC00800 Mo. Cir. Ct. McKibben, et al. v. McMahon, et al. 14-2171 (JGB) (SP) C.D. Cal. McKnight Realty Co. v. Bravo Arkoma, LLC and Bravo Natural Resources 17-CIV-00308 (KEW) E.D. Okla. 18 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 40 of 57 CASE NAME CASE NUMBER LOCATION McNeal v. AccentCare, Inc. 15cv03304 N.D. Cal. McNeill v. Citation Oil & Gas Corp. 17-CIV-121 (KEW) E.D. Okla. McWilliams v. City of Long Beach BC361469 Cal. Super. Ct. Moeller v. Advance Magazine Publishers, Inc., d/b/a Condé Nast 15-cv-05671 (NRB) S.D.N.Y. Mojica, et al. v. Securus Technologies, Inc. 14-CV-5258 W.D. Ark. Molnar v. 1-800-Flowers Retail, Inc. BC 382828 Cal. Super. Ct. Monteleone v. The Nutro Co. 14-cv-00801-ES-JAD D.N.J. Morel v. Lions Gate Entm’t Inc. 16-cv-1407 (JFC) S.D.N.Y. Muir v. Early Warning Services, LLC 16-cv-00521 D.N.J. Mylan Pharm., Inc. v. Warner Chilcott Pub. Ltd. 12-3824 E.D. Pa. Nasseri v. Cytosport, Inc. BC439181 Cal. Super. Ct. Nesbitt v. Postmates, Inc. CGC-15-547146 Cal. Super. Ct. New Orleans Tax Assessor Project Tax Assessment Program NMPA Late Fee Program Groups I-IVA Remediation Program CRB Nozzi v. Housing Authority of the City of Los Angeles CV 07-0380 PA (FFMx) C.D. Cal. Nwabueza v. AT&T C 09-01529 SI N.D. Cal. O'Donnell v. Financial American Life Ins. Co. 14-cv-01071 S.D. Ohio Ortez et al. v. United Parcel Service, Inc. 17-cv-01202 (CMA) (SKC) D. Colo. Paggos v. Resonant, Inc. et al. 15-cv-01970-SJO C.D. Cal. Palazzolo, et al. v. Fiat Chrysler Automobiles NV, et al. 16-cv-12803 E.D. Mich. Parker v. Time Warner Entm’t Co. L.P. 239 F.R.D. 318 E.D.N.Y. Parmelee v. Santander Consumer USA Holdings Inc., et al. 16-cv-783-K N.D. Tex. Pickett v. Simos Insourcing Solutions Corp. 17-cv-01013 N.D. Ill. Pierce, et al. v Anthem Ins. Cos., Inc. 15-cv-00562-TWP-TAB S. D. Ind. Podawiltz v. Swisher Int’l, Inc. 16CV27621 Or. Cir. Ct. Press, et al. v. J. Crew Group, Inc., et al. 56-2018-512503 (CU) (BT) (VTA) Cal. Super. Ct. Purcell v. United Propane Gas, Inc. 14-CI-729 Ky. 2nd Cir. Reirdon v. Cimarex Energy Co. 16-CIV-113 (KEW) E.D. Okla. 19 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 41 of 57 CASE NAME CASE NUMBER LOCATION Rice v. Insync 30-2014-00701147-CUNP-CJC Cal. Super. Ct. Rich v. EOS Fitness Brands, LLC RIC1508918 Cal. Super. Ct. Roman v. Antelope Valley Newspapers, Inc., BC382639 Cal. Super. Ct. Rotatori v. TGI Fridays 14-0081-B Mass. Super. Rozeboom v. Dietz & Watson 17-cv-01266-RAJ W.D. Wash. Ruppel v. Consumers Union of United States, Inc. 16-cv-2444 (KMK) S.D.N.Y. Saccoccio v. JP Morgan Chase 13-cv-21107 S.D. Fla. San Antonio Fire & Police Pension Fund v. Dole Food Co., Inc. et al. 15-cv-1140 (LPS) E.D. Del. Sanders v The CJS Solutions Group, LLC 17-cv-03809 S.D.N.Y. Schlesinger, et al. v. Ticketmaster BC304565 Cal. Super. Ct. Schourup v. Private Label Nutraceuticals, LLC, et al. 2015cv01026 C.D. Cal. Schwartz v. Intimacy in New York, LLC 13-cv-5735 (PGG) S.D.N.Y. Schwartz v. Opus Bank, et al. 16-cv-7991 (AB) (JPR) C.D. Cal. Soderstrom v. MSP Crossroads Apartments LLC 16-cv-233 (ADM) (KMM) D. Minn. Solano v. Amazon Studios LLC 17-cv-01587 (LGS) S.D.N.Y. Soto v. Diakon Logistics (Delaware), Inc. 08-cv-33-L(WMC) S.D. Cal. Steele v. PayPal, Inc. 05-CV-01720 (ILG) (VVP) E.D.N.Y. Stillman v. Clermont York Assocs. LLC 603557/09E N.Y. Sup. Ct. Stretch v. State of Montana DV-04-713 (A) Mont. 11th Dist. Ct. Strickland v. Carrington Mortgage Services, LLC, et al. 16-cv-25237 S.D. Fla. Sudunagunta, et al. v. NantKwest, Inc., et al 16-cv-01947-MWF-JEM C.D. Cal. Sullivan, et al. v Wenner Media LLC 16−cv−00960−JTN−ESC W.D. Mich. Szafarz v. United Parcel Service, Inc. SUCV2016-2094-BLS2 Mass. Super. Ct. Terrell v. Costco Wholesale Corp. 16-2-19140-1-SEA Wash. Super. Ct. The City of Los Angeles, et al. v. Bankrate, Inc. et al. 14-cv-81323 (DMM) S.D. Fla. The People of the State of New York v. Steven Croman, et al. 450545/2016 N.Y. Sup. Ct. Tkachyk v. Traveler’s Ins., et al. 16-28-m (DLC) D. Mont. 20 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 42 of 57 CASE NAME CASE NUMBER LOCATION T-Mobile Remediation Program Remediation Program Tolliver v. Avvo, Inc. 16-2-5904-0 (SEA) Wash. Super. Ct. Townes, IV v. Trans Union, LLC 04-1488-JJF D. Del. Tyus v. General Info. Solutions LLC 2017CP3201389 S.C. C.P. United States of America v. City of Chicago 16-c-1969 N.D. Ill. United States of America v. Consolidated City of Jacksonville 170-17M-393 U.S. D.O.J. United States of America v. Greyhound Lines, Inc. 16-67-RGA D. Del. United States v. The City of Austin 14-cv-00533-LY W.D. Tex. Viesse v. Saar's Inc. 17-2-7783-6 (SEA) Wash. Super. Ct. Wahl v. Yahoo! Inc. d/b/a Rivals.com 17-cv-2745 (BLF) N.D. Cal. Walton, et al. v. AT&T Services, Inc. 15-cv-3653 (VC) N.D. Cal. Weber v. KASA Delivery LLC 16-2-13761-0 SEA Wash. Super. Ct. WellCare Sec. Litig. 07-cv-01940-VMC-EAJ M.D. Fla. Williams et al. v. Naples Hotel Group, LLC 18-cv-422-Orl-37-DCI M.D. Fla. Williams, et al. v. Weyerhaeuser Co. 995787 Cal. Super. Ct. Wornicki v. Brokerpriceopinion.com, Inc. 13-cv-03258 (PAB) (KMT) D. Colo. Wright v. Lyft, Inc. 14-cv-00421-BJR W.D. Wash. 21 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 43 of 57 IV. JUDICIAL RECOGNITION Courts have favorably recognized Ms. Keough’s work as outlined by the sampling of judicial comments from her programs at JND. 1. Judge Barbara Jacobs Rothstein Wright v. Lyft, Inc., (May 29, 2019) No. 17-cv-23307-MGC 14-cv-00421-BJR (W.D. Wash.) The Court also finds that the proposed method of distributing relief to the class is effective. JND Legal Administration (“JND”), an experienced claims administrator, undertook a robust notice program that was approved by this Court… 2. Judge Jonathan Goodman Belanger v. RoundPoint Mortgage Servicing, (March 28, 2019) No. 17-cv-23307-MGC (S.D. Fla.): Class Counsel has filed with the Court a declaration from Jennifer M. Keough, Chief Executive Officer at JND Legal Administration, the independent third-party Settlement Administrator for the Settlement, establishing that the Mail Notice, Claim Form, and Claim Form Instructions were mailed to Noticed Class Members on December 12, 2018; the Settlement Website and IVR toll-free telephone number system were established on December 12, 2018; internet advertising was published beginning December 14, 2018; and the Publication Notice was published on January 7, 2019. Adequate Class Notice was given to the Noticed Class Members in compliance with the Settlement Agreement and the Preliminary Approval Order. 3. Honorable P. Kevin Castel Hanks v. The Lincoln Life & Annuity Co. of New York, et al., (April 23, 2019) No. 16-cv-6399 PKC (S.D.N.Y.): The Court approves the form and contents of the Short-Form Notice and Long-Form Notice (collectively, the “Notices”) attached as Exhibits A and B, respectively, to the 22 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 44 of 57 Declaration of Jennifer M. Keough, filed on April 2, 2019, at Docket No. 120…The form and content of the notices, as well as the manner of dissemination described below, therefore meet the requirements of Rule 23 and due process, constitute the best notice practicable under the circumstances, and shall constitute due and sufficient notice to all persons and entities entitled thereto…the Court approves the retention of JND Legal Administration LLC (“JND”) as the Notice Administrator. 4. Judge Cormac J. Carney In re ConAgra Foods Inc, (April 4, 2019) No. 11-cv-05379-CJC-AGR (C.D. Cal.): The bids were submitted to Judge McCormick, who ultimately chose JND Legal Administration to propose to the Court to serve as the settlement administrator. (Id. ¶ 65.) In addition to being selected by a neutral third party, JND Legal Administration appears to be well qualified to administer the claims in this case… The Court appoints JND Legal Administration as Settlement Administrator… JND Legal Administration will reach class members through a consumer media campaign, including a national print effort in People magazine, a digital effort targeting consumers in the relevant states through Google Display Network and Facebook, newspaper notice placements in the Los Angeles Daily News, and an internet search effort on Google. (Keough Decl. ¶ 14.) JND Legal Administration will also distribute press releases to media outlets nationwide and establish a settlement website and toll-free phone number. (Id.) The print and digital media effort is designed to reach 70% of the potential class members. (Id.) The newspaper notice placements, internet search effort, and press release distribution are intended to enhance the notice’s reach beyond the estimated 70%. (Id.) 5. Honorable William J. McGovern, III, J.S.C. Atl. Ambulance Corp. v. Cullum and Hitti, (March 29, 2019) No. MRS-L-264-12 (N.J. Super. Ct.): The Court finds that the manner and form of notice set forth in the Settlement Agreement (Class Notice) was provided to the Settlement Class Members 23 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 45 of 57 and Settlement Sub-class Members by JND Legal Administration, the Court-appointed Administrator of the Settlement…The Class Notice satisfied the requirements of due process and R. 4:32-2 and constitutes the best practicable notice under the circumstances. 6. Judge Steven P. Shreder Chieftain Royalty Co., et al. v. Marathon Oil Co., (March 8, 2019) No. 17-cv-334 (E.D. Okla.): The Court also approves the efforts and activities of the Settlement Administrator, JND Legal Administration, and the Escrow Agent, Signature Bank, in assisting with certain aspects of the administration of the Settlement, and directs them to continue to assist Class Representatives in completing the administration and distribution of the Settlement in accordance with the Settlement Agreement, this Judgment, any Plan of Allocation approved by the Court, and the Court’s other orders. 7. Judge Thomas S. Zilly Connolly v. Umpqua Bank, (February 28, 2019) No. C15-517 (TSZ) (W.D. Wash.): Notice of the proposed class action settlement and of the final approval hearing scheduled for February 21, 2019, was sent to all members of the Class in the manner described in the Declaration of Jennifer M. Keough, the Chief Executive Officer of JND Legal Administration, which is the Settlement Administrator for this matter… the methods of transmitting notices to class members, along with the maintenance of a dedicated website, were the best notice practicable under the circumstances and comported with Federal Rule of Civil Procedure 23 and the Due Process Clause of the United States Constitution. 24 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 46 of 57 8. Judge Kathleen M. Daily Podawiltz v. Swisher Int’l, Inc., (February 7, 2019) No. 16CV27621 (Or. Cir. Ct.): The Court appoints JND Legal Administration as settlement administrator…The Court finds that the notice plan is reasonable, that it constitutes due, adequate and sufficient notice to all persons entitled to receive notice, and that it meets the requirements of due process, ORCP 32, and any other applicable laws. 9. Honorable Robert W. Lehrburger Hines v. CBS Television Studios, et al., (February 5, 2019) No. 17-cv-7882 (PGG) (S.D.N.Y.): Class Members were provided with the best notice practicable under the circumstances. The Court further finds that the Notice and its distribution comported with all constitutional requirements, including those of due process. No Cass Member opted out of or objected to the Settlement. Moreover, approximately 57% of Class Members returned the Claim form, which represents a substantial response from the Settlement Class…On August 24, 2018 the Court preliminary appointed JND as the Settlement Claims Administrator in this action. JND is an experienced administrator of Class Action settlements nationwide. 10. Judge Naomi Reice Buchwald In re LIBOR-Based Financial Instruments Antitrust Litig., (December 20, 2018) No. 11-md-2262 (NRB) (S.D.N.Y.): The Court hereby finds that the forms and methods of notifying the Lender Class of the Settlements and their terms and conditions met the requirements of the United States Constitution (including the Due Process Clause), Rule 23 of the Federal Rules of Civil Procedure, and all other applicable law and rules; constituted the best notice practicable under the circumstances; and constituted due and sufficient notice to all Lender Class Members entitled thereto of these proceedings and the matters set forth herein, including the Settlements and Plan of Distribution. 25 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 47 of 57 11. Judge Kimberly E. West Reirdon v. Cimarex Energy Co., (December 18, 2018) No. 16-CIV-113 (KEW) (E.D. Okla.): The Court further finds that due and proper notice, by means of the Notice and Summary Notice, was given to the Settlement Class in conformity with the Settlement Agreement and Preliminary Approval Order…The Court also approves the efforts and activities of the Settlement Administrator, JND Legal Administration, and the Escrow Agent, Signature Bank, in assisting with certain aspects of the administration of the Settlement, and directs them to continue to assist Class Representative in completing the administration and distribution of the Settlement in accordance with the Settlement Agreement, this Judgment, any Plan of Allocation approved by the Court, and the Court’s other orders. 12. Honorable Kenneth J. Medel Huntzinger v. Suunto Oy and Aqua Lung America, Inc., (December 14, 2018) No. 37-2018-27159 (CU) (BT) (CTL) (Cal. Super. Ct.): The Court finds that the Class Notice and the Notice Program implemented pursuant to the Settlement Agreement and Preliminary Approval Order constituted the best notice practicable under the circumstances to all persons within the definition of the Class and fully complied with the due process requirement under all applicable statutes and laws and with the California Rules of Court. 13. Judge Mark H. Cohen Liotta v. Wolford Boutiques, LLC, (November 30, 2018) No. 16-cv-4634 (N.D. Ga.): The Notice Program included written mail notice via post-card pursuant to addresses determined from a look-up on the telephone numbers using a historic look-up process designed to identify the owner of the relevant telephone numbers on July 7, 2016 and September 2, 2016. Keough Decl. ¶¶ 3-4. The Claims Administrator used multiple databases to determine addresses and names of the cellular telephone owners at the time the text messages were sent. Keough Decl. ¶ 3. The Parties’ 26 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 48 of 57 filed evidence that the Claims Administrator provided notice in conformance with the Notice Program approved by the Court. Id. ¶ 4 & Ex. A; Settlement Agreement § C.4; Prelim. Approval Order at 16-17. This notice constituted the most effective and best notice practicable under the circumstances of the Settlement Agreement and the fairness hearing. The notice constituted due and sufficient notice for all other purposes to all persons entitled to receive notice. 14. Judge Kimberly E. West Cecil v. BP America Prod. Co., (November 19, 2018) No. 16-cv-410 (RAW) (E.D. Okla.): The form, content, and method of communicating the Notice of Settlement, together with the class settlement website referred to therein: (i) constituted the best notice practicable under the circumstances; (ii) constituted notice reasonably calculated, under the circumstances, to apprise potential Class Members of the pendency of the Litigation, the proposed Settlement Agreement, their right to exclude themselves from the proposed Settlement Agreement and resulting Settlement, their right to object to the same of any part thereof, and their right to appear at the Final Fairness Hearing; (iii) was reasonable and constituted due, adequate, and sufficient notice to all persons and entities entitled to such notice; and (iv) met all applicable requirements of the Federal Rules of Civil Procedure, the Due Process Clause of the United States Constitution, the Due Process protection of the State of Oklahoma, and any other applicable law. 15. Honorable Thomas M. Durkin In re Broiler Chicken Antitrust Litig., (November 16, 2018) No. 16-cv-8637 (N.D. Ill.): The notice given to the Class, including individual notice to all members of the Class who could be identified through reasonable efforts, was the best notice practicable under the circumstances. Said notice provided due and adequate notice of the proceedings and of the matters set forth therein, including the proposed settlement set forth in the Settlement Agreement, to all persons entitled to such notice, and said notice fully satisfied the requirements of Rules 23(c)(2) and 23(e)(1) of the Federal Rules of Civil Procedure and the requirements of due process. 27 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 49 of 57 16. Honorable Beth Labson Freeman Wahl v. Yahoo! Inc. d/b/a Rivals.com, (November 15, 2018) No. 17-cv-2745 (BLF) (N.D. Cal.): The Settlement Class was provided with adequate notice of the settlement and an opportunity to object or opt out. The notice satisfied all applicable legal requirements, including those under Federal Rule of Civil Procedure 23 and the United States Constitution. 17. Honorable Tanya Walton Pratt Pierce, et al. v Anthem Ins. Cos., Inc., (November 13, 2018) No. 15-cv-00562-TWP-TAB (S. D. Ind.): The Court hereby finds and concludes that Notice and the Supplemental Notice was disseminated to members of the Settlement Class in accordance with the terms of the Agreement and that the Notice and its dissemination were in compliance with the Agreement and this Court’s Preliminary Approval. The Court further finds and concludes that the Notice implemented pursuant to the Settlement Agreement constitutes the best practicable notice; is notice that is reasonably calculated, under the circumstances, to apprise Class Members of the pendency of the Action, their right to accept, object to or exclude themselves from the proposed settlement and to appear at the fairness hearing; constitutes reasonable, due, adequate and sufficient notice to all persons entitled to receive notice; and meets all applicable requirements of the Federal Rules of Civil Procedure, the Due Process Clause of the United States Constitution and any Rules of the Court. 18. Judge Maren E. Nelson Granados v. County of Los Angeles, (October 30, 2018) No. BC361470 (Cal. Super. Ct.): JND’s Media Notice plan is estimated to have reached 83% of the Class. The overall reach of the Notice Program was estimated to be over 90% of the Class. (Keough Decl., at ¶12.). Based upon the notice campaign outlined in the Keough 28 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 50 of 57 Declaration, it appears that the notice procedure was aimed at reaching as many class members as possible. The Court finds that the notice procedure satisfies due process requirements. 19. Judge Maren E. Nelson McWilliams v. City of Long Beach, (October 30, 2018) No. BC361469 (Cal. Super. Ct.): It is estimated that JND’s Media Notice plan reached 88% of the Class and the overall reach of the Notice Program was estimated to be over 90% of the Class. (Keough Decl., at ¶12.). Based upon the notice campaign outlined in the Keough Declaration, it appears that the notice procedure was aimed at reaching as many class members as possible. The Court finds that the notice procedure satisfies due process requirements. 20. Judge Cheryl L. Pollak Dover et al. v. British Airways, PLC (UK), (October 9, 2018) No. 12-cv-5567 (E.D.N.Y.), in response to two objections: JND Legal Administration was appointed as the Settlement Claims Administrator, responsible for providing the required notices to Class Members and overseeing the claims process, particularly the processing of Cash Claim Forms…the overwhelmingly positive response to the Settlement by the Class Members, reinforces the Court’s conclusion that the Settlement in fair, adequate, and reasonable. 21. Judge Edward J. Davila In re Intuit Data Litig., (October 4, 2018) No. 15-CV-1778-EJD (N.D. Cal.): The Court appoints JND Legal Administration (“JND”) to serve as the Settlement Administrator…The Court approves the program for disseminating notice to Class Members set forth in the Agreement and Exhibit A thereto (herein, the “Notice Program”). The Court approves the form and content of the proposed forms of notice, in the forms attached as Attachments 1 through 3 to Exhibit A to the Agreement. The 29 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 51 of 57 Court finds that the proposed forms of notice are clear and readily understandable by Class Members. The Court finds that the Notice Program, including the proposed forms of notice, is reasonable and appropriate and satisfies any applicable due process and other requirements, and is the only notice to the Class Members of the Settlement that is required. 22. Judge Lucy H. Koh In re Yahoo! Inc. Sec. Litig., (September 7, 2018) No. 17-cv-373 (N.D. Cal.): The Court hereby finds that the forms and methods of notifying the Settlement Class of the Settlement and its terms and conditions: met the requirements of due process, Rule 23 of the Federal Rules of Civil Procedure, and 15 U.S.C. § 78u-4(a)(7) (added to the Exchange Act by the Private Securities Litigation Reform Act of 1995); constituted the best notice practicable under the circumstances; and constituted due and sufficient notice to all persons and entities entitled thereto of these proceedings and the matters set forth herein, including the Settlement and Plan of Allocation. 23. Judge Michael H. Watson O’Donnell v. Financial American Life Ins. Co., (August 24, 2018) No. 14-cv-01071 (S.D. Ohio): The Court finds that the Class Notice and the notice methodology implemented pursuant to this Settlement Agreement (as evidenced by the Declaration of Settlement Administrator Keough, JND Legal Administration): (1) constituted the best practicable notice; (2) constituted notice that was reasonably calculated, under the circumstances, to apprise Class Members of the terms of the Proposed Settlement, the available relief, the release of claims, their right to object or exclude themselves from the proposed Settlement, and their right to appear at the fairness hearing; (3) were reasonable and constitute due, adequate, and sufficient notice to all persons entitled to receive notice; and (4) met all applicable requirements of the Federal Rules of Civil Procedure, the Class Action Fairness Act, the United States Constitution (including the Due Process Clause), the Rules of the Court, and any other applicable law. 30 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 52 of 57 24. Judge Timothy J. Corrigan Finerman v. Marriott Ownership Resorts, Inc., (August 15, 2018) No. 14-cv-1154-J-32MCR (M.D. Fla.): Notice was given by Mail in accordance with the Settlement Agreement and the Preliminary Approval Order. The Class Notice, Claim Form, Preliminary Approval Order, Petition for Attorney’s Fees, and Settlement Agreement (without exhibits) were also posted on the Settlement Website at www.cruisefaresettlement.com. These forms of class notice fully complied with the requirements of Rule 23(c)(2)(B) and due process, constituted the best notice practicable under the circumstances, and were due and sufficient notice to all persons entitled to notice of the settlement of this lawsuit. 25. Honorable Kenneth J. Medel Huntzinger v. Suunto Oy and Aqua Lung America, Inc., (August 10, 2018) No. 37-2018-27159 (CU) (BT) (CTL) (Cal. Super. Ct.): The Court finds that the notice to the Class Members regarding settlement of this Action, including the content of the notices and method of dissemination to the Class Members in accordance with the terms of Settlement Agreement, constitute the best notice practicable under the circumstances and constitute valid, due and sufficient notice to all Class Members, complying fully with the requirements of California Code of Civil Procedure § 382, California Civil Code § 1781, California Rules of Court Rules 3.766 and 3.769(f), the California and United States Constitutions, and any other applicable law. 26. Honorable Thomas M. Durkin In re Broiler Chicken Antitrust Litig., (June 22, 2018) No. 16-cv-8637 (N.D. Ill.): The proposed notice plan set forth in the Motion and the supporting declarations comply with Rule 23(c)(2)(B) and due process as it constitutes the best notice that is practicable under the circumstances, including individual notice vial mail and email 31 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 53 of 57 to all members who can be identified through reasonable effort. The direct mail and email notice will be supported by reasonable publication notice to reach class members who could not be individually identified. 27. Honorable Stanley R. Chesler Muir v. Early Warning Services, LLC, (June 13, 2018) No. 16-cv-00521 (D.N.J.): Notice to the Class required by Rule 23(e) of the Federal Rules of Civil Procedure has been provided in accordance with the Court’s Preliminary Approval Order, and such notice has been given in an adequate and sufficient manner; constitutes the best notice practicable under the circumstances; and satisfies Rule 23(e) and due process. The Court is informed the Mail Notice was sent by first class mail to approximately 211 Settlement Class Members by JND Legal Administration, the third-party Settlement Administrator. 28. Honorable Lewis A. Kaplan Cline, et al. v. TouchTunes Music Corp., (May 24, 2018) No. 14-CIV-4744 (LAK) (S.D.N.Y.): The Court finds that the Notice Program has been implemented by the Claims Administrator and Parties, and that such Notice Program, including of the utilized Notice Form, constitutes the best notice practicable under the circumstances and fully satisfied due process, the requirements of Rule 23 of the Federal Rules of Civil Procedure, and all other applicable laws. 29. Judge Janet T. Neff Sullivan, et al. v Wenner Media LLC, (May 22, 2018) No. 16−cv−00960−JTN−ESC (W.D. Mich.): The Settlement Administrator completed the delivery of Class Notice according to the terms of the Agreement. The Class Notice given by the Settlement Administrator to the Settlement Class, which set forth the principal terms of the Agreement and other matters, was the best practicable notice under the circumstances. 32 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 54 of 57 30. Honorable Otis D. Wright, II Chester v. The TJX Cos., Inc., et al., (May 14, 2018) No. 15-cv-1437 (C.D. Cal.): ... the Court finds and determines that the Notice to Class Members was complete and constitutionally sound, because individual notices were mailed and/or emailed to all Class Members whose identities and addresses are reasonably known to the Parties, and Notice was published in accordance with this Court’s Preliminary Approval Order, and such notice was the best notice practicable. 31. Honorable Susan J. Dlott Linneman, et al., v. Vita-Mix Corp., et al., (May 3, 2018) No. 15-cv-748 (S.D. Ohio): JND Legal Administration, previously appointed to supervise and administer the notice process, as well as oversee the administration of the Settlement, appropriately issued notice to the Class as more fully set forth in the Agreement, which included the creation and operation of the Settlement Website and more than 3.8 million mailed or emailed notices to Class Members. As of March 27, 2018, approximately 300,000 claims have been filed by Class Members, further demonstrating the success of the Court-approved notice program. 32. Honorable David O. Carter Hernandez/White v. Experian Info. Solutions, Inc., (April 6, 2018) No. 05-cv-1070 (C.D. Cal.): The White Objectors and the Green Objectors argue that the notice and administration expenses are too high, contending that these expenses are duplicative of the costs incurred in connection with the 2009 Proposed Settlement and should have been paid by Class Counsel. (See Dkt. 1107 at 7; Dkt. 1112 at 10.) The Court finds, however, that the notice had significant value for the Class, resulting in over 200,000 newly approved claims—a 28% increase in the number of Class members who will receive claimed benefits—not including the almost 100,000 33 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 55 of 57 Class members who have visited the CCRA section of the Settlement Website thus far and the further 100,000 estimated visits expected through the end of 2019. (Dkt. 1114-1 at 3, 6). Furthermore, the notice and claims process is being conducted efficiently at a total cost of approximately $6 million, or $2.5 million less than the projected 2009 Proposed Settlement notice and claims process, despite intervening increases in postage rates and general inflation. In addition, the Court finds that the notice conducted in connection with the 2009 Proposed Settlement has significant ongoing value to this Class, first in notifying in 2009 over 15 million Class members of their rights under the Fair Credit Reporting Act (the ignorance of which for most Class members was one area on which Class Counsel and White Objectors’ counsel were in agreement), and because of the hundreds of thousands of claims submitted in response to that notice, and processed and validated by the claims administrator, which will be honored in this Settlement. 33. Judge Maren E. Nelson Djoric v. Justin Brands, Inc., (March 12, 2018) No. BC574927 (Cal. Super. Ct.): Based on the number of claims submitted the Court concludes that the notice was adequate and the best available means under the circumstances. 34. Judge Federico A. Moreno Brna v. Isle of Capri Casinos and Interblock USA, LLC, (February 20, 2018) No. 17-cv-60144 (FAM) (S.D. Fla.): Class Counsel has filed with the Court a Declaration from JND Legal Administration, the independent third-party Settlement Administrator for the Settlement, establishing the Settlement Notice and Claim Form were delivered by email and mail to the class members on November 27, 2017 and December 4, 2017, the Settlement website was established on November 27, 2017, and Claim Forms were also available electronically on the website. Adequate notice was given to the Settlement Class Members in compliance with the Settlement Agreement and the preliminary approval order. 34 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 56 of 57 35. Honorable Percy Anderson Nozzi, et al. v. Housing Authority for the City of Los Angeles, et al., (February 15, 2018) No. CV 07-380 PA (FFMx) (C.D. Cal.): The notice given in this case was reasonably calculated to reach the Damages Class… Finally, a notice was published in the L.A. Times for three consecutive weeks on August 18, 2017, August 25, 2017, and September 1, 2017, and a 30-day internet advertising campaign was launched on Facebook, Instagram, and Twitter to inform Class Members about the settlement. (Keough Decl. ¶ 12.) The Court therefore concludes that the notice procedures satisfied the requirements of Due Process and Federal Rule of Civil Procedure 23(e). 36. Judge Ann D. Montgomery In re Wholesale Grocery Products Antitrust Litig., (November 16, 2017) No. 9-md-2090 (ADM) (TNL) (D. Minn.): Notice provider and claims administrator JND Legal Administration LLC provided proof that mailing conformed to the Preliminary Approval Order in a declaration filed contemporaneously with the Motion for Final Approval of Class Settlement. This notice program fully complied with Fed. R. Civ. P. 23, satisfied the requirements of due process, is the best notice practicable under the circumstances, and constituted due and adequate notice to the Class of the Settlement, Final Approval Hearing and other matters referred to in the Notice. 37. Honorable Robert S. Lasnik Gragg v. Orange Cab Co., Inc. and RideCharge, Inc., (October 5, 2017) No. C12-0576RSL (W.D. Wash.): The Settlement Administrator completed the delivery of Class Notice according to the terms of the Agreement. The Class Notice given by the Settlement Administrator to the Settlement Class, which set forth the principal terms of the Agreement and other matters, was the best practicable notice under the circumstances…The Class Notice given to the Settlement Class Members satisfied the requirements of Federal Rule of Civil Procedure 23 and the requirements of constitutional due process. 35 Case 1:17-md-02800-TWT Document 739-6 Filed 07/22/19 Page 57 of 57 38. The Honorable Philip S. Gutierrez Harris, et al. v. Amgen, Inc., et al., (April 4, 2017) No. CV 07-5442 PSG (PLAx) (C.D. Cal.): Class counsel retained JND to provide notice and administration services for this litigation. See generally Keough Decl. JND mailed 13,344 class action notices to class members by first-class mail on January 14, 2017. See Keough Decl., ¶ 6. If the mailings returned undeliverable, JND used skip tracing to identify the most updated addresses for class members. Id. To date, JND reports than only 179 notices are undeliverable. Id. ¶ 7. Moreover, as of March 21, 2017, the deadline for filing objections, JND had received no objections to the final settlement agreement. The lack of objections is an indicator that class members find the settlement to be fair, reasonable, and adequate. 39. Honorable Susan Illston Allagas v. BP Solar Int’l, Inc., (December 22, 2016) No. 14-cv-00560 (SI) (N.D. Cal.): The complexity, expense and likely duration of the litigation favors the Settlement, which provides meaningful and substantial benefits on a much shorter time frame than otherwise possible, and avoids risk to class certification and the Class’s case on the merits...The Court appoints Jennifer Keough of JND Legal Administration to serve as the Independent Claims Administrator (“ICA”) as provided under the Settlement. 36 Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 1 of 38 Exhibit 6 Declaration of Mary Frantz In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 2 of 38 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION IN RE: Equifax, Inc., Customer Data Security Breach Litigation ) ) ) ) ) ) Case No.: 1:17-md-02800-TWT Consumer Actions Declaration of Mary T. Frantz Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 3 of 38 I, Mary T. Frantz, pursuant to 28 U.S.C. § 1746, hereby declare as follows, I. INTRODUCTION 1. Shortly after the commencement of this case, I was retained by counsel for the Consumer Plaintiffs to advise on the business practice changes needed to address the cyber security deficiencies in Equifax’s systems and to assist in negotiating those changes in connection with any potential resolution of the Consumer Plaintiffs’ claims. 2. I have been asked to consider whether the business practice changes proposed in Exhibit B to the Settlement Agreement, if approved, would provide a meaningful benefit to Consumer Plaintiffs’, the classes they seek to represent, and other parties whose information Equifax collects, processes, or stores. In addition, I have been asked to evaluate if the proposed changes would meaningfully improve Equifax’s overall security posture and remediate the deficiencies that enabled the data breach Equifax announced in 2017. 3. My opinions are based on my formal education and training, my review and assessment of information provided by Equifax and Consumer Plaintiffs’ Counsel, generally accepted sources within the field of information security, and my nearly 30 years’ of professional experience in cyber security, information technology, and compliance. -1- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 4 of 38 4. In my opinion, the business practice changes included in the proposed Settlement Agreement address the technical and administrative deficiencies that contributed to the Equifax data breach and would meaningfully reduce the risk of Equifax suffering another data breach during the settlement term. As such, the proposed business practice changes would confer a substantial benefit to the Class Members and all other stakeholders. II. BACKGROUND AND QUALIFICATIONS 5. I am the Founder and Managing Partner of Enterprise Knowledge Partners, LLC (EKP) in Edina, Minnesota. EKP is a technology services firm specializing in eDiscovery, Forensics, Cyber Security and Enterprise Architecture. As a Managing Partner of EKP, I have provided a wide range of technology, compliance, and data security services to corporate clients. 6. My educational credentials include four Bachelor’s degrees from Northern Illinois University in the following fields: Mathematics, Information Systems, International Relations, and Foreign Translation of Spanish, with a minor in French. In addition, I hold a Master’s Degree in Business Administration from the University of Chicago (with emphasis on International Business Investment/Marketing). I also hold a Master’s Degree in Engineering from the Georgia Institute of Technology (with emphasis on Computer Science Engineering). A copy of my resume is attached as Exhibit -2- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 5 of 38 A, which further details my education, professional experience, and expertise. 7. I hold multiple active and non-active certifications in information systems, data security, and technology architecture. I hold active certifications as a Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Forensics Investigator (CFI), Certified Incident Handler (CIH), as well as several certifications specific to products or companies, such as EnCase (EnCE), Cellebrite, and Microsoft. I am a Certified Information Privacy Professional (CIPP) and a non-active APICS certified professional in materials requirements planning and inventory management. I currently teach the applied Certified Ethical Hacker Course at the University of Minnesota and participate in Cyber Range exercises at Metro State University in St. Paul, Minnesota. In addition, I am an Executive in Residence at both Northern Illinois University and the University of Chicago. I am also an advisory board member of the Minnesota Academy of Science and Engineering. 8. During my 28 years of professional experience, I have held multiple positions in technology, technology leadership, and information security. My job roles have included: multi-country implementations of large enterprise resource -3- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 6 of 38 planning, customer relations management, and environmental resources management systems; artificial intelligence design using big data infrastructure; user interface and under experience design; global enterprise architectures; cloud architectures; cloud and on-premise infrastructure optimization; computer automated design implementations and configurations; and a variety of industry-specific technologies. I have performed both HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standards) security reviews, and am a non-active PCI-DSS Qualified Security Assessor, meaning I have been qualified by the PCI Security Standards Council to validate an entity’s adherence to the PCI-DSS standard. In addition, I have managed one of just four groups hired by the U.S. Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS) to perform data validation and compliance reviews for over 25 U.S. health provider and payer organizations. In connection with this work, I testified at CMS in Baltimore and before the U.S. Senate Committee on Health, Education, Labor, and Pensions. I also have testified before the U.S. Senate regarding specific cyber security controls and standards required for compliance with the European Union’s Data Directive and the U.S.-EU Safe Harbor Framework. -4- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 7 of 38 9. My cyber security knowledge spans the length of my years of professional experience. I have managed responses to major security incidents, performed information security investigations relevant to insider trading, credit card fraud, and social engineering attacks. I have conducted dark net investigations, packet-sniffing of mobile/cellular technology, offensive security projects, LAN/WAN/Wireless packet sniffing and analysis, vulnerability scanning, threat intelligence, forensics, penetration testing, cyber incident response, cyber incident remediation, incident handler roles, and cyber security attestation and audits. 10.I have been retained as an expert in 29 data breach actions. In this capacity, I have submitted numerous declarations, affidavits, and reports, and have testified at deposition and trial. I was a designated expert in the following matters: • Kleen Products, LLC v. Packaging Corporation of America, No. 1:10cv-05711-HDL (N.D. Ill.); • Andrew Giancola v Lincare Holdings Inc., No. 8:17-cv-02427-MHC (M.D. Fla.); • Fidelity Insurance Co. v. Express Scripts, Inc., No. 4:03-cv-1521-SNL (E.D. Mo.); -5- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 8 of 38 • Schmidt et al., v. Facebook, Inc., No. C 18-05982 WHA (N.D. Cal.); and • Yahoo! Customer Data Security Breach, No. 16-MD-02752-LHK (N.D. Cal.). 11.In this matter, I am being compensated purely on an hourly basis, plus actual expenses. My compensation is in no way dependent or contingent on my conclusions, opinions, or the outcome of the matter. III. INFORMATION REVIEWED 12.Over the past 16 months, I have worked as an expert for Consumer Plaintiffs’ Counsel in this matter. I have assisted Consumer Plaintiffs’ Counsel on cyber security matters related to this case, including identifying the pre- and postbreach security controls in place at Equifax, how the data breach occurred, and the business practice changes that Equifax should implement in response to the data breach. In the course of the engagement, I have reviewed documents that Equifax and other parties produced in formal and informal discovery, listened to and reviewed testimony and interviews given by current and former Equifax officers and employees and information security personnel, and conducted independent research into Equifax’s information security program. I have travelled to Atlanta to meet with and interview Equifax’s information security personnel, and advised Consumer Plaintiffs’ -6- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 9 of 38 Counsel as they negotiated the details of the business practice changes. All of these sources inform the opinions I provide in this Declaration. IV. REVIEW AND EVALUATION OF BUSINESS PRACTICE CHANGES 13.From the information provided for my review during the litigation, it is clear that Equifax’s pre-breach cyber security controls fell short of industry standards. This deficiency was amplified by Equifax’s risk profile and the massive amounts of extremely sensitive consumer data that Equifax collected, processed, and stored. 14.If the Settlement Agreement is approved, the business practice changes required under the Settlement Agreement will improve Equifax’s information security controls. 15.In the sections below, I provide a high-level explanation for some of the business practice changes included in the Settlement Agreement. In this Declaration, I do not attempt to discuss every business practice change or comprehensively analyze all of the cyber security benefits these changes will provide. Nonetheless, I believe the layperson’s explanation I attempt to provide about the cyber security benefits of selected business practice changes amply illustrates the significant benefits these changes will provide to the Consumer Plaintiffs and the classes they seek to represent. V. IMPLEMENT AND MAINTAIN A COMPREHENSIVE SECURITY PROGRAM -7- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 10 of 38 16.The Settlement Agreement requires Equifax to quickly implement, and then regularly review and revise a comprehensive information security program that is reasonably designed to protect the personal information that Equifax collects, processes, or stores on its network.1 17.This is a foundational information security requirement. As defined by NIST, a comprehensive written security program is an annually reviewed and executive-approved set of IT security policies, standards, control objectives, and guidelines. The security program is the entire collection of policies and procedures that govern the ability of an organization to protect the security, confidentiality, and integrity of the information it manages and includes all surrounding processes and infrastructure. The program’s guiding principle is that it is easily implemented and auditable. Furthermore, NIST defines a comprehensive security program as one that also: • Identifies and assigns roles and responsibilities among all organizational entities for managing the legal and regulatory compliance, confidentiality, integrity and availability of information assets; 1 Term Sheet Ex. B, § 2. -8- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 11 of 38 • Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); • Contains the NIST required protocols such as standard security operating procedures, contacts, timelines, requirements, responsible parties, oversight and validation assessments; • Is approved by executive management with ultimate responsibility and accountability for the risk incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals and other organizations; • Encompasses the enterprise policies and procedures and incident response subprograms; • Updates the plan to address organizational changes and problems resulting from security control assessments; and • Protects the information security program and plan from unauthorized disclosure and modification. 18.My review of Equifax’s pre-breach information security program revealed three key areas for improvement, each of which is addressed by this provision. -9- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 12 of 38 19.First, there were significant deficiencies in the substance of Equifax’s prebreach Information Security Program. On its face, this provision will require Equifax to fix those deficiencies. 20.Second, Equifax was slow to revise its pre-breach Information Security Program. For example, Equifax’s security program did not include policies and procedures governing patching until 20152 and did not develop other key policies until 2016. These policies should have been in place much earlier, particularly for an organization like Equifax. By requiring Equifax to regularly review and revise its Information Security Program—and by mandating independent third-party assessments of those changes as discussed below—this provision will ensure that Equifax’s Information Security Program adapts to addresses the changing cyber security landscape. 21.Finally, even where the policies contained within Equifax’s pre-breach Information Security Program were adequate, Equifax did not always comply with its own policies and procedures. By requiring Equifax maintain a comprehensive and appropriate Information Security Program, and mandating that the independent third-party assessments evaluate both 2 Staff of S. Comm. on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigations, How Equifax Neglected Cybersecruity and Suffered A Devastating Data Breach at 26 (available at https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf) (“Senate Report”). - 10 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 13 of 38 Equifax’s “policies and practices,”3 this provision will help ensure that Equifax’s Information Security Program meaningfully protects PII. VI. MANAGING CRITICAL ASSETS 22. The Settlement Agreement also requires Equifax to develop and maintain a comprehensive IT asset inventory.4 This is a fundamental information security control that is typically included in a comprehensive security program. 23.At its core, an IT asset inventory is a constantly updated list of the IT assets that comprise a network, including computers, software, databases and data stores, switches, routers, firewalls, and other devices. The time-tested principle behind maintaining and systematically validating a comprehensive asset inventory is that an organization cannot maintain and protect what it does not know it has. 24.Maintaining an asset inventory with corresponding classification has been an industry standard for decades. NIST states, “The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of 3 4 Term Sheet Ex. B, § 23(c) (emphasis added). Id. § 3. - 11 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 14 of 38 system components that have been compromised, breached, or are otherwise in need of mitigation actions.”5 25.Asset management provides the ability to measure utilization, centrally manage resources, and perform lifecycle and financial management. Most importantly, understanding what assets are allowed on a network or physically in a building provides for the ability to quickly identify, prevent, and/or eliminate unauthorized assets. 26. To effectively manage and classify assets, the inventory must also list other attributes for each asset. For example, the inventory must describe what, where, and how the asset is used and the types of information the asset accesses, stores, or processes. This lets the organization identify the appropriate privacy classification and criticality level of a given system and apply the appropriate information security and privacy policies and controls. 27.The IT asset inventory requirement is particularly important in the context of integrating acquired companies. Equifax has a documented history of acquiring companies with the potential for quick-to-market products and services and immediate revenue generation.6 Integrating new systems and 5 U.S. Dept of Comm., National Institute of Standards and Technology, Special Publication 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, at 227 (available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf). 6 Staff of H. Comm on Oversight and Government Reform, 115 th Congr., The Equifax Data Breach (Dec. 2018) at 2 (available at https://republicans-oversight.house.gov/wp-content/uploads/2018/12/Equifax-Report.pdf) (“House Report”). - 12 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 15 of 38 data into an existing network without a comprehensive understanding of the current network is a common way that acquiring companies make themselves vulnerable to cyber-attacks. 28.At the time of the data breach, Equifax did not have a comprehensive IT asset inventory. This directly contributed to Equifax’s failure to patch the Apache server, which allowed the attackers access into Equifax’s systems. 29.Accordingly, the Settlement Agreement’s detailed provision for managing critical assets will help secure the information in Equifax’s systems for the future. VII. IMPLEMENT AND ENFORCE A DATA CLASSIFICATION AND HANDLING STANDARD 30. The Data Classification provision addresses some of the same concerns as the Managing Critical Assets provision discussed just above. This provision requires Equifax to maintain and update a data classification and handling standard, which also must be evaluated by the third-party assessors.7 31.In the context of data security and privacy, data classification provisions require the company to identity the types of data in its systems and assign a defined sensitivity level to each data type, usually based upon the sensitivity 7 Term Sheet Ex. B, §§ 4 (Data Classification), 23 (Third-Party Assessments). - 13 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 16 of 38 of the data (e.g., privacy concerns) and the level of impact to the company if the data were compromised. Once categorized, the company can apply the appropriate security, privacy, and handling controls to the data and related IT assets. 32.If proper asset management and data classification and handling had been in place at the time of the Equifax breach, all or nearly all of the data and assets in the dispute portal would have been categorized as highly classified and subject to increased monitoring and other security controls. Had this been in place, there is a strong likelihood the breach would have been stopped or detected before the data was exfiltrated. VIII. LOGGING, MONITORING, SYSTEM INCIDENT AND EVENT MANAGEMENT 33.The Settlement Agreement provisions concerning Security Information and Event Management8 and logging and monitoring9 together require Equifax to implement security tools that will detect suspicious hacker activity so Equifax can repel the hackers before they are able to exfiltrate sensitive information. Equifax must remediate its pre-breach security deficiencies in this area and maintain and upgrade it its capabilities, under the oversight of the independent third-party assessor. 8 9 Id. § 5. Id. § 6. - 14 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 17 of 38 34.Security Information and Event Monitoring (SIEM) and other logging and monitoring processes and tools are akin to extremely sophisticated burglar alarms for computer networks. Put simply, logging and monitoring is the act of collecting and analyzing what happens on a computer system, comparing it to a baseline of normal behavior for the network, and alerting when predefined or anomalous behaviors are observed. When properly implemented, system activity will be automatically recorded in log files. A log may note, for example, that a particular user has accessed a system or that a user tried to use an incorrect password to log onto a database. The amount of log data collected generally increases with the sensitivity of the system. A SIEM is the common name for systems that mine vast quantities of real-time and historical log data for suspicious patterns of activity and issue a range of alerts based on that activity. Logging and monitoring and SIEM systems have been standard components of corporate information security programs for several years. 35.At the time of the data breach, Equifax had implemented some of these security controls in some parts of its network. In critical areas, however, these systems were never installed, had been misconfigured, or even disabled. Given the sensitivity of the information they stored, the breached portions of - 15 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 18 of 38 Equifax’s network should have been carefully monitored for intrusions, which would have led to the pre-breach detection of these hackers. 36.Stated simply, the Settlement Agreement requires Equifax to implement and correctly configure the processes and tools to log, monitor, and alert when anomalous behavior occurs. The provision contains the detail required to ensure meaningful security improvements, while providing Equifax flexibility to further improve security as technology changes of the course of the Settlement term. Furthermore, periodic third-party validation and testing to ensure the proper implementation and configuration will provide assurances that confidential data is being protected. These provisions are a critical security component that will allow Equifax to protect all consumer confidential data and the systems on which they reside. IX. VULNERABILITY PLANNING, VULNERABILITY SCANNING, AND PATCH MANAGEMENT 37. The Settlement Agreement’s provisions concerning vulnerability planning,10 vulnerability scanning,11 and patch management are complementary provisions designed to ensure that Equifax systematically anticipates, detects, assesses, and remediates vulnerabilities in the Equifax Network. In 10 11 Id. § 9. Id. § 7. - 16 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 19 of 38 this context, the term vulnerability simply means a potential information security weakness. 38.Vulnerability planning refers to an organization’s overall strategy for identifying vulnerabilities, applying a risk categorization to each vulnerability, and remediating or eliminating the vulnerabilities on a timeline and in the manner appropriate for the risk category. It also includes processes for responding to third-party notices of proven or potential vulnerabilities. For example, when a vulnerability is ranked as “critical,” the most severe rating, an organization should begin remediation planning within 24 hours and, if possible, complete remediation within one week. If remediation is impossible, then the company should instead implement appropriate compensating controls within that same week. 39.Vulnerability scanning is one process used to identify certain types of vulnerabilities. Vulnerability scanning tools search for known vulnerabilities one device, application, port, etc. at a time. The scan results should then be considered as part of the broader vulnerability planning and overall security program. 40.Patches are software updates that are released to fix bugs or address security vulnerabilities. Patch management is the administrative process of ensuring - 17 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 20 of 38 that appropriate patches are implemented where they are needed and on an appropriate time frame. 41.The Equifax data breach is the textbook case for why vulnerability planning, vulnerability scanning, and patch management are vital components of an information system. Even before the Apache struts vulnerability exploited in this data breach was formally announced, online videos surfaced detailing how to take advantage of the Apache Struts vulnerability were available.12 The videos had millions of hits and the step-by-step hacking process shown in the videos did not require advanced tech experience to perform. In addition, the actual scanning process to find out if a vulnerable Apache server was exposed to the Internet was free. 42.On March 8, 2017, the Apache Struts vulnerability was formally announced by the United States Computer Emergency Readiness Team. Two days later, unidentified individuals were scanning Equifax’s systems for the vulnerability. Equifax did not ask system owners to install the patch that would fix the vulnerability until a week later. The vulnerability planning provision in the Settlement Agreement mandates a faster response. 43.Similarly, Equifax did not have an asset management system to identify all potential Apache servers, nor did it perform vulnerability scanning to find 12 Senate Report at 34. - 18 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 21 of 38 and validate that it had remediated all of its vulnerable systems, and therefore overlooked the unpatched server. The vulnerability scanning provision of the Settlement Agreement squarely addresses this issue. 44.Implementation of a comprehensive vulnerability planning and scanning process and tools would have mitigated, and most likely prevented, the Equifax data breach. Accordingly, these provisions provide important reassurances for the Class Members going forward. X. FILE INTEGRITY MONITORING 45. Another important provision of the proposed business practice changes is the requirement that Equifax implement a governance process for file integrity monitoring.13 46.File integrity monitoring is a security control that involves detecting and alerting if security-relevant files on a system change unexpectedly or without authorization. While it is common for the files on a given system change to change, certain unauthorized changes can indicate that a cyber attack is underway. File integrity monitoring processes identify and isolate changes that are concerning and flag them for additional review. For example, hackers often disguise malware as a legitimate system file to avoid detection. By comparing the contents of such files to a known baseline, the file integrity 13 Term Sheet Ex. B, § 13. - 19 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 22 of 38 monitoring system can see through the disguise, delete the malware, and issue an appropriate alert. 47.File integrity monitoring has been a standard control in most comprehensive information security programs since 2012. Nonetheless, I was unable to find evidence of Equifax implementing file integrity monitoring on the breached dispute portal at the time of the breach, and publicly available sources indicate it was not in use.14 Had file integrity monitoring been implemented on the dispute portal, it likely would have prevented the hackers from exfiltrating consumer data. XIII. LEGACY SYSTEMS 48.Another key business practice change covered by the Settlement Agreement concerns remediating so-called legacy systems within five years of final settlement approval.15 49.In information technology parlance, a legacy system is an antiquated or outdated computer system that is still in use. Organizations sometimes obtain legacy systems through acquisitions. Alternatively, after long enough, the organization may have no employees who are sufficiently familiar with the outdated system to move the data onto a state-of-the-art system. Regardless of the reasoning, continued use of legacy systems often introduces many 14 15 See, e.g., Senate Report at 46. Term Sheet Ex. B, § 14. - 20 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 23 of 38 security vulnerabilities, particularly because they often are not supported by their vendors. 50.At the time of the data breach, Equifax relied on a large number of legacy systems. Many of these systems were over 20 years old. Notably, the Automated Consumer Interview System (ACIS) that the hackers accessed was built in the 1970s. It is practically impossible to adequately secure data in a system of such antiquity. Nor was ACIS the only antiquated system in use at Equifax. 51.To address these vulnerabilities, the Settlement Agreement requires Equifax to fully remediate its legacy systems within five years of final settlement approval. Equifax also will be required to implement compensating controls to secure the systems pending remediation. Then, to ensure that Equifax does not continue to rely on legacy systems, the Settlement Agreement requires it to maintain an active lifecycle management process. This process will require Equifax to replace and deprecate legacy systems on an ongoing basis. 52.On its own, requiring Equifax to ending its reliance on legacy systems will substantially improve the security of Equifax’s systems and the consumer information Equifax stores. XI. MANDATORY TRAINING - 21 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 24 of 38 53.The Settlement Agreement requires Equifax to provide at least annual training in information security to all employees, with additional training provided as appropriate based on the employees’ job duties.16 54.Providing at least annual information security training to all employees is a standard component of an enterprise information security program and meaningfully reduces the likelihood that employees will fall prey to a phishing attack. Employees whose job duties require them to access sensitive information should augment the annual training with specific training that is appropriate for their job duties. Finally, even more specific training should be provided to employees working in information security. 55.In reviewing materials related to this case, I observed that the lack of adequately trained personnel was a factor that contributed to the data breach. Equifax had an information security training policy in place before the data breach, but no evidence the policy was followed. In addition, key personnel failed to fulfill their information security responsibilities. From this, I conclude that Equifax’s pre-breach training program was inadequate. Because the types of training required will evolve over time, the Settlement Agreement permits Equifax wide latitude in designing a better training program for its employees. The sufficiency of that program, however, will be 16 Id. § 18. - 22 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 25 of 38 evaluated by the Third-Party Assessors, to ensure that the training is effective and appropriate. XII. INFORMATION SECURITY SPENDING 56.To ensure that Equifax is able to complete the broad-ranging security upgrades required in the Settlement Agreement, the parties agreed that Equifax will spend at least $1 billion on data security and related technology over the next five years.17 This represents a substantial increase over Equifax’s pre-breach security spending. Further, in the course of my work, I have observed a pattern across many industries in which corporations provide ample funding to information security departments in the aftermath of a data breach. After a year or two, however, the companies drastically scale back information security funding, often before all of the planned security improvements have been completed. By requiring Equifax to spend at least $1 billion over five years, the Settlement Agreement aims to ensure that the business practice changes will be appropriately funded. XIII. THIRD PARTY ASSESSMENTS 17 Id. § 22. - 23 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 26 of 38 57.The third-party assessment provision is the lynchpin of the business practice changes, and to my knowledge is more stringent than what has been obtained in any other private data breach settlement.18 This provision requires Equifax to retain a qualified and unbiased cybersecurity organization approved by a regulator that will conduct rigorous assessments of its cyber security policies and practices, evaluate them consistent with established auditing procedures and information security standards, and establish deadlines for Equifax to shore up any deficiencies identified. 58.First, the organization conducting the Third-Party Assessment must be unbiased, independent, and qualified. To prevent any appearance of bias, the Third-Party Assessor must be approved by a regulator after Equifax discloses any compensated engagements with the Third-Party Assessor in the previous two years.19 The provision also mandates that the Third-Party Assessor have appropriate qualifications and experience for the job.20 59.Second, the Third-Party Assessments will be procedurally rigorous. The assessor must either conduct an audit that meets the SOC 2 Type 2 attestation requirements or adhere to an industry-recognized auditing procedure that is approved by a regulator for use in the assessment.21 18 Id. § 23. Id. § 23(a). 20 Id. 21 Id. § 23. 19 - 24 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 27 of 38 60.Third, the Third-Party Assessments will be substantively rigorous. The assessor is required to evaluate both Equifax’s policies and its actual practices, and how they meet the requirements of NIST or a comparable cyber security standard.22 And to the extent the specified business practice changes differ or exceed the applicable cyber security standard, the ThirdParty Assessor also must confirm that Equifax has complied with the agreedupon business practice changes.23 61.Fourth, the Third-Party Assessor has the authority to define the scope of the assessment.24 This is a crucial requirement. Even the most wide-ranging cyber security assessment cannot examine every configuration setting on every system in a large corporate network. There is always some degree of sampling performed. In less rigorous assessments, the organization being audited chooses what the assessor examines—and they frequently avoid choosing vulnerable portions of their environments. In contrast, this Settlement Agreement gives the Third-Party Assessor sole authority to establish the scope of the assessment in consultation with Equifax. 62.Fifth, while it is common for cyber security assessments to identify vulnerabilities or areas for improvement, many companies are slow to fix the 22 Id. § 23(c). Id. § 23(e). 24 Id. § 23(b). 23 - 25 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 28 of 38 problems that are identified. The Settlement Agreement, however, requires the Third-Party Assessor to “establish dates by which Equifax shall remediate the deficiencies identified or implement compensating controls.”25 Thus, this provision is not merely a way to identify problems; it will drive their resolution. 63.As a final oversight measure, any material deficiencies identified by the Third-Party Assessor will be reported to Consumer Plaintiffs’ Counsel along with the plan for remediating them.26 64.Altogether, this Third-Party Assessment provision is a real oversight mechanism that provides substantial benefits to consumers. XIV. ADDITIONAL BUSINESS PRACTICE CHANGES 65.In addition to the business practice changes detailed above, the Settlement Agreement requires Equifax to develop and maintain information security controls in a number of key areas. These include penetration testing, threat management, access control and account management, encryption, data retention, vendor management, incident response exercises, treatment of data gathered through TrustedID, and breach notification.27 Each of these controls 25 Id. § 23(f) Id. § 23(g). 27 Id. §§ 8, 11-12, 15-16, 19, and 20-21. 26 - 26 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 29 of 38 helps to safeguard the consumer information in Equifax’s systems. But effectively implementing these controls will require Equifax to make many system-specific determinations, and the implementations may need to adapt over time as Equifax’s security posture improves. To avoid freezing Equifax’s security at current levels for the next five years, the Settlement Agreement requires that these controls be “reasonably designed” or “adequate.” But because the Third-Party Assessments must evaluate settlement compliance, these provisions ensure that the Third-Party Assessors will make appropriate findings in light of security standards and risk postures at the time of the assessment. In my opinion, this managed flexibility improves the quality of the overall settlement for consumers. SUMMARY AND CONCLUSION 66.In my assessment, comprehensive implementation of the proposed business practice changes should substantially reduce the likelihood that Equifax will suffer another data breach in the future. These changes address serious deficiencies in Equifax’s information security environment. Had they been in place on or before 2017 per industry standards, it is unlikely the Equifax data breach would ever have been successful. These measures provide a substantial benefit to the Class Members that far exceeds what has been achieved in any similar settlements. - 27 - Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 30 of 38 I declare under penalty of perjury, under the laws of the United States of America, that the above statements are true and correct. Executed on this the 19th day of July, 2019, in Edina, Minnesota. - 28- Case Document 739-7 Filed 07/22/19 Page 31 of 38 EXHIBIT A Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 32 of 38 5151 Edina Industrial Blvd Suite 550 Edina, MN 554371 MARY T. FRANTZ Office: (952) 496-2460 Mobile: (612) 239-5195 Maryf@ekpartner.com Professional Summary • • • • • • • • • • • • • • • • • • Both full time and interim executive leadership roles in technology, security and operations for Fortune 100 and multiple start-ups; Lead teams in excess of 300, managed a successful business for 15 years’ with over 17 full time consultants and more than 35 subcontractors. IT Security and Audit experience and certifications including CISA, CIPv3/5, CEH v7/9, CPT, CMS / HHS Data Validation certified auditor, CIPP, HITRUST, FINRA, Sarbanes-Oxley, HIPAA / HITECH, CMS, GLBA, PCI, CFR Part 11, Basel III, ISO 27002, SSAE16/18, GDPR, FedRAMP, NYCRR 500, and CMS Data Validations. Expert witness in 12 national data breach investigation and litigation cases; primary expert in over 19 data breach (including EU data directive sanctions) investigations, 27 corporate investigations including but not limited to IP theft, contract disputes, data analysis, medical/healthcare fraud, financial compliance, insider trading and foreign corrupt practices (FCPA). As a senior executive consultant with two major energy companies; provide input into the smart grid privacy, security and rate case reviews. Provided expert testimony and deposed in cyber security incidents, CMS data validations for health care issues and fraud, financial issues, telecommunication, voice/data / telemetric implementations, investigations, data/call/billing detail and VOIP. Over 20 years’ experience working with in health payer, provider, device and pharma organizations. Experienced executive leader (Director and Officer); interim CIO, CISO, and CCO (Chief Compliance Officer) for several clients. Designed the CMS federal data validation audit template and lead audits on over 25 health plans nationwide. Performed and / or lead the forensic investigations, extractions, review and production in over 30 national and international cases. Lead multiple distinct global ERP / CRM / EMR implementations at Fortune 500 firms over 15 years (Oracle, JDE, SAP, Exact, Sage, EPIC, McKesson, Cerner, Infor, Lawson, and others). Fluent in design, development of cloud and virtual systems. Lead and participated in over 15 process design improvements and reengineering for global energy and manufacturing organizations. Designed and implemented IDM / IAM solutions in multiple organizations and part of he original IDM architecture at Novell, Microsoft and Cisco. Extensive business process re-design at all corporate levels with proven savings in excess of $20M Aggregate project savings in excess of $25M through strategic consolidations, architecture and development methodology alignment Paneled executive round-table discussions, taught over 7 CLEs on eDiscovery, Legal Hold, Cybersecurity, Data Breach prevention and currently one of the few non-attorney leaders requested to contribute and lead subsections on the MN e-Discovery Working Group and Civil Task Report on improving eDiscovery and forensic technology processes for the State and Federal Judiciary Fluent in engineering platforms, manufacturing systems, telecommunications, and other environments, non-active APICS certified Multi-lingual with extensive multinational experience Mary T. Frantz -2- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 33 of 38 Professional Experience ENTERPRISE KNOWLEDGE PARTNERS, LLC, (2004 - Present), Founder and Managing Partner Founded EKP, LLC in 2004. Mary is a keynote speaker, publisher, and quoted in over 10 technology and industry journals. EKP is vendor agnostic and will not act as a reseller in any capacity. Services offered: Technology Strategy • Enterprise Architecture and Infrastructure • Technology Strategy & Alignment • M&A Consolidations, Data Mapping • ERM, Claims, ERP (SAP, Oracle, Lawson, Facets, Epic, Infor, Exact, and more) • Testified on identity management systems and health care claims adjudication, Managed Care Benefit Utilization statistical calculations, RICO, ERISA • Big Data (Hadoop frameworks, Mongo, Cassandra, Hive and more) Security / Incident Response: • Breach Remediation • Vulnerability Scanning, Penetration Testing • IR/DC/BC Strategy and Testing • Internal Investigations • Expert Testimony (variety of cases) Forensics: • Collection: Onsite and Remote • Computer, Network, Cloud, Mobile, Specialty Products • Fraud Detection • Internal Investigations • Expert Testimony (variety of cases) Audit / Compliance • Security and Privacy policy frameworks • FISMA, NIST CSF, HIPAA Security, CSA, OCC, Sarbanes Oxley, FedRAMP, SSAE16/18 • Specialists in Safe Harbor / GDPR • Security / Privacy / Risk Posture Assessments / PIA • Security Architecture, Design • IT Risk Management and Controls • Clients: Current and past clients include, but not limited to: Imagine! Print Solutions, Mayo Clinic, Hewlett Packard, Zimmer Medical, MaxMind, Patterson Companies, Compeer Financial, Amplifon, MedNet, Glen Eagle Financial Advisors, Cabela’s, John Deere, Office Depot/Office Max, Carlson Companies, Allianz Life, Novartis, International Truck, CH Robinson, Starkey Labs, ATS Medical, St. Jude Medical, Nystrom, US Department of Homeland Security, US Department of Defense, US Center for Medicare and Medicaid (CMS), US Department of Health and Human Services (HHS), Fairview Health Services, Select Comfort, Post Foods, Gander Mountain, HeathEast Care Systems, Sanford Health, Prime Therapeutics, WellPoint, Anthem, Uromedica, Xcel Energy, United Bankers Mary T. Frantz -3- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 34 of 38 • • • Bank, Exxon, Sunoco, Johns Hopkins, Herman Gerel, LLP, Seyfarth Shaw, LLP, Winthrop & Weinstein, Lockridge Grindal Naun, Mendoza Law, Skadden, Weitz & Luxemberg, Stohl Rives, Littler Mendelson, Briggs & Morgan, Principal Financial, Delta Dental of MI/IN/OH/NC, Blue Cross / Blue Shield organizations (25), State of Illinois Department of Insurance, Minnesota State Court Administration, Minnesota Judicial Department, Washington County, Shutterfly, Pentair, Whirlpool Corporation, McGough Construction, Delta Dental, MedNet Study, HP, Google, Goodwin Proctor, Verata Health, Health, Seeger & Weiss, various other national law firms and corporations Client Leadership Roles: Interim Director of IT; CSO / CISO, Chief Compliance Officer, Chief Privacy Officer, Interim Chief Information Officer, Interim Board Member; Acting Sr. Business Strategy Manager; Senior Program / Project Manager; Sr. eDiscovery Advisor; and Chief Auditor Speaking Engagements: Computer Enterprise and Investigations Conference (CEIC), Upper Midwest Employment Law Institute , Twin Cities Privacy Retreat, IQPC eDiscovery for Financial Services (NY and DC), ARMA (Dallas, Chicago, and Minneapolis), Financial Executives International (FEI), Midwest Society of Association Executives (MSAE), Cyber Security Summit, Secure 360, Women in eDiscovery (WIE), Forbes CIO Retreat, Health Information Management Systems Society (HIMSS), guest lecturer at NYU Law School and Cardozo School of Law (NY) for both e-Discovery and Health Law topics, Cardinal Stritch Marketing and Business Communications lecturer, Northern Illinois University, StemCONNECTOR, ACC (Association of Corporate Counsel), University of Minnesota, University of Chicago, Enterprising Women International Conferences ( Cape Town, SA, Lisbon, and Miami FL), eClub International, Cyber Security Summit, RSA, Federal Bar Association, 2018 UBB National Conference, 2018 MN IT Government Symposium Lecture/Education: Guest Instructor University of Minnesota Humphrey School of Law – eDiscovery and Forensic Seminar; University of Minnesota, St. Paul and Metro State, St. Paul - Security and Ethical Hacking; Guest Lecture University of Chicago and Northern Illinois University: Master’s in Information Systems Lecture on Information Governance; MNCaps Corporate Sponsor, Student Mentor in Business Pathways, Guest Expert Capstone Projects Anoka Hennepin School District (Jackson Middle School), Guest Instructor University of Virginia and University of Virginia Law School. CARLSON MARKETING GROUP, INC., Plymouth, MN July 2003 – May 2004 Sr. Director, Architecture & Security Services: Responsible for IT applications architecture, security and audit compliance, privacy, litigation support, application development and IT service marketing strategy for both internal and external customers. Customers included US Government Travel Office, Merck, Visa, Target Corp., Northwest Airlines, British Airways, Certegy, State Farm Insurance, MBNA, Bates Casket Co., Hewlett Packard, and Hallmark. • • • • • Achieved eight commendations for innovative leadership Developed the common architecture and security framework for marketing to external customers Created defensible practices and responsible for contract drafting oversight and contract audit Implemented enterprise IDM solution Led and managed matrix teams throughout IT and Operations to perform the following: • An enterprise service-oriented architecture and identity management strategy • Infrastructure (server /mainframe, and network capacity) planning strategy and implementation • Enterprise business architecture strategy planning, including marketing and sales organizational structure • Development of product and service pricing strategies; sales presentations and RFP responses • Developed two-year strategy plan for compliance with SOX, HIPAA, Visa CISP / MC DSP and ISO17799 • Primary representative for litigation support and eDiscovery for corporate systems Mary T. Frantz -4- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 35 of 38 June 2001 – July 2003 CONSULTANT Hired on retainer or hourly for multiple roles: • • • • • • • • Lead eDiscovery of email; help desk and eCommerce systems for Land O’Lakes v Farmland Feed. Created successful bid for large corporate partnership agreement on behalf of two local consulting companies for Data Warehouse / CRM implementation and Oracle 11i upgrade. Assessment and merger recommendations; due diligence New business venture development assessments RFP and proposal project management Applications Architecture Strategy and Business Process Assessment for medium sized medical manufacturing firm; resulted in operational savings in excess of $1M annually after expenses (Centerpulse / SpineTec). Integration of Purina Mills and Terra Industries for Land O Lakes with subsequent relocation and closing of farm animal feed locations; simultaneous management of 119 networked co-op locations throughout the US for feed and seed JDE, Oracle, PeopleSoft, SAP conversions and implementations ORION CONSULTING, INC., Bloomington, MN October 2000 - June 2001 ERP, Compliance Technology and Operations Strategy Practice Lead Overall responsibilities included directing the individual consulting industry verticals in strategic assessments primarily based on technological support of business strategy objectives for world-wide client base. • • • • • Formulated proposals, client presentations and advising on strategic directions for business functional and technical teams Contracted team for large defense manufacturing organization to develop long term business and technology strategy Developed BPA strategy for realignment within Oracle 11i applications (improved use of BOM, Inventory, and eProcurement modules; implementation of VAT tax systems, GL consolidations of multi-org environments Managed and developed industry partnerships in the CRM, ERP (Oracle), and the B2B/C software applications practices. Authored white papers on CRM, Knowledge Management, and Identity Management November 1997 – September 2000 NOVELL, INC., Provo, UT / San Jose, CA Sr. Director, Global e-Business Engineering New Product Management & Architecture: Senior director of global IT architecture and identity management product engineering for 5 countries. Business duties included promoting security products and congressional lobbying for tools designed to reduce identity theft, lobbying for EU recognized safe harbor provisions, and other security and privacy considerations. Internally, responsible for business engineering product/project management regarding all enterprise applications including Oracle ERP and Seibel, PeopleSoft, VAT taxing in EMEA, and ecommerce “bolt-ons” for Novell’s ASP / ISP presence for channel on-line sales, outsourcing retail sales distribution and product warehousing, IDM zero-day start. In addition, achieved proven operational savings exceeding $2.5M. External clients included, but not limited to, Hewlett Packard, Oracle, Republic of Germany (country), CNN, US Airforce, and 3M. Performed expert witness testimony in multiple lawsuits. Global Program Director, ITS Applications Architecture: Responsible for global teams in 5 countries implementing and managing global data warehousing and web portal solutions (Cognos, Brio, Microstrategies, and Hyperion); Enterprise project/program management guidelines / governance; implemented collections system for Finance; ISO 9000 certification; all Mary T. Frantz -5- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 36 of 38 manufacturing systems of gold master CD’s and related global distribution of product via online sales and distributers. Manager, Business Applications and New Technology: Developed hardware specifications and budget for strategic 3-year implementation plans and provided technical consultation with executive level customers explaining business values of technical decisions and computing ROI. Direct reports consisted of 45 contractors and 12 Novell senior developers. Managed employees in the Dublin (Ireland), San Jose (CA), and Orem/Provo (UT) offices. Manager, Global Financial Applications: Management of all business financial application services for Novell in 7 different countries including contract management and sales tools. TOTAL SYSTEMS SERVICES, Columbus, GA / Global February 1996 – June 1997 Product Manager / Assistant VP, Total Access: Ms. Frantz created the Total Access SAS team providing on-site consulting services for portfolio and custom credit analysis applications. Customers included but not limited to GECF, GE Fleet, Banjercito, Banco Central de Mexico, Royal Bank of Canada, Peoples Bank, Bank of America, Federal Reserve of Chicago and Minneapolis, Nations Bank, and Wells Fargo. Overall quarterly net revenue generation exceeded $1M in consulting services / licensing fees, and $800K in custom package development. In addition, Mary provided language translation for South and Central American customers and worked with international partners to monitor and prevent credit card and banking fraud. FMC / MCI TELECOMMUNICATIONS, Atlanta, GA / Dallas TX May 1991 – February 1996 MCI Team Lead/Project Lead Corporate Business Engineering, Atlanta GA Overall responsibility for customer-based and MCI enterprise projects for large corporate voice and data accounts. MCI Team Lead: Sr. Systems Analyst, Atlanta, GA Awarded small business Director’s Club award three consecutive quarters for highest performing team. Team was responsible for managing the outsourced Microsoft call center systems and analyzing voice and data line minutes and revenue for small business services division. FMC Consultant / Project Team Lead, Dallas, TX Managed resource measurement analysts team including production conversion of MVS 3.3 to MVS 4.2; conversion from Pace Kommand Chargeback systems to MICS Accounting and Chargeback; upgrade from SAS 5.18 to SAS 6.07. Resource measurement for all defense and navel R&D and manufacturing facilities, FMC Gold, Food Manufacturing (FMG) and Airline Equipment divisions (AED). Analyzed and testified for the Tariff 12 AT&T agreement on behalf of FMC, US Senate hearings FMC Resource Measurement Analyst, San Jose CA and Dallas TX Responsible for primary support and maintenance for internal and external customer chargeback systems on all platforms and Capacity planning on four platforms including voice and data primarily to support Gulf War activities including Telco fraud investigations, system security and contract base-lining for Department of Defense, foreign language translation of project requirements for international customers. Mary T. Frantz -6- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 37 of 38 Education & Professional Certifications Education / Honors: Minnesota Academy of Science and Engineering • Lead Judge State Science and Engineering Fair for MS and HS– Technology, Physics and Ecology (2014 – present) STEMConnector • Top 100 Leaders in STEM 2016 Enterprising Women Magazine • 2016 Enterprising Woman of the Year • 2017 Foundation Award Winner Northern Illinois University – Appointed Executive In-Resident • MIS Experiential Learning Center for MIS candidates Business Journal – Twin Cities • 2008 Top 25 Women to Watch National Organization for Women Business Owners – National and MN Chapter • 2007 Young Business Woman of the Year National Organization for Women Business Owners – MN Chapter • 2005 Recipient of the “Woman on the Way” Bachelor of Science 1991 – Northern Illinois University, Dekalb, IL • Concentration: Information Systems and Operations Management Bachelor of Science 1991 – Northern Illinois University, Dekalb, IL • Concentration: International Relations Bachelor of Arts 1991 – Northern Illinois University, Dekalb, IL • Concentration: Foreign Language Business Translation (Spanish & French) Bachelor of Arts 1991 – Northern Illinois University, Dekalb, IL • Concentration: Math / Statistics MBA, University of Chicago • Concentration: International Business/International Finance and Investment MS, Georgia Institute of Technology, Atlanta, GA and University of Texas at Arlington • Maters of Engineering - Computer Science Engineering Activities, Boards, Memberships & Certifications • • • • • • • • • • • MN Cyber Range – Instructor via Metro State College Certified Ethical Hacking Adjunct Professor – University of Minnesota Board Director, Minnesota Academy of Science, Minnesota Academy of Applied Sciences - Treasurer Advisory Board, Enterprising Women International and Enterprising Woman Magazine Advisory Board, Cyber Security Summit Elected School Board Director – Prior Lake / Savage District 719 (2016 – present) SouthWest Metro Intermediate District – Board of Directors Adjunct/Guest Expert, Mayo Clinic - Board of Trustees Association for Records Management (ARMA) - chapters in MN, Chicago, and Dallas Millennial Leaders, Upper Midwest Chapter Women in e-Discovery, Lead Sponsor, Twin Cities Mary T. Frantz -7- Case 1:17-md-02800-TWT Document 739-7 Filed 07/22/19 Page 38 of 38 • • • • • • • • • • • • APICS – Chicago chapter, non-active certification in Inventory and MRP II National Organization for Women Business Owners (NAWBO) Information Systems Audit and Control Association (ISACA) Performance Measurement Association (PMA) International Standards Organization (ISO) - contributing member Enterprise Architecture Community (EA) HITRUST CSF CISSP Certified Information Systems Security Professional CISA Certified Information Systems Auditor 2007, recertified June 2012 CEH Certified Ethical Hacker certified 2009, re-certified March 2013 CEHv7, CEHv9, CEHv10 CPT Certified Penetration Tester (InfoSec Institute) CIPP Certified Privacy Professional – US and EU ( EU is non-active, waiting re-cert test) REFERENCES and LEGAL MATTERS AVAILABLE UPON REQUEST Mary T. Frantz -8- Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 1 of 23 Exhibit 7 Declaration of James Van Dyke In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 2 of 23 UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION IN RE: Equifax, Inc., Customer Data Security Breach Litigation ) ) Case No.: 1:17-md-02800-TWT ) ) Consumer Actions ) ) Declaration of James Van Dyke Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 3 of 23 I. Introduction and Relevant Qualifications I, James Van Dyke, pursuant to 28 U.S.C. § 1746 hereby declare as follows: 1. I am the Founder and CEO of Futurion.digital, Inc., a research-based consulting firm specializing in areas including consumer identity fraud and security, as well as financial and payments technology. I am also the founder, CEO, and inventor of Breach Clarity, launched in March of 2019 to compute risks and recommend action steps for all publicly-reported US data breaches (currently covering January 2017 to the present, plus some earlier prominent breaches).1 I currently serve on the Board of Directors of The Identity theft Resource Center, a 501(c)3 non-profit focused on mitigating consumer risks created by data breaches. From 2013 to 2016, I also served on the Consumer Advisory Board of the Consumer Financial Protection Bureau—an agency of the United States responsible for consumer protection in the financial sector. Prior to establishing Futurion, I founded and served as CEO of Javelin Strategy & Research, a leading provider of quantitative and qualitative research on subjects including consumer security, fraud, digital banking, payments, and financial transaction innovation. Before that, I started the financial services research unit of Jupiter Research, a New York company providing similar offerings to Javelin’s. 1 Any outputs from the publicly-available free, algorithm-driven, and extremely high-level version of Breach Clarity are not intended to in any way be a substitute for my in-depth and personalized opinion that was created for this or any other expert witness report through my traditional research methods. 2 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 4 of 23 2. My pertinent qualifications include substantial research and leadership in the fields of fraud and security, particularly harms including identity theft and fraud that result from data compromise. This expertise builds on over a decade of conducting and publishing primary research of consumers, banks, merchants, and vendor-solutions directly concerned with the subject of consumer identity theft and the enabling act of personal data compromise. This research was primarily purchased by organizations that sought to mitigate or minimize the damage from identity crimes, such as financial institutions, merchants, government agencies, and specialty vendors. 3. Directly, or through my staff members, I have provided strategic and research-driven advice to most of the nation’s largest consumer financial institutions, retail financial tech-sector vendors, as well as a select number of identity-protection services vendors who generally are focused on creating services that empower or protect consumers’ financial health. 4. I have a Bachelor of Science degree from San Jose State University and a Master of Business Administration from Golden Gate University—both of which I earned with honors. 5. My former company, Javelin Strategy & Research, is the leading provider of research on the subject of consumers’ experience in harms stemming from compromise of personal identity data, including identity theft or fraud and 3 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 5 of 23 other related topics, which includes a focus on financial services and payment transaction systems (because this is one area where identity criminals frequently seek to profit from the results of data compromise).2 Javelin continues to be known for its industry-leading, rigorous, and annually-recurring research studies of consumer financial services behaviors, attitudes, industry practices, and technology trends, related to such topics as mobile banking, personal financial management, payments, security, cybercrime, and identity fraud or theft. In particular, Javelin uniquely provides annual primary research-based studies of the consumer, business, and financial services impact of identity theft and fraud, including its link to data compromise. In 2012, I sold 100% of my interest in the company to Greenwich Associates, a privatelyheld research company focused on commercial financial institution operations. I concluded my post-sale relationship with Javelin on December 31, 2015. Javelin’s studies represent the largest body of available identity-theft research, with at least four major methodologies: 1) surveying over 5,000 consumers each year to assess the latest patterns of identity crimes, along with the relationship to the enabling component of data compromise (such as data breaches); 2) merchants’ experiences with consumer identity theft; 3) bank efforts to empower consumers to protect themselves against identity fraud and related security incidents; and 4) a comparison of identity-protection service providers. Because Javelin produces some of the most rigorous and widely-cited studies on identity theft, I cite them frequently. First published in 2005 to build on methodologies created by the Federal Trade Commission, Javelin’s annual identity-theft survey report asks consumers a wide variety of questions related to their experiences with identity fraud or other misuse, notifications of data breaches, and practices related to security, payments, and other areas of financial services. Over the years, over 50,000 consumers have been cumulatively surveyed in the annual Javelin identity theft reports. Javelin’s work was under my supervision through December 31, 2015. In Appendix A of this study, I have provided a methodology statement for Javelin’s most significant report, the Identity Theft Survey Report, which is cited extensively in this report because it is the nation’s only annually-deployed and nationallyrepresentative consumer identity fraud survey. 2 4 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 6 of 23 6. Original research from Javelin is used or has been cited by the U.S. Congress,3 Consumer Financial Protection Bureau,4 United States Department of Justice,5 Board of Governors of the Federal Reserve System,6 regional Federal Reserve banks,7 the Federal Deposit Insurance Corporation,8 the U.S. Department of the Treasury, Federal Trade Commission,9 and all or nearly all of the largest banks, payments firms, and associated financial technology vendors operating in the United States. 7. I have been interviewed for hundreds of news media articles or featured stories including Bloomberg, Financial Times, Fox News live television, National Public Radio (NPR), the front page of The New York Times, The Washington Post, and Wired. The widest coverage of my research-based opinions has been on the subject of identity theft or fraud, and in particular in response to research released under my supervision that surveys consumer fraud victims or benchmarks bank and merchants’ efforts to fight identity theft. 3 https://fas.org/sgp/crs/misc/R40599.pdf https://files.consumerfinance.gov/f/201511_cfpb_mobile-financial-services.pdf 5 https://www.justice.gov/sites/default/files/usao/legacy/2008/04/16/usab5602.pdf 6 https://www.federalreserve.gov/pubs/bulletin/2012/articles/MobileFinancialServices/mobilefinancial-services.htm#f24 7 https://www.frbatlanta.org/-/media/documents/rprf/rprf_pubs/130408surveypaper.pdf 8 https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin12/siwinter12article1.pdf 9 https://www.ftc.gov/system/files/documents/public_comments/2017/10/00008-141502.pdf 4 5 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 7 of 23 8. Within at least the last four years, I have testified as an expert at trial or by deposition in numerous data breach cases. II. Scope of Assignment & Compensation 9. I have been asked by Consumer Plaintiffs’ counsel to evaluate the Identity Theft Protection Solution (IDPS) being offered as part of the proposed settlement of this class action and opine on its suitability for the harms that Equifax data breach victims are likely to face as a result of the breach. 10. Consumer Plaintiffs’ counsel are compensating me at my standard hourly rate. No aspect of my compensation depends upon my reaching any particular conclusions or on the outcome of this case. 11. I have personal knowledge of the facts set forth below, or I am informed of certain facts as described below based on my review of documents or discussions with counsel for Consumer Plaintiffs. If called to testify, I could and would do so competently. 6 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 8 of 23 III. Individuals Whose Personal Data Is Compromised Experience Increased Risks Resulting from that Compromise 12. Individuals whose personal data is comprised are subject to increased risk because of that compromise. Without a data breach or other data exposure, there can generally be no fraud, “identity theft”, or other personal information misuse. This is true because unauthorized access to PII is what makes identity fraud (sometimes called “identity theft”) possible. Furthermore, increased access to private data—either in the form of repeated breaches or increased breadth of exposures—increases the risk of injury to levels above what they otherwise would have been.10 13. Consumer victims of data breaches are much more likely to become victims of identity fraud. For example, individuals who reported that they were victims of one or more data breaches were also more likely to report being a victim of identity fraud.11 14. The average victim of identity theft or fraud pays a significant personal toll. Identity theft or fraud often directly causes unreimbursed losses such as legal fees, bounced checks, late charges, service reinstatement fees, credit 10 Rising Number of Data Breaches Increases Threat of Identity Fraud http://consumerfed.org/press_release/rising-number-data-breaches-increases-threat-identityfraud/, Sept 06, 2016. 11 2014 LexisNexis True Cost of Fraud Study, https://www.lexisnexis.com/risk/downloads/assets/true-cost-fraud-2014.pdf, accessed May 14, 2019. 7 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 9 of 23 freezes, and other related expenses (e.g., copying, postage, notary fees). Some victims pay fraudulent debts to avoid further problems. Importantly, multiple government, private sector, and non-profit organization research studies have reported on the emotional toll from which victims of identity theft and fraud suffer. 15. Fraud figures for any given year add up to a substantial amount of crime, representing losses to commercial organizations, individuals, and others. For instance, in 2016 the face-value total of all identity fraud incidents encountered by 15.4 million victims of identity fraud in 2016 was $16 billion.12 IV. 16. The Immutable Data Taken in the Equifax Breach Place Victims At Risk In Perpetuity According to Equifax’s SEC filings, nearly all of the Equifax data breach victims in the U.S. had their name, date of birth, and Social Security number taken by the hackers.13 Because these credentials are of a persistent nature—meaning they cannot be changed—these individuals will remain at a heightened risk of identity theft for the rest of their lives. And every additional data point taken increases the breach victim’s exposure. The chart below lists the numbers of U.S. consumers who had each type of data taken:14 12 https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-usvictims-2016-16-percent-according-new 13 https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804d8k.htm 14 Id. 8 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 10 of 23 Type of Data Taken Approximate Number of U.S. Consumers Affected 146.6 million 146.6 million 145.5 million 99 million 27.3 million 20.3 million 17.6 million 1.8 million 209,000 97,500 27,000 Name Date of Birth Social Security Number Address Gender Phone Number Drivers License Number Email Address Payment Card Information Tax ID Drivers License State 17. These types of data are commonly used by criminals in a variety of ways. First, the data can be combined with information from other sources to create detailed identity profiles, of ‘fullz,’ which command a price premium in criminal marketplaces. Because these illicit marketplaces have become pervasive, particularly on the global dark web (also called the ‘dark net’), criminals can either use the data to commit fraud immediately or offer it for sale at various points of time in the future (which in turn enables it to be used for other frauds at some future point in time). 18. In fact, the specific credentials taken on over 99% of Equifax breach victims – names, dates of birth, and Social Security numbers – are often termed 9 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 11 of 23 “The Holy Trinity,”15 because they so effectively (or even foundationally) work together as the basis for criminal identity misuse. V. Types of Fraud Equifax Breach Victims Are Most Likely to Suffer 19. The types of fraud that Equifax breach victims are most likely to suffer include financial account fraud, tax refund fraud, account takeover fraud, criminal identity theft, and phone / utility fraud. 20. New account fraud (NAF) generally refers to the act of fraudulently opening accounts, usually financial accounts, with the goal of conducting expensive transactions that are ultimately charged to the victim. NAF is strongly correlated to Social Security number (SSN) breaches, particularly where the SSNs are paired with corroborating information like name, date of birth, and address. 21. One of the pernicious aspects of NAF is that it often takes victims an exceedingly long time to even realize that a new account has been opened in their name. Victims often discover the accounts when they are contacted by debt collection agencies (and often after the victims have had their credit scores lowered). In 2016, NAF victims spent on average over $150 and 15 hours 15 Dr. Daniel Dimov, Identity Theft:, The Means, Methods and Recourse, Infosec Institute, https://resources.infosecinstitute.com/identity-theft-means-methods-recourse/#gref, January 14, 2013. 10 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 12 of 23 responding to the fraud. 16 SSN breach victims face more than 5 times more new account fraud than all average US adults.17 22. Tax refund fraud a. Due to the PII exposed, the Equifax data breach victims face increased risk of tax refund fraud, in which criminals impersonate the victim and a file false tax return to obtain a tax refund in their name. The GAO reports that there was $3.1B paid out in fraudulent IRS tax returns in 2014.18. b. Tax fraud occurs when criminals file fraudulent tax returns in another individual’s name, in order to obtain a refund owing to that individual. This occurs after an identity criminal obtains necessary PII (which includes name, SSN, and DOB) and uses it to create fake tax returns that appear convincing enough to result in distribution of the payment. Criminals cash the refund check before the authentic taxpayer has time to submit their own genuine version. Tax fraud also causes significant delays in receipt of funds owed to “true name”19 consumers. c. Consumers can experience debilitating financial impact from tax refund fraud, which can require substantial investment of time to resolve, and 16 2017 Identity Fraud: Securing the Connected Life, Javelin Strategy & Research. 2016 Data Breach Fraud Impact Report, Javelin Strategy & Research, page 15. 18 IDENTITY THEFT AND TAX FRAUD, GAO, http://www.gao.gov/assets/680/677405.pdf, May 2016. 19 ‘True name’ is a label used by fraud mitigation professionals to refer to the legitimate identity holder, in contrast to one or more ‘fraudsters’ who are impersonating them. 17 11 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 13 of 23 frequently delays their receiving refunds correctly owed to them. As the IRS has stated: “[i]nnocent taxpayers are victimized because their refunds are delayed.”20 A report from the Treasury Department confirms that “the IRS informs taxpayers who inquire about the status of their identity theft case that cases are resolved within 180 days,” yet the report goes on to cite its own “statistically-valid sample” in finding that “Resolution averaged 312 days with tax accounts assigned to an average of 10 assistors during processing. In addition, 25 percent (of) tax accounts were not correctly resolved, resulting in (further) delayed and incorrect refunds.”21 23. Account takeover fraud a. Account takeover (ATO) of financial or other accounts is another risk now faced by the victims of the Equifax data breach. ATO occurs when the fraudster gains compromised credentials to access a victim’s existing financial and other accounts to create fraudulent transactions, and by definition generally involves changing the victim’s contact information. Equifax’s data breach compromised several mostly persistent identifiers including names, addresses, and most importantly SSNs, which are frequently used by customer service representatives or automated authentication systems to verify identities. 20 https://www.irs.gov/uac/newsroom/tips-for-taxpayers-victims-about-identity-theft-and-taxreturns-2014 January 2014. 21 Victims Of Identity Theft Continue To Experience Delays And Errors In Receiving Refunds, U.S. Treasury, https://www.treasury.gov/tigta/auditreports/2015reports/201540024fr.pdf , March 20, 2015. 12 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 14 of 23 b. Criminal use of compromised PII to change account settings and take over an existing account has grown significantly in recent years. A total of $5.1 billion in ATO losses were reported in 2017, a 120 percent increase from the prior year. c. ATO is one of the most damaging of fraud types for victims, who pay an average of $290 in out-of-pocket costs and spend an average of 16 hours resolving the crime. In 2017, ATO victims devoted more than 62.2 million hours to resolving issues from ATO fraud.22 PII, particularly the types of data taken in the Equifax breach, is used to perpetrate ATO because financial providers use SSNs and such information to authenticate the identity-holder. 24. Existing account fraud a. Existing account non-card fraud (ENCF) occurs when individuals suffer fraud within a non-card account that they legitimately opened, generally a financial account such as a depository bank account, investment account, internet account (e.g., Amazon or PayPal), utility account, or medical account. In 2017, ENCF victims suffered average out-of-pocket losses of $160.23 The key to enable this type of fraudulent conduct, as with other types of fraud, is access to the consumer’s SSN. The risk of both new and existing account fraud 22 https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-millionus-victims-2017-according-new-javelin# . 23 2017 Identity Fraud: Securing the Connected Life, Javelin Strategy & Research 13 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 15 of 23 (including card and non-card accounts) is increased for the victims of Equifax’s data breach because the breach released the “holy trinity” of data criminals generally require to carry out their fraud. 25. Risks to minors a. When minors have their private data exposed in a breach–as happened to millions of children in Equifax’s data breach, the –risk of what is sometimes called ‘child identity theft’ increases in ways that bear resemblance to that of adults. The most current nationally-representative study on child identity theft—commissioned by Identity Guard and conducted by Javelin Strategy & Research—found: i. In 2017, there were over one million child identity fraud ii. The fraud losses incurred totaled $2.4 billion; iii. Out of pocket losses to victims and their families were victims; $540 million; and iv. The average child identity theft losses were particularly severe, likely because children are not yet active managers of their own financial affairs and thus not generally able to mitigate the risk of such crimes, like an adult would. The average child identity theft victim suffered over $500 in out-of-pocket losses, requiring over 20 hours of resolution time 14 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 16 of 23 (usually incurred by a parent). The total average fraud amount (covering all fraud types) for child identity theft victims was over $2,000.24 For comparison purposes, the 2017 Javelin report on adult identity theft reports a mean out-of-pocket cost of more than $40, more than 5 hours spent on resolution, and a total average fraud amount was over $1,000.25 This contrast illustrates that child identity theft risks that are made more likely as a result of a data breach should not be ignored even though the overall incident rate of identity crimes against minors is generally lower than that for adults. b. Prior research studies conducted by Javelin have found that Social Security numbers are highly correlated with child identity theft, and also that crimes are more difficult to detect and resolve than adult ID fraud, at 334 days to detect, and 17% of children were victimized for a year or longer.26 26. Other relevant categories or methods of identity misuse and harms include” 24 2018 Child Identity Fraud Study, Javelin Strategy & Research, page 7. 2017 Identity Fraud: Securing the Connected Life, Javelin Strategy & Research, page 16. 26 ITAC Child ID Fraud Survey Report, https://www.prweb.com/releases/2012/12/prweb10197105.htm , announced December 4, 2012. 25 15 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 17 of 23 a. Employment or wage-related fraud (which is part of the 82,051 self-reported ‘employment and tax-related fraud’ crimes in 2017 tracked by the FTC27); b. Phone or utilities fraud (55,045 reported to the FTC);28 c. Government documents or benefits (25,849 self-reported victims in the same study);29 d. Evading the law (also called ‘criminal identity theft’). As accessed from the FTC’s web site, “Criminal identity theft occurs when certain credentials are presented to law enforcement (and) the results could be criminal record or arrest warrants. The consumer may never know until they are stopped for a driving violation and realize there is an arrest warrant in their name.”30 e. Other account misuse–in all manner of accounts such as Amazon, Netflix, discussion boards, social media accounts, and nearly any other type of service not discussed above–can lead to a broad range of harms, including interruption of service, embarrassment, and reputation damage, hours of resolution time, and out-of-pocket financial losses. This final ‘catch-all’ category of identity 27 Consumer Sentinel Network, March 2018, https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book2017/consumer_sentinel_data_book_2017.pdf Federal Trade Commission. 28 Ibid. 29 Ibid 30 Lanny Britnell, Identity Theft America, The Changing Face of Identity Theft, https://www.ftc.gov/sites/default/files/documents/public_comments/credit-report-freezes534030-00033/534030-00033.pdf , accessed May 15, 2019 16 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 18 of 23 misuse also results from breached identity credentials being used in ‘social engineering’ or knowledge-based authentication attacks. In these attacks, criminals convince customer service personnel or an organization’s self-service systems that a criminal is the breached identity holder. VI. 27. IDPS Provided in The Proposed Equifax Data Breach Settlement At the request of Consumer Plaintiffs’ counsel, I have reviewed the contract governing the IDPS services to be provided under the proposed settlement. Below, I summarize the key features and explain the potential and relative benefits of each. 28. IDPS Vendor. The Settlement Agreement proposes using Experian. Experian is a large player in the IDPS market. Accordingly, I expect that it will have the resources to service a class of this magnitude without being swamped. 29. Credit Monitoring Services. Experian will provide three-bureau credit monitoring and alerting and provide consumer reports to class members on a monthly basis. Though many IDPS monitor only one bureau, the most effective solutions monitor each of the three major credit bureaus. As a convenience, the proposed IDPS would permit the class members to obtain their full Experian credit reports for free on a monthly basis. 30. I expect that the proposed IDPS will be a substantial beneficial to class members in protecting their privacy, particularly in the early detection of new 17 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 19 of 23 account fraud and account takeover fraud. By alerting on credit inquiries and new accounts being opened, the class member will be able to close down new accounts quickly. The IDPS also would alert on changes to the class members’ address, which is useful in stopping account takeover fraud. a. Early Warning System Alerts. This feature provides almost instantaneous notifications when a class member’s PII is used to open or apply for a new account. This is a very valuable feature for class members. These types of early warning systems help prevent or detect New Account Fraud, and are particularly useful in detecting the opening of high-risk financial accounts. This feature, which is generally reserved for ‘high end’ IDPS packages, is very beneficial for class members. b. Unusual Credit Activity Alerts. This set of services would warn class members when unusual credit activity is detected. For example, if the class member’s credit limits, balances, or utilization increase or decrease by a certain threshold, the class member will receive an alert about the change. Or when an inactive or dormant credit account suddenly reports a balance, the class member will be notified and able to respond. These are important features that are easy to miss by a person or service casually reviewing a credit report, and are beneficial to the class members. 18 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 20 of 23 31. Non Credit Protections. The proposed IDPS also would monitor for types of fraud that traditional credit monitoring would miss. This monitoring, though often omitted from less sophisticated IDPS products, is at least as important as true credit monitoring to preventing identity fraud. Below, I list the key noncredit protections under the proposed IDPS. a. Account Takeover Notifications. Chief among the non-credit protections offered in the proposed IDPS is financial account takeover notification. This type of service monitors the class member’s bank accounts for changes to the contact and other profile information and for attempts to open new, linked accounts. This is one of the most important protections for Equifax data breach victims to obtain and would confer a substantial benefit. b. Change of Address (COA) Notifications. This notifies the individual if his or her postal address is surreptitiously changed, which is one technique used in carrying out various other types of identity fraud. c. Court Records Notifications. This type of monitoring searches for the individual’s credentials in a variety of criminal and court records. This is one of the few ways of detecting criminal identity fraud before the individual is wrongly arrested or fined. d. Social Security Number Tracing. This type of investigation searches through public records to determine if a class member’s SSN is being 19 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 21 of 23 used, particularly in connection with other identities. This is very useful in detecting the use of a class member’s information in a “synthetic identity,” a fake identity generally made of composite PII from several people. Without this type of service synthetic identity theft is usually very difficult for an individual to detect. e. Dark Web Monitoring. As the name suggests, this is a service in which the IDPS vendor or its affiliates search for the individual’s information on the dark web and alerts if that information is found. Dark web searches cannot currently provide comprehensive monitoring because illicit identity marketplaces are designed to hamper comprehensive surveillance. Nonetheless, this is a beneficial technology that will improve throughout the long duration of the settlement. f. Pay-day loan notifications. Pay-day loan and other unsecured credit services often do not check the borrower’s credit files and are invisible to traditional credit monitoring services. This IDPS, however is able to monitor payday loan applications and report when the class member’s SSN is used. 32. Child Monitoring. The IDPS services also provides special monitoring for minors. Because minors often lack credit files, they are more difficult to protect. The proposed IDPS addresses this issue by providing minors dark web monitoring, SSN trace and credit header monitoring, along with identity theft restoration and ID theft insurance. In addition, when the minor reaches age 18, he 20 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 22 of 23 or she can enroll in the adult IDPS product. This is an important set of protections for a vulnerable population. 33. Miscellaneous Details. Finally, I appreciate that the proposed IDPS allows class members to obtain the benefits on their own terms. Many IDPS are available only to individuals who can use the vendor’s website or receive email notifications. Because people who have suffered from identity fraud are understandably reluctant to provide PII over the internet, even if it will help protect them, I am pleased to see that this feature was included. 34. Identity Theft Insurance. Identity theft insurance provides additional potential value for class members, for instance in extreme cases where fraud victims encountered extreme unreimbursable costs associated with restoring their identity. 35. Identity Restoration Services. Identity restoration services provide for dedicated representatives who can advise identity theft victims on the steps needed to remedy the fraud and in some cases even act directly on the victim’s behalf. This concierge service provides some measure of additional value because it is available to the entire class, not just those people who sign up for the IDPS product. 36. As the above discussion demonstrates, the IDPS in the proposed settlement includes a full suite of services that are tailored to address the type of 21 Case 1:17-md-02800-TWT Document 739-8 Filed 07/22/19 Page 23 of 23 information taken in the Equifax data breach, and the ramifications of the misuse of that information. In the current retail market, I would expect this product to cost at least $25 per-person per-month, with the amount increasing over the duration of the settlement. In short, it is my opinion that the IDPS and ID restoration services made available to class members under the settlement provide valuable relief and are tailored to redress the types of injuries that class members may experience as a result of their data having been exposed in the breach. I declare under penalty of perjury, under the laws of the United States of America, that the above statements are true and correc . Executed on this the 21 st day of July, 2019, i 22 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 1 of 8 Exhibit 8 Declaration of Hon. Layn Phillips (Ret.) In re: Equifax Inc. Customer Data Security Breach Litigation, No. 17-md-2800-TWT (N.D. Ga.) Plaintiffs’ Motion to Direct Notice of Proposed Settlement Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 2 of 8 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION In re: Equifax Inc. Customer Data Security Breach Litigation MDL Docket No. 2800 No. 1:17-md-2800-TWT ALL ACTIONS Chief Judge Thomas W. Thrash, Jr. I, LAYN R. PHILLIPS, declare pursuant to 28 U.S.C. § 1746 as follows: 1. I submit this Declaration in my capacity as the mediator in connection with the proposed settlement of the above-captioned class action. While the mediation process is confidential, the parties have authorized me to inform the Court of the procedural and substantive matters set forth herein in support of approval of the Settlement. My statements and those of the parties during the mediation process are subject to a confidentiality agreement and Federal Rule of Evidence 408, and there is no intention on either my part or the parties’ part to waive the agreement or the protections of Rule 408. I make this declaration based on personal knowledge and am competent to so testify. 2. I am a former U.S. District Judge, a former United States Attorney, and a former litigation partner with the law firm of Irell & Manella LLP. I currently Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 3 of 8 serve as a mediator and arbitrator with my own alternative dispute resolution company, Phillips ADR Enterprises, which is based in Corona Del Mar, California. I am a member of the bars of Oklahoma, Texas, California and the District of Columbia, as well as the U.S. Courts of Appeals for the Ninth and Tenth Circuits and the Federal Circuit. 3. I earned my Bachelor of Science in Economics as well as my J.D. from the University of Tulsa. I also completed two years of L.L.M. work at Georgetown University Law Center in the area of economic regulation of industry. After serving as an antitrust prosecutor and an Assistant United States Attorney in Los Angeles, California, I was nominated by President Reagan to serve as a United States Attorney in Oklahoma, and did so for approximately four years. 4. I personally tried many cases and oversaw the trials of numerous other cases as a United States Attorney. While serving as a United States Attorney, I was nominated by President Reagan to serve as a United States District Judge for the Western District of Oklahoma. While on the bench, I presided over a total of more than 140 federal trials and sat by designation in the United States Court of Appeals for the Tenth Circuit. I also presided over cases in Texas, New Mexico and Colorado. 2 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 4 of 8 5. I left the federal bench in 1991 and joined Irell & Manella, where for 23 years I specialized in alternative dispute resolution, complex civil litigation and internal investigations. In 2014, I left Irell & Manella to found my own company, Phillips ADR Enterprises, which provides mediation and other alternative dispute resolution services. 6. Over the past 25 years, I have devoted a considerable amount of my professional life to serving as a mediator and arbitrator in connection with large, complex cases such as this one. I have successfully mediated numerous complex commercial cases, including large-scale data breach actions. 7. I was first contacted by the parties in the Fall of 2017 regarding assisting with discussions concerning a potential resolution of this litigation and agreed to serve as mediator to facilitate such discussions. On November 27 and 28, 2017, the parties and their counsel participated in their first of five separate mediation sessions before me that together covered six full days of mediation. The parties engaged in additional in-person mediation sessions on May 25, 2018, August 9, 2018, November 16, 2018, and March 30, 2019. The participants during these various sessions included Co-Lead Counsel for the Consumer Plaintiffs and members of the Plaintiffs’ Steering Committee, and representatives from Equifax along with their outside counsel from King & Spalding and Hogan Lovells. 3 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 5 of 8 8. Prior to the mediation sessions, the parties provided me detailed mediation statements that addressed key factual issues, and the important legal issues related to both liability and damages. Many of the issues presented by the parties were novel and unsettled. For example, Equifax maintained the position that plaintiffs could not establish a common law duty to protect confidential information under Georgia law, plaintiffs could not certify a class, and plaintiffs had suffered no cognizable injuries. Plaintiffs countered on all these points. I found these mediation statements to be extremely valuable in helping me understand the relative merits of each party’s positions, and to identify the issues that were likely to serve as the primary drivers and obstacles to achieving a settlement. It was apparent to me from the first mediation session that both sides possessed strong, non-frivolous arguments, and that neither side was assured of victory if the case was litigated to final judgment. 9. Because the parties submitted their mediation statements and arguments in the context of a confidential mediation process pursuant to Federal Rule of Civil Procedure 408, I cannot reveal their content. I can say, however, that the arguments and positions asserted by all involved were the product of much hard work, and they were complex and highly adversarial. After reviewing all of the written mediation statements and exhibits, I believed that the negotiation would 4 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 6 of 8 be a difficult and adversarial process through which all involved would hold strong to their convictions that they had the better legal and substantive arguments, and that a resolution without further litigation or trial was by no means certain. 10. The November 2017 mediation session concluded with the parties far apart in their respective negotiation positions. It did, however, provide a framework for the parties’ continued dialogue. Over the course of the next 16 months, the parties regularly advised me as to their direct communications regarding potential resolution of the case and attempts to make progress on specific issues including Equifax’s business practice changes, coordination with Equifax’s efforts to resolve certain regulatory investigations related to the 2017 data breach, the amount of any settlement fund, and the form of the parties’ settlement Term Sheet. The parties’ additional mediation sessions on May 25, 2018, August 9, 2018, and November 16, 2018 resulted in incremental movement towards settlement. But while productive in some respects, these additional sessions were, like the first session, difficult and adversarial, and the session on November 16, 2018 ended with a substantial chasm remaining between the parties’ respective settlement positions. 11. In late 2018, I was informed that the parties were at impasse and that settlement discussions had ceased. After the Court’s January 28, 2019 ruling on 5 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 7 of 8 Equifax’s Motion to Dismiss, I contacted both sides and concluded that the parties had widely divergent views on the meaning and import of the Court’s order and the prospects for the case moving forward. Nevertheless, I encouraged the parties to continue their evaluations of their respective positions and prospects for settlement. The parties subsequently agreed to mediate a fifth time on Saturday, March 30, 2019. 12. In advance of the March 30 mediation I instructed the parties to meet in my office on the evening on March 29 to discuss the progress on the proposed business practice changes and the form of the parties’ draft Term Sheet. When the mediation commenced the morning of March 30, the parties exchanged settlement proposals related to the amount of the settlement fund and continued to finalize the non-monetary terms of the settlement including the business practice changes and form of the Term Sheet. Although the parties reached consensus on the nonmonetary terms, the parties were at impasse on the amount of the settlement fund. Late into the evening of March 30, I made a double-blind mediator’s proposal, which was accepted by both parties, and the parties executed a binding Term Sheet at approximately 11 p.m. subject to approval by Equifax’s Board of Directors which was received the following business day. 6 Case 1:17-md-02800-TWT Document 739-9 Filed 07/22/19 Page 8 of 8 13. Based on my experience as a litigator, a former U.S. District Judge and a mediator, I believe that this settlement represents a reasonable and fair outcome given the parties’ strongly held positions throughout the 16 months of negotiations. As such, I strongly support the approval of the settlement in all respects. 14. Finally, the advocacy on both sides of the case was outstanding. Co- Lead Counsel for the Plaintiffs – Norman Siegel, Ken Canfield, and Amy Keller – and counsel from King & Spalding – David Balser, Phyllis Sumner, and Stewart Haskins and Michelle Kisloff from Hogan Lovells – represented their clients with tremendous effort, creativity, and zeal. All counsel displayed the highest level of professionalism in carrying out their duties on behalf of their respective clients and the settlement is the direct result of all counsel’s experience, reputation, and ability in complex class actions including the evolving field of privacy and data breach class actions. I declare under penalty of perjury under the laws of the United States that the foregoing facts are true and correct and that this declaration was executed this 17 day of July, 2019. LAYN R. PHILLIPS 7