
Case 2:20-cv-02246-JAR-TJJ Document 37 Filed 05/11/21 Page 1 of 26

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

MICHAEL BAHNMAIER, individually and on behalf of all others similarly situated,

Plaintiff,

v.

Case No. 2:20-cv-02246-JAR-TJJ

WICHITA STATE UNIVERSITY,

Defendant.

PLAINTIFF’S MEMORANDUM OF LAW IN SUPPORT OF HIS UNOPPOSED MOTION FOR FINAL APPROVAL OF THE CLASS ACTION SETTLEMENT


TABLE OF CONTENTS

I. INTRODUCTION
II. FACTUAL BACKGROUND
  A. Summary of the Allegations
  B. The Settlement Negotiations
  C. The Settlement
  D. Attorneys’ Fees and Expenses, and Service Award to Plaintiff
  E. Settlement Class Notice
III. THE SETTLEMENT IS FAIR, REASONABLE, AND ADEQUATE
  A. Legal Standard
  B. The Proposed Settlement Meets the Standard for Final Approval
    1. The Settlement was Fairly and Honestly Negotiated
    2. The Action Involves Serious Questions of Law and Fact
    3. The Settlement Provides Exceptional Immediate Relief to the Class, Outweighing the Mere Possibility of Future Relief after Protracted Litigation
    4. The Judgment of the Parties is that the Settlement is Fair and Reasonable
  C. The Settlement is Fair, Adequate and Reasonable Under Rule 23(e)(2)
IV. THE NOTICE PROVIDED SATISFIES RULE 23 AND DUE PROCESS
V. CERTIFICATION OF THE SETTLEMENT CLASS
  A. The Requirements Under Fed. R. Civ. P. 23(a) Are Satisfied
    1. The Settlement Class is so Numerous that Joinder of Individual Members is Impracticable
    2. There are Questions of Law and Fact Common to the Settlement Class
    3. Plaintiff’s Claims are Typical of the Claims of the Settlement Class
    4. The Interests of Plaintiff and Proposed Settlement Class Counsel are Aligned with the Interests of the Settlement Class
  B. The Requirements Under Fed. R. Civ. P. 23(b)(3) Are Satisfied
VI. CONCLUSION


TABLE OF AUTHORITIES

Cases

Adamson v. Bowen, 855 F.2d 668 (10th Cir. 1988)
Amchem Prod., Inc. v. Windsor, 521 U.S. 591 (1997)
Billing Prac. Litig., 219 F.R.D. 661 (D. Kan. 2004)
CGC Holding Co., LLC v. Broad & Cassel, 773 F.3d 1076 (10th Cir. 2014)
City P’ship Co. v. Atl. Acquisition Ltd. P’ship, 100 F.3d 1041 (1st Cir. 1996)
Colorado Cross Disability Coal. v. Abercrombie & Fitch Co., 765 F.3d 1205 (10th Cir. 2014)
DG v. Devaughn, 594 F.3d 1188 (10th Cir. 2010)
Eisen v. Carlisle & Jacquelin, 417 U.S. 156 (1974)
In re Gen. Motors Corp. Pick-Up Truck Fuel Tank Prods. Liab. Litig., 55 F.3d 768 (3d Cir. 1995)
In re Prudential Sec. Ltd. P’ship Litig., 163 F.R.D. 200 (S.D.N.Y. 1995)
In re Ribozyme Pharms., Inc. Sec. Litig., 205 F.R.D. 572 (D. Colo. 2001)
Lucas v. Kmart Corp., 234 F.R.D. 688 (D. Colo. 2006)
Marcus v. State of Kan., Dep’t of Revenue, 209 F. Supp. 2d 1179 (D. Kan. 2002)
Mullane v. Cent. Hanover Bank & Tr. Co., 339 U.S. 306 (1950)


Pliego v. Los Arcos Mexican Rest., Inc., 313 F.R.D. 117 (D. Colo. 2016)
Rhodes v. Olson Assocs., P.C., 308 F.R.D. 664 (D. Colo. 2015)
Tennille v. W. Union Co., 785 F.3d 422 (10th Cir. 2015)
Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011)

Rules

Fed. R. Civ. P. 23


Plaintiff Michael Bahnmaier (“Plaintiff”) submits this memorandum of law in support of his Unopposed Motion for Final Approval of the Class Action Settlement with Defendant Wichita State University (“WSU” or “Defendant”).

I. INTRODUCTION

On February 10, 2021, this Court entered an Order Conditionally Certifying a Settlement Class, Granting Preliminary Approval of the Class Action Settlement, Approving the Form and Manner of Notice, and Scheduling a Final Approval Hearing. See Dkt. No. 33 (“Preliminary Approval Order”). As set forth below, the notice plan has now been completed and to date no Class Members have objected to the terms of the Settlement. For the reasons discussed below, and because the criteria for final approval under Fed. R. Civ. P. 23(e) are met, Plaintiff respectfully requests that the Court grant final approval of the Settlement.

II. FACTUAL BACKGROUND

A. Summary of the Allegations

Plaintiff and Class Members are current and former students and employees of WSU whose personally identifiable information (“PII”), including their names, email addresses, dates of birth, Social Security numbers, and other information was allegedly compromised in a security breach at WSU between December 3, 2019 and December 5, 2019 (the “Data Incident”). Plaintiff sought to represent a class consisting of “all persons whose sensitive personal information was compromised as a result of the Data Breach at Wichita State University announced in March 2020.”1 The Complaint brought claims to redress WSU’s alleged failure to adequately safeguard the PII of Plaintiff and Class Members.

1 Plaintiff also sought to represent a subclass of all residents of the State of Kansas who are former or current students of Wichita State University whose sensitive personal information was compromised as a result of the Data Breach at Wichita State University announced in March 2020.


B. The Settlement Negotiations

On May 14, 2020, Plaintiff, a former WSU student, filed his Complaint alleging, among other things, that Defendant failed to take adequate measures to protect his and other putative Class Members’ PII and failed to disclose that WSU’s systems were susceptible to a cyber-attack. See Dkt. No. 1. Rather than committing to protracted litigation, after WSU was served, counsel for the parties began to exchange information and discuss the possibility of resolving the case. The Settlement took many months to negotiate, during which time Defendant filed an aggressive motion to dismiss, which Plaintiff was in the process of opposing when the Settlement was reached. During the months of negotiation of the Settlement terms, the parties exchanged key information relating to the facts and scope of the Data Incident. On October 30, 2020, following multiple exchanges of information and negotiations of terms, the parties were able to reach a settlement in principle. Id. Thereafter, the parties negotiated the remaining terms, circulating drafts back and forth of the settlement agreement and its exhibits. The agreement was finalized and executed on January 12, 2021. The parties finalized and executed an Amended Settlement Agreement (the “Settlement Agreement” or “Agreement”) on February 9, 2021.2

C. The Settlement

The Settlement provides for cash payments to Settlement Class Members that will compensate them for lost time and a variety of expenses associated with the potential exposure of their PII.

Under the Agreement, Settlement Class Members are eligible to receive payments of $20.00 per hour for up to three (3) hours of time spent dealing with issues relating to the Data Incident. See Settlement Agreement (Dkt. No. 33-1) at ¶ 2.1.2. To receive this benefit, Settlement Class Members need only attest that any claimed lost time was spent related to the Data Incident and provide a written description of how the claimed lost time was spent related to the Data Incident. Id.

2 All capitalized terms not otherwise defined herein shall have the same meanings as set forth in the Settlement Agreement (Dkt. No. 33).

Pursuant to the Agreement, Settlement Class Members are also eligible for reimbursement of up to $300.00 for out-of-pocket costs to mitigate damage due to the Data Incident and/or for losses associated with any identity theft or misuse of PII. Id. at ¶ 2.1.1.3 Examples of out-of-pocket costs that are eligible for reimbursement through the Settlement include (but are not limited to): (i) costs of credit report(s) purchased by Class Members; (ii) costs of credit monitoring and identity theft protection; (iii) unreimbursed bank fees or card fees as well as unreimbursed charges from banks or credit card companies; (iv) cell minutes, internet usage charges, and text message charges where such charges are incurred as a result of the Data Incident; (v) interest on payday loans incurred solely as a result of the Data Incident; and (vi) other losses incurred that are fairly traceable to the Data Incident. Id. The “fairly traceable” standard will allow Class Members to be compensated for a broad range of harm likely to flow from the Data Incident.

D. Attorneys’ Fees and Expenses, and Service Award to Plaintiff

Under the Settlement Agreement, WSU will separately pay Class Counsel’s reasonable attorney fees and reimbursement of litigation expenses. Class Counsel’s application for attorney fees and reimbursement of litigation expenses will not exceed $325,000. Id. at ¶ 7.2. Class Counsel will also apply for a service award of $1,500 to be paid by WSU to Plaintiff Bahnmaier in recognition of his efforts spent in prosecuting this action on behalf of the Settlement Class. Id. at ¶ 7.3. WSU will pay any awarded attorneys’ fees and expenses and any service award to Plaintiff in addition to relief it is providing to the Settlement Class. Id. at ¶ 7.5. Thus, the attorneys’ fees and expenses and service award to Plaintiff will not in any way reduce the Settlement benefits to the Class. Id. In compliance with the schedule entered by the Court in its Preliminary Approval Order, Class Counsel will file their application for attorney fees and expenses and for a service award to Plaintiff by May 26, 2021.

3 Claims made for lost time can be combined with reimbursement for out-of-pocket expenses but are subject to the same $300.00 cap for all Settlement Class Members.

E. Settlement Class Notice

As part of the Settlement, WSU agreed to pay for a comprehensive Notice and Claims Administration program. Id. at ¶ 3. Promptly after the Court granted preliminary approval, the parties began working with the claims administrator to provide the Class with the Court-approved notice in accordance with the Settlement. As set forth in the accompanying Declaration of Brian Smitheman, attached as Exhibit 1 hereto (“Smitheman Decl.”), Manager of Kroll Settlement (f/k/a Heffler Claims Group) (“Kroll”), the claims administrator provided notice of the proposed settlement reflected in the Settlement Agreement pursuant to the Class Action Fairness Act 28 U.S.C. § 1715(c) (the “CAFA Notice”). See Smitheman Decl. at ¶ 4. Kroll sent the CAFA Notice and an accompanying CD containing the documents required under 28 U.S.C. §1715(b)(1)-(8) to the Attorney General of the United States and 56 state Attorneys General identified in the Manifest for the CAFA Notice via First-Class Certified Mail on January 22, 2021. Id. Importantly, none of the state Attorneys General or other government officials who received notice of the Settlement pursuant to CAFA, 28 U.S.C. § 1715(b), have objected to any aspect of the proposed Settlement. See George v. Acad. Mortg. Corp., 369 F. Supp. 3d 1356, 1373 (N.D. Ga. 2019) (citation omitted) (“Not one CAFA notice recipient objected to the settlement, which also weighs in favor of its approval here.”).


On January 21, 2021, Kroll received a data file containing 440,968 records from Defendant. See Smitheman Decl. (Exh. 1) at ¶ 5. The data file’s key components were first name, last name, address, city, state zip code and enroll code. Id. On March 2, 2021 Kroll received an email data file containing 205,688 records. Id. The data file key components were first name, last name, address, city, state zip code, Wichita State University email addresses and primary email addresses. Kroll determined that there were 440,968 unique records. Id.

On February 17, 2021, Kroll obtained a P.O. Box in order to receive requests for exclusion, claim forms, objections, and correspondence from Class Members. Id. at ¶ 6. On February 25, 2021, Kroll created and is currently hosting a dedicated settlement website available at www.WichitaStateUniversitySettlement.com. Id. at ¶ 7. The website went live on March 12, 2021. Id. The website contains a summary of the Settlement, frequently asked questions, the Class Action Complaint, the Motion for Preliminary Approval Order, the Preliminary Approval Order, the Settlement Agreement, the Claim Form in both English and Spanish, the Long Form Notice in both English and Spanish, the Email Notice and information on the claim filing/exclusion/objection deadlines, and allows Class Members the opportunity to file a Claim Form online. Id. Class Members have access to the Settlement Website 24 hours a day. On March 2, 2021, Kroll established and is still maintaining a toll-free number for Class Members to call and obtain additional information regarding the Settlement using both Live Operators and an interactive voice response (IVR) system. So far, approximately 600 Class Members have called the IVR, and approximately 300 Class Members have called to speak to Live Operators. Id. at ¶ 8.

On or about February 10, 2021, Kroll received Microsoft Word versions of the Short Form Notice, Long Form Notice and Claim Form from counsel. Id. at ¶ 9. Kroll prepared and formatted drafts of these Court-approved documents. See id. at Exhibit B. On March 12, 2021, following the removal of 30,892 duplicate email addresses Kroll caused the email Notice to be emailed to 174,796 Class Members. Id. at ¶ 11. Of the 174,796 emails attempted for delivery, 29,465 emails bounced. Of the 29,465 bounced records, all had a physical address. Id.

On March 12, 2021, Kroll caused the mailing of Notices to 266,172 Class Members. Id. at ¶ 12. On March 25, 2021 Kroll caused the mailing of Notices to an additional 29,465 Class Members. Id. After its mailings, Kroll received 1,200 Notices returned by the USPS with a forwarding address. Id. at ¶ 13. Kroll has re-mailed 1,200 of the forwarded Notices to the updated addresses provided by the USPS and will continue to re-mail any other Notices as they are received. Id.

Kroll also received 102,958 Notices returned by the USPS as undeliverable as addressed. After skip tracing, Kroll obtained 57,953 updated addresses. Id. at ¶ 14. Kroll re-mailed Notices to the 57,953 addresses obtained through the skip-trace process. Id. Kroll received additional Notices returned by the USPS as undeliverable as addressed, and Kroll is in the process of sending 10,619 records through a skip-trace process with LexisNexis. Id. at ¶ 15. Once the skip-trace process is complete, Kroll will re-mail Notices to the updated addresses. Id.

In addition to this direct notice of Settlement, WSU also provided Notice through publication in WSU’s alumni newsletter and on WSU’s website, which included a hyperlink to the Settlement Website. Id. at ¶ 16.

As of May 5, 2021, Kroll received only eight requests for exclusion and no objections to the Settlement. Id. at ¶ 19. No objections have been filed with the Court nor received by the parties. Hundreds of Class Members have already filed claims to date. Id. The deadline for the submission of claims is July 12, 2021. Id. at ¶ 20.


III. THE SETTLEMENT IS FAIR, REASONABLE, AND ADEQUATE

A. Legal Standard

“A district court may approve a proposed settlement only after finding that it is fair, reasonable, and adequate.” Fager v. CenturyLink Commc’ns, LLC, 854 F.3d 1167, 1174 (10th Cir. 2016) (internal quotations omitted); Fed. R. Civ. P. 23(e)(2). Approval of a proposed settlement is “committed to the sound discretion” of the district court. Rutter & Wilbanks Corp. v. Shell Oil Co., 314 F.3d 1180, 1187 (10th Cir. 2002) (citation omitted). As a matter of public policy, the law favors and encourages settlements. Amoco Prod. Co. v. Fed. Power Comm’n, 465 F.2d 1350, 1354-55 (10th Cir. 1972).

The Tenth Circuit has identified the following four factors as central to the district court’s analysis of whether a class action settlement is “fair, reasonable, and adequate” under Rule 23(e)(2):

(1) whether the proposed settlement was fairly and honestly negotiated;

(2) whether serious questions of law and fact exist, placing the ultimate outcome of the litigation in doubt;

(3) whether the value of an immediate recovery outweighs the mere possibility of future relief after protracted and expensive litigation; and

(4) the judgment of the parties that the settlement is fair and reasonable.

Fager, 854 F.3d at 1174. As explained below, this Settlement readily satisfies each factor.

B. The Proposed Settlement Meets the Standard for Final Approval

1. The Settlement was Fairly and Honestly Negotiated

“The fairness of the negotiating process is to be examined ‘in light of the experience of counsel, the vigor with which the case was prosecuted, and [any] coercion or collusion that may have marred the negotiations themselves.’” Ashley v. Reg’l Transp. Dist., 2008 WL 38457 at *5 (D. Colo. Feb. 11, 2008) (citation omitted); see City P’ship Co. v. Atl. Acquisition Ltd. P’ship, 100 F.3d 1041, 1043 (1st Cir. 1996) (“[When] the parties have bargained at arms’ length, there is a presumption in favor of the settlement”).

The Settlement took many months to negotiate, during which time Defendant filed an aggressive motion to dismiss, which Plaintiff was in the process of opposing when the Settlement was reached. During the months of negotiation of the Settlement terms, the parties exchanged key information relating to the facts and scope of the Data Incident. Based on their familiarity with the factual and legal issues, the parties were able to negotiate a fair settlement, taking into account the costs and risks of continued litigation. The negotiations were at all times hard-fought and at arm’s length and produced a result that the parties believe to be in their respective best interests.

Counsels’ vast experience with class-action litigation further suggests that the negotiations were fair, and likewise weighs in favor of approval. Marcus v. State of Kan., Dep’t of Revenue, 209 F. Supp. 2d 1179, 1182 (D. Kan. 2002) (“When a settlement is reached by experienced counsel after negotiations in an adversarial setting, there is an initial presumption that the settlement is fair and reasonable.”). Counsel who negotiated this Settlement are highly experienced in complex consumer class action litigation, including data breach class actions. Defense counsel, Baker & Hostetler, LLP and Husch Blackwell, LLP, are prominent national litigation law firms with considerable experience. Baker Hostetler, LLP in particular is well noted as one of the top-rated data breach defense law firms in the U.S. Class Counsel for Plaintiff, Federman & Sherwood, has successfully prosecuted and settled numerous data breach class actions, consumer class actions, and other complex litigation throughout the country and has a strong reputation in this field. See Exhibit A to the Declaration of William B. Federman in Support of Plaintiff’s Unopposed Motion for Final Approval of Settlement (the “Federman Decl.”), attached hereto as Exhibit 2.

Because the Settlement “resulted from arm’s length negotiations between experienced counsel . . . the Court may presume the settlement to be fair, adequate, and reasonable” for purposes of approval. Lucas, 234 F.R.D. at 693.

2. The Action Involves Serious Questions of Law and Fact

“Although it is not the role of the Court at this stage of the litigation to evaluate the merits, it is clear that the parties could reasonably conclude that there are serious questions of law and fact that exist such that they could significantly impact this case if it were litigated.” Lucas v. Kmart Corp., 234 F.R.D. at 693-94 (internal citation omitted); see also Rhodes, 2015 WL 3657586 at *2.

This case faced serious obstacles. Defendant filed an extensive motion to dismiss that challenged nearly every aspect of Plaintiff’s allegations. Dkt. No. 19. Among other things, WSU argued that Plaintiff lacked standing to bring the present action, that Plaintiff’s tort claims were barred under the economic loss doctrine, that Plaintiff’s Kansas Consumer Protection Act Claims were unsustainable, that Plaintiff’s breach of implied contract claims were too attenuated, and that WSU was immune from liability. See id. While Plaintiff had arguments and authorities that could support his allegations, the number of issues in this case, which centers around an emerging area of law—data breach litigation—created significant uncertainty.

Historically, data breach cases have faced meaningful hurdles even in making it past the pleading stage. See Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *1 (S.D.N.Y. June 25, 2010) (collecting data breach cases dismissed at the Rule 12(b)(6) or Rule 56 stage). Indeed, the Tenth Circuit has not yet considered what a plaintiff must allege in order to demonstrate standing to bring a data breach action. Even assuming Plaintiff could defeat Defendant’s motion to dismiss, WSU was prepared to vigorously argue, among other things, that no class member data was actually stolen in the Data Incident. Further, class certification has been denied in other data breach cases. See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21 (D. Me. 2013).

While the law has gradually adapted to this relatively new type of litigation, the path to a class-wide monetary judgment remains untrodden, and it will take some time before litigants and courts navigate all the unique issues posed by data breach lawsuits and some level of certainty sets in—particularly in the area of damages. For now, data breach cases are best characterized as uncertain, making settlement the more prudent course when the parties are able to reach a resolution that addresses all the goals of the litigation. Even if this case proceeded to trial, there is a risk that the Class may not recover anything despite the high costs and delay of further discovery, motion practice, trial, and appeal. See, e.g., Federman Decl. at Exhibit B at 18 (study finding that 81% of data breach victims did not have any out-of-pocket costs).

Accordingly, despite Plaintiff’s confidence in the strength of this case, numerous legal issues and factual disputes existed that undermined the certainty of a more favorable outcome for the Class. The presence of doubt about the outcome of this litigation favors settlement “because settlement creates a certainty of some recovery, and eliminates doubt, meaning the possibility of no recovery after long and expensive litigation.” In re Qwest Commc’ns Int’l, Inc. Sec. Litig., 625 F. Supp. 2d 1133, 1138 (D. Colo. 2009).

3. The Settlement Provides Exceptional Immediate Relief to the Class, Outweighing the Mere Possibility of Future Relief after Protracted Litigation

This action has been pending for nearly a year, and many more months/years and significant additional costs would be required for the parties and the Court to complete the pre-trial proceedings, including resolution of the motion to dismiss, class certification, summary judgment, and Daubert motions. After trial, the parties could appeal the Court’s class certification and summary judgment decisions to the Tenth Circuit (and possibly beyond), which could take years to complete. See, e.g., Lucas, 234 F.R.D. at 694 (“If this case were to be litigated, in all probability it would be many years before it was resolved.”). Assuming the parties went to trial and verdict, there would remain the possibility that the verdict could be reversed by this Court or on appeal.

“By contrast, the proposed settlement agreement provides the class with substantial, guaranteed relief” now. Lucas, 234 F.R.D. at 694; see also McNeely, 2008 WL 4816510, at *13 (“The class . . . is better off receiving compensation now as opposed to being compensated, if at all, several years down the line, after the matter is certified, tried, and all appeals are exhausted.”).

The Settlement provides substantial relief for all 443,000 Settlement Class Members. As explained above, all Settlement Class Members are eligible for cash payments of $20.00 per hour for up to three (3) hours for time spent dealing with issues relating to the Data Incident plus reimbursement for out-of-pocket costs to mitigate damage due to the Data Incident and/or for losses associated with any identity theft or misuse of PII up to $300.00. See Settlement Agreement at ¶ 2. These amounts are well within the range of fair, reasonable, and adequate, particularly when considered in light of reported average out-of-pocket expenses attributable to a data breach. According to a research study sponsored by Experian Data Breach Resolution and conducted and reported by Ponemon Institute, “[e]ighty-one percent of respondents who were victims of a data breach did not have any out-of-pocket costs” and nine percent had less than $10 in out-of-pocket costs. See Federman Decl. at Exhibit B at 7, 18. Further, for those respondents who incurred out-of-pocket costs, the average amount was $38.00. Id. at 7.


A relatively early settlement is especially warranted in the data breach context because Class Members benefit immediately from protections like reimbursement for the purchase of credit monitoring and identity theft protection, which can help detect and prevent identity theft and fraud before misuse occurs and can assist Class Members in promptly addressing any issues that arise. See Federman Decl. at ¶ 8.

An evaluation of the benefits of the settlement also should be tempered by the recognition that any compromise involves concessions on the part of the settling parties. Indeed, “the very essence of a settlement is compromise, ‘a yielding of absolutes and an abandoning of highest hopes.’” Officers for Justice v. Civil Serv. Comm’n of City & Cnty. of S.F., 688 F.2d 615, 624 (9th Cir. 1982) (citation omitted). Thus, the “value of an immediate recovery” factor weighs in favor of approval.

By settling the action now, Plaintiff and the Class can share in significant all-cash compensation, including reimbursement for the purchase of protective services like credit monitoring and identity theft protection, while avoiding the risk that continued litigation may result in a smaller recovery or quite possibly no recovery at all.

4. The Judgment of the Parties is that the Settlement is Fair and Reasonable

“Counsel’s judgment as to the fairness of the agreement is entitled to considerable weight” and supports approval of the Settlement. Marcus, 209 F. Supp. 2d at 1183; accord Lucas, 234 F.R.D. at 695; Rhodes, 308 F.R.D. at 667. Plaintiff’s attorneys have carefully evaluated the Settlement, and believe it provides exceptional value to Plaintiff and the Class, especially given that, despite the apparent strength of Plaintiff’s case, there is no guarantee that the Class would not walk away empty-handed. Furthermore, the Settlement is supported by Plaintiff, who has been apprised of the strengths and weaknesses of this case. Other proposed Class Members will have the opportunity to weigh in on the Settlement at the Fairness Hearing if the Court grants approval.

The reaction of the Class also weighs heavily in favor of approval. Pursuant to the Court’s Preliminary Approval Order, more than 470,000 Notices have either been mailed or emailed to Class Members. See Smitheman Decl. at ¶¶ 11-12. Only eight Class Members, out of hundreds of thousands, have requested exclusion from the Settlement. Id. at ¶ 19. More importantly, there have been no objections to the Settlement to date. Id. This positive response from Class Members provides substantial support for final approval of the Settlement. See Hanlon v. Chrysler Corp., 150 F.3d 1011, 1027 (9th Cir. 1998) (“[T]he fact that the overwhelming majority of the class willingly approved the offer and stayed in the class presents at least some objective positive commentary as to its fairness.”); Hapka v. CareCentrix, Inc., No. 2:16-CV-02372-KGG, 2018 WL 1871449, at *3 (D. Kan. Feb. 15, 2018) (finding that two objections and one request for exclusion in a class of nearly 2,000 members constitutes “strong support for the Settlement,” which “weighs strongly in favor of final approval.”).

C. The Settlement is Fair, Adequate and Reasonable Under Rule 23(e)(2)

Under Rule 23(e)(2), courts determining the fairness of a class action settlement must consider whether:

(A) the class representatives and class counsel have adequately represented the class;

(B) the proposal was negotiated at arm’s length;

(C) the relief provided for the class is adequate, taking into account:

(i) the costs, risks, and delay of trial and appeal;

(ii) the effectiveness of any proposed method of distributing relief to the class, including the method of processing class member claims;

(iii) the terms of any proposed award of attorney's fees, including timing of payment; and

(iv) any agreement required to be identified under Rule 23(e)(3); and

(D) the proposal treats class members equitably relative to each other.

Fed. R. Civ. P. 23(e). The proposed Settlement readily satisfies all of the foregoing factors such that the Court will likely be able to grant final approval of the Settlement.


The first two factors—that the class representatives and counsel adequately represent the Class and that the settlement was negotiated at arm’s length, Fed. R. Civ. P. 23(e)(2)(A) and (B)—largely parallel the first Rutter factor (fair and honest negotiation) and are satisfied for the reasons the Settlement satisfies that Rutter factor. See Section III.B.1, supra. Class counsel are highly experienced in complex consumer class-action litigation and negotiated this settlement at arm’s length. Plaintiff has no conflicts of interest with the other members of the Settlement Class, had the same PII potentially exposed in the Data Incident as the other Settlement Class Members, and shares the Class’s interests of maximizing their recovery.

The proposed Settlement also satisfies the third factor, which focuses on the adequacy of relief to the class. In particular, the Court must “take into account”:

• “[T]he costs, risks, and delay of trial and appeal.” Fed. R. Civ. P. 23(e)(2)(C)(i). This parallels the second and third Rutter factors (whether serious questions of law and fact exist and whether the value of an immediate recovery outweighs the mere possibility of future relief). Thus, this factor is satisfied for the same reasons Plaintiff satisfies the Rutter factors. See Section III.B.2-3, supra.

• The method of processing claims and distributing relief to the class. See Fed. R. Civ. P. 23(e)(2)(C)(ii). Here, the Settlement builds on the notification process WSU undertook in response to the Data Incident and the class member information gathered through it. Accordingly, the notice program includes a high rate of direct notice to Settlement Class Members. See Section IV, infra. Further, the Settlement provides for a claims-made procedure that requires minimal documentation from Settlement Class Members while conferring significant benefits to the Class. See Settlement Agreement at ¶ 2.

• The terms of the Settlement regarding attorneys’ fees. See Fed. R. Civ. P. 23(e)(2)(C)(iii). The proposed attorneys’ fees and expenses are fair and, importantly, do not deduct from the relief secured for the Class. See Settlement Agreement at ¶ 7.5. Such fees were negotiated as an independent term of the Settlement and were only negotiated after the parties had agreed to the benefits that would be provided to the Settlement Class. Id. at ¶ 7.1. Further, payment of attorneys’ fees comes only after final approval of the Settlement. Id. at ¶ 7.4.

• The presence of any agreements between the parties separate from the Settlement Agreement. See Fed. R. Civ. P. 23(e)(2)(C)(iv). There are no such agreements in this case. As such, this factor weighs in favor of approval.


The fourth factor, whether Class Members are treated equitably relative to each other, Fed. R. Civ. P. 23(e)(2)(D), also supports approval. The proposed Settlement treats the Settlement Class Members equitably relative to each other, as all Class Members whose PII was potentially exposed in the Data Incident will have the exact same remedy options. See Section II.C supra.

IV. THE NOTICE PROVIDED SATISFIES RULE 23 AND DUE PROCESS

The Notice plan, approved in advance by this Court in its Preliminary Approval Order, constituted “the best means of providing notice under the circumstances and, when compared, shall constitute due and sufficient notice of the proposed Settlement Agreement and Final Approval hearing to all persons affected by and/or entitled to participate in the Settlement Agreement, in full compliance with the notice requirements of Rule 23 of the Federal Rules of Civil Procedure and due process of law.” Dkt. No. 33 at ¶ 11.

After the Court appointed Heffler Claims Group (now known as Kroll) as Claims Administrator and directed that notice be given to the Class, Kroll promptly launched the Settlement Website and sent notice to the Class. See Ex. 1 (Smitheman Decl.) ¶¶ 7, 11-12. Because WSU agreed to provide, and did provide, names, addresses, and email addresses for all Class Members who were potentially impacted by, and thus received notice of, the Data Incident (to the extent available to WSU), the Claims Administrator was able to send direct notice to over 400,000 Class Members. Id. ¶ 11-12. In addition to this direct notice of Settlement, WSU also provided Notice through publication in WSU’s alumni newsletter and on WSU’s website. Id. at ¶ 16.

The notice itself included all the requirements of Rule 23(c)(2)(B), identifying:

(i) the nature of the action; (ii) the definition of the class certified; (iii) the class claims, issues, or defenses; (iv) that a class member may enter an appearance through an attorney if the member so desires; (v) that the court will exclude from the class any member who requests exclusion; (vi) the time and manner for requesting exclusion; and (vii) the binding effect of a class judgment on members under Rule 23(c)(3).

See Smitheman Decl. at Exhibit B. The notice further informed Class Members of their right to submit a claim form or opt-out, their right to object, and Class Counsel’s motion for attorneys’ fees, expenses, and service awards, and also directed Class Members to the Settlement Website and the toll-free number established by KCC for this Settlement. See id. This Court granted Class Members 90 days to file an objection or opt out, and 120 days to file a claim. See Dkt. No. 33 at ¶ 18. This was sufficient time to give Class Members a fair opportunity to respond. Cf. Torrisi v. Tucson Elec. Power Co., 8 F.3d 1370, 1375 (9th Cir. 1993) (approving notice sent 31 days before the deadline for objections).

The proposed notice program is “reasonably calculated, under all the circumstances, to apprise interested parties of the pendency of the action and afford them an opportunity to present their objections.” Mullane v. Cent. Hanover Bank & Tr. Co., 339 U.S. 306, 314 (1950); Tennille v. W. Union Co., 785 F.3d 422, 436 (10th Cir. 2015) (similar). Thus, the proposed method of notice described above satisfies due process requirements. See Eisen v. Carlisle & Jacquelin, 417 U.S. 156, 173 (1974).

V. CERTIFICATION OF THE SETTLEMENT CLASS

The Court provisionally certified for settlement purposes only the Settlement Class here. See Dkt. No. 33 at ¶ 4-6. Nothing has changed since that time that would now prevent final certification.

As the Supreme Court recognized, the “settlement only class” has become a “stock device” and all federal Circuits have recognized its utility. See Amchem Prod., Inc. v. Windsor, 521 U.S. 591, 618 (1997); see also In re Gen. Motors Corp. Pick-Up Truck Fuel Tank Prods. Liab. Litig., 55 F.3d 768, 784 (3d Cir. 1995) (stating that courts favor the use of settlement classes “to foster negotiated conclusions to class actions”). A settlement class in complex litigation “actually enhances absent class members’ opt-out rights because the right to exclusion is provided simultaneously with the opportunity to accept or reject the terms of a proposed settlement.” In re Prudential Sec. Ltd. P’ship Litig., 163 F.R.D. 200, 205 (S.D.N.Y. 1995). When granting approval of a class action settlement, it is appropriate for a court to certify a class for settlement purposes. See Amchem, 521 U.S. at 620 (explaining that the same standards apply to class certification for purposes of settlement as to any other motion for class certification, except that an inquiry into trial management problems is unnecessary). Courts routinely find that data breach cases are appropriate for settlement class treatment. See, e.g., Corona v. Sony Pictures Entertainment Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. Nov. 24, 2015) (ECF No. 151); In re: The Home Depot, Inc. Customer Data Security Breach Litig., No. 14-md-02583-TWT, 2016 WL 6902351, at *2-3 (N.D. Ga. August 23, 2016).

At the final approval stage, after the Court has preliminarily certified the class for settlement purposes, the Court makes a final determination that the proposed class satisfies the four requirements of Rule 23(a) and Rule 23(b)(3). Nieberding v. Barrette Outdoor Living, Inc., 129 F. Supp. 3d 1236, 1244 (D. Kan. 2015).

A. The Requirements Under Fed. R. Civ. P. 23(a) Are Satisfied

Rule 23(a) sets forth the following prerequisites for certifying a class: “(1) the class is so numerous that joinder of all members is impracticable, (2) there are questions of law or fact common to the class, (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class, and (4) the representative parties will fairly and adequately protect the interests of the class.” Fed. R. Civ. P. 23(a). Additionally, where certification is sought under Rule 23(b)(3), the plaintiffs must demonstrate that common questions of law or fact predominate over individual issues and that a class action is superior to other methods of adjudicating the claims. Fed. R. Civ. P. 23(b)(3). These requirements are satisfied here.

1. The Settlement Class is so Numerous that Joinder of Individual Members is Impracticable

First, the Settlement Class is so numerous that joinder of all individual members is impracticable. Here, numerosity is satisfied because, according to WSU’s investigation into the Data Incident, approximately 443,000 individuals had PII that was potentially viewed as a result of the Incident. See Settlement Agreement at p. 2. This meets the numerosity requirement. See Pliego, 313 F.R.D. at 126 (finding that class of 177 members met the numerosity requirement).

2. There are Questions of Law and Fact Common to the Settlement Class

Second, there are questions of law and fact common to all Settlement Class Members. Rule 23(a)(2) is satisfied if class claims raise at least one common question that will generate “common answers” likely to “drive the resolution of the litigation.” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350 (2011); accord DG v. Devaughn, 594 F.3d 1188, 1194-95 (10th Cir. 2010). Here, there are questions of law and fact common to the proposed Settlement Class that predominate over any individual questions. These questions include, but are not limited to:

• Whether Defendant owed a duty to Plaintiff and the Class to protect their PII;

• Whether Defendant breached this duty;

• Whether Defendant violated data security statutes and data breach notification statutes applicable to Plaintiff and the Class;

• Whether Defendant knew or should have known that its email, computer systems, and/or data security practices were inadequate and vulnerable to attack;

• Whether Defendant’s conduct, including its failure to act, was the proximate cause of the Data Incident resulting in the potential compromise of Class Members’ PII;

• Whether Defendant failed to notify Plaintiff and the Class about the Data Incident expeditiously and without unreasonable delay;


• Whether Plaintiff and members of the Class suffered injury as a proximate result of Defendant’s conduct or failure to act; and

• Whether Plaintiff and the Class are entitled to recover damages from Defendant.

These common questions predominate over any individual questions that may exist. See Colorado Cross Disability Coal. v. Abercrombie & Fitch Co., 765 F.3d 1205, 1216 (10th Cir. 2014) (single common question of law, whether defendants’ stores violated disability statute, satisfied Rule 23(a)(2)).

3. Plaintiff’s Claims are Typical of the Claims of the Settlement Class

Third, the claims and defenses of Plaintiff are typical of the claims and defenses of the Settlement Class. The facts surrounding all the claims need not be identical, but the claims of the class representative and the class must be “based on the same legal or remedial theory.” Adamson v. Bowen, 855 F.2d 668, 676 (10th Cir. 1988). Here, Plaintiff’s claims are typical because the claims brought by the Plaintiff arise out of the same course of conduct by Defendant and rest on exactly the same legal theory as those of the potential Class Members. In re Ribozyme Pharms., Inc. Sec. Litig., 205 F.R.D. 572, 578 (D. Colo. 2001); see also Colorado Cross Disability Coal. v. Abercrombie & Fitch Co., 765 F.3d 1205, 1216 (10th Cir. 2014) (“Differing fact situations of class members do not defeat typicality under Rule 23(a)(3) so long as the claims of the class representative and class members are based on the same legal or remedial theory.”). In this case, Rule 23(a)(3)’s typicality requirement is satisfied.

4. The Interests of Plaintiff and Proposed Settlement Class Counsel are Aligned with the Interests of the Settlement Class

Fourth, Plaintiff and Class Counsel will fairly and adequately protect the interests of the Settlement Class. Plaintiff has demonstrated that he is well-suited to represent the Settlement Class, as he has prosecuted this action on behalf of and to the benefit of the Settlement Class. Representative Plaintiff has already provided information for pleadings and settlement discussions, engaged with Plaintiff’s Counsel regarding the litigation, participated in the settlement negotiations via email, and approved the proposed Settlement terms. See Pliego, 313 F.R.D. at 127 (“[I]n this ‘settlement only class’ determination, it is clear from the settlement itself that Plaintiff has prosecuted the action vigorously on behalf of the class through counsel.”). Similarly, Class Counsel is well-qualified to represent the Settlement Class, as the firm has handled many complex class actions, including data breach class actions. See Federman Decl. at Exhibit A. Indeed, Class Counsel has worked diligently on behalf of the Class to obtain information from WSU regarding the Data Incident and used that information to negotiate the Settlement now before the Court.

B. The Requirements Under Fed. R. Civ. P. 23(b)(3) Are Satisfied

Rule 23(b)(3) requires that “questions of law or fact common to the members of the class predominate over any questions affecting only individual members of the class, and that a class action is superior to other available methods for the fair and efficient adjudication of the controversy.” Fed. R. Civ. P. 23(b)(3).

Here, the numerous questions common to the Class, including those listed above to demonstrate commonality under Rule 23(a)(2), predominate over any individual issues. The key elements of the Plaintiff’s claims—the existence of inadequate data security protections, WSU’s knowledge or constructive knowledge of those failures, the exposure of Class Members’ PII as a result of the data breach, and the existence and amount of resulting damages, for example—are common issues, and thus the class is “sufficiently cohesive to warrant adjudication by representation.” CGC Holding Co., LLC v. Broad & Cassel, 773 F.3d 1076, 1087 (10th Cir. 2014).

Further, class resolution is superior to other available means for the fair and efficient adjudication of the claims in this case. Here, the potential damages suffered by individual Class Members could be relatively low dollar amounts and may be uneconomical to pursue on an individual basis given the burden and expense of prosecuting individual claims. Moreover, there is little doubt that resolving all Class Members’ claims jointly, particularly through a class-wide settlement negotiated on their behalf by counsel well-versed in class action litigation, is superior to a series of individual lawsuits and promotes judicial economy. See In re Universal Serv. Fund. Tele. Billing Practices Litig., 219 F.R.D. 661, 679 (D. Kan. 2004).

In sum, because the requirements of Rule 23(a) and Rule 23(b)(3) are satisfied, certification of the proposed Settlement Class is appropriate.

VI. CONCLUSION

Because the Settlement is fair, reasonable, and adequate, and because the Settlement Class meets all applicable requirements of Rule 23(a) and 23(b)(3), Plaintiff respectfully submits that certification of the class and final approval of the Settlement are warranted. For the reasons set forth herein, Plaintiff respectfully requests that the Court certify the Settlement Class for purposes of the Settlement and grant final approval of the Settlement pursuant to Federal Rule of Civil Procedure 23(e).

Dated: May 11, 2021

Respectfully Submitted,

/s/ Brandon J. B. Boulware
Brandon J.B. Boulware (KS # 25840)
BOULWARE LAW LLC
1600 Genessee Street, Suite 416
Kansas City, MO 64102
Tel: (816) 492-2826
Email: [email protected]

William B. Federman (admitted pro hac vice)
FEDERMAN & SHERWOOD
10205 N. Pennsylvania Ave.
Oklahoma City, Oklahoma 73120
-and-
212 W. Spring Valley Road
Richardson, TX 75081
(405) 235-1560
(405) 239-2112 (facsimile)
[email protected]

Counsel for Plaintiff and the Putative Class

CERTIFICATE OF SERVICE

The undersigned hereby certifies that on May 11, 2021, the foregoing document was filed via the Court’s ECF system, which will cause a true and correct copy of the same to be served electronically on the following ECF-registered counsel of record.

/s/ Brandon J. B. Boulware Brandon J.B. Boulware


Case 2:20-cv-02246-JAR-TJJ Document 37-1 Filed 05/11/21 Page 1 of 33

EXHIBIT 1

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

MICHAEL BAHNMAIER, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

WICHITA STATE UNIVERSITY,

Defendant.

CASE NO. 2:20-cv-02246-JAR-TJJ

DECLARATION OF SCOTT M. FENWICK OF KROLL SETTLEMENT ADMINISTRATION LLC IN SUPPORT OF FINAL APPROVAL

I, Scott Fenwick, declare as follows:

1. I am a Senior Director of Kroll Settlement Administration LLC (“Kroll”, f/k/a Heffler Claims Group) in Philadelphia, Pennsylvania. I am over twenty-one years of age and am authorized to make this declaration on behalf of Kroll and myself. The following statements are based on my personal knowledge and information provided by other experienced Kroll employees working under my supervision.

This declaration is being filed in support of final approval.

2. Kroll has extensive experience in class action matters, having provided services in class action settlements involving antitrust, securities fraud, employment and labor, consumer, and government enforcement matters. Kroll has provided notification and/or claims administration services in more than 3,000 cases.

3. Kroll was appointed as the Claims Administrator to provide notification and claims administration services in the Bahnmaier v Wichita State University Case No. 2:20-cv-02246-JAR-TJJ, referred to herein as the “Settlement.” Kroll’s duties in this Settlement have and will include: (a) preparing and sending CAFA notice; (b) receiving and analyzing the Class Member data (“the Class List”) from defense counsel; (c) establishing a post office box for the receipt of general mail and correspondence; (d) creating a website with online claim filing capabilities; (e) establishing a toll-free number with an Interactive Voice Response (IVR) system and live operators; (f) preparing and sending Notice; (g) processing Notices returned with a forwarding address; (h) processing Notices returned as undeliverable as addressed; (i) receiving and processing opt-outs and objections; (j) receiving and processing claim forms; and (k) such other tasks as counsel for the Parties or the Court orders Kroll to perform.

4. On behalf of the Defendant, Kroll provided notice of the proposed Settlement reflected in the Settlement Agreement pursuant to the Class Action Fairness Act 28 U.S.C. §1715(b) (“the CAFA Notice”). At Defense Counsel’s direction, Kroll sent the CAFA Notice, attached hereto as Exhibit A, and an accompanying CD containing the documents required under 28 U.S.C. §1715(b)(1)-(8) to the Attorney General of the United States and 56 state Attorneys General identified in the Manifest for the CAFA Notice via First-Class Certified Mail, on January 22, 2021.

5. On January 21, 2021, Kroll received a data file containing 440,968 records. The data file’s key components were first name, last name, address, city, state zip code and enroll code. On March 2, 2021 Kroll received an email data file containing 205,688 records. The data file key components were first name, last name, address, city, state zip code, Wichita State University email addresses and primary email addresses. Kroll determined that there were 440,968 unique records.

6. On February 17, 2021, Kroll obtained a post office box with the mailing address Bahnmaier v. WSU, c/o Claims Administrator, P.O Box 70, Warminster, PA 18974-0070 in order to receive requests for claim forms and correspondence from Class Members.

7. On February 25, 2021, Kroll created and is currently hosting a dedicated website entitled www.WichitaStateUniversitySettlement.com. The website went live on March 12, 2021. The website contains a summary of the Settlement, frequently asked questions, the Class Action Complaint, the Motion for Preliminary Approval Order, the Preliminary Approval Order, the Settlement Agreement, the Claim Form in both English and Spanish, the Long Form Notice in both English and Spanish, the Email Notice and information on the claim filing/exclusion/objection deadlines and allows Class Members the opportunity to file a Claim Form online. Class Members have access to the Settlement Website 24 hours a day. The Settlement Website continues to be fully operational and fully functional.

8. On March 2, 2021, Kroll established and is still maintaining a toll-free number, 1-844-367-8804, for Class Members to call and obtain additional information regarding the Settlement using both Live Operators and an IVR system. As of May 10, 2021, 627 Class Members have called the IVR, and 302 Class Members have called to speak to Live Operators.

9. On or about February 10, 2021, Kroll received Word versions of the Short Form Notice, Long Form Notice and Claim Form from counsel. Kroll prepared and formatted drafts of the materials that counsel reviewed and approved. True and correct copies of the Short Form Notice, Long Form Notice and Claim Form are attached hereto as Exhibit B.

10. To ensure the notice emails are seen by as many Class Members as practicable, the Claims Administrator will take steps to avoid its communications being flagged in spam filters. Such measures include using a reputable email service provider, avoiding spam trigger words in subject lines, avoiding embedding forms and video, and staggering email batches. The Claims Administrator will also use reasonable efforts to obtain updated mailing addresses for those Class Members whose emails “bounce back” and to resend notices to the updated mailing addresses. The Claims Administrator has not received any information in this matter that the emails sent as part of the Notice program implemented in this matter have had problems being received due to spam filters or other types of filters.

11. On March 12, 2021, following the removal of 30,892 duplicate email addresses, Kroll caused the emailing of the email Notices to 174,796 Class Members with an email in the Class List. Of the 174,796 emails attempted for delivery, 29,465 emails bounced. Of the 29,465 bounced records, all had a physical address.

12. In order to provide the best notice practicable, Kroll ran the data through the United States Postal Services’ (USPS) National Change of Address (NCOA) database and updated the data with the changes received from NCOA. On March 12, 2021, Kroll caused the mailing of Notices to the 266,172 Class Members. On March 25, 2021 Kroll caused the mailing of Notices to the 29,465 Class Members whose email notice bounced.

13. As of May 11, 2021, Kroll has received 1,200 Notices returned by the USPS with a forwarding address. Kroll has re-mailed 1,200 of the forwarded Notices to the updated addresses provided by the USPS and will continue to re-mail Notices as they are received.

14. As of May 11, 2021, Kroll has received 102,958 Notices returned by the USPS as undeliverable as addressed. Kroll has updated the records in the database to identify these as undeliverable. Kroll sent 92,339 records through a skip trace process with LexisNexis and obtained 57,953 updated addresses. As of May 11, 2021, Kroll has re-mailed Notices to the 57,953 addresses obtained through the skip-trace process.

15. As of May 11, 2021, Kroll has received additional Notices returned by the USPS as undeliverable as addressed. Kroll has updated the records in the database to identify these as undeliverable. Kroll is in the process of sending 10,619 records through a skip-trace process with LexisNexis.

16. I have been advised that WSU has also provided Notice through additional publication in its alumni newsletter and on WSU’s website. On March 12, 2021 a link to the settlement website was posted to WSU’s website. On March 15, 2021 a newsletter was distributed to 71,120 alumni that had an email advising of the settlement.

17. As of May 11, 2021, Kroll has received and processed eight requests for exclusion from the Settlement. The names of the individuals who requested exclusion from the Settlement are attached hereto as Exhibit C.

18. As of May 11, 2021, Kroll has received no objections to the Settlement.

19. As of May 11, 2021, Kroll has received eighteen claim forms received through the mail and 580 claims filed electronically through the Settlement Website. Kroll is still in the process of reviewing and validating claims. To prevent claims from individuals outside the Class and to prevent fraud, Class Members were provided a unique Class Member ID on their respective Notices. The Class Member ID is required for Class Members to file a claim online.

20. In accordance with the Settlement Agreement, the claim period will end on July 12, 2021.

21. As of May 11, 2021, Kroll has sent invoices totaling $128,086.48 covering fees and costs associated with administering the Settlement. Kroll anticipates billing $132,400 for the duration of the Settlement.

I declare under penalty of perjury under the laws of the United States that the above is true and correct to the best of my knowledge and that this declaration was executed on May 11, 2021 in Woodbury, Minnesota.

Scott M. Fenwick

Exhibit A

January 22, 2021

VIA FIRST CLASS CERTIFIED MAIL

To: All “Appropriate” Federal and State Officials Per 28 U.S.C. § 1715 (see attached distribution list)

Re: CAFA Notice for the Proposed Settlement in Bahnmaier v. Wichita State University, Case No. 2:20-cv-02246-JAR-TJJ in the United States District Court for the District of Kansas

Ladies and Gentlemen:

Pursuant to Section 3 of the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1715, Defendant Wichita State University (“Defendant” or “WSU”) hereby notifies you of the proposed settlement of the above-captioned action (the “Action”) currently pending in the United States District Court for the District of Kansas (the “Court”).

28 U.S.C. § 1715(b) lists eight items that must be provided to you in connection with any proposed class action settlement. Each of these items is addressed below:

1. 28 U.S.C. § 1715(b)(1) - a copy of the complaint and any materials filed with the complaint and any amended complaints.

The Class Action Complaint is provided in electronic form on the enclosed CD as Exhibit A.

2. 28 U.S.C. § 1715(b)(2) - notice of any scheduled judicial hearing in the class action.

On January 13, 2021, Plaintiff filed a motion for preliminary approval of the class action. Neither a Preliminary Approval Hearing nor a Final Approval Hearing date has been set. A copy of the Plaintiffs’ Motion for Preliminary Approval of Class Action, Declaration of William B. Federman in support of Plaintiff’s Motion for Preliminary Approval of Class Action and Proposed Preliminary Approval Order are provided in electronic form on the enclosed CD as Exhibit B, B1 and B2, respectively.

3. 28 U.S.C. § 1715(b)(3) - any proposed or final notification to Class Members.

A copy of the proposed Short Notice and Long Notice of Settlement that will be provided to Class Members by first-class mail and/or email and that will be available on the website created for the administration of this matter are provided in electronic form on the enclosed CD as Exhibit C and C1, respectively. The Notices describe, among other things, claim submission and the Class Members’ rights to object or exclude themselves from the Class.

1515 Market Street, Suite 1700 ◼ Philadelphia, PA 19102

www.HefflerClaims.com

4. 28 U.S.C. § 1715(b)(4) - any proposed or final class action settlement.

The Settlement Agreement is provided in electronic form on the enclosed CD as Exhibit D.

5. 28 U.S.C. § 1715(b)(5) - any settlement or other agreement contemporaneously made between class counsel and counsel for defendants.

There are no other settlements or other agreements between Class Counsel and counsel for Defendants beyond what is set forth in the Agreement.

6. 28 U.S.C. § 1715(b)(6) - any final judgment or notice of dismissal.

The Court has not yet entered a final judgment or notice of dismissal. Accordingly, no such document is presently available.

7. 28 U.S.C. § 1715(b)(7) – (A) If feasible, the names of class members who reside in each State and the estimated proportionate share of the claims of such members to the entire settlement to that State’s appropriate State official; or (B) if the provision of the information under subparagraph (A) is not feasible, a reasonable estimate of the number of class members residing in each State and the estimated proportionate share of the claims of such members to the entire settlement.

The definition of the class in the proposed Settlement Agreement means all persons who were sent notification by WSU that their personal identifying information may have been exposed in the Data Incident announced by WSU in March 2020. Attached as Exhibit E is an estimated breakdown by state for known Class Members.

8. 28 U.S.C. § 1715(b)(8) - any written judicial opinion relating to the materials described in 28 U.S.C. § 1715(b) subparagraphs (3) through (6).

There has been no written judicial opinion. Accordingly, no such document is presently available.

If you have any questions about this notice, the Action, or the enclosed materials, please contact the undersigned Claims Administrator listed below.

Sincerely,

Scott M. Fenwick Senior Director [email protected]


South Dakota Attorney General Virginia Attorney General 1302 East Highway 14, Suite 1 Pierre, SD 57501-8501 202 North Ninth St. Richmond, VA 23219 Tennessee Attorney General Herbert H. Slatery, III Washington Attorney General 425 5th Avenue North Bob Ferguson Nashville, TN 37243 1125 Washington St. SE P.O. Box 40100 Olympia, WA 98504-0100 Capitol Station West Virginia Attorney General P.O. Box 12548 Austin, TX 78711-2548 State Capitol 1900 Kanawha Blvd., E. Charleston, WV 25305 State Capitol, Rm. 236 Wisconsin Attorney General Salt Lake City, UT 84114-0810 Wisconsin Department of Justice Attorney General State Capitol, Room 114 East TJ Donovan P.O. Box 7857 109 State St. Madison, WI 53707-7857 Montpelier, VT 05609-1001 Wyoming Attorney General Virgin Islands Attorney General Bridget Hill Denise N. George State Capitol Bldg. 34-38 Kronprindsens Gade Cheyenne, WY 82002 G.E.R.S. Building, 2nd Fl St. Thomas, VI 00802


Nebraska Attorney General Northern Mariana Islands Attorney Doug Peterson General State Capitol P.O. Box 98920 Administration Building Lincoln, NE 68509-8920 P.O. Box 10007 Saipan, MP 96950-8907 Aaron D. Ford Old Supreme Ct. Bldg. 100 N. Carson St. State Office Tower Carson City, NV 89701 30 E. Broad St., Columbus, OH 43266-0410 New Hampshire Attorney General Gordon MacDonald Oklahoma Attorney General 33 Capitol St. Mike Hunter Concord, NH 03301 313 NE 21st Street Oklahoma City, OK 73105 New Jersey Attorney General Gurbir S. Grewal Richard J. Hughes Justice Complex Ellen F. Rosenblum 25 Market Street, P.O. Box 080 Justice Bldg. Trenton, NJ 08625 1162 Court St., NE Salem, OR 97301 New Mexico Attorney General Pennsylvania Attorney General P.O. Drawer 1508 Pennsylvania Office of Attorney General, Santa Fe, NM 87504-1508 th 16 Fl. Strawberry Square New York Attorney General Harrisburg, PA 17120 Letitia A. James Department of Law - The Capitol, 2nd fl. Puerto Rico Attorney General Albany, NY 12224 Domingo Emanuelli Hernandez P.O. Box 9020192 North Carolina Attorney General San Juan. PR 00902-0192 Dept. of Justice Rhode Island Attorney General P.O. Box 629 Peter F. Neronha Raleigh, NC 27602-0629 150 S. Main St. Providence, RI 02903 North Dakota Attorney General South Carolina Attorney General State Capitol Alan Wilson 600 E. Boulevard Ave. Rembert C Dennis Office Building Bismarck, ND 58505-0040 P.O. Box 11549, Columbia, SC 29211-1549

Maine Attorney General, State House Station 6, Augusta, ME 04333
700 W. Jefferson Street, Suite 210, P.O. Box 83720, Boise, ID 83720-1000
Maryland Attorney General, 200 St. Paul Place, Baltimore, MD 21202-2202
Illinois Attorney General, James R. Thompson Ctr., 100 W. Randolph St., Chicago, IL 60601
Massachusetts Attorney General, 1 Ashburton Place, Boston, MA 02108-1698
Indiana Government Center South – 5th Floor, 302 West Washington Street, Indianapolis, IN 46204
Michigan Attorney General, P.O. Box 30212, 525 W. Ottawa St., Lansing, MI 48909-0212
Iowa Attorney General, Hoover State Office Building, 1305 E. Walnut, Des Moines, IA 50319
Minnesota Attorney General, Keith Ellison, Suite 102, State Capitol, 75 Dr. Martin Luther King Jr. Blvd., Saint Paul, MN 55155
Mississippi Attorney General, Department of Justice, P.O. Box 220, Jackson, MS 39205
120 S.W. 10th Ave., 2nd Fl., Topeka, KS 66612-1597
Kentucky Attorney General, Daniel Cameron, 700 Capitol Avenue, Capitol Building, Suite 118, Frankfort, KY 40601
Missouri Attorney General, Eric Schmitt, Supreme Ct. Bldg., 207 W. High St., Jefferson City, MO 65101
Louisiana Attorney General, P.O. Box 94095, Baton Rouge, LA 70804-4095
Montana Attorney General, Justice Bldg., 215 N. Sanders, Helena, MT 59620-1401

SERVICE LIST FOR CAFA NOTICE

U.S. Attorney General, Jeffrey A. Rosen, U.S. Department of Justice, 950 Pennsylvania Ave, NW, Washington, DC 20530-0001
Colorado Attorney General, Ralph L. Carr Colorado Judicial Center, 1300 Broadway, 10th Floor, Denver, CO 80203
Alabama Attorney General, Steven Marshall, 501 Washington Ave., P.O. Box 300152, Montgomery, AL 36130-0152
Connecticut Attorney General, 165 Capitol Avenue, Hartford, CT 06106
Alaska Attorney General, Clyde “Ed” Sniffen Jr., 1031 W 4th Ave, Suite 200, Anchorage, AK 99501-1994
Delaware Attorney General, Carvel State Office Building, 820 N. French St., Wilmington, DE 19801
American Samoa Attorney General, Fainu’ulei Falefatu Ala’ilima-utu, American Samoa Gov’t, Exec. Ofc. Bldg, Utulei, Territory of American Samoa, Pago Pago, AS 96799
District of Columbia Attorney General, Karl A. Racine, 400 6th St., NW, Washington, DC 20001
The Capitol, PL 01, Tallahassee, FL 32399-1050
2005 N. Central Ave, Phoenix, AZ 85004
Georgia Attorney General, Chris Carr, 40 Capitol Square, SW, Atlanta, GA 30334-1300
Arkansas Attorney General, 323 Center St., Suite 200, Little Rock, AR 72201-2610
Guam Attorney General, Leevin T. Camacho, Office of The Attorney General, Itc Building, 590 S. Marine Corps Dr, Ste. 706, Tamuning, Guam 96913
California Attorney General, Xavier Becerra, 1300 I St., Ste. 1740, Sacramento, CA 95814
Hawaii Attorney General, Clare E. Connors, 425 Queen St., Honolulu, HI 96813

Exhibit B

If Wichita State University (“WSU”) notified you of a December 2019 Data Incident, you may be eligible for a payment from a class-action settlement.

If you would like to receive this notice in Spanish, call us or visit our website.

A settlement has been reached in a class-action lawsuit concerning a cyber-attack against Wichita State University whereby criminals accessed WSU’s computer systems resulting in the potential compromise of personal information (the “Data Incident”). The Data Incident happened between December 3, 2019 and December 5, 2019, and may have resulted in unauthorized access to certain student and employee web portals. The lawsuit alleges that the Data Incident exposed personally identifying information, including email addresses, dates of birth, and Social Security Numbers. WSU denies the claims in the lawsuit, including that any personal information was accessed, and says it did not do anything wrong.

Who is included? WSU’s records show you are a likely member of the Settlement Class. The settlement class includes all persons who were sent notification by WSU that their personal identifying information may have been exposed in the Data Incident announced by WSU in March 2020.

What are the settlement benefits? The settlement provides payments to people who submit valid claims for reimbursement of up to $300 for documented out-of-pocket expenses and up to three hours of lost time at the rate of $20 per hour that resulted from the Data Incident. Claims made for time spent dealing with the Data Incident can be combined with reimbursement for documented out-of-pocket expenses and are subject to the same $300 cap for all settlement class members. Visit the settlement website or call the toll-free number below for complete benefit details.

What are my options? The only way to get a benefit is to file a claim. The claim deadline is [Month, day, year]. If you do nothing, you will remain in the class, you will not be eligible for benefits, and you will be bound by the decisions of the Court and give up your rights to sue WSU for the claims resolved by this settlement. If you do not want to be legally bound by the settlement, you must exclude yourself by [Month Day Year]. If you stay in the settlement, you may object to it by [Month, Day, Year].

On July 27, 2021 at 2:00 p.m. Central Standard Time, the Court will hold a Fairness Hearing to determine whether to approve the settlement. The Court will also consider class counsel’s request for attorneys’ fees and expenses of no more than $325,000 for litigating the case and negotiating the Settlement, and a service award of $1,500 for the plaintiff. Any award of attorneys’ fees, expenses, and service award to the plaintiff will be paid separately by WSU and will not reduce the amount of payments to class members who submit valid claims. The motion for settlement approval and motion for attorneys’ fees will be posted on the settlement website after they are filed. You or your own lawyer, if you have one, may ask to appear and speak at the hearing at your own cost, but you do not have to.

This is only a summary of the settlement. Detailed information concerning benefits, how to file a claim or how to object is available at the website www.WichitaStateUniversitySettlement.com or by calling toll-free at 844-367-8804.

www.WichitaStateUniversitySettlement.com 1-844-367-8804

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

If Wichita State University notified you of a December 2019 Data Incident, you may be eligible for a payment from a class action settlement.

A court authorized this Notice. This is not a solicitation from a lawyer.

• A settlement has been reached in a proposed class-action lawsuit called Bahnmaier v. Wichita State University, Case No. 2:20-cv-02246-JAR-TJJ in the United States District Court for the District of Kansas, concerning a cyber-attack that occurred as a result of criminals accessing the computer systems at Wichita State University (“WSU”) and potentially compromising personal information (“Data Incident”).

• The Data Incident happened between December 3, 2019 and December 5, 2019. WSU was the victim of a cyber-attack in which criminals may have gained unauthorized access to certain student and employee web portals. The lawsuit alleges that the Data Incident potentially exposed personally identifiable information (“PII”), including names, email addresses, dates of birth, and Social Security Numbers of approximately 443,000 individuals. WSU denies the claims in the lawsuit, including that any personal information was accessed, and says it did not do anything wrong.

• The Settlement includes all persons who were sent notification by WSU of the Data Incident announced by WSU in March 2020. It specifically excludes: (i) WSU and its officers and directors; (ii) all class members who timely and validly request exclusion from the class; (iii) Judge Julie A. Robinson, who is assigned to evaluate the fairness of this settlement, and her staff and family; (iv) Magistrate Judge Teresa J. James and her staff and family; and (v) any other person found by a court of competent jurisdiction to be guilty under criminal law of initiating, causing, aiding or abetting the criminal activity occurrence of the Data Incident or who pleads nolo contendere to any such charge.

• The Settlement provides payments, up to $300 per person, to people who submit valid claims for documented out-of-pocket expenses related to the Data Incident and for up to three hours of time spent dealing with the Data Incident, at $20 per hour.

Your legal rights are affected even if you do nothing. Read this Notice carefully.

YOUR LEGAL RIGHTS AND OPTIONS IN THIS SETTLEMENT

Submit a Claim: The only way to get a payment. You must file a claim by Month 00, 2021.

Ask to Opt-Out of the Settlement: Get no payment. The only option that allows you to sue WSU over the claims resolved by this settlement. You must request to opt-out of the settlement by Month 00, 2021.

Object: Write to the Court about why you do not like the settlement. You must submit an objection by Month 00, 2021.

Do Nothing: Get no payment. Give up rights to sue WSU for the claims in this case.

These rights and options – and the deadlines to exercise them – are explained in this Notice.

Questions? Call 1-844-367-8804 or visit www.WichitaStateUniversitySettlement.com

The Court in charge of this case still has to decide whether to grant final approval of the settlement. Payments will only be made after the Court grants final approval of the settlement and after any appeals are resolved.

WHAT THIS NOTICE CONTAINS

BASIC INFORMATION
1. Why was this notice issued?
2. What is this lawsuit about?
3. Why is this lawsuit a class action?
4. Why is there a settlement?

WHO IS IN THE SETTLEMENT?
5. How do I know if I am included in the settlement?
6. What if I am not sure whether I am included in the settlement?

THE SETTLEMENT BENEFITS
7. What does the settlement provide?
8. What payments are available for expense reimbursement?
9. What payments are available for lost-time reimbursement?

HOW TO GET BENEFITS
10. How do I get benefits?
11. How will claims be decided?

REMAINING IN THE SETTLEMENT
12. Do I need to do anything to remain in the settlement?
13. What am I giving up as part of the settlement?

EXCLUDING YOURSELF FROM THE SETTLEMENT
14. If I opt-out of the settlement, can I get a payment from this settlement?
15. If I do not opt-out of the settlement, can I sue WSU for the same thing later?
16. How do I opt-out of the Settlement?

THE LAWYERS REPRESENTING YOU
17. Do I have a lawyer in this case?
18. How will the lawyers be paid?

OBJECTING TO THE SETTLEMENT
19. How do I tell the Court that I do not like the settlement?
20. What is the difference between objecting and asking to be excluded?

THE COURT’S FAIRNESS HEARING
21. When and where will the Court decide whether to approve the settlement?
22. Do I have to attend the hearing?

IF YOU DO NOTHING
23. What happens if I do nothing?

GETTING MORE INFORMATION
24. How do I get more information?

BASIC INFORMATION

1. Why was this notice issued?

The Court authorized this notice because you have a right to know about the proposed settlement in this lawsuit and about all of your options before the Court decides whether to give “final approval” to the settlement. This notice explains the legal rights and options that you may exercise before the Court decides whether to approve the settlement. The Honorable Julie A. Robinson of the United States District Court for the District of Kansas is overseeing this case. The case is known as Bahnmaier v. Wichita State University, Case No. 2:20-cv-02246-JAR-TJJ. The person who sued is called the Plaintiff. WSU is the Defendant in this case.

2. What is this lawsuit about?

The lawsuit claims that WSU was responsible for the Data Incident that occurred, and asserts claims such as: negligence, negligence per se, breach of implied contract, unjust enrichment and violations of the Kansas consumer protection statutes. The lawsuit seeks compensation for people who had losses as a result of the Data Incident. WSU denies all of the Plaintiff’s claims and says it did not do anything wrong.

3. Why is this lawsuit a class action?

In a class action, one or more people called “class representatives” sue on behalf of all people who have similar claims. All of these people together are the “class” or “class members.” In this case, the class representative is Michael Bahnmaier. One court resolves the issues for all class members, except for those who exclude themselves from the class.

4. Why is there a settlement?

By agreeing to settle, both sides avoid the cost and risk of a trial, and people who submit timely, valid claims will get compensation. The class representative and his attorneys believe the settlement is fair, reasonable, and adequate and, thus, best for the class and its members. The settlement does not mean that WSU did anything wrong.

WHO IS IN THE SETTLEMENT?

5. How do I know if I am included in the settlement?

You are included in the class if you reside in the United States and were notified by WSU in March 2020 of the Data Incident that occurred between December 3, 2019 and December 5, 2019. The Settlement Class specifically excludes: (i) WSU and its officers and directors; (ii) all class members who timely and validly request exclusion from the class; (iii) Judge Julie A. Robinson, who is assigned to evaluate the fairness of this settlement, and her staff and family; (iv) Magistrate Judge Teresa J. James and her staff and family; and (v) any other person found by a court of competent jurisdiction to be guilty under criminal law of initiating, causing, aiding or abetting the criminal activity occurrence of the Data Incident or who pleads nolo contendere to any such charge.

6. What if I am not sure whether I am included in the settlement?

If you are not sure whether you are included in the settlement, you may call 1-844-367-8804 with questions or visit www.WichitaStateUniversitySettlement.com. You may also write with questions to WSU Data Breach Settlement, c/o Claims Administrator, PO Box 00000, Philadelphia, PA 19101-0000. Please do not contact the Court with questions.

THE SETTLEMENT BENEFITS

7. What does the settlement provide?

The settlement will provide payments to people who submit valid claims. There are two types of payments that are available: (1) Expense Reimbursement (Question 8) and (2) Lost-Time Reimbursement (Question 9). You may submit a Claim for either or both types of payments. The maximum amount of money you may claim is $300 per person. In order to claim expense reimbursement, you must provide related documentation with the claim form. In order to claim lost-time reimbursement, you must (1) attest on the claim form that any claimed lost time was spent related to the Data Incident; and (2) provide with the claim form a written description of how the claimed lost time was spent related to the Data Incident.

8. What payments are available for out-of-pocket expense reimbursement?

Class members are eligible to receive reimbursement of up to $300 (in total) for the following categories of out-of-pocket expenses resulting from the Data Incident:
1. Unreimbursed bank fees or penalties;
2. Unreimbursed card reissuance fees or penalties;
3. Unreimbursed overdraft fees or penalties;
4. Unreimbursed charges related to unavailability of funds;
5. Unreimbursed late fees or penalties;
6. Unreimbursed over-limit fees or penalties;
7. Long distance telephone charges;
8. Cell minutes (if charged by minute), Internet usage charges (if charged by the minute or by the amount of data usage and incurred solely as a result of the Data Incident), and text messages (if charged by the message and incurred solely as a result of the Data Incident);
9. Unreimbursed charges from banks or credit card companies;
10. Interest on payday loans that were taken out solely as a result of the Data Incident;
11. Costs of credit report(s) purchased by Settlement class members between December 3, 2019 and [Month day, 2021] (with affirmative statement by the class member that it was purchased primarily because of the Data Incident);
12. Costs of credit monitoring and identity theft protection purchased by Settlement Class Members between December 3, 2019 and [Month day, 2021] (with affirmative statement by the class member that it was purchased primarily because of the Data Incident and not for other purposes, and with proof of purchase); and
13. Other losses incurred by class members determined to be traceable to the Data Incident by the settlement administrator.

9. What payments are available for lost-time reimbursement?

Class members are also eligible to receive up to three hours for time spent dealing with issues resulting from the Data Incident.
• Time spent dealing with issues resulting from the Data Incident is calculated at the rate of $20 per hour.
• You can only claim lost time if at least one full hour was spent dealing with issues resulting from the Data Incident, and you must both attest to the time spent and describe how the time was spent on the claim form.
• Lost time claims can be combined with reimbursement for out-of-pocket expenses and are subject to the same $300 maximum reimbursement per person.

More details are provided in the Amended Settlement Agreement (“Settlement Agreement”), which is available at www.WichitaStateUniversitySettlement.com.

HOW TO GET BENEFITS

10. How do I get benefits?

If you want to get money from this settlement, you must complete and submit a claim form online or by mail, postmarked no later than Month 00, 2021, to:

WSU Data Breach Settlement
c/o Claims Administrator
PO Box 0000
Philadelphia, PA 19101-0000

Please read the instructions carefully. You must include reasonable documentation for any out-of-pocket expenses and charges incurred. If you cannot provide documentation, you must provide a statement explaining why you cannot provide documentation.

You can get a claim form online at www.WichitaStateUniversitySettlement.com, or you may request one by mail by calling 1-844-367-8804.

11. How will claims be decided?

The claims administrator will initially decide whether the information provided on a claim form is complete and valid. The claims administrator may require additional information from any claimant. If the required information is not provided timely, the claim will be considered invalid and will not be paid.

If the claim is complete and the claims administrator denies the claim entirely or partially, the claimant will be provided an opportunity to have their claim reviewed by an impartial claims referee.

REMAINING IN THE SETTLEMENT

12. Do I need to do anything to remain in the settlement?

You do not have to do anything to remain in the settlement, but if you want a payment you must submit a claim form either online or via mail, postmarked by Month 00, 2021. See Question 10 for instructions on filing a claim.

13. What am I giving up as part of the settlement?

If the settlement becomes final, you will give up your right to sue WSU for the claims being resolved by this settlement. The specific claims you are giving up against WSU are identified in Section 1.17 and described in Section 6 of the Settlement Agreement. You will be “releasing” WSU as described in Section 6 of the Settlement Agreement. The Settlement Agreement is available at www.WichitaStateUniversitySettlement.com.

The Settlement Agreement describes the released claims with specific descriptions, so read it carefully. If you have any questions you can talk to the law firms listed in Question 17 for free or you can, of course, talk to your own lawyer at your own expense if you have questions about what this means.

EXCLUDING YOURSELF FROM THE SETTLEMENT

If you do not want a payment from this settlement, but you want to keep the right to sue WSU over issues in this case, then you must take steps to opt-out of the class. This is called excluding yourself from—or is sometimes referred to as “opting out” of—the class.

14. If I opt-out of the settlement can I get a payment from this settlement?

No. If you opt-out, you will not be entitled to any benefits of the settlement, but you will not be bound by any judgment in this case.

15. If I do not opt-out, can I sue WSU for the same thing later?

No. Unless you opt-out, you give up any right to sue WSU for the claims that this settlement resolves. You must opt-out of the class to start your own lawsuit or to be part of any different lawsuit relating to the claims in this case. If you opt-out, do not submit a claim form to ask for a payment.

16. How do I opt-out of the settlement?

To opt-out of the settlement, send a letter that says you want to opt-out of the settlement in Bahnmaier v. Wichita State University, Case No. 2:20-cv-02246-JAR-TJJ. You must include your name, address, and signature. You must mail your opt-out request postmarked by Month 00, 2021, to:

WSU Settlement Exclusions
c/o Claims Administrator
PO Box 0000
Philadelphia, PA 19101-0000

THE LAWYERS REPRESENTING YOU

17. Do I have a lawyer in this case?

Yes. The Court appointed Federman & Sherwood as “class counsel” to represent you and all class members. You will not be charged for these lawyers. If you want to be represented by your own lawyer, you may hire one at your own expense.

18. How will the lawyers be paid?

For litigating the case and negotiating the Settlement, class counsel will request the Court’s approval of an award for attorneys’ fees and reasonable costs and expenses of no more than $325,000. Class counsel will also request approval of a service award of $1,500 to be given to the class representative. Any amount that the Court awards for attorneys’ fees, expenses, and a service award to the class representative will be paid separately by WSU and will not reduce the amount of payments to class members who submit valid claims.

OBJECTING TO THE SETTLEMENT

You can tell the Court that you do not agree with the Settlement or some part of it.

19. How do I tell the Court that I do not like the settlement?

You can object to the settlement if you do not like it or some part of it. The Court will consider your views. To do so, you must file a written objection in this case, Bahnmaier v. Wichita State University, Case No. 2:20-cv-02246-JAR-TJJ, with the Clerk of the Court at the address below.

Your objection must include all the following information:
1. your full name, address, telephone number, and e-mail address (if any);
2. information identifying you as a class member, including proof that you are a member of the class (e.g., copy of settlement notice, copy of original notice of the Data Incident);
3. a written statement of all grounds for your objection, accompanied by any legal support for the objection you believe is applicable;
4. the identity of any and all counsel representing you in connection with the objection;
5. a statement whether you and/or your counsel will appear at the Final Fairness Hearing;
6. your signature and the signature of your duly authorized attorney representing you in connection with the objection or other duly authorized representative (along with documentation setting forth such representation); and
7. a list, by case name, court, and docket number, of all other cases in which you and/or your counsel have filed an objection to any proposed class action settlement within the last three (3) years.

To be timely, your objection must be postmarked to the Clerk of the Court for the United States District Court for the District of Kansas no later than Month 00, 202. In addition, you must mail a copy of your objection to both Class Counsel and Defense Counsel, postmarked no later than Month 00, 2021:

COURT: Clerk of the Court, 500 State Ave., Kansas City, KS 66101

DEFENSE COUNSEL: Casie D. Collignon, Baker & Hostetler, LLP, 1801 California Street, Suite 4400, Denver, Colorado 80202-2662

CLASS COUNSEL: William B. Federman, Federman & Sherwood, 10205 N. Pennsylvania Ave., Oklahoma City, OK 73120

20. What is the difference between objecting and opting out?

Objecting is telling the Court that you do not like the settlement and why you do not think it should be approved. You can object only if you do not opt-out of the Class. Opting out of the settlement is telling the Court that you do not want to be part of the class. If you opt-out, you have no basis to object because the case no longer affects you.

THE COURT’S FAIRNESS HEARING

The Court will hold a hearing to decide whether to grant final approval of the settlement.

21. When and where will the Court decide whether to approve the settlement?

The Court will hold a Fairness Hearing at 2:00 p.m. on July 27, 2021, at the United States District Court for the District of Kansas located at 500 State Ave., Kansas City, KS 66101. The hearing may be moved to a different date or time without additional notice, so it is a good idea to check www.WichitaStateUniversitySettlement.com or call 1-844-367-8804. The hearing may also be held via Zoom or telephonically. Instructions on how to appear at the Final Fairness Hearing will be posted on the settlement website, located at www.WichitaStateUniversitySettlement.com, or you can call 1-844-367-8804.

At this hearing, the Court will consider whether the settlement is fair, reasonable, and adequate. If there are timely objections, the Court will consider them and will listen to people who have asked to speak at the hearing if such a request has been properly made. The Court will also rule on the request for an award of attorneys’ fees and expenses, as well as the request for a service award for the class representative. After the hearing, the Court will decide whether to approve the settlement. We do not know how long these decisions will take.

22. Do I have to attend the hearing?

No. Class counsel will present the Settlement Agreement to the Court. You or your own lawyer are welcome to attend at your expense, but you are not required to do so.

If you send an objection, you do not have to come to the Court to talk about it. As long as you filed your written objection on time with the Court and mailed it according to the instructions provided in Question 19, the Court will consider it. If, however, you would also like to attend and speak at the hearing, you must state your intention to do so as part of your objection, as discussed in Question 19.

IF YOU DO NOTHING

24. What happens if I do nothing?

If you do nothing, you will get no benefits from this settlement. Unless you opt-out of the settlement after the settlement is granted final approval and the judgment becomes final, you will not be able to start a lawsuit, continue with a lawsuit, or be part of any other lawsuit against WSU about the legal issues in this case, ever again.

GETTING MORE INFORMATION

25. How do I get more information?

This notice summarizes the proposed settlement. More details are in the Settlement Agreement. You can get a copy of the Settlement Agreement at www.WichitaStateUniversitySettlement.com. You may also write with questions to:

WSU Data Breach Settlement
c/o Claims Administrator
PO Box 00000
Philadelphia, PA 19101-0000

You can also get a claim form and further information at the website, or by calling the toll-free number, 1-844-367-8804.

CLAIM FORM

A settlement has been reached in a proposed class-action lawsuit (“Lawsuit”) concerning a cyber-attack against Wichita State University (“WSU”), whereby criminals accessed WSU’s computer systems resulting in the potential compromise of personal information (the “Data Incident”). Specifically, the lawsuit alleged that in December 2019, WSU “learned that ‘an unauthorized person gained access’ to a ‘computer server that WSU used to operate various student and employee web portals’ between December 3, 2019 and December 5, 2019.” The lawsuit alleges that the Data Incident exposed personally identifiable information of Plaintiff and the Class, including names, email addresses, dates of birth, and Social Security Numbers (“PII”). WSU denies all of the claims in the lawsuit, including that any personal information was accessed, and says it did not do anything wrong.

You are a “class member” if you were sent notification by WSU that your personal identifying information may have been exposed in the Data Incident announced by WSU in March 2020, and you may be entitled to share in the settlement benefits.

As a class member, you are eligible to receive up to $300 in (1) documented out-of-pocket expenses and (2) up to three hours of time spent dealing with the Data Incident, at $20.00 per hour.1

TO BE ELIGIBLE FOR ANY SETTLEMENT BENEFITS, YOU MUST COMPLETE AND SIGN THIS CLAIM FORM AND SUBMIT IT NO LATER THAN [MONTH 00], 2021.

This claim form should be filled out online or submitted by mail. Checks will be mailed to eligible class members if the settlement is approved by the Court.

The settlement notice describes your legal rights and options. Please visit the official settlement administration website, www.WichitaStateUniversitySettlement.com, or call 1-844-367-8804 for more information.

Claim submission options:
• File a claim online at www.WichitaStateUniversitySettlement.com. Your form must be submitted by 11:59 p.m. Central Time on xxx xx, 20XX.
• Print this form, complete the form in its entirety, and mail to the claims administrator at the address listed below. YOU MUST INCLUDE YOUR CLASS MEMBER ID. You can locate your class member ID at the top of the postcard notice that was sent to you. Your claim form must be postmarked by XXXX XX, 20XX.
• You can contact the claims administrator to request a claim form be mailed to you. You must complete the claim form in its entirety and then mail the completed claim form so that it is postmarked by XXXX XX, 20XX.

1 Documented out-of-pocket expenses include: (i) unreimbursed bank fees or penalties; (ii) unreimbursed card reissuance fees or penalties; (iii) unreimbursed overdraft fees or penalties; (iv) unreimbursed charges related to unavailability of funds; (v) unreimbursed late fees or penalties; (vi) unreimbursed over-limit fees or penalties; (vii) long distance telephone charges; (viii) cell minutes (if charged by minute), internet usage charges (if charged by the minute or by the amount of data usage and incurred solely as a result of the Data Incident), and text messages (if charged by the message and incurred solely as a result of the Data Incident); (ix) unreimbursed charges from banks or credit card companies; (x) interest on payday loans due to card cancellation or due to over-limit situation incurred solely as a result of the Data Incident; (xi) costs of credit report(s) purchased by class members between December 3, 2019 and the date of the preliminary approval order (with affirmative statement by the class member that it was purchased primarily because of the Data Incident); (xii) costs of credit monitoring and identity theft protection purchased by class members between December 3, 2019 and forty-five (45) days after the date on which notice of the settlement is sent to the class members (with affirmative statement by the class member that it was purchased primarily because of the Data Incident and not for other purposes, and with proof of purchase); and (xiii) other losses incurred by class members determined to be fairly traceable to the Data Incident by the settlement administrator.

You are also eligible for up to 3 hours of time spent dealing with the Data Incident, valued at $20 per hour. In order to receive this benefit, you must (1) have spent at least one hour of time dealing with the Data Incident; (2) attest that any claimed lost time was spent dealing with the Data Incident; and (3) provide a written description of how the claimed lost time was spent related to the Data Incident.


1. CLASS MEMBER INFORMATION.

Class Member ID: XXXXX ______

Name (REQUIRED): ______First Name Mi Last Name

______Number and Street Address (REQUIRED)

______- ______City (REQUIRED) State (REQUIRED) Zip Code (REQUIRED)

Telephone Number (REQUIRED): ( ______) ______- ______

Email Address (optional): ______@______

2. PAYMENT ELIGIBILITY INFORMATION. Please provide as much information as you can to help us figure out if you are entitled to a settlement payment. For more information on who is eligible for a payment and the nature of the expenses or losses that can be claimed, please review the notice and section 2.1 of the Settlement Agreement (available at www.WichitaStateUniversitySettlement.com).

PLEASE PROVIDE THE INFORMATION LISTED BELOW:

a. Reimbursement of Lost Time Resulting from the Data Incident: (between one and 3 hours of time spent dealing with the Data Incident, which will be calculated and paid at a rate of $20.00 per hour)

Total number of hours claimed ______

Description of how you spent your time responding to the Data Incident:

______

______

______

If the time was spent online or on the telephone, briefly describe what you did, or attach a copy of any letters or emails you wrote. If the time was spent trying to reverse fraudulent charges, briefly describe what you did. If the time was spent checking or updating accounts, identify the accounts that had to be checked or updated.

Please note that the time that it takes to fill out this Claim Form is not reimbursable and should not be included in the total.

b. Expense Reimbursement Resulting from the Data Incident: (not to exceed $300 per Settlement Class Member)


Check the box for each category of documented out-of-pocket expenses you had to pay as a result of the Data Incident or lost time that you spent dealing with the Data Incident. Please be sure to fill in the total amount you are claiming for each category and attach documentation of the charges as described in bold type (if you are asked to provide account statements as part of proof required for any part of your claim, you may mark out any unrelated transactions if you wish).

_____ Credit reports, identity theft insurance, or credit monitoring charges.

Examples - The cost of a credit report, identity theft insurance, or credit monitoring services that you purchased after hearing about the Data Incident.

Total amount for this category $______

Attach a copy of a receipt or other proof of purchase for each credit report or product purchased.

You may mark out any information that is not relevant to your claim before sending in the documentation. □ Check this box to confirm that any and all credit reports, identity theft insurance, or credit monitoring claimed for reimbursement were purchased primarily because of the Data Incident.

_____ Bank fees or penalties due to fraudulent activity.

Examples - Overdraft fees, over-the-limit fees, late fees, or charges due to insufficient funds or interest.

Total amount for this category $______

Attach a copy of a bank or credit card statement or other proof of the fees or charges.

You may mark out any information that is not relevant to your claim before sending in the documentation.

Date reported ______

Description of the person(s) to whom you reported the fraud:

______

______

______

_____ Fees or charges relating to the reissuance of your credit or debit card.

Examples – Fees that your bank charged you because you requested a new credit or debit card.

Total amount for this category $______

Attach a copy of a bank or credit card statement or other receipt showing these fees.


You may mark out any information that is not relevant to your claim before sending in the documentation.

_____ Fees or costs relating to your account being frozen or unavailable.

Examples - You were charged a late fee or interest by another company because your payment was declined. You had to pay a fee for a money order or other form of alternative payment because you could not access funds in your account. You had to take out a payday loan as a result of funds being unavailable.

Total amount for this category $______

Attach a copy of receipts, bank or credit card statements, or other proof that you had to pay these expenses.

You may mark out any information that is not relevant to your claim before sending in the documentation.

_____ Other incidental telephone, internet, or postage expenses directly related to the Data Incident.

Examples - Long distance phone charges, cell phone charges (only if charged by the minute), data charges (only if charged based on the amount of data used)

Total amount for this category $______

Attach a copy of the bill from your telephone or mobile phone company or internet service provider that shows the charges.

You may mark out any information that is not relevant to your claim before sending in the documentation.

_____ Other losses or costs directly related to the Data Incident.

Total amount for this category $______

Attach documentation supporting these costs and demonstrating how they are directly related to the Data Incident.

You may mark out any information that is not relevant to your claim before sending in the documentation.

□ Check this box to confirm that you have exhausted all applicable insurance policies, including credit monitoring insurance and identity theft insurance, and that you have no insurance coverage for the losses or charges for which you seek reimbursement in this claim form.

If you are unable to provide documentation for any out-of-pocket expenses for which you seek reimbursement, you must submit a sworn declaration, under oath with penalty of perjury, explaining why supporting documentation cannot be provided and explaining the details of the out-of-pocket expenses.


3. SIGN AND DATE YOUR CLAIM FORM. I declare under penalty of perjury under the laws of the United States and the laws of my State of residence that the information supplied in this claim form by the undersigned is true and correct to the best of my recollection, and that this form was executed on the date set forth below.

I understand that I may be asked to provide supplemental information by the claims administrator or claims referee before my claim will be considered complete and valid.

______/ ______/ ______


Signature Print Name Month/Day/Year (mm/dd/yyyy)

4. MAIL YOUR CLAIM FORM.

This claim form must be either submitted online or postmarked by XXXX XX, 20XX and mailed to:

Bahnmaier v. Wichita State University Settlement c/o Claims Administrator PO Box XXXX Philadelphia, PA XXXXX-XXXX


Bahnmaier v Wichita State University Settlement c/o Claims Administrator PO Box XXXXX Philadelphia, PA XXXXX-XXXX

*«RefNum»* «RefNum» «FirstName» «LastName» «Address1» «Address2» «City», «State» «Zip»

Exhibit C

EXCLUSION LIST

# | FIRST NAME | LAST NAME | STATE
1 | MICHAEL | HASTINGS | KS
2 | KENT | THOMPSON | KS
3 | CAROL | GIARDINA | GA
4 | JONATHAN | AXFORD | KS
5 | RHONDA | SHIBOLD | TN
6 | MARK | CHADWELL | KS
7 | KYLE | REBER | KS
8 | JONATHAN | BLACK | UT

Case 2:20-cv-02246-JAR-TJJ Document 37-2 Filed 05/11/21 Page 1 of 36

EXHIBIT 2

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

MICHAEL BAHNMAIER, individually and on behalf of all others similarly situated,

Plaintiff,

v.

WICHITA STATE UNIVERSITY,

Defendant.

Case No. 2:20-cv-02246-JAR-TJJ

DECLARATION OF WILLIAM B. FEDERMAN IN SUPPORT OF PLAINTIFF’S UNOPPOSED MOTION FOR FINAL APPROVAL OF THE CLASS ACTION SETTLEMENT

William B. Federman declares under penalty of perjury on May 11, 2021:

1. I am the founder and member of the law firm Federman & Sherwood, Counsel for Plaintiff Michael Bahnmaier (“Plaintiff”) and the putative class. I am a member of the Bars of the States of Texas, New York, and Oklahoma, as well as numerous United States District Courts and Courts of Appeals. I am admitted pro hac vice in this action. I submit this Declaration in Support of Plaintiff’s Unopposed Motion for Final Approval of Class Action Settlement.

2. Plaintiff and Defendant Wichita State University (“WSU” or “Defendant”) have reached a proposed settlement (the “Settlement”) of this class action. The proposed Settlement, if approved, will resolve all claims in this action pursuant to the terms of the Settlement Agreement, submitted herewith.

3. The Settlement resulted from extensive arm’s-length negotiations between the parties. Plaintiff and Class Counsel were well informed about the strengths and weaknesses of the action as a result of their extensive pre-complaint investigation, their review of Defendant’s motion to dismiss and the arguments raised therein, and their exchange of information with Defendant as part of the settlement negotiation process. Additionally, as part of the proposed Settlement, Defendant agreed to produce certain documents relating to the Data Incident for purposes of confirmatory discovery, which Plaintiff’s Counsel have reviewed and considered. In my view, the documents produced provide further support for the proposed Settlement.

4. Federman & Sherwood has extensive experience in complex class action litigation, including data breach class actions. Indeed, Federman & Sherwood has successfully prosecuted and settled numerous data breach class actions, consumer class actions, and other complex litigation throughout the country, and the firm has a strong reputation in this field. A copy of Federman & Sherwood’s firm resume is attached hereto as Exhibit A.

5. I believe and submit that the proposed Settlement is fair and reasonable and satisfies all of the relevant legal standards for approval under Rule 23(e) of the Federal Rules of Civil Procedure.

6. The proposed Settlement will provide significant benefits to the Class Members. Specifically, pursuant to the Settlement Agreement, Class Members will be eligible for cash payments of $20.00 per hour for up to three (3) hours for time spent dealing with issues relating to the Data Incident plus reimbursement for out-of-pocket costs up to $300.00 incurred as a result of the Data Incident.1 These amounts are well within the range of fair, reasonable, and adequate, particularly when considered in light of reported average out-of-pocket expenses attributable to a data breach. According to a research study sponsored by Experian Data Breach Resolution and conducted and reported by Ponemon Institute, “[e]ighty-one percent of respondents who were victims of a data breach did not have any out-of-pocket costs” and nine percent had less than $10 in out-of-pocket costs. See The Aftermath of a Data Breach: Consumer Settlement at pgs. 7, 18. A copy of this report is attached hereto as Exhibit B.

1 Claims made for lost time can be combined with reimbursement for out-of-pocket expenses but are subject to the same $300.00 cap for all Settlement Class Members.

7. The Settlement is additionally supported by the fact that it will provide immediate benefits to the proposed Settlement Class without the risks and costs of further protracted litigation. WSU raised several arguments in its motion to dismiss Plaintiff’s complaint. Among other things, WSU argued that Plaintiff lacked standing to bring the present action, that Plaintiff’s tort claims were barred under the economic loss doctrine, that Plaintiff’s Kansas Consumer Protection Act Claims were unsustainable, that Plaintiff’s breach of implied contract claims were too attenuated, and that WSU was immune from liability. While Plaintiff had arguments and authorities that could support his allegations, the number of issues in this case, which centers around an emerging area of law—data breach litigation—created significant uncertainty. Were the Court to be persuaded by any of Defendant’s arguments, it could result in the dismissal of Plaintiff’s claims. Further, during the parties’ settlement negotiations, WSU expressed that it is prepared to argue and defend that no Class Member data was actually stolen in the Data Incident. The number of legal issues and factual disputes that exist in this action creates significant uncertainty as to Plaintiff’s ability to obtain a recovery for the Class that is better than the recovery available under the present Settlement.

8. The immediacy of the benefits is particularly meaningful in this case since the Settlement provides for the reimbursement of credit monitoring and identity theft protection, even credit monitoring and identity theft protection purchased after Class Members received the notice of Settlement. See Amended Settlement Agreement (Dkt. No. 33-1) at ¶ 2.1.1.

9. For the foregoing reasons and for the reasons further discussed in Plaintiff’s Memorandum of Law in Support of Unopposed Motion for Final Approval of Class Action Settlement, filed contemporaneously herewith, I believe that the Settlement represents an outstanding result for the Settlement Class and should be finally approved by the Court.

I declare under penalty of perjury that the foregoing is true and correct.

Dated: May 11, 2021

/s/William B. Federman
William B. Federman (admitted pro hac vice)
FEDERMAN & SHERWOOD
10205 N. Pennsylvania Ave.
Oklahoma City, Oklahoma 73120
-and-
212 W. Spring Valley Road
Richardson, Texas 75801
(405) 235-1560
(405) 239-2112 (facsimile)
[email protected]

Counsel for Plaintiff and the Putative Class

EXHIBIT A

FEDERMAN & SHERWOOD (An Association of Attorneys and Professional Corporations)

10205 N. Pennsylvania Avenue, Oklahoma City, Oklahoma 73120
Telephone: 405-235-1560
Facsimile: 405-239-2112

212 W. Spring Valley Road, Richardson, Texas 75081
Telephone: 214-696-1100
Facsimile: 214-740-0112

FIRM RESUME

WILLIAM B. FEDERMAN. Education: Boston University (B.A., cum laude, 1979); University of Tulsa (J.D., 1982); Phi Alpha Delta (Treasurer, 1980-1982). Admitted to practice: United States District Courts for the following Districts: Western, Northern and Eastern, Oklahoma; Eastern and Southern, New York; Southern, Northern, Eastern and Western, Texas; Eastern and Western, Arkansas; District of Columbia; District of Colorado; Northern, Ohio; United States Court of Appeals for the following Circuits: First, Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, Ninth, Tenth and Eleventh and Federal; and United States Supreme Court. Lectures/Publications: “Class Actions, New Rules and Data Breach Cases,” 40th Annual OCBA Winter Seminar 2019; “A Case Study of Ethical Issues in Complex Litigation and Trends in Class Certification,” 39th Annual OCBA Winter Seminar, 2018; “Talkin’ About Insurance Coverage and Complex Litigation: What Every Lawyer and Client Should Know,” 38th Annual OCBA Winter Seminar, 2017; “Securities Litigation: Using Data to Make the Case,” by Bloomberg BNA, 2016; “The Changing Landscape for Prosecution of Financial Claims Involving Insolvent Companies” 37th Annual OCBA Winter Seminar, 2016; “Current Status of Securities Class Actions: Where are the Courts Taking Us?” Houston Bar Association, 2014. 
“Class & Derivative Actions and Securities Litigation,” 2013 Annual Meeting of the American Bar Association; “Litigation and Employment Law Update,” Securities Industry Association Compliance and Legal Division; “Inside a Disclosure Crisis”, 30th Annual Northwest Securities Institute Annual Meeting and sponsored by the Washington Bar Association; “Managing Directors’ Liability,” 3rd Annual Energy Industry Directors Conference and sponsored by Rice University; “Executive Liability - 2009 D & O Market Trends,” Chartis Insurance; “Derivative Actions and Protecting the Corporation – Critical Issues in Today’s Banking,” Oklahoma Bar Association and the Oklahoma Bankers Association; “Arbitration - What Is It? Why Should a Lawyer Suggest or Use It?,” Oklahoma Bar Association; “The Attorney and Accountant as Targets in Failed Financial Institution Litigation,” American Bar Association Trial Practice Committee; “Effective Arbitration in the 1990's - Adapting to Build a Successful Practice,” Oklahoma County Bar Association; “Current Issues in Direct Investments and Limited Partnerships: The Litigation Scene From All Perspectives,” American Bar Association Litigation Section; “Stockbroker Litigation and Arbitration,” Securities Arbitration Institute. Author: “Who’s Minding the Store: The Corporate Attorney-Client Privilege,” 52 O.B.J. 1244, 1981; “Potential Liability From Indirect Remuneration in Private Oil and Gas Offerings,” 11 Sec. Reg. L.J. 135, 1983; “Capitalism and Reality Meet in the Courts. . . Finally,” 59 O.B.J. 3537, 1987; “Class Actions, New Rules & Data Breach Cases,” Annual OCBA Winter Seminar, 2019. 
Membership: Arbitration Panel, New York Stock Exchange; Federal Bar Association; Oklahoma County Bar Association (Committee on Professionalism, 1987-1990); Oklahoma Bar Association (Civil Procedure/Evidence Code, Lawyers Helping Lawyers Assistance Program and Rules of Professional Conduct Committees, 2017-2020); American Bar Association (Committee on Securities Litigation and Corporate Counsel); American Inns of Court (Barrister 1990-1993 and Master 2002-2004); inducted into the Outstanding Lawyers of America, 2003; received the Martindale-Hubbell peer review rating of AV Preeminent in both ethical standards and legal ability; recognized as one of the “Top Lawyers of 2013” for excellence and achievements in the legal community; Litigation Counsel of America (Trial Lawyer & Appellate Lawyer Honorary Society); Oklahoma Bar Association, Rules of Professional Conduct Committee, 2020. Awards/Honors: Securities Litigation and Arbitration Law Firm of the Year in Oklahoma – 2018 (Global Law Experts Annual Awards); Securities Litigation and Arbitration Law Firm of the Year in Oklahoma – 2019, 2020 (Corporate INTL Magazine); Oklahoma Super Lawyers list by Thomson Reuters – 2019 (Recognized for Exceptional Service and Outstanding Performance on behalf of the Federal Bar Association (Oklahoma City Chapter) Pro Bono Program – 2018-2019), 2020.

STUART W. EMMONS. (In Memoriam) Education: University of Oklahoma (J.D., 1987, with distinction); University of Oklahoma (B.B.A., Accounting, 1984, with distinction). Admitted to practice: 1987, Oklahoma; 1987, U.S. District Court for the Western District of Oklahoma; 1990, U.S. District Court for the Northern District of Oklahoma; 1992, U.S. Court of Appeals, Tenth Circuit; 1994, U.S. Court of Appeals, Eighth Circuit; U.S. Patent and Trademark Office; 2002, U.S. District Court for the District of Colorado; U.S. District Court for the Southern District of Texas; 2003, U.S. Court of Appeals, Second Circuit; 2004, U.S. District Court for the Northern District of Texas; U.S. Court of Appeals, Fifth Circuit; 2005, United States Supreme Court; 2005 U.S. Court of Appeals, Fourth Circuit; 2015, U.S. Court of Appeals, First Circuit; 2016, U.S. Court of Appeals, Ninth Circuit and U.S. Court of Appeals for the First Circuit. 1988-1989, Law Clerk to the Hon. Layn R. Phillips, U.S. District Court for the Western District of Oklahoma. Published Decisions: American Fidelity Assurance Company v. The Bank of New York Mellon, 810 F.3d 1234 (10th Cir. 2016); Paul Spitzberg v. Houston American Energy Corporation, et al., 758 F.3d 676 (5th Cir. 2014); Patipan Nakkhumpun v. Daniel J. Taylor, et al., 782 F.3d 1142 (10th Cir. 2015); Membership: Oklahoma County and Oklahoma Bar Associations.

SARA E. COLLIER. Education: Oklahoma Christian University (B.S. 2000); Oklahoma City University School of Law (J.D. 2004). Admitted to practice: 2005, Oklahoma; 2005, U.S. District Courts for the Western, Eastern and Northern Districts of Oklahoma; 2007, U.S. District Court for the Southern District of Texas; and 2007, United States Court of Appeals for Veterans Claims in Washington, DC. Membership: Oklahoma Bar Association, American Bar Association.

MOLLY E. BRANTLEY. Education: University of Oklahoma (B.A., 2013); Oklahoma City University School of Law (J.D., 2017; Merit Scholar 2014-2017). Admitted to practice: Oklahoma, 2017; United States District Court for the Northern District of Oklahoma; United States District Court for the Western District of Oklahoma, 2020. Membership: Oklahoma Bar Association, Federal Bar Association.

TYLER J. BEAN. Education: University of Oklahoma Michael F. Price College of Business (B.A., 2015); Oklahoma City University School of Law (2016-17; Merit Scholar; Faculty Honor Roll; Dean’s List); University of Oklahoma College of Law (2017-19, J.D.; Editor, Oil and Gas, Natural Resources, and Energy Law Journal; Dean’s List; Completion of Pro Bono and Public Service 100-Hour Pledge). Admitted to Practice: 2019, Oklahoma; 2020, United States District Court for the Western District of Oklahoma. Experience: In-House Counsel for Hobby Lobby Stores, Inc., 2018-2020. Membership: Oklahoma Bar Association; Oklahoma Bar Association - Business and Corporate Law Section; Oklahoma County Bar Association; American Bar Association; Federal Bar Association; International Council of Shopping Centers (“ICSC”); Language Fluency (English, Spanish).

OF COUNSEL:

JOHN CHARLES SHERWOOD. Education: Texas Christian University, (BBA, magna cum laude, 1981); Baylor School of Law (J.D., 1984). Areas of Practice: Litigation. Board Certified: Civil Trial Law, Personal Injury Trial Law, Texas Board of Legal Specialization. Organizations: Texas Trial Lawyers, Association of Trial Lawyers of America, Dallas Trial Lawyers Association, Dallas Bar Association, Former Chairperson of the Solo and Small Firm Section of the Dallas Bar Association (1999), Member of the College of the State Bar of Texas, and founding President of Citizens For a Fair Judiciary (Political Action Committee). Licenses and Courts of Practice: Member of the State Bar of Texas, National Board of Trial Advocacy, Licensed as a Certified Public Accountant by the Texas State Board of Public Accountancy, admitted to practice before the United States Tax Court, United States District Court, Northern District of Texas, United States Fifth Circuit Court of Appeals, and the United States Supreme Court. Papers Presented: Other People’s Money, Presented to the Dallas Bar Association, Solo and Small Firm Section; Recognition: “Top Attorneys in Texas, Business Litigation,” (2012).

CARIN L. MARCUSSEN. Education: United States Air Force Academy (attended 1996-1997); Oklahoma State University (B.S., 2000); University of Oklahoma (J.D. with honors, 2003). Admitted to practice: Supreme Court of Oklahoma, 2003; U.S. District Court for the Western District of Oklahoma, 2003; U.S. District Court for the Northern District of Oklahoma, 2004; U.S. District Court for the Eastern District of Oklahoma, 2005; U.S. Court of Appeals for the Tenth Circuit, 2006; U.S. Bankruptcy Court for the Western District of Oklahoma, 2012. Membership: Oklahoma Bar Association (Civil Procedure & Evidence Code Committee; Disaster Relief Committee). Publication: “Democracy for Sale: The United States Supreme Court’s Decision in Citizens United,” The Advocate, Spring 2010. Honors: Marquis Who’s Who of American Women, 2007; Pro Bono Award, Oklahoma County Bar Association, 2010; President’s Award, Oklahoma Association for Justice, 2013; “Rising Star”, Oklahoma Super Lawyers, 2008, 2009, 2011, 2013, 2014, 2015, 2017.

A. BROOKE MURPHY. Education: Oklahoma City University (B.A. summa cum laude, 2005; Robert L. Jones Outstanding Senior Paper Award; Women’s Leadership Award); University of Oklahoma College of Law (J.D. 2010, with honors; Dean’s List; First Amendment Moot Court Team; Assistant Articles Editor of Oklahoma Law Review). Admitted to practice: Oklahoma, 2010; U.S. District Court for the Western District of Oklahoma, 2010; U.S. District Court for the Northern District of Texas, 2010; Tenth Circuit Court of Appeals, 2014; First Circuit Court of Appeals and Ninth Circuit Court of Appeals, 2016. Published Decisions: Paul Spitzberg v. Houston American Energy Corporation, et al., 758 F.3d 676 (5th Cir. 2014); Patipan Nakkhumpun v. Daniel J. Taylor, et al., 782 F.3d 1142 (10th Cir. 2015). Publication: Credit Rating Immunity? How the Hands-Off Approach Toward Credit Rating Agencies Led to the Subprime Credit Crisis and the Need for Greater Accountability, 62 Okla. L. Rev. 735 (2010). Membership: Oklahoma Bar Association.

PARALEGALS:

NANCY G. BEATTY. Ms. Beatty has over thirty years of legal experience. She primarily works on coordinating and administrating of class action product liability and other complex litigation. Ms. Beatty has served on several professional advisory boards in Oklahoma and Tennessee.

SHARON J. KING. Ms. King has worked in the legal community for over ten years, after having worked in the securities and insurance industry for over fifteen years. She primarily works on insurance bad faith, personal injury, wrongful death and civil litigation.

ROBIN K. HESTER. Ms. Hester has been a litigation legal assistant for over thirty-five years. Before joining Federman & Sherwood, Ms. Hester was a litigation case manager handling over 150 securities and civil litigation cases and managing a staff of legal assistants. She primarily works in securities and civil litigation, as well as providing technology support for the firm.

FRANDELIND V. TRAYLOR. Ms. Traylor has worked in the legal community for over twelve years. She attended the University of Central Oklahoma, where she majored in liberal arts and was on the Dean’s Honor Roll. She provides class action, securities litigation and product liability support for the firm.

TIFFANY R. PEINTNER. Mrs. Peintner has worked in the legal community for over ten years. Before joining Federman & Sherwood, Mrs. Peintner worked in patent law, oil and gas, probate, banking and real estate, family law, personal injury and insurance defense. She works in securities and civil litigation for the firm.

SELECT CASES WHERE FEDERMAN & SHERWOOD HAS SERVED AS LEAD OR CO-LEAD COUNSEL SHAREHOLDER DERIVATIVE CASES COURT Abercrombie & Fitch Company USDC Southern District of Ohio American Superconductor Corporation Superior Court, Commonwealth of Massachusetts Antares Pharma, Inc. USDC District of New Jersey Arrowhead Research Corporation Superior Court, State of California, County of Los Angeles Carrier Access Corporation USDC District of Colorado Catalina Marketing Corporation Chancery Court of the State of Delaware Cell Therapeutics, Inc. USDC Western District of Washington Computer Associates USDC Eastern District of New York Delcath Systems, Inc. USDC Southern District of New York Dendreon Corporation USDC Western District of Washington Doral Financial Corporation USDC Southern District of New York Dynavax Technologies Corporation Superior Court of the State of California; county of Alameda First BanCorp. USDC District of Puerto Rico Flowers Foods, Inc. USDC Middle District of Georgia Genta, Inc. USDC District of New Jersey GMX Resources, Inc. District Court of Oklahoma County, Oklahoma Great Lakes Dredge & Dock Corporation Circuit Court of Illinois, Dupage County Chancery Division Host America Corporation USDC District of Connecticut Motricity Inc. USDC Western District of Washington NutraCea Superior Court of Maricopa County, Arizona Nuverra Environmental Solutions, Inc. Superior Court of Maricopa County, Arizona Nyfix, Inc. USDC District of Connecticut OCA, Inc. USDC Eastern District of Louisiana ONEOK, Inc. District Court of Tulsa County, Oklahoma PainCareHoldings, Inc. USDC Middle District of Florida Seitel, Inc. USDC Southern District of Texas Spectrum Pharmaceuticals, Inc. USDC District of Nevada The Spectranetics Corporation USDC District of Colorado ValueClick, Inc. USDC Central District of California Zix Corporation USDC Northern District of Texas SECURITIES CLASS ACTIONS Amyris, Inc. USDC, Northern District of California Bellicum Pharmaceuticals, Inc. 
USDC Southern District of Texas Broadwind Energy, Inc. USDC Northern District of Illinois China Valves Technology, Inc. USDC Southern District of New York Cryo-Cell International, Inc. USDC Middle District of Florida Delta Petroleum, Inc. USDC District of Colorado Direxion Shares ETF Trust USDC Southern District of New York Ener1, Inc. USDC Southern District of New York Exide Technologies USDC Central District of California Galena Biopharma, Inc. USDC, District of New Jersey Houston American Energy Corp. USDC Southern District of Texas Image Innovations Holdings, Inc. USDC Southern District of New York IZEA, Inc. USDC Central District of California Motive, Inc. USDC Western District of Texas Quest Energy Partners LP USDC Western District of Oklahoma Secure Computing Corporation USDC Northern District of California Superconductor Technologies, Inc. USDC Central District of California UTi Worldwide, Inc. USDC Central District of California Unistar Financial Service Corp. USDC Northern District of Texas MDL PROCEEDINGS In re: Anthem, Inc. (Data Breach–Participating Counsel) USDC, Northern District of California In re: Equifax, Inc. (Data Breach–Participating Counsel) USDC Northern District of Georgia In re: Farmers Insurance Co. USDC Western District of Oklahoma In re: Home Depot, Inc. (Executive Committee) USDC Northern District of Georgia In re: Premera Blue Cross (Data Breach–Participating Counsel) USC, District of Oregon In re: Samsung Electronics America, Inc. USDC Western District of Oklahoma In re: Sonic Corp. USDC Northern District of Ohio DEAL CASES (MERGERS) Easylink Services International Corp. Superior Court of Gwinnett County, Georgia Genon Energy, Inc. Chancery Court of the State of Delaware Lawson Software, Inc. Chancery Court of the State of Delaware Network Engines, Inc. Chancery Court of the State of Delaware Paetec Holding Corp. Shareholder Litig. Chancery Court of the State of Delaware Williams Pipeline Partners, L.P. 
District Court of Tulsa County, Oklahoma Xeta Technologies, Inc. District Court of Tulsa County, Oklahoma ERISA LITIGATION Winn-Dixie Stores USDC Middle District of Florida

Case 2:20-cv-02246-JAR-TJJ Document 37-2 Filed 05/11/21 Page 12 of 36

CONSUMER CLASS ACTIONS
Altice USA, Inc. (Data Breach) - USDC Southern District of New York
Brinker International, Inc. (Chili’s) (Data Breach) - USDC Middle District of Florida
Bullseye Energy, Inc. (Royalty Owners / Pipeline) - USDC Northern District of Oklahoma
Burgerville, LLC (Data Breach) - Circuit Court, State of Oregon, Multnomah County
Dakota Growers Pasta Company, Inc. (Food Mislabeling) - USDC District of Minnesota/District of New Jersey
Hy-Vee, Inc. (Data Breach) - USDC Central District of Illinois
LeafFilterNorth, LLC/LeafFilter North of Texas, LLC (Data Breach) - USDC Western District of Texas
Lime Crime, Inc. (Data Breach) - USDC Central District of California
Solara Medical Supplies, LLC (Data Breach) - USDC Southern District of California

4/10/2020

EXHIBIT B

The Aftermath of a Data Breach:

Consumer Sentiment

Sponsored by Experian® Data Breach Resolution
Independently conducted by Ponemon Institute LLC
Publication Date: April 2014

Ponemon Institute© Research Report

The Aftermath of a Data Breach: Consumer Sentiment Ponemon Institute, April 2014

Part 1. Introduction

Data breaches are in the headlines and on the minds of both businesses and consumers. While much of the dialog has been driven by companies that experienced a data breach, this new study sponsored by Experian® Data Breach Resolution explores consumers’ sentiments about data breaches. Our goal is to learn the effect data breaches have on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

As part of the study, we asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100 percent since the 2012 study when only 25 percent of individuals surveyed were victims of a data breach.

For purposes of this research, we define a data breach as the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records.

A total of 797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76 percent of respondents) followed by having to spend time resolving problems caused by the data breach (39 percent of respondents).

The major themes of this research are as follows:

- Consumers’ perceptions about organizations’ responsibility to the victims.
- Trends in the experiences of data breach victims.
- The impact of media coverage on consumer sentiment about data breaches.

Following are some of the most salient findings of this research:

What companies should do following a data breach. Most consumers continue to believe that organizations should be obligated to provide identity theft protection (63 percent of respondents), credit monitoring services (58 percent) and such compensation as cash, products or services (67 percent). These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications. Sixty-two percent of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim. Prior to having their personal information lost or stolen, 24 percent say they were extremely or very concerned about becoming a victim of identity theft. Following the data breach, this concern increased significantly to 45 percent. Forty-eight percent of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches? The majority of respondents believe it is important for the media to report details about data breaches, mainly because it requires companies to be more responsive to victims. This is followed by the creation of greater awareness about how the data breach could affect individuals and by alerting potential victims to take action to protect their personal information from identity theft.


Part 2. Key findings

In this section, we provide an analysis of the key results. The complete audited findings are presented in the appendix of this report.

- Consumers’ perceptions about organizations’ responsibility to the victims
- Trends in the experiences of data breach victims
- The impact of media coverage on consumer sentiment about data breaches

Consumers’ perceptions about organizations’ responsibility to the victims

What companies should do following a data breach. Most consumers continue to believe that organizations should be obligated to provide identity theft protection (63 percent of respondents), credit monitoring services (58 percent) and such compensation as cash, products or services (67 percent), as shown in Figure 1. These findings are similar to the findings in the 2012 study.

Figure 1. Organization’s obligation following a data breach
Strongly agree and agree responses combined

Compensate data breach victims with cash, products or services they make: 67% (2014), 63% (2012)
Provide identity theft protection: 63% (2014), 58% (2012)
Provide credit-monitoring services: 58% (2014), 55% (2012)


Trends in the experiences of data breach victims

As part of the study, we asked consumers who were victims of a data breach questions about their experience. Fifty percent of respondents in this year’s study say they received at least one data breach notification. Only respondents who had a data breach in the past two years participated in this part of the study.

Credit card companies and retail stores sent the most notifications. According to Figure 2, 62 percent of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Figure 2. Number of data breach notifications received for different incidents in the past 2 years
[Column chart: number of notifications received (1, 2, 3, 4, 5, More than 5), FY 2014 and FY 2012]

Respondents say most notifications came from credit card companies, retail stores, social media, web retailer, banks and schools & universities, as shown in Figure 3. Since 2012, there were significant increases in notifications from certain industries.

Figure 3. Types of organizations that sent notifications
More than one response permitted

Retail Store: 35% (FY 2014), 7% (FY 2012)
Credit Card Company: 35% (FY 2014), 3% (FY 2012)
Social Media: 19% (FY 2014), 3% (FY 2012)
Web Retailer: 17% (FY 2014), 10% (FY 2012)
School & University: 16% (FY 2014), 7% (FY 2012)
Bank: 16% (FY 2014), 10% (FY 2012)
Hospitals & Clinics: 15% (FY 2014), 8% (FY 2012)
Telephone & Wireless: 11% (FY 2014), 4% (FY 2012)


Identity theft protection is not often offered in the notification. As shown in Figure 4, only 25 percent of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29 percent of respondents received such an offer.

Figure 4. Did any of the notifications offer identity theft protection?

Yes: 25% (FY 2014), 29% (FY 2012)
No: 70% (FY 2014), 67% (FY 2012)
Unsure: 5% (FY 2014), 4% (FY 2012)

Notifications should focus on facts and what harms are possible. Consumers’ sentiments about how data breach notifications can be improved have not changed since 2012. However, respondents are even more adamant that notifications should explain the risks or harms they are most likely to experience as a result of a data breach and disclose all the facts, as shown in Figure 5. They also do not want companies to “sugar coat” the message.

Figure 5. What could the organization do to improve the communication?
Two responses permitted

Explain the risks or harms that I will experience as a result of the breach: 67% (FY 2014), 56% (FY 2012)
Disclose all facts: 56% (FY 2014), 45% (FY 2012)
Do not “sugar coat” the message: 33% (FY 2014), 28% (FY 2012)
Make the communication more personal: 25% (FY 2014), 27% (FY 2012)
Reduce technical or legal terms: 23% (FY 2014), 24% (FY 2012)
Make the font or type size larger: 10% (FY 2014), 12% (FY 2012)
The notification should be in the native language of the victim: 5% (FY 2014), 6% (FY 2012)


Consumers mostly ignore the notification. The most frequent response to a notification is to ignore it and do nothing (32 percent of respondents) followed by the acceptance of free identity theft protection measures such as credit monitoring or fraud resolution services, as shown in Figure 6.

Figure 6. How did you respond to the notifications you received in the past two years?

I ignored the notification(s) and did nothing: 32%
I accepted the offer of free identity theft protection measures: 29%
I contacted the organization for more information: 21%
I followed the advice provided in the notification(s): 18%

Becoming a victim of a data breach increases fears about becoming an identity theft victim. Prior to having their personal information lost or stolen, 24 percent say they were extremely or very concerned about becoming a victim of identity theft, as revealed in Figure 7. Following the data breach, this concern increased significantly to 45 percent. Forty-eight percent of respondents say their identity is at risk for years or forever.

Figure 7. Concerned about becoming an identity theft victim

Extremely concerned: 11% (prior to a data breach), 20% (after a data breach)
Very concerned: 13% (prior), 25% (after)
Concerned: 23% (prior), 11% (after)
Somewhat concerned: 30% (prior), 23% (after)
Not concerned: 23% (prior), 21% (after)


Respondents worry about their Social Security numbers and passwords. While 50 percent say the specific data stolen or lost was their name, 43 percent do not know what personal information was involved in the data breach. Figure 8 reveals the personal data respondents are most concerned about. Seventy-eight percent of respondents say they worry most about having their Social Security number stolen followed by passwords and PIN (71 percent) and credit card or bank payment information (65 percent).

Figure 8. Personal data if lost or stolen would cause the most stress and financial loss
Five responses permitted

Social Security number: 78%
Password/PIN: 71%
Credit card or bank payment information: 65%
Social media accounts/handles: 49%
CVV number from credit card: 43%
Driver’s license number: 43%
Health plan provider account number: 37%
Taxpayer identification number/Employer identification number: 23%
Address: 16%
Prescriptions: 15%

By far, the biggest impact of the data breach was stress (76 percent of respondents). This is followed by having to spend time resolving problems caused by the data breach (39 percent of respondents). Only 6 percent say they found out that their identity was stolen, as shown in Figure 9.

Figure 9. What happened as a result of the data breach?
More than one response permitted

It was stressful: 76%
Time spent resolving problems caused by the breach: 39%
Fraudulent charges on a credit card: 25%
Credit report shows fraudulent activity: 21%
Lost money: 13%
My identity was stolen: 6%
Other: 1%
None of the above: 21%


Financial consequences of a data breach are insignificant. Eighty-one percent of respondents who were victims of a data breach did not have any out-of-pocket costs. If they did, it averaged about $38. Thirty-four percent say they were able to resolve the consequences of the breach in one day. Perhaps because the financial consequences are insignificant, 55 percent say they have done nothing to protect themselves and their family from identity theft, as shown in Figure 10.

Figure 10. Steps taken to protect yourself from identity theft
More than one response permitted

Nothing: 55% (FY 2014), 49% (FY 2012)
Cancelled all credit or debit card account affected by the breach: 28% (FY 2014), 35% (FY 2012)
Closely monitoring my credit reports: 21% (FY 2014), 15% (FY 2012)
Enrolled in an identity theft protection: 10% (FY 2014), 16% (FY 2012)
Cancelled bank accounts affected by the breach: 6% (FY 2014), 5% (FY 2012)
Hired a paid service to monitor my credit reports: 5% (FY 2014), 4% (FY 2012)
Hired a lawyer to file lawsuit against the organization: 1% (FY 2014), 6% (FY 2012)

Respondents rarely discontinued their relationship with the company that had a data breach. Seventy-one percent of respondents say they did not leave the company primarily because it is too difficult to find another company with comparable products and services (67 percent of respondents) and data breaches affect most companies and they think it is unavoidable (61 percent of respondents), as shown in Figure 11.

Figure 11. Reasons for continuing a relationship with the company after a data breach
Two responses permitted

It is too difficult to find another company with comparable products and services: 67%
Data breaches affect most companies and I think it's unavoidable: 61%
The company resolved the data breach to my satisfaction: 45%
I am very pleased with the quality of service and products: 23%
Other: 4%


What would encourage someone to stay a customer? According to Figure 12, the majority of those respondents (54 percent) who say they discontinued the relationship said nothing would make a difference. This is followed by a sincere and personal apology (43 percent of respondents) and free identity theft protection and credit monitoring services (41 percent of respondents).

Figure 12. What could be done to prevent you from discontinuing your relationship?
Two responses permitted

A sincere and personal apology: 43%
Free identity theft protection and credit monitoring services: 41%
Access to a call center to respond to my concerns and provide information: 15%
Discounts on products or services: 15%
None of the above would make a difference: 54%

The impact of media coverage on consumer sentiment about data breaches

How aware are respondents about media coverage of data breaches? Seventy-two percent of all respondents in this research say that they have heard or read about at least three stories about a data breach reported in the media in the past two years and 13 percent can’t recall how many media stories they heard or read about, as shown in Figure 13. The Internet and newspapers are the primary source for the news about data breaches.

Figure 13. How frequently did you hear or read about a data breach reported in the media in the past two years?

1 to 2 media stories: 15%
3 to 5 media stories: 44%
More than six stories: 28%
Can’t recall: 13%


Media coverage about data breaches involving retail stores, social media and credit card companies was the most memorable for respondents. However, 41 percent of respondents who read or heard about the data breaches say it did not change their opinion about the company, as shown in Figure 13. Only 29 percent say they are less likely to have a relationship with the company.

Figure 13. How did reading about the data breach affect your opinion about the company?

Did not change my opinion: 41%
I am less likely to have a relationship with the company: 29%
I will discontinue my relationship with the company: 15%
I will not have a relationship with the company: 13%
Don’t know: 2%

How important is media coverage? According to Figure 14, the majority of respondents believe it is important for the media to report details about data breaches, mainly because it requires companies to be more responsive to victims. This is followed by the creation of greater awareness about how the data breach could affect individuals and by alerting potential victims to take action to protect their personal information from identity theft.

Figure 14. How important is it for the media to report details about data breaches?

Very important: 23%
Important: 29%
Somewhat important: 32%
Not important: 16%


What affects reputation most? Data breaches are in the top 3 of incidents that affect reputation. The biggest reputation spoiler is poor customer service, according to 75 percent of respondents, as shown in Figure 15.

Figure 15. The incident that would have the greatest impact on a company’s reputation
Two responses permitted

Poor customer service: 75%
Environmental incident: 33%
Data breach: 30%
Publicized lawsuits: 29%
Government fines: 18%
Labor or union disputes: 13%
Other: 2%


Part 3. Methods

A randomized sampling frame consisting of 20,088 adult-aged individuals who reside within the United States was selected to participate in this survey. A total of 906 respondents completed the survey. Screening and failed reliability checks required us to remove 109 surveys. The final sample includes 797 surveys with a 4.0 percent response rate.

Table 1. Sample response

                                Freq      Pct%
Sampling frame                  20,088    100%
Returned surveys                906       4.5%
Screened or rejected surveys    109       0.5%
Final sample                    797       4.0%

Pie Chart 1 shows 47 percent of respondents say they are between the ages of 26 and 45. Eleven percent are above 65 years.

Pie Chart 1. Age range of respondents
[Pie chart: 18 to 25, 26 to 35, 36 to 45, 46 to 55, 56 to 65, 66 to 75, 75+]

Pie Chart 2 shows 54 percent of respondents say they have attended a university or college. Twenty-five percent say they completed a bachelor’s degree.

Pie Chart 2. Highest level of education attained by respondents
[Pie chart: High School; Vocational; University or college, attended; University or college, with degree; Post Graduate; Doctorate]


According to Pie Chart 3, 45 percent of respondents say they have household incomes at or below $60,000. Less than 2 percent say their household income is above $250,000.

Pie Chart 3. Annual household income of respondents
[Pie chart: Less than $25,000; $25,000 to $40,000; $40,001 to $60,000; $60,001 to $80,000; $80,001 to $100,000; $100,001 to $150,000; $150,001 to $250,000; More than $250,000]

Pie Chart 4. U.S. regional location of respondents

Pie Chart 4 shows 20 percent of respondents are located in the Northeast region and 19 percent are located in the Mid-Atlantic region. The Midwest and Pacific-West regions each represent 18 percent of the sample. The Southeast represents the smallest regional segment at 12 percent.

[Pie chart: Northeast, Mid-Atlantic, Midwest, Southeast, Southwest, Pacific-West]


Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to consumer-based surveys.

- Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of adult-aged consumers located in all regions of the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of their underlying beliefs than those who decided to complete the survey.
- Sampling-frame bias: The accuracy is based on contact information and the degree to which the sample is representative of individuals who are likely to receive data breach notifications. We also acknowledge that the results may be biased by external events such as media coverage at the time we fielded our survey. Because we used a web-based collection method, it is possible that non-web responses would have resulted in a different pattern of findings.
- Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that certain respondents did not provide accurate responses.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a six-week period ending in March, 2014.

Part 1: Attributions: Please rate the following statements using the five-point scale provided below each item.

Q1. Organizations should be obligated to provide identity theft protection following a data breach involving the loss or theft of my personal information.
Strongly agree: 31%
Agree: 32%

Q2. Organizations should be obligated to provide credit-monitoring services following a data breach involving the loss or theft of my personal information.
Strongly agree: 30%
Agree: 28%

Q3. Organizations should be obligated to compensate data breach victims with cash, products or services they make.
Strongly agree: 40%
Agree: 27%

Part 2. Data breach experience

Q4. Has any organization ever notified you about a data breach that involved your personal information?
FY 2014
Yes: 50%
No [Proceed to Part 3]: 18%
Cannot recall [Proceed to Part 3]: 32%
Total: 100%

Only victims of a data breach will respond to the following questions: Q5 to Q20.

Q5. How many data breach notifications as described above, representing different incidents, have you received in the past 2 years?
FY 2014
1: 32%
2: 30%
3: 15%
4: 6%
5: 7%
More than 5: 10%
Total: 100%

Q6. Did any of the notifications offer identity theft protection such as credit monitoring or fraud resolution services?
FY 2014
Yes: 25%
No: 70%
Unsure: 5%
Total: 100%

Q7. What could the organization do to improve the communication? Please check the top two choices only.
FY 2014
Reduce technical or legal terms: 23%
Do not “sugar coat” the message: 33%
Make the communication more personal: 25%
Disclose all facts: 56%
Explain the risks or harms that I will most likely experience as a result of the breach: 67%
Make the font or type size larger: 10%
The notification should be in the native language of the victim: 5%
Other (please specify): 0%
Total: 219%


Q8. How did you respond to the one or more notifications you received in the past two years? Please check one response only.
FY 2014
I ignored the notification(s) and did nothing: 32%
I followed the advice provided in the notification(s): 18%
I contacted the organization for more information: 21%
I accepted the offer of free identity theft protection measures such as credit monitoring or fraud resolution services: 29%
Total: 100%

Q9. Have you been the victim of one of the following mega data breaches? Check all that apply.
FY 2014
Target: 33%
Snapchat: 2%
Coca-Cola: 0%
Michaels: 5%
Adobe: 22%
LinkedIn: 16%
J P Morgan Chase: 3%
Twitter: 11%
Facebook: 16%
Apple: 15%
Walgreens: 2%
Google Chrome: 6%
Nationwide Mutual Insurance: 8%
South Carolina Dept of Revenue: 9%
Sony: 29%
Neiman Marcus: 4%
None of the above: 34%
Total: 215%

Q10. Prior to the data breach(s), how concerned were you that you would become an identity theft victim?
FY 2014
Extremely concerned: 11%
Very concerned: 13%
Concerned: 23%
Somewhat concerned: 30%
Not concerned: 23%
Total: 100%

Q11. Following the data breach(s), how concerned are you that you will now become an identity theft victim?
FY 2014
Extremely concerned: 20%
Very concerned: 25%
Concerned: 11%
Somewhat concerned: 23%
Not concerned: 21%
Total: 100%


Q12. Please indicate the specific data that was lost or stolen? Check all that apply
FY 2014
Name: 50%
Address: 26%
Email address: 22%
Telephone or mobile number: 27%
Age/DOB: 5%
Driver’s license number: 1%
Gender: 2%
Marital status: 1%
Employer: 6%
Insurance policy number: 6%
CVV number from credit card: 15%
Educational background: 0%
Credit card or bank payment information: 38%
Credit or payment history: 9%
Password/PIN: 21%
Prescriptions: 2%
Social media accounts/handles: 15%
Health plan provider account number: 10%
Taxpayer identification number/Employer identification number: 2%
Social Security number: 26%
Other (please specify): 2%
Don’t know: 43%

Q13. What personal data if lost or stolen in this data breach do you believe would cause you the most stress and financial loss? Please select the top 5 only.
FY 2014
Name: 5%
Address: 16%
Email address: 12%
Telephone or mobile number: 6%
Age/DOB: 5%
Driver’s license number: 43%
Gender: 1%
Marital status: 0%
Employer: 11%
Insurance policy number: 10%
CVV number from credit card: 43%
Educational background: 1%
Credit card or bank payment information: 65%
Credit or payment history: 9%
Password/PIN: 71%
Prescriptions: 15%
Social media accounts/handles: 49%
Health plan provider account number: 37%
Taxpayer identification number/Employer identification number: 23%
Social Security number: 78%
Other (please specify): 0%
Total: 500%


Q14. Please indicate the type of organization that reported the data breach to you? Please check all organizations that sent you a notice.
FY 2014
Airline: 0%
Bank: 16%
Cable Company: 0%
Catalogue Merchant: 0%
Charitable Organization: 6%
Court & Public Records: 0%
Credit Card Company: 35%
Drug Store: 0%
Electric & Gas Utility: 0%
Gaming: 5%
Grocery Store: 8%
Hospitals & Clinics: 15%
Hotel: 8%
Information Broker: 0%
Insurance Company: 8%
Internet Service Provider: 5%
Financial Advisor: 2%
Law Enforcement: 0%
Legal & Accounting Firms: 0%
Mail or Postal Services: 0%
Railways or Bus Line: 0%
Retail Store: 35%
School & University: 16%
Social Media: 19%
State & Local Gov Agency: 9%
Telephone & Wireless: 11%
Travel Agency: 0%
Web Retailer: 17%
Other (please specify): 2%

Q15. What happened to you as a result of the data breach? Check all that apply.
FY 2014
I found out that my identity was stolen: 6%
I have had to spend time resolving problems caused by the breach: 39%
I have had fraudulent charges on my credit card: 25%
My credit report shows fraudulent activity: 21%
It was stressful: 76%
I lost money: 13%
None of the above: 21%
Other (please specify): 1%
Total: 202%


Q16. What were your out-of-pocket costs to resolve the consequences of the data breach?
FY 2014
Zero: 81%
Less than $10: 9%
Between $10 and $50: 5%
Between $51 and $100: 3%
Between $101 and $500: 1%
Between $501 and $1,000: 0%
Between $1,001 and $5,000: 1%
Between $5,001 and $10,000: 0%
Between $10,001 and $25,000: 0%
Between $25,001 and $50,000: 0%
Between $50,001 and $100,000: 0%
Greater than $100,000: 0%
Total: 100%

Q17. How long did it take to resolve the consequences of the breach?
FY 2014
1 day: 34%
1 week: 21%
1 month: 12%
3 months: 4%
6 months: 2%
12 months: 5%
More than 1 year: 7%
Never resolved: 15%
Total: 100%

Q18. What are you doing to protect yourself from identity theft? Check all that apply.
FY 2014
Nothing: 55%
Cancelled all credit or debit card account affected by the breach: 28%
Cancelled bank accounts affected by the breach: 6%
I am closely monitoring my credit reports: 21%
I hired a paid service to monitor my credit reports: 5%
I enrolled in an identity theft protection: 10%
I hired a lawyer to file lawsuit against the organization: 1%
Total: 126%

Q19a. Did you discontinue your relationship with the company after the data breach?
FY 2014
Yes: 29%
No: 71%
Total: 100%

Q19b. If yes, what could the company have done to prevent you from discontinuing the relationship? Please select the top two reasons
FY 2014
Free identity theft protection and credit monitoring services: 41%
A sincere and personal apology (not a generic notification): 43%
Discounts on products or services: 15%
Gift cards: 8%
Access to a call center to respond to my concerns and provide information: 15%
None of the above would make a difference: 54%
Total: 176%


Q19c. If no, why did you continue your relationship with the company? Please select the top two reasons
FY 2014
I am very pleased with the quality of service and products: 23%
The company resolved the data breach to my satisfaction: 45%
Data breaches affect most companies and I think unavoidable: 61%
It is too difficult to find another company with comparable products and services: 67%
Other: 4%
Total: 200%

Q20. How long following the data breach do you believe your identity is at risk?
FY 2014
Days: 23%
Weeks: 14%
Months: 15%
Years: 22%
Forever: 26%
Total: 100%

Part 3. Media coverage of data breaches (all respondents)

Q21. How frequently did you hear or read about a data breach reported in the media in the past two years?
FY 2014
None: 0%
1 to 2 media stories: 15%
3 to 5 media stories: 44%
More than six stories: 28%
Can’t recall how many media stories: 13%
Total: 100%

Q22. If you heard or read about a data breach in the media, what was the source of the news? Check all that apply.
FY 2014
Radio: 19%
Television: 39%
Newspapers: 40%
Internet: 48%
Social media: 26%
Total: 172%

Q23. After reading about the data breach in the media, how did it affect your opinion about the company?
FY 2014
Did not change my opinion: 41%
I am less likely to have a relationship with the company: 29%
I will not have a relationship with the company: 13%
I will discontinue my relationship with the company: 15%
Don’t know: 2%
Total: 100%


Q24. From the list below, please check the types of organizations that you remember had their data breach reported in the media. FY 2014 Airline 0% Bank 26% Cable Company 0% Catalogue Merchant 0% Charitable Organization 12% Court & Public Records 0% Credit Card Company 44% Drug Store 2% Electric & Gas Utility 0% Gaming 3% Grocery Store 8% Hospitals & Clinics 13% Hotel 16% Information Broker 4% Insurance Company 10% Internet Service Provider 11% Financial Advisor 2% Law Enforcement 8% Legal & Accounting Firms 0% Mail or Postal Services 0% Railways or Bus Line 0% Retail Store 91% School & University 24% Social Media 67% State & Local Gov Agency 39% Telephone & Wireless 20% Travel Agency 0% Web Retailer 60% Other (please specify) 5%

Q25a. How important is it for the media to report details about data breaches? FY 2014 Very important 23% Important 29% Somewhat important 32% Not important 16% Total 100%

Q25b. If important, why?
FY 2014
Provides information about the data breach before the company can notify the victims 11%
Creates greater awareness about how the data breach could affect individuals 54%
Alerts potential victims to take action to protect their personal information from identity theft 53%
Requires companies to be more responsive to victims 67%
Could increase the services and financial compensation to victims 12%
None of the above 30%
Total 227%


Q26. In your opinion, what incident involving a company would have the greatest impact on its reputation? Select the top two.
FY 2014
Poor customer service 75%
Labor or union disputes 13%
Environmental incident 33%
Data breach 30%
Government fines 18%
Publicized lawsuits 29%
Other 2%
Total 200%

Part 4. Demographics

D1. Gender
FY 2014
Female 51%
Male 49%
Total 100%

D2. Age range
FY 2014
18 to 25 17%
26 to 35 23%
36 to 45 23%
46 to 55 16%
56 to 65 9%
66 to 75 8%
75+ 4%

D3. Household income range
FY 2014
Less than $25,000 6%
$25,000 to $40,000 12%
$40,001 to $60,000 27%
$60,001 to $80,000 30%
$80,001 to $100,000 12%
$100,001 to $150,000 8%
$150,001 to $250,000 3%
More than $250,000 2%
Total 100%

D4. Highest level of education
FY 2014
High School 19%
Vocational 18%
College (attended, no degree) 28%
College (4 year degree) 25%
Post Graduate 9%
Doctorate 1%
Total 100%

Are you or another member of your immediate family an identity theft victim?
FY 2014
Yes 17%
No 68%
Unsure 15%
Total 100%


Region where you are located
FY 2014
Northeast 19%
Mid-Atlantic 19%
Midwest 17%
Southeast 12%
Southwest 13%
Pacific-West 20%
Total 100%

For more information about this study, please contact Ponemon Institute by sending an email to [email protected] or calling our toll free line at 1.800.887.3118.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
