A data breach letter is a legal document written by lawyers. It was not written for you.
Complete Payroll Solutions — a company whose entire value proposition is "trust us with your employees' most sensitive data" — discovered a breach in March 2024. They began notifying people in February 2025. The letter, when it arrived, almost certainly said they take your security seriously.
Data breach notification letters are the legal minimum — shaped by attorneys, not written to fully inform you. The CPS breach is a useful case study: your SSN, financial data, and health insurance info were potentially exposed for nearly a year before you heard anything. The letter told you what the law required. Here's what it didn't say — and the two steps that actually protect you. If you received a CPS notice, the settlement claim deadline is June 18, 2026 at CPSSettlement.com.
What is a data breach notification letter actually required to say?
Most states legally require companies to notify affected individuals when personal data is exposed. What the law mandates is narrower than what you'd want to know: that an incident occurred, which categories of data were involved, and what the company is doing about it. Everything else — how many people were affected, whether your specific data was confirmed stolen or merely accessible, who the attacker was, what security failure made it possible — the letter is not required to address, and typically doesn't.
The letter is drafted by a legal team managing the company's liability exposure at the same time it's informing you of a risk to yours. That's not a conspiracy. It's just the document's actual purpose, which is different from what most people assume when they open it.
Why did CPS wait eleven months to say anything?
Complete Payroll Solutions discovered the breach on March 10, 2024. Notification letters began going out February 25, 2025. That gap is legal — companies are generally permitted to delay disclosure while conducting forensic investigations to determine exactly what was accessed. Regulators allow this, within limits that vary by state.
What the investigation timeline doesn't change: your Social Security number, bank account details, driver's license number, and health insurance information were potentially in circulation for eleven months before you had any reason to check your credit or freeze your accounts. The notification letter, whenever it arrives, cannot reach back and close that window. It can only tell you, belatedly, that the window was open — and that the company takes your security very seriously going forward.
Is the free credit monitoring in the settlement actually useful?
Credit monitoring is the standard remedy in data breach settlements, and the CPS settlement is no exception — three years of it, with dark web scanning and up to $1,000,000 in identity theft insurance. Take it. Just understand what it does.
Monitoring tells you when something has already happened to your credit — a new account opened in your name, an inquiry you didn't authorize. It does not prevent that from happening. Given that CPS breach data was potentially accessible for nearly a year before notification, the monitoring arrived on roughly the same schedule as your data may have already traveled.
A credit freeze does what monitoring only watches for. Placed directly with Equifax, Experian, and TransUnion — all three, separately — it blocks new credit accounts from being opened in your name entirely. It's free, reversible when you need it, and the single most effective step available after an SSN exposure. Breach letters mention it in small print, if at all. It deserves the headline.
The two things that actually protect you
Browse other active settlements
Every link on eosguide goes directly to the official source.
Browse Settlements →