Convergys/GDX Offshore Outsourcing Timeline

1. Qui Tam (or False Claims Act) lawsuit filed on March 1, 2005 alleging that data covered under the DMS contract with Convergys was being sent overseas by a subcontractor for processing. The relators (whistle blowers) allege that the contract calls for all work to be done in the United States, if not all in Florida.

2. Following meetings with counsel for the relators, the Attorney General's Office was satisfied that relators are well represented by highly competent legal counsel, experienced in the prosecution of Qui Tam cases and that the legal issue did not yet represent a classic false claim against the state and chose not to intervene. This occurred on September 2, 2005. The Attorney General's Office had no reason to believe that the relators were anything other than sincere and highly motivated to prosecute the Qui Tam claim themselves.

3. Pursuant to the Florida False Claims Act (Ch. 68, Florida Statutes) the Attorney General's Office retains the right to intervene in the future and will monitor future activity such as filings, depositions, etc. Such monitoring continues to this day.

4. In the months following the filing of the lawsuit, concern was raised about the possibility that employee records had been sent overseas.

5. The Attorney General's Office was made aware of Department of Management Services Secretary Tom Lewis's efforts to ascertain the facts. Correspondence between Secretary Lewis and Christopher Emerick, the Convergys Vice-President in charge of the Florida Project indicates Secretary Lewis was asking important questions.

6. On May 20, 2005, Mr. Emerick assured Secretary Lewis in writing that all pertinent work had been done in the United States, mostly in Florida. This assurance was given after Mr. Emerick indicated he had been assured by all Convergys subcontractors that all of their pertinent work had been done within the United States (the whistle blowers, for instance, worked for a subcontractor based in Colorado).

7. On August 23, 2005, DMS was made aware of allegations that, among other things, Convergys employees were improperly accessing the personnel records of senior state officials, such as Governor Bush, Attorney General Crist and Chief Financial Officer Gallagher, as well as law enforcement officers.

8. On December 23, Secretary Lewis informed agencies of this matter and outlined steps taken to address the situation and specific steps to prevent future occurrences.

9. On December 21, 2005, the Attorney General's Office was contacted by Bill Cotterell of the Tallahassee Democrat seeking comment on the decision not to intervene in the Qui Tam case as well as the personnel records viewing.

10. Around Christmas, Cotterell had 2 articles published that focused on 1) the Qui Tam case/overseas outsourcing, and 2) the improper viewing of personnel records.

11. In mid-January, the Attorney General's Office was contacted by the American Federation of State, County, and Municipal Employees Florida Council 79 (AFSCME) seeking a meeting on the matters presented in Cotterell's article.

12. That meeting occurred on January 17, 2006 in the Attorney General's Office with Deputy Attorneys General Clay Roberts and Paul Huck and External Affairs Director Bob Sparks representing the Office. Cotterell attended the meeting in the Attorney General's Office. AFSCME felt strongly that state employees should be notified of a possible security breach concerning their records. Chapter 817.5681 is appropriate law covering this issue.

13. Roberts, Huck and Sparks met with DMS officials on January 18, 2006 regarding the issues raised by AFSCME. Specifically, the focus was on the part of law that provides that an appropriate party "...shall provide notice of any breach of the security of the system, following a determination of that breach,..."

The law defines breach in this manner (817.5681 (4) "For purposes of this section, the terms Abreach" and "breach of the security of the system" mean unlawful and unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person. Good faith acquisition of personal information by an employee or agent of the person is not a breach or breach of the security system, provided the information is not used for a purpose unrelated to the business or subject for further unauthorized use." 14. The parties met again on January 19. After consultation with the Attorney General, it was suggested by his staff that the legal requirements for a breach had not been met, but that notifying state employees of the situation and precautions they could take would be the right thing to do. DMS agreed and further committed to a thorough investigation. The Attorney General would be kept informed of its progress.

15. On January 25, 2006, Senators Les Miller and Walter Campbell wrote to Florida Department of Law Enforcement Commissioner Guy Tunnell seeking a criminal investigation of the Convergys/GDX issue.

16. On February 1, 2006, Commissioner Tunnell responded to both Senators that a criminal investigation was "premature,...since there is no clear evidence that a criminal violation has occurred."

17. On February 3, 2006, despite no legal requirement to do so, Secretary Lewis wrote to all state employees informing them of the situation and providing resources on ways to prevent identity theft.

18. On February 6, 2006, AFSCME issued a press release under the headline "AFSCME THANKS ATTORNEY GENERAL CRIST FOR HELP WITH PEOPLE FIRST IDENTITY THEFT RISK, E-MAILS WARNING TO 44,000 STATE WORKERS"

19. In February, 2006, Attorney General Crist appointed an internal Convergys Task Force headed by Chief of State Programs Litigation Chesterfield Smith, Jr. The task force consists of three attorneys and an investigator. Their work continues.

20. In March, 2006, it was revealed before the Legislature that Convergys subcontractor GDX had indeed outsourced "indexing" (electronic labeling and filing) projects offshore, but that actual scanning of personnel files had been, and continues to be, done entirely within Florida. The DMS investigation revealed that the improper outsourcing occurred between January 1, 2003 and June 30, 2004.

21. On March 16, DMS and Secretary Lewis again notified employees with a "People First! Security Update" which revealed their findings, a hotline for any potentially affected employee and, in an abundance of caution, suggestions on preventing identity theft. In the 21 months since the situation was rectified, ADMS has received no reports of identity theft as a result of the offshore work."

22. On March 27, DMS affected employees were mailed a third notification and information on resources that are available to them resulting from an agreement between DMS and Convergys (at Convergys's expense) to provide these resources.