Following hack, Equifax offers free identity theft services with a big hidden cost

Those hoping to find out if they were affected may be prevented from taking legal action later on.

Rick Smith, Chairman and CEO of Equifax Inc., speaks about the data breach which left information for as many as 143 million Americans vulnerable, in a video statement on September 7, 2017. (Credit: Equifax/YouTube)
Rick Smith, Chairman and CEO of Equifax Inc., speaks about the data breach which left information for as many as 143 million Americans vulnerable, in a video statement on September 7, 2017. (Credit: Equifax/YouTube)

Millions of Americans who were potentially impacted by a massive data breach at credit monitoring firm Equifax may find themselves in another quandary, should they choose to take advantage of the company’s free identity theft services.

Equifax announced on Thursday that it had experienced a data breach affecting at least 143 million U.S. consumers. Credit card numbers for approximately 209,000 customers were also hacked.

In the aftermath, Equifax began advertising a free service for anyone that may have been affected, called TrustedID Premier. TrustedID Premier offers “a suite of security products to protect them from digital theft,” according to TechCrunch; anyone concerned that their information may have been leaked was instructed to enroll in the program this week by visiting a sub-site (www.equifaxsecurity2017.com) and entering their social security number and personal information.

However, according to TrustedID Premier’s terms of use policy, those who use its services also inadvertently limit their own ability to participate in class-action arbitration against the company later on.

“Conveniently (for Equifax), those who sign up for TrustID might waive their right to any class-action lawsuit against the company, as stated at the bottom of TrustID’s terms of service,” explained TechCrunch’s Sarah Buhr.

TrustedID Premier states explicitly in its terms of use that customers are barred from entering into “any arbitration on a class or representative basis.” Any claims against the company must be brought through an independent arbitrator.

“You should be aware that [this] also limits your rights to discovery and appeal,” the company notes.

A class-action lawsuit against Equifax is already underway in Oregon; the suit, filed on behalf of plaintiffs Mary McHill and Brook Reinhard by attorney Michael Fuller, requires the company to “preserve all records related to the breach” and establishes the case as a class-action suit “for all consumers affected by the cyberattack”, according to USA Today.

“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” Fuller wrote. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach.”

Equifax site’s general terms of service stipulates a similar arbitration clause, though it does offer an opt-out provision. Those wishing to take advantage must notify the company in writing within 30 days of accepting any agreement on the site itself. Although it wasn’t immediately clear whether this same opt-out provision applied to customers utilizing the TrustedID Premier services, the company reportedly added one on Friday, following “public pressure”, according to CNN.

Equifax spokespersons did not immediately respond to a request for comment.

On Friday, Sen. Elizabeth Warren (D-MA) weighed in on the arbitration clause.

“.@Equifax is forcing you to give up your right to join a class action against the company if you want their credit protection product,” she tweeted. “That’s right: @Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused. [The Consumer Financial Protection Bureau]’s new rule would stop companies like @Equifax from avoiding legal accountability like this — as long as @GOP doesn’t reverse it.”

Warren was referring to a CFPB rule that prevents banks and credit card companies from using forced arbitration clauses that prevent customers from taking legal action against them or filing class-action lawsuits. The rule goes into effect in 2018. Republican senators like Arkansas Sen. Tom Cotton (R) have blasted the rule as “anti-business” and previously voted to repeal the rule in July, though the resolution failed nearly 100 percent along party lines, a spokesperson for Rep. Mark Takano (D-CA) pointed out.

In a statement on Friday, the CFPB said that it was “looking into the data breach and Equifax’s response” and that the “mandatory arbitration clause…is troubling.”


UPDATE: In an updated FAQ section on its website later on Friday, Equifax noted that the arbitration clause and class action waiver applied only “to the free credit file monitoring and identity theft protection products and not the cybersecurity incident.”

“To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action,” the company wrote. “We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.”