Millions of Americans who were potentially impacted by a massive data breach at credit monitoring firm Equifax may find themselves in another quandary, should they choose to take advantage of the company’s free identity theft services.
Equifax announced on Thursday that it had experienced a data breach affecting at least 143 million U.S. consumers. Credit card numbers for approximately 209,000 customers were also hacked.
In the aftermath, Equifax began advertising a free service for anyone that may have been affected, called TrustedID Premier. TrustedID Premier offers “a suite of security products to protect them from digital theft,” according to TechCrunch; anyone concerned that their information may have been leaked was instructed to enroll in the program this week by visiting a sub-site (www.equifaxsecurity2017.com) and entering their social security number and personal information.
(2/2) We apologize to our consumers and business customers for the concern and frustration this causes. Learn more: https://t.co/ivVHFb2xA4.
— Equifax Inc. (@Equifax) September 7, 2017
“Conveniently (for Equifax), those who sign up for TrustID might waive their right to any class-action lawsuit against the company, as stated at the bottom of TrustID’s terms of service,” explained TechCrunch’s Sarah Buhr.
“You should be aware that [this] also limits your rights to discovery and appeal,” the company notes.
A class-action lawsuit against Equifax is already underway in Oregon; the suit, filed on behalf of plaintiffs Mary McHill and Brook Reinhard by attorney Michael Fuller, requires the company to “preserve all records related to the breach” and establishes the case as a class-action suit “for all consumers affected by the cyberattack”, according to USA Today.
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” Fuller wrote. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach.”
Equifax site’s general terms of service stipulates a similar arbitration clause, though it does offer an opt-out provision. Those wishing to take advantage must notify the company in writing within 30 days of accepting any agreement on the site itself. Although it wasn’t immediately clear whether this same opt-out provision applied to customers utilizing the TrustedID Premier services, the company reportedly added one on Friday, following “public pressure”, according to CNN.
Equifax spokespersons did not immediately respond to a request for comment.
On Friday, Sen. Elizabeth Warren (D-MA) weighed in on the arbitration clause.
“.@Equifax is forcing you to give up your right to join a class action against the company if you want their credit protection product,” she tweeted. “That’s right: @Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused. [The Consumer Financial Protection Bureau]’s new rule would stop companies like @Equifax from avoiding legal accountability like this — as long as @GOP doesn’t reverse it.”
— Mark Takano (@RepMarkTakano) September 8, 2017
Warren was referring to a CFPB rule that prevents banks and credit card companies from using forced arbitration clauses that prevent customers from taking legal action against them or filing class-action lawsuits. The rule goes into effect in 2018. Republican senators like Arkansas Sen. Tom Cotton (R) have blasted the rule as “anti-business” and previously voted to repeal the rule in July, though the resolution failed nearly 100 percent along party lines, a spokesperson for Rep. Mark Takano (D-CA) pointed out.
In a statement on Friday, the CFPB said that it was “looking into the data breach and Equifax’s response” and that the “mandatory arbitration clause…is troubling.”
UPDATE: In an updated FAQ section on its website later on Friday, Equifax noted that the arbitration clause and class action waiver applied only “to the free credit file monitoring and identity theft protection products and not the cybersecurity incident.”