Whenever there is a security breach compromising sensitive information, corporations affected typically offer free credit monitoring services for a specified period of time.
On Thursday, credit agency Equifax experienced a data breach that impacted at least 143 million U.S. consumers who had their birth dates, names, and addresses hacked, including 209,000 customers’ credit card numbers.
Immediately, Equifax extended to those concerned about their information a free service called TrustedID Premier.
Upon reading the site’s terms of service, however, one might be caught a little off guard over a slight technicality.
Sarah Buhr from TechCrunch explains:
“Conveniently (for Equifax), those who sign up for TrustID might waive their right to any class-action lawsuit against the company, as stated at the bottom of TrustID’s terms of service,”
In other words, customers are prohibited from entering into “any arbitration on a class or representative basis.” Only an independent arbitrator–personal attorney–can file claims against the company.
Equifax adds:
“You should be aware that [this] also limits your rights to discovery and appeal.”
Not even one week since the data breach, a class-action lawsuit against Equifax has already commenced, in Oregon.
According to USA Today, the suit attorney Michael Fuller filed on behalf of plaintiffs Mary McHill and Brook Reinhard, requires Equifax to “preserve all records related to the breach,” and establishes the case as a class-action suit “for all consumers affected by the cyberattack.”
Fuller states:
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers. Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach.”
Equifax general terms of service provides a similar arbitration clause, though it offers an opt-out provision. Those wishing to opt out must notify the company in writing within 30 days of agreeing to its terms.
It wasn’t clear initially whether this same opt-out condition applied to customers using the TrustedID Premier services. According to CNN, though, following “public pressure,” the company reportedly added one Friday.
Referring to a Consumer Financial Protection Bureau (CFPB) rule preventing banks and credit card companies from forcing arbitration clauses to prevent customers’ legal action set to take effect next year, Sen. Elizabeth Warren (D-Mass.) tweeted on Friday:
“@Equifax is forcing you to give up your right to join a class action against the company if you want their credit protection product. That’s right: @Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused. [The CFPB]’s new rule would stop companies like @Equifax from avoiding legal accountability like this — as long as @GOP doesn’t reverse it.”
On Friday, Equifax noted in its website FAQ section the arbitration clause and class action waiver apply only “to the free credit file monitoring and identity theft protection products and not the cybersecurity incident.”
The company states:
“To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.”
Tim Herrera’s piece in the New York Times, “Four Things You Should Do About the Equifax Hack,” recommends customers do the following:
Image credit: Investopedia
