Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.
Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.
This shields TrustedID Premier from legal exposure, instead relying on a process that’s very favorable to corporate interests. At first the arbitration clause was a non-negotiable feature of the contract. Now Equifax says you can opt out, but only if you contact them in writing within 30 days.
There’s already a proposed class-action suit against Equifax itself, arguing that the company failed to protect consumer data and exposed hundreds of millions to identity theft. But if you can’t sue over the credit monitoring but only the credit breach, it could significantly lessen the damages at issue. Also the language of the arbitration clause is fairly broad, saying that those who agree to the credit monitoring “will be forfeiting your right to bring or participate in any class action … or to share in any class awards, even if the facts and circumstances upon which the claims are based already occurred or existed.” Presumably some defense lawyer is thinking up a clever way to apply that to the Equifax breach itself.
Equifax’s terms of service also include an arbitration clause, which is almost identical to the one in the credit monitoring agreement. It also includes an opt-out, but it’s not clear when the clock starts on that, since people are not informed of Equifax monitoring their credit in the first place. “Look up ‘shameless.’ There’s a new first definition: Equifax,” said Public Citizen president Robert Weissman in a statement.
In short, nobody asked Equifax to monitor their credit and then let hackers steal their data. But if these same victims have a problem with the company’s remedy for this massive breach, they have to do all the work to make sure they’re allowed to sue.
This has inspired fury, to put it mildly. New York Attorney General Eric Schneiderman has asked Equifax to take down the arbitration clause entirely, calling it “unacceptable and unenforceable.”
Sen. Sherrod Brown, D-Ohio, ranking Democrat on the Senate Banking Committee, did the same. “It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” he said in a statement.
The breach, which includes names, Social Security numbers, birthdates, and driver’s license numbers, encompasses roughly three-quarters of all people with credit reports in the U.S. Even to check to see if you’re a victim of the breach, you have to give Equifax the last six digits of your Social Security number, which, given their track record, is a bit unnerving.
These arbitration clauses have been deemed so harmful to consumers that the Consumer Financial Protection Bureau issued rules to ban the waiver of class-action rights within them. That rule was finalized in July, but doesn’t take effect on contracts until next March. This arbitration clause, in other words, would be illegal if it were presented in consumer contracts in the future.
[ed. ...but wait, there's more!] Equifax also faces investigation because three of its top managers sold $1.8 million in company stock after they learned of the data breach but before the company released that information to the public.
Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.
This shields TrustedID Premier from legal exposure, instead relying on a process that’s very favorable to corporate interests. At first the arbitration clause was a non-negotiable feature of the contract. Now Equifax says you can opt out, but only if you contact them in writing within 30 days.There’s already a proposed class-action suit against Equifax itself, arguing that the company failed to protect consumer data and exposed hundreds of millions to identity theft. But if you can’t sue over the credit monitoring but only the credit breach, it could significantly lessen the damages at issue. Also the language of the arbitration clause is fairly broad, saying that those who agree to the credit monitoring “will be forfeiting your right to bring or participate in any class action … or to share in any class awards, even if the facts and circumstances upon which the claims are based already occurred or existed.” Presumably some defense lawyer is thinking up a clever way to apply that to the Equifax breach itself.
Equifax’s terms of service also include an arbitration clause, which is almost identical to the one in the credit monitoring agreement. It also includes an opt-out, but it’s not clear when the clock starts on that, since people are not informed of Equifax monitoring their credit in the first place. “Look up ‘shameless.’ There’s a new first definition: Equifax,” said Public Citizen president Robert Weissman in a statement.
In short, nobody asked Equifax to monitor their credit and then let hackers steal their data. But if these same victims have a problem with the company’s remedy for this massive breach, they have to do all the work to make sure they’re allowed to sue.
This has inspired fury, to put it mildly. New York Attorney General Eric Schneiderman has asked Equifax to take down the arbitration clause entirely, calling it “unacceptable and unenforceable.”
Sen. Sherrod Brown, D-Ohio, ranking Democrat on the Senate Banking Committee, did the same. “It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” he said in a statement.
The breach, which includes names, Social Security numbers, birthdates, and driver’s license numbers, encompasses roughly three-quarters of all people with credit reports in the U.S. Even to check to see if you’re a victim of the breach, you have to give Equifax the last six digits of your Social Security number, which, given their track record, is a bit unnerving.
These arbitration clauses have been deemed so harmful to consumers that the Consumer Financial Protection Bureau issued rules to ban the waiver of class-action rights within them. That rule was finalized in July, but doesn’t take effect on contracts until next March. This arbitration clause, in other words, would be illegal if it were presented in consumer contracts in the future.
[ed. ...but wait, there's more!] Equifax also faces investigation because three of its top managers sold $1.8 million in company stock after they learned of the data breach but before the company released that information to the public.
by David Dayen, The Intercept | Read more:
Image: Mike Stewart/AP
