Equifax, the credit reporting bureau that on Thursday admitted one of the largest data breaches in history, affecting 143 million U.S. consumers, is maneuvering to prevent victims from banding together to sue the company, according to consumer protection advocates and elected officials.
Equifax is offering all those affected by the breach a free, one-year credit monitoring service called TrustedID Premier, which will watch credit reports for suspicious activity, lock and unlock Equifax credit reports, scan the internet for Social Security numbers, and add insurance for identity theft. But the service includes a forced arbitration clause, which pushes all disputes over the monitoring out of court. It also includes a waiver of the right to enter into a class-action lawsuit.
This shields TrustedID Premier from legal exposure, instead relying on a process that’s very favorable to corporate interests. At first the arbitration clause was a non-negotiable feature of the contract. Now Equifax says you can opt out, but only if you contact them in writing within 30 days.
There’s already a proposed class-action suit against Equifax itself, arguing that the company failed to protect consumer data and exposed hundreds of millions to identity theft. But if you can’t sue over the credit monitoring but only the credit breach, it could significantly lessen the damages at issue. Also the language of the arbitration clause is fairly broad, saying that those who agree to the credit monitoring “will be forfeiting your right to bring or participate in any class action … or to share in any class awards, even if the facts and circumstances upon which the claims are based already occurred or existed.” Presumably some defense lawyer is thinking up a clever way to apply that to the Equifax breach itself.
Equifax’s terms of service also include an arbitration clause, which is almost identical to the one in the credit monitoring agreement. It also includes an opt-out, but it’s not clear when the clock starts on that, since people are not informed of Equifax monitoring their credit in the first place. “Look up ‘shameless.’ There’s a new first definition: Equifax,” said Public Citizen president Robert Weissman in a statement.
In short, nobody asked Equifax to monitor their credit and then let hackers steal their data. But if these same victims have a problem with the company’s remedy for this massive breach, they have to do all the work to make sure they’re allowed to sue.
This has inspired fury, to put it mildly. New York Attorney General Eric Schneiderman has asked Equifax to take down the arbitration clause entirely, calling it “unacceptable and unenforceable.”
Sen. Sherrod Brown, D-Ohio, ranking Democrat on the Senate Banking Committee, did the same. “It’s shameful that Equifax would take advantage of victims by forcing people to sign over their rights in order to get credit monitoring services they wouldn’t even need if Equifax hadn’t put them at risk in the first place,” he said in a statement.
The breach, which includes names, Social Security numbers, birthdates, and driver’s license numbers, encompasses roughly three-quarters of all people with credit reports in the U.S. Even to check to see if you’re a victim of the breach, you have to give Equifax the last six digits of your Social Security number, which, given their track record, is a bit unnerving.
These arbitration clauses have been deemed so harmful to consumers that the Consumer Financial Protection Bureau issued rules to ban the waiver of class-action rights within them. That rule was finalized in July, but doesn’t take effect on contracts until next March. This arbitration clause, in other words, would be illegal if it were presented in consumer contracts in the future.
That CFPB rule is now under threat from Congress, and the Equifax controversy is now at the heart of that. Under a law called the Congressional Review Act, Congress has 60 legislative days from the finalizing of an agency rule to formally disapprove of it. Since President Donald Trump’s inauguration, Congress has used this 14 times to kick out rules they didn’t like. And a disapproval of the CFPB arbitration rule has already passed in the House.
However, it has run into some resistance in the Senate. Some Republicans, like Sen. Lindsey Graham, R-S.C., have already announced their support for the arbitration rule, and others have wavered. With the Equifax breach showing what arbitration clauses mean in practice, Republicans may find the CFPB rule too hot to touch. “This is just one more example why the Consumer Financial Protection Bureau’s rule banning forced arbitration is badly needed to protect the rights of working Americans,” Brown said.
Equifax also faces investigation because three of its top managers sold $1.8 million in company stock after they learned of the data breach but before the company released that information to the public.
“Equifax just gave 143 million reasons why Americans should tell Congress not to take away their day in court when companies like Equifax abuse their trust,” said Lauren Saunders, associate director of the National Consumer Law Center.