Equifax Clarifies Arbitration Clause After Massive Hack

Last week, Equifax revealed that the names, addresses, and Social Security numbers of roughly 143 million people were stolen from its website. (Other information, such as credit card and driver's license numbers, about hundreds of thousands of people was also compromised.) Now the company has released several updates to let people know how it's handling the hack's aftermath and to clarify the terms of TrustedID Premier.

Equifax's response to this breach attracted plenty of criticism—and not just because three executives reportedly sold around $1.8 million worth of stock in between the hack's discovery and its disclosure. Of particular concern was how it planned to protect the identities of people whose personal data was compromised. These aren't usernames or passwords that can be changed at a moment's notice; they're permanent identifiers.

So the company said it would provide free credit monitoring, identity theft insurance, and other protections via its TrustedID Premier service. The problem was that Equifax will foot the bill for this service for only a year, after which people will either have to put their financial health at risk or pony up for the service themselves, and that TrustedID Premier's terms of service include an arbitration clause that waives users' right to sue.

New York State Attorney General Eric T. Schneiderman said on Twitter that "this language is unacceptable and unenforceable" and that his staff contacted Equifax to "demand that they remove it." (He later published a guide to protecting yourself in the wake of the breach and announced that he launched a formal investigation into the hack.) The company then issued an update on the website dedicated to the incident, which read:

In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

In the days since, Equifax has also more than tripled the number of agents working in its call centers, updated its PIN generation process, and updated its main website to more prominently feature a link to the site dedicated to the breach. The company said it has also "arranged to ramp up agents quickly to replace agents" affected by Hurricane Irma in an effort to keep call center wait times to a minimum.

The company also clarified TrustedID Premier's terms of service again:

We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.

Equifax also told several people on Twitter that using TrustedID Premier as a result of the incident won't affect their legal rights. It's clear that the company wants to address one of the primary criticisms of its response to the hack. (Although the stock sale and limited time offer of TrustedID Premier largely remain unaddressed.)

The good news is that you can now use the protective services without signing away your rights.

The bad news is that you still have to choose between paying a company that collected your personal information without your consent—credit reporting companies are nigh-ubiquitous but oft-forgotten—to protect you or living in fear of having your identity stolen. Sure, going with the first option right now means you get a free year of TrustedID Premier. But if you're planning to live any longer than that, you're still at risk.

Create a new thread in the News comments forum about this subject
This thread is closed for comments
14 comments
Comment from the forums
    Your comment
  • darkguy2
    Of course it was just a misunderstanding. In no way did they think they could skirt lawsuits by opting out a large majority of future litigants without telling them. They are just a small company and don't have access to highly paid lawyers who would tell them this. (/sarcasm)

    Really makes me sick that even in 2017 companies are not investing in proper data protections. Even more since this data is so critical to every person and cannot be changes like a CC number. They need to be made an example out of the make sure this does not happen in the future.
    2
  • smashjohn
    Life Lock actually provided protective services for individuals and families, but they were sued by Experian in 2008 and forced to stop the practice. Basically they acted as your proxy and enabled/disabled fraud protection on your credit accounts at a moment's notice, allowing users to open credit easily and then lock their credit when they were done. Now we have no proactive protection available, and companies like Equifax, Experian and Transunion can profit from the breach by charging us for monitoring and insurance. Wouldn't it make more sense to let me control when a line of credit is can be opened rather than have to deal with the aftermath of fraud every time? Yes, but it would be less profitable for these companies.
    3
  • TJ Hooker
    darkguy2 said:
    Even more since this data is so critical to every person and cannot be changes like a CC number.

    Did you mean SSN? Because getting a different credit card number is easy.

    Edit: Oops, misunderstood darkguy2's comment. Nevermind.
    0