Equifax Clarifies Arbitration Clause After Massive Hack

Last week, Equifax revealed that the names, addresses, and Social Security numbers of roughly 143 million people were stolen from its website. (Other information, such as credit card and driver's license numbers, about hundreds of thousands of people was also compromised.) Now the company has released several updates to let people know how it's handling the hack's aftermath and to clarify the terms of TrustedID Premier.

Equifax's response to this breach attracted plenty of criticism—and not just because three executives reportedly sold around $1.8 million worth of stock in between the hack's discovery and its disclosure. Of particular concern was how it planned to protect the identities of people whose personal data was compromised. These aren't usernames or passwords that can be changed at a moment's notice; they're permanent identifiers.

So the company said it would provide free credit monitoring, identity theft insurance, and other protections via its TrustedID Premier service. The problem was twofold: Equifax will foot the bill for this service for only a year, after which people will either have to put their financial health at risk or pony up for the service themselves, and TrustedID Premier's terms of service include an arbitration clause that waives users' right to sue.

New York State Attorney General Eric T. Schneiderman said on Twitter that "this language is unacceptable and unenforceable" and that his staff contacted Equifax to "demand that they remove it." (He later published a guide to protecting yourself in the wake of the breach and announced that he launched a formal investigation into the hack.) The company then issued an update on the website dedicated to the incident, which read:

In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.

In the days since, Equifax has also more than tripled the number of agents working in its call centers, updated its PIN generation process, and updated its main website to more prominently feature a link to the site dedicated to the breach. The company said it has also "arranged to ramp up agents quickly to replace agents" affected by Hurricane Irma in an effort to keep call center wait times to a minimum.

The company also clarified TrustedID Premier's terms of service again:

We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.

Equifax also told several people on Twitter that using TrustedID Premier as a result of the incident won't affect their legal rights. It's clear that the company wants to address one of the primary criticisms of its response to the hack. (The stock sale and the limited-time offer of TrustedID Premier, however, largely remain unaddressed.)

The good news is that you can now use the protective services without signing away your rights.

The bad news is that you still have to choose between paying a company that collected your personal information without your consent—credit reporting companies are nigh-ubiquitous but oft-forgotten—to protect you or living in fear of having your identity stolen. Sure, going with the first option right now means you get a free year of TrustedID Premier. But if you're planning to live any longer than that, you're still at risk.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • darkguy2
    Of course it was just a misunderstanding. In no way did they think they could skirt lawsuits by opting out a large majority of future litigants without telling them. They are just a small company and don't have access to highly paid lawyers who would tell them this. (/sarcasm)

    Really makes me sick that even in 2017 companies are not investing in proper data protections. Even more since this data is so critical to every person and cannot be changed like a CC number. They need to be made an example out of to make sure this does not happen in the future.
  • smashjohn
    Life Lock actually provided protective services for individuals and families, but they were sued by Experian in 2008 and forced to stop the practice. Basically they acted as your proxy and enabled/disabled fraud protection on your credit accounts at a moment's notice, allowing users to open credit easily and then lock their credit when they were done. Now we have no proactive protection available, and companies like Equifax, Experian and TransUnion can profit from the breach by charging us for monitoring and insurance. Wouldn't it make more sense to let me control when a line of credit can be opened rather than have to deal with the aftermath of fraud every time? Yes, but it would be less profitable for these companies.
  • TJ Hooker
    darkguy2 said:
    Even more since this data is so critical to every person and cannot be changed like a CC number.
    Did you mean SSN? Because getting a different credit card number is easy.
    Edit: Oops, misunderstood darkguy2's comment. Never mind.
  • spdragoo
    20162313 said:
    Life Lock actually provided protective services for individuals and families, but they were sued by Experian in 2008 and forced to stop the practice. Basically they acted as your proxy and enabled/disabled fraud protection on your credit accounts at a moment's notice, allowing users to open credit easily and then lock their credit when they were done. Now we have no proactive protection available, and companies like Equifax, Experian and TransUnion can profit from the breach by charging us for monitoring and insurance. Wouldn't it make more sense to let me control when a line of credit can be opened rather than have to deal with the aftermath of fraud every time? Yes, but it would be less profitable for these companies.

    I had to pay for Lifelock last summer -- aside from the issue with the IRS (!?!) getting hacked & someone attempting to use our information to file a fake return with them, someone stole my wife's identity & opened a bunch of store credit cards in her name (happened to luck out & catch her because she opened a CostCo membership the same day that we were trying to, just 30 minutes before we applied, & she was still at the other store; their staff delayed her until the police could show up). So we paid for their middle plan, which includes monitoring your accounts for transactions as well as regular sweeps of known "Darkweb" sites for your personal information. It's expensive, to be sure...but a) we've already been burned once, & b) it's cheaper than Experian's protection (which only covers you with their bureau, not the other 3). And boy, do they catch them. We originally had the alert threshold set at $500, so every month it asks us if we really meant to make our house payment. We just had a transaction they missed, though, because it was under that threshold, so now I've had to drop it to the $200 level (which now means the monthly car payment, as well as the semiannual car insurance payments, are going to trigger alerts). They're mildly irritating...but it gives us greater peace of mind.

    Probably what they meant, though, was that they didn't want Lifelock handling the 'fraud alert' or 'credit freeze' options. Fraud alert flags on your account isn't necessarily a big thing because it's done for free (the 90-day alert gets shared with the other 2 credit bureaus, but the 7-year version has to be set with each one individually), & basically means that any financial institution (bank, credit union, loan company, auto dealership, etc.) has to contact you personally before opening any account. The credit freeze, though, is a major thing because a) as long as it's enabled no company is allowed to see your credit score/report (unless you already have a pre-existing & active account with them, or the company is an authorized collection agency acting on that company's behalf), & b) they charge a fee.

    Fair warning on the fraud alerts: it makes a really big flag pop up with the Social Security Administration, & if you haven't already set up an online login for their site you'll have to go to a local office in person to get access to it.

    Funny thing is, LifeLock sent me an alert back in May about a potential issue with 1 of my credit reports (possible name/address change, etc.). I called all 3 bureaus & went over the name/address information on them, but couldn't find anything that was out of place, & since the name/address in question actually belonged to my father (similar name, & they live close by) I didn't think anything more of it....now I'm wondering, since I had the alert in June, if it wasn't somehow tied into this hack.

    20162323 said:
    darkguy2 said:
    Even more since this data is so critical to every person and cannot be changed like a CC number.
    Did you mean SSN? Because getting a different credit card number is easy.

    No, I'm pretty sure he meant that, unlike changing CC numbers, it's really difficult to change the rest of the information. You have to go to a judge to legally change your name, changing your address means physically moving all of your stuff/buying a new place or finding a new place to rent/other financial issues, & I don't know if you can even change your SSN at all.
  • d_kuhn
    Soo... their leak means that key information that we're unable to alter will forever be compromised, making our credit 'at risk' for the remainder of our lives. I'd like to see a class action suit that forces protective support for the duration of the risk (until I die or the system that uses these fixed identifiers changes). Next year I'm not going to start paying them to protect me from a f-up that THEY'RE responsible for.
  • ubercake
    When my bank card or credit card numbers are compromised, they send me a new number. Can I get a new SSN please?
  • blunion05
    20162785 said:
    When my bank card or credit card numbers are compromised, they send me a new number. Can I get a new SSN please?

    God, I wish it was that simple. I don't know much about encryption or cybersecurity but with how much encryption there is to go around these days, I wonder if our SSNs could get a treatment like how Credit Cards got treatment with the chips.
  • wiyosaya
    20162313 said:
    Life Lock actually provided protective services for individuals and families, but they were sued by Experian in 2008 and forced to stop the practice. Basically they acted as your proxy and enabled/disabled fraud protection on your credit accounts at a moment's notice, allowing users to open credit easily and then lock their credit when they were done. Now we have no proactive protection available, and companies like Equifax, Experian and TransUnion can profit from the breach by charging us for monitoring and insurance. Wouldn't it make more sense to let me control when a line of credit can be opened rather than have to deal with the aftermath of fraud every time? Yes, but it would be less profitable for these companies.
    The thing is that anyone can do what LifeLock was doing.

    Everyone has two choices: 1. Place a fraud alert with any of these credit reporting agencies, and they are required to notify the others for free. If someone tries to take out credit in your name, lenders are required to verify that it is really you requesting the credit. The only difficulty is that this is only good for one quarter; however, you can renew it indefinitely for free.

    Choice 2: Place a credit freeze with the agency, which costs $5-$10 depending on where you live. This means that lenders cannot pull your credit report and, therefore, are not able to issue credit in your name. If you need to get additional credit, you can contact the agency and have them temporarily remove the credit freeze so that you can apply for any credit needed.

    It may be a bit more difficult to take these actions yourself, however, I bet it is far cheaper than LifeLock. Why pay them for something that can be done for free, Fraud Alert, or for what may be only a one-time fee of $5 - $10?

    See http://money.cnn.com/2017/09/07/pf/victim-equifax-hack-how-to-find-out/index.html
  • 60FPS
    I don't understand why ppl aren't taking this seriously. Nearly half the US population could have their lives ruined from identity theft. WTF do we do now?
  • blunion05
    20163546 said:
    I don't understand why ppl aren't taking this seriously. Nearly half the US population could have their lives ruined from identity theft. WTF do we do now?

    The problem is non-tech savvy folks don't realize the severity of this situation.

    It's a "hasn't happened to me, so how bad could it possibly be?" reaction.

    This security breach is so disgusting. These corporations don't care for our sensitive information in any way shape or form.