Last week, Equifax revealed that the names, addresses, and Social Security numbers of roughly 143 million people were stolen from its website. (Other information, such as credit card and driver's license numbers, about hundreds of thousands of people was also compromised.) Now the company has released several updates to let people know how it's handling the hack's aftermath and to clarify the terms of TrustedID Premier.
Equifax's response to this breach attracted plenty of criticism—and not just because three executives reportedly sold around $1.8 million worth of stock in between the hack's discovery and its disclosure. Of particular concern was how it planned to protect the identities of people whose personal data was compromised. These aren't usernames or passwords that can be changed at a moment's notice; they're permanent identifiers.
So the company said it would provide free credit monitoring, identity theft insurance, and other protections via its TrustedID Premier service. There were two problems: Equifax will foot the bill for this service for only a year, after which people will either have to put their financial health at risk or pony up for the service themselves, and TrustedID Premier's terms of service included an arbitration clause that waives users' right to sue.
New York State Attorney General Eric T. Schneiderman said on Twitter that "this language is unacceptable and unenforceable" and that his staff contacted Equifax to "demand that they remove it." (He later published a guide to protecting yourself in the wake of the breach and announced that he had launched a formal investigation into the hack.) The company then issued an update on the website dedicated to the incident, which read:
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.
In the days since, Equifax has also more than tripled the number of agents working in its call centers, updated its PIN generation process, and updated its main website to more prominently feature a link to the site dedicated to the breach. The company said it has also "arranged to ramp up agents quickly to replace agents" affected by Hurricane Irma in an effort to keep call center wait times to a minimum.
The company also clarified TrustedID Premier's terms of service again:
We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.
Equifax also told several people on Twitter that using TrustedID Premier as a result of the incident won't affect their legal rights. It's clear that the company wants to address one of the primary criticisms of its response to the hack. (The stock sale and the limited-time offer of TrustedID Premier largely remain unaddressed, however.)
The good news is that you can now use the protective services without signing away your rights.
The bad news is that you still have to choose between paying a company that collected your personal information without your consent—credit reporting companies are nigh-ubiquitous but oft-forgotten—to protect you or living in fear of having your identity stolen. Sure, going with the first option right now means you get a free year of TrustedID Premier. But if you're planning to live any longer than that, you're still at risk.