Sharp-eyed social media users have combed through the Equifax data breach site's fine print — and found what they argue is a red flag.
Buried in the terms of service is language that appears to bar those who enroll in an Equifax credit monitoring program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:
AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
This language is commonly known in the industry as an “arbitration clause.” In theory, arbitration clauses are meant to streamline the amount of work that's dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good — and the agency put in place a rule to ban them.
“In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right,” Richard Cordray, the CFPB’s director, told reporters in July, according to my colleague Jonnelle Marte.
Here's a further look into why the language raised concerns.
There is already at least one class-action suit brewing against Equifax. Arbitration clauses make it hard if not impossible for consumers to join such suits. Arbitration is weaker than class-action suits, critics say, because it limits consumers’ ability to find facts to support their case, to appeal decisions or to present their case before a jury.
Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.
The CFPB said earlier Friday that Equifax's arbitration clause was "troubling" and that the agency is investigating the data breach and Equifax's response.
"Equifax could remove this clause so that consumers can receive this service without condition," the CFPB said in a statement.
The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Trump to become official, but if it does, then the CFPB's regulation could be nixed.
Friday afternoon, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.
"This language is unacceptable and unenforceable," the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the "black market," according to a person familiar with the investigation.
A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.
It's up to you, but you should know going into the process what you're signing up for. Equifax issued a statement Friday evening apologizing for consumers' inconvenience and said that the arbitration clause and class-action waiver "does not apply to this cybersecurity incident."
This language may appear to limit Equifax's ability to block class-action lawsuits, said Joel Winston, a former deputy attorney general for the state of New Jersey and a privacy and data protection lawyer — but don't get complacent.
Meanwhile, there's something else that you should know if you do decide to use Equifax's website to check if you were affected.
The site demands even more information from you to prove your identity.
To make sure that the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.
You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit for free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.