Credit reporting agency Equifax reported a massive security breach on Thursday. The breach may have exposed Social Security numbers, driver’s license numbers, and other important personal information, leaving 143 million US consumers vulnerable to ID theft.
Equifax immediately offered a complimentary ID-theft monitoring program called TrustedID. However, blowback ensued quickly on Friday as the TrustedID terms of service require users to waive their right to sue or join a class action lawsuit to receive the monitoring.
An Equifax spokesperson said the waiver “applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”
‘The language is broad’
However, that waiver may still limit the effectiveness of a new, multibillion-dollar proposed class action over the breach, or any other litigation stemming from the incident, according to F. Paul Bland, an attorney and executive director for Public Justice and an expert in arbitration cases.
“The language is broad,” he said. “An arbitrator, not a court, will probably decide it. Defendants win most challenges to scope of clause.” Bland said that he has lost many cases due to the generous scope afforded by arbitration agreements.
The broad language in the agreement makes it so that Equifax could change its mind down the road when facing severe legal liabilities, according to Bland. “Its lawyers may argue the opposite in a year and won’t be bound by what its press people said,” said Bland.
Even without signing up for TrustedID, consumers may not be able to sue if they’ve ever used Equifax’s products, which include credit scores and reporting. Equifax’s own terms of service mandate that consumers pursue arbitration rather than class-action lawsuits if they have disputes over the credit-monitoring company’s service.
‘A gross insult to customers’
Bland sees the offer of a free service as a ploy to cover liability.
“Under the guise of offering a year of credit monitoring, they’re trying to get consumers to sign or click something to get them to give up legal rights,” Bland said. “[Equifax] is tricking people that it’s helping them when they’re signing up to steal rights from them. It’s a gross insult to customers.”
After a breach like this, many consumers generally spring into action to prevent damage, by freezing credit reporting or by taking the steps recommended or offered by the hacked party. Equifax established a website specifically to deal with the breach. The TrustedID service is prominently linked and portrayed as a “complimentary” service. (TrustedID is a subsidiary of Equifax.)
Even if this doesn’t apply to TrustedID users, Equifax’s Terms of Use does
If Equifax is correct that the monitoring waiver is unconnected with the cybersecurity breach, suing over the data breach might be a problem because of the company’s own arbitration clause that relates to the use of Equifax’s services.
According to Bland, forced arbitration clauses are generally enforceable and enforced, unless the terms drafted by the lawyers somehow contain an error. Instead of taking place with a court and a judge, arbitration is a private process with an arbitrator and is generally preferred by companies as it can require individuals to each pursue restitution individually instead of banding together as a group.
Like many terms of use, Equifax’s fine print does include an option to opt out. However, a consumer is required to send a letter within 30 days of agreement to opt out, something that is extremely unlikely to happen.
‘The percentage of people who would get what it means is very small’
A day following the announcement of the data breach, the National Consumer Law Center called for Equifax to “immediately remove the forced arbitration clause and class action ban” from its terms of use.
In its 728-page 2015 report on arbitration clauses, the Consumer Financial Protection Bureau found that the vast majority of people didn’t comprehend the clauses. In one study, 668 people were presented with a contract in which an arbitration clause was bolded and in all caps.
Just 43% of respondents indicated they knew an arbitration clause was present when asked a close-ended question, but just 14% actually understood that it foreclosed the right to sue. It’s important to note that these people had just read the terms, unlike many people who do not read the fine print.
“How many will click and find the arbitration?” said Bland. “Even if they did, the percentage who would get what it means is very small. They are trying to slip this by people.”
Earlier this year, the CFPB issued a new rule to make it easier to mount a class action against banks and financial institutions by banning forced arbitration. However, it doesn’t apply to credit reporting institutions, and is not in effect yet.
In a statement to Yahoo Finance, the CFPB said it was looking into the data breach and Equifax’s response. “The CFPB has authority over the consumer reporting industry, including supervisory and enforcement authority. The CFPB is authorized to take enforcement action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws.”
The Bureau also said that “it is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition.”
Ethan Wolff-Mann is a writer at Yahoo Finance focusing on consumer issues, tech, and personal finance.