No, Equifax Isn't Taking Away Your Right to Sue

Following Equifax's disclosure Thursday (Sept. 7) that data pertaining to 143 million U.S. residents may have been stolen from the credit-reporting agency, the company set up a website, https://www.equifaxsecurity2017.com/, where individuals could check to see whether they were impacted.

Credit: Alexander Kirch/Shutterstock


But a Terms of Use page linked to from that site contained a disturbing legal clause. It stated that persons who enrolled in the free credit-monitoring service offered by Equifax would give up the right to join a class-action lawsuit and would have any legal dispute forced into private arbitration rather than open court. (Click here for instructions on how to sign up for that service, and to take other steps to protect yourself in the wake of the Equifax breach.)

So here's some good news: Equifax has now made clear that you won't be giving up any rights.

The waiver/arbitration clause set off a mild firestorm on social media Friday, with some angry commenters taking it to mean that even checking to see whether you were affected by the Equifax breach would cause you to forfeit your legal rights. (That wasn't accurate.)

By Friday afternoon, New York Attorney General Eric Schneiderman stated on Twitter: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."


A close read of the offending clause made pretty clear, at least to this non-lawyer, that the class-action waiver and agreement to arbitration applied to TrustedID, not to Equifax.

The language referred only to the former company, and, in a detail doubtless unnoticed by many visitors, the Terms of Use was hosted on TrustedIDPremier.com, not Equifax.com. (The fact that both sites were branded "Equifax" at the top of each page didn't help settle matters.)

The clause was also not unusual, as many technology-service Terms of Service, Terms of Use or End User License Agreements have similar language.

However, TrustedID is a fully owned subsidiary of Equifax, so a legal argument that the clause applied to the entire company might have been possible. And a similar clause was, and still is as of Monday, in the Terms of Use on the Equifax website.

In any case, the issue is moot for now. In the wake of the public brouhaha (and Schneiderman's tweet), Equifax on Friday (Sept. 8) added to the breach-notification page that "In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

It's not clear whether Equifax had always intended to suspend the waiver/arbitration clause for victims of the data breach. But the fact that the Terms of Use page was updated on Sept. 6 — the day before the company chose to go public with the data breach — would indicate that the company was fully aware of what was in the Terms of Use page.

By Monday (Sept. 11), the entire waiver/arbitration clause had been removed, and Equifax had added a new passage to its main breach-notification page.

"We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.