No, Equifax Isn't Taking Away Your Right to Sue

News
By
published

Equifax yanks clause from a Terms of Use page that implied data-breach victims seeking protection would lose the right to sue the company.

Following Equifax's disclosure Thursday (Sept. 7) that data pertaining to 143 million U.S. residents may have been stolen from the credit-reporting agency, the company set up a website, https://www.equifaxsecurity2017.com/, where individuals could check to see whether they were impacted.

Credit: Alexander Kirch/Shutterstock

(Image credit: Alexander Kirch/Shutterstock)

But a Terms of Use page linked to from that site contained a disturbing legal clause. It stated that persons who enrolled in the free credit-monitoring service offered by Equifax would give up the right to join a class-action lawsuit and would have any legal dispute forced into private arbitration rather than open court. (Click here for instructions on how to sign up for that service, and to take other steps to protect yourself in the wake of the Equifax breach.)

So here's some good news: Equifax has now made clear that you won't be giving up any rights.

The waiver/arbitration clause set off a mild firestorm on social media Friday, with some angry commenters taking it to mean that even checking to see whether you were affected by the Equifax breach would cause you to forfeit your legal rights. (That wasn't accurate.)

By Friday afternoon, New York Attorney General Eric Schneiderman stated on Twitter: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."

MORE: Best Identity-Theft Protection

A close read of the offending clause made pretty clear, at least to this non-lawyer, that the class-action waiver and agreement to arbitration applied to TrustedID, not to Equifax.

The language referred only to the former company, and, in a detail doubtless unnoticed by many visitors, the Terms of Use was hosted on TrustedIDPremier.com, not Equifax.com. (The fact that both sites were branded "Equifax" at the top of each page didn't help settle matters.)

The clause was also not unusual, as many technology-service Terms of Service, Terms of Use or End User License Agreements have similar language.

However, TrustedID is a fully owned subsidiary of Equifax, so a legal argument that the clause applied to the entire company might have been possible. And a similar clause was, and still is as of Monday, in the Terms of Use on the Equifax website.

In any case, the issue is moot for now. In the wake of the public brouhaha (and Schneiderman's tweet), Equifax on Friday (Sept. 8) added to the breach-notification page that "In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident."

It's not clear whether Equifax had always intended to suspend the waiver/arbitration clause for victims of the data breach. But the fact that the Terms of Use page was updated on Sept. 6 — the day before the company chose to go public with the data breach — would indicate that the company was fully aware of what was in the Terms of Use page.

By Monday (Sept. 11), the entire waiver/arbitration clause had been removed, and Equifax had added a new passage to its main breach-notification page.

"We’ve added an FAQ to our website to confirm that enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident."

See more Computing News
TOPICS
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

More about online security
A hand typing at a computer in a dark room, lit up by the laptop's keyboard LEDs and red LED light

Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
and image of the Google Chrome logo on a laptop

Google Docs under attack from info-stealing malware — how to keep your data and your emails safe
England's Millie Bright during the Women's international friendly between England and Germany at Wembley Stadium on October 25, 2024 in London, England.

Portugal vs England live stream: How to watch Women's Nations League 2025 game online and for free
See more latest
2 Comments Comment from the forums
  • mgerardy
    I respectfully disagree. In light of two Equifax executive's selling off stock just before the news of the cyber security incident went public, in-addition to Equifax's draconian legal disclaimer - craftily-written and snuck into their "Terms and Agreement policy" - I think that Equifax is trying to play two sides of the fence: The public relations side and the legal side.

    Problem is, Equifax's PR department's alleged-promises to reassure customers that claim that customers are not signing away their legal rights, and therefore induce the public to continue to sign up for TrustedID - Equifax's promises might not be hold up in court that protect your own legal rights as party to a class-action suit. Equifax could later renege in order to limit their scope of liability if a class action lawsuit prevailed, fencing out as many plaintiffs as possible as not being party to the suit. All of the alleged promises that Equifax's PR department can release to the press might not necessarily contractually bind any amendments clarifying the arbitration clause and class action waiver. How Equifax could argue in court that their PR's department's public statement did not establish promissory estoppel, is that these public statements were independent of Equifax's legal department who authored the policy. In addition, there was no explicit acceptance from each plaintiff regarding this amendment that clarifies applicability of the waiver signed by each individual, or for those who subsequently signed the agreement relying upon Equifax's promise, therefore Equifax promise from their PR department was therefore not binding.

    The arbitration clause and class action waiver are plainly codified and written, and it is clear that Equifax's sole-intent is limit their own exposure to legal liability. Why else, or what other situation would Equifax possibly be referring-to regarding an arbitration clause and class action waiver? If this really was the situation of 'does not apply to this cybersecurity incident' - then why would they insert the language for a policy which is germane to this situation only, but in reference to a different situation?

    It is common-knowledge that almost no one sits down and reads every word of legalese, every single time that they are presented with another too-common "Terms and Agreement policy". Equifax was bold enough to believe that no one nationwide would bother to read the policy. Fortunately, at least one sharp person did bother to read the policy and subsequently alerted the press, effectively calling-out Equifax again.

    When a person explicitly agrees to a company's policy, then it is questionable that future promises offered by the company will be honored by the courts if a company simply issues a blanket press release that purports to unilaterally-amend the legal agreement after the fact. Equifax's intent is to reassure the impressionable public that somehow the agreement that they signed just suddenly no longer applies to this situation pertaining to the breach - when this very obvious material fact was omitted in the original agreement to begin with.

    The onus still may remain with each individual to be discerning regarding Equifax's claims that might not amend the policy agreement or change how the courts will interpret individuals signing away their legal rights as plaintiffs in a class action suit. A statement from Equifax's PR department might not rise to the level of undue influence in the eyes of the court.

    Given the stock sell-off, I think this speaks volumes to Equifax's ongoing business concerns, given that a class action lawsuit could have the potential to cause them irreparable damage. Between the stock sell-off, the sneaky waiver craftily-inserted into the terms and agreement policy, then doubling-down with a PR stunt that makes claims that might not hold up in court - I see no reason to provide yet more information (last six digits of my social security number) as well as comply to Equifax's terms in exchange for a service which should not have contained the arbitration clause and class action waiver language in the first place.

    I do not recommend signing anything as an individual regarding agreements which originate from Equifax. The best way to protect yourself is through a security freeze on your credit with all three bureaus.
    Reply
  • Paul Wagenseil
    20166940 said:
    I respectfully disagree. In light of two Equifax executive's selling off stock just before the news of the cyber security incident went public, in-addition to Equifax's draconian legal disclaimer - craftily-written and snuck into their "Terms and Agreement policy" - I think that Equifax is trying to play two sides of the fence: The public relations side and the legal side.

    Problem is, Equifax's PR department's alleged-promises to reassure customers that claim that customers are not signing away their legal rights, and therefore induce the public to continue to sign up for TrustedID - Equifax's promises might not be hold up in court that protect your own legal rights as party to a class-action suit. Equifax could later renege in order to limit their scope of liability if a class action lawsuit prevailed, fencing out as many plaintiffs as possible as not being party to the suit. All of the alleged promises that Equifax's PR department can release to the press might not necessarily contractually bind any amendments clarifying the arbitration clause and class action waiver. How Equifax could argue in court that their PR's department's public statement did not establish promissory estoppel, is that these public statements were independent of Equifax's legal department who authored the policy. In addition, there was no explicit acceptance from each plaintiff regarding this amendment that clarifies applicability of the waiver signed by each individual, or for those who subsequently signed the agreement relying upon Equifax's promise, therefore Equifax promise from their PR department was therefore not binding.

    The arbitration clause and class action waiver are plainly codified and written, and it is clear that Equifax's sole-intent is limit their own exposure to legal liability. Why else, or what other situation would Equifax possibly be referring-to regarding an arbitration clause and class action waiver? If this really was the situation of 'does not apply to this cybersecurity incident' - then why would they insert the language for a policy which is germane to this situation only, but in reference to a different situation?

    It is common-knowledge that almost no one sits down and reads every word of legalese, every single time that they are presented with another too-common "Terms and Agreement policy". Equifax was bold enough to believe that no one nationwide would bother to read the policy. Fortunately, at least one sharp person did bother to read the policy and subsequently alerted the press, effectively calling-out Equifax again.

    When a person explicitly agrees to a company's policy, then it is questionable that future promises offered by the company will be honored by the courts if a company simply issues a blanket press release that purports to unilaterally-amend the legal agreement after the fact. Equifax's intent is to reassure the impressionable public that somehow the agreement that they signed just suddenly no longer applies to this situation pertaining to the breach - when this very obvious material fact was omitted in the original agreement to begin with.

    The onus still may remain with each individual to be discerning regarding Equifax's claims that might not amend the policy agreement or change how the courts will interpret individuals signing away their legal rights as plaintiffs in a class action suit. A statement from Equifax's PR department might not rise to the level of undue influence in the eyes of the court.

    Given the stock sell-off, I think this speaks volumes to Equifax's ongoing business concerns, given that a class action lawsuit could have the potential to cause them irreparable damage. Between the stock sell-off, the sneaky waiver craftily-inserted into the terms and agreement policy, then doubling-down with a PR stunt that makes claims that might not hold up in court - I see no reason to provide yet more information (last six digits of my social security number) as well as comply to Equifax's terms in exchange for a service which should not have contained the arbitration clause and class action waiver language in the first place.

    I do not recommend signing anything as an individual regarding agreements which originate from Equifax. The best way to protect yourself is through a security freeze on your credit with all three bureaus.

    The arbitration/waiver clause was removed from the TrustedID Terms of Service. Saw it myself. But you're right about the security freeze.
    Reply