Future Tense

The Equifax Hack Conundrum

Will merely checking to see whether you were a victim of the breach waive your right to sue?

What a massive headache.


Late Thursday the credit reporting agency Equifax revealed that it was subject to one of the most damaging data breaches in recent memory: Intruders accessed up to 143 million Americans’ names, Social Security numbers, birthdates, and driver’s license numbers. Credit card numbers for about 209,000 consumers were also exposed, according to Equifax.

Equifax set up a website, Equifaxsecurity2017.com, where you can check whether you’ve been affected. (And if you are an adult in the U.S., it’s a pretty safe bet that you were affected.) The company is also offering a year of free credit monitoring and identity theft protection, called TrustedID, for people who had their info stolen. (Whether such services really work is another matter.) TrustedID also appears to be running the part of Equifaxsecurity2017.com that allows people to see whether they were impacted by the hack.

The problem with using Equifax’s free ID protection, though, is that in signing up, you have to agree to terms of service that appear to force you into arbitration and waive the right to participate in any class-action lawsuit against TrustedID, the credit monitoring service. (Arbitration is the technical term for settling a dispute outside of court.)

Some outlets, such as the Washington Post and Ars Technica, are saying that the Equifax program that checks if you were a victim of the hack has terms of service conditions that could bar people from participating in class-action lawsuits. But that’s not necessarily the case. The terms of service for the TrustedID service that lets people check whether they’re impacted by the data breach are different than the terms of service for Equifax.

Simply checking whether you were affected by the breach or signing up for TrustedID doesn’t automatically make you ineligible to participate in a class-action suit against Equifax about the breach. According to Robert Weissman, the president of Public Citizen, a prominent public-interest advocacy organization, those terms may mean instead that you can’t engage in a class action against TrustedID, the service that checks if you were a part of the breach.

But if you’ve ever been a customer of Equifax, like by obtaining a credit report from the company, then you’ve already likely waived your right to sue Equifax with regard to the breach. That’s because Equifax has inserted a clause into its own terms of service that forces customers to go into arbitration, too. It’s confusing, because although the TrustedID’s terms of service—that’s the site used to check if you were a victim of the Equifax breach and obtain identity protection services—only appears to apply to TrustedID, Equifax itself has broadly worded terms of service that bar anyone who uses “all other websites owned and operated by Equifax and its affiliates” from engaging in class action, too.

But Equifax’s terms might not be enforceable anyway. As Joanne Doroshow, the executive director of the Center for Justice and Democracy at New York Law School explained to me, a clause in Equifax’s terms of service says that claims that fall under the Fair Credit Reporting Act are exempted. The FCRA is supposed to protect the privacy of information kept by consumer-reporting agencies like Equifax, which would mean that customers would not be forced to arbitration and thus could particulate in a class-action suit.

So to clarify:

  1. Checking whether you were a victim of the hack doesn’t necessarily automatically bar you from engaging in a class-action lawsuit against Equifax.
  2. But it does bar you from launching a class-action suit against TrustedID.
  3. However, Equifax’s larger terms of service could be interpreted as barring forced arbitration that would cover checking whether you’re a victim of the hack, too.
  4. That is, unless the claim is being filed under this one law: the Fair Credit Reporting Act.

Confused yet? So are the lawyers.

Complicating things further is that financial institutions often try to force customers into arbitration. Wells Fargo, for example, asked a judge last year to force people into arbitration who were suing the company for opening fake accounts in their name without their permission.  Outrageously, the court agreed with Wells Fargo, and the bank settled outside of court.

So what to do? “I’d recommend waiting until Equifax states where it will permit anyone harmed by the hack to have their day in court,” says Michael Fuller, the Oregon attorney working on the first class-action lawsuit that was brought against Equifax on Thursday evening.

“It seems to be pretty outrageous to say, ‘Hey, I’m looking at your website to look up whether or not I’m a victim, and therefore when I look to see if I’ve been harmed by you, just by looking I’ve now found myself to not go to court,’ I think that may be a bridge too far, even for our courts,” says Ira Rheingold, the executive director of the National Association of Consumer Advocates.

Still, if you think you might want to engage in a class-action suit, it might be better not to check whether you’ve been a victim on Equifax’s free site at all. Instead, you should keep a close eye on accounts—like a bank account or insurance—that authenticate your identity by using your Social Security number or date of birth. If you’re (understandably, given the news of this week—and really, the past decade) reticent to trust a private company but still want to check for unusual activity, the Consumer Financial Protection Bureau has a free credit-reporting service.

To put the Equifax hack in perspective, it affects about 44 percent of the U.S. population. And it includes people who have never signed up for any Equifax services or don’t even necessarily know what Equifax is. That’s because the credit-reporting agency is also as a massive multibillion-dollar data compilation company.

“People go to Equifax for credit reports, but what their business really is about is commoditizing your financial and personal information by slicing and dicing it and selling it in all sorts of manners,” says Rheingold. In other words: A company has been collecting private financial information on millions of people (many of whom have no relationship with it), making money off of it, and not even keeping it secure.

You can also lodge complaints to your state attorney general, as well as with the Consumer Financial Protection Bureau, according to Rheingold. Some people may even wish to put a credit freeze on their accounts to prevent their financial information getting into the wrong hands, like an imposter applying for credit in your name, for example.

Equifax, according to Fuller, appears to be a $17 billion company. “We’re estimating up to $70 billion for the cost to make everyone whole,” Fuller continues. That money could go to all the consumers who now need to pay for credit repair services for the next several years.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.