Not only did Equifax suffer a massive data breach that potentially compromised the personal data of up to 143 million in the U.S. and then wait 6 weeks to inform the public--the credit-reporting company is directing those who want to know if they were a victim of the breach to a service that forces them into a "rip-off clause" that makes them give up their right to file or join class-action lawsuit against the company.
Robert Weissman, president of advocacy group Public Citizen, called it "one of the most brazen corporate wrongdoer maneuvers in memory."
MarketWatchreported:
Equifax's terms require "arbitration of disputes" and "a waiver of the ability to bring or participate in a class action, class arbitration, or other representative action." The terms were written in block capitals. However, experts say research has shown that customers rarely read the terms and conditions when signing up for services. (The company was not immediately available for comment.)
A new rule from the Consumer Financial Protection Bureau (CFPB) bans companies from using these consumer-unfriendly mandatory arbitration clauses. But it doesn't go into effect until Sept. 18. It's also already in the cross-hairs of Republicans--a point noted CFPB creator Sen. Elizabeth Warren (D-Mass.), who called the breach "Exhibit A for why we must stop @GOP from reversing the @CFPB's rule protecting your right to join class actions."
That tweet was included in a series from Warren that took aim at Equifax:
The clause also drew from Amanda Werner, arbitration campaign manager at Public Citizen and Americans for Financial Reform. "It is despicable that Equifax would exploit consumers' need for identity theft monitoring to avoid accountability for this devastating breach. Perhaps more despicable, at this very moment, U.S. senators are weighing legislation to take away our right to hold companies like Equifax accountable in court," she said.
Brian Fung writes at Washington Post's "The Switch" blog that
There appears to be an escape hatch from the arbitration clause in Equifax's main terms of use, but it's unclear if that applies to the credit monitoring program known as TrustedID Premier, whose more specific terms of use may be found here. Both documents contain an arbitration clause.
In addition, he writes,
Some readers have pointed out that Equifax maintains an FAQ about TrustedID Premier, and that the FAQ appears to limit the scope of TrustedID Premier's terms of use to "the free credit file monitoring and identity theft protection products, and not the cybersecurity incident" that was disclosed this week.
But according to Joel Winston, a former deputy attorney general for the state of New Jersey and a privacy and data protection lawyer, that may not reign in Equifax's ability to stop people from banding together in a suit. Fung continues:
"Just because someone in the marketing department wrote that the terms of service don't apply to the cybersecurity incident means nothing compared to the contractual obligations of the terms of use," he said.
"You could say, 'What you're saying here is deceitful,' but it's a real gray area," he said. "If you look back at the TrustedID terms of use, the last paragraph says 'entire agreement between us,' which basically reiterates that the terms of service is the entire agreement and anything else you read on the website have no applicability."
New York Attorney General Eric T. Schneiderman announced Friday that he is launching a formal investigation into the breach. On Twitter, Schneider blasted the rip-off clause, writing: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."
House Financial Services Committee Chairman Jeb Hensarling (R-Texas), meanwhile, announced that it would hold a hearing into the breach.