This story has been updated with comments from the CFPB and the New York Attorney General’s office.
Worried you may be affected by Equifax’s massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But regulators are becoming concerned that the site could pose risks to consumers. As a result, you may want to think twice about using it. Here’s why.
The website’s terms of service potentially restricts your legal rights.
Sharp-eyed social media users have combed through the data breach site’s fine print — and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here’s the relevant passage of the terms of service:
AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
This language is commonly known in the industry as an “arbitration clause.” In theory, arbitration clauses are meant to streamline the amount of work that’s dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good — and the agency put in place a rule to ban them.
“In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right,” Richard Cordray, the CFPB’s director, told reporters in July, according to my colleague Jonnelle Marte.
For consumers affected by Equifax’s breach, this is a live issue; there is already at least one class-action suit brewing against Equifax.
If the government is moving to bar arbitration clauses, then why is one in there?
Despite the CFPB’s move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won’t happen until Sept. 18, the CFPB said. What’s more, the rule doesn’t work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.
The CFPB said Friday that Equifax’s arbitration clause was “troubling” and that the agency is investigating the data breach and Equifax’s response.
“Equifax could remove this clause so that consumers can receive this service without condition,” the CFPB said in a statement.
The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Trump to become official, but if it does, then the CFPB’s regulation could be nixed.
On Friday, New York Attorney General Eric Schneiderman took aim at Equifax’s arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.
“This language is unacceptable and unenforceable,” the state’s top lawyer said in his tweet. Minutes later, Schneiderman’s office announced a formal probe into the Equifax breach. In a release, the state attorney general’s office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the “black market,” according to a person familiar with the investigation.
A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.
So should I register with the Equifax site, or not?
It’s up to you, but you should know going into the process what you’re signing up for.
Friday morning, after social media users began complaining about the arbitration clause, Equifax updated its terms of service to give consumers an escape hatch if they do not wish to be bound by its language.
Here’s how the opt-out provision reads:
In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). …
[You] must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.
This language helps address some of the concerns, but it requires consumers to remember to write to Equifax.
Meanwhile, there’s something else that you should know if you do decide to use Equifax’s website to check if you were affected.
The site demands even more information from you to prove your identity.
To make sure that the person checking the database is really you, Equifax’s data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.
Is there anything else I can do?
You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.