The credit monitoring firm, Equifax,
recently suffered a massive data breach, resulting in the exposure of the personal information of approximately 143 million Americans. This personal information includes names, Social Security numbers, birth dates, and addresses.
Equifax, realizing how terrible this is, has tried to respond by offering free credit report monitoring services to its customers for a year. But this isn't going over very well, as it appears that Equifax may be attempting to get people to waive their class-action rights and agree to binding arbitration provisions by signing up for the credit-monitoring service. From the
Wall Street Journal:
The fine print in the Equifax agreement concerning the monitoring services said that consumers who take part waive the ability to bring or participate in a class-action suit, a class arbitration or other similar legal actions. That seemed to suggest that consumers would be bound to an individual arbitration process with the company, which some argue is a more difficult place for consumer to get larger rewards for their problems.
The Washington Post has similar reporting
here, and a report from MarketWatch is
here.
The Terms of Service that contain the "fine print" can be found
here. Here is the relevant provision:
Binding Arbitration. Any Claim (as defined below) raised by either You or Equifax against the other shall be subject to mandatory, binding arbitration. As used in this arbitration provision, the term "Claim" or "Claims" means any claim, dispute, or controversy between You and Us relating in any way to Your relationship with Equifax, including but not limited to any Claim arising from or relating to this Agreement, the Products or this Site, or any information You receive from Us, whether based on contract, statute, common law, regulation, ordinance, tort, or any other legal or equitable theory, regardless of what remedy is sought. This arbitration obligation extends to claims You may assert against Equifax’s parents, subsidiaries, affiliates, successors, assigns, employees, and agents. The term "Claim" shall have the broadest possible construction, except that it does not include any claim, dispute or controversy in which You contend that EIS violated the FCRA. Any claim, dispute, or controversy in which You contend that EIS violated the FCRA is not subject to this provision and shall not be resolved by arbitration.
The key in this paragraph is the definition of "Claim," which is sufficiently broad to cover damages arising from the data breach (as these damages presumably arise from one's relationship with Equifax).
Equifax may claim that the Terms of Service linked to above do not apply to customers who enroll in the "TrustedID Premier" program that Equifax is offering after the breach. That program is linked to from
this page (with a URL of
www.equifaxsecurity2017.com). The Terms of Service associated with the TrustedID program are
here, and while they also contain a pretty stringent-sounding arbitration provision, it does not contain the same, extremely broad "Claim" definition. [NOTE: See update below].
But the Terms of Service that I initially quoted should still apply to those who enroll in the TrustedID service because those Terms are extremely broad in their potential application:
THIS PRODUCT AGREEMENT AND TERMS OF USE ("AGREEMENT") CONTAINS THE TERMS AND CONDITIONS UPON WHICH YOU MAY PURCHASE AND USE OUR PRODUCTS THROUGH THE WWW.EQUIFAX.COM, WWW.IDENTITYPROTECTION.COM AND WWW.IDPROTECTION.COM WEBSITES AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES ("SITE"). YOU MUST ACCEPT THE TERMS OF THIS AGREEMENT, INCLUDING THE ARBITRATION AGREEMENT CONTAINED IN SECTION 4 BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR AND PURCHASE ANY PRODUCT FROM THIS SITE. BY REGISTERING ON THIS SITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.
Sorry for all the capital letters. I strongly suspect that attorneys who draft terms of service agreements are secretly angry people, and sometimes the rage manifests itself in the work product.
In case you cannot read the paragraph above, it applies the terms in the Agreement to all websites owned and operated by Equifax and its Affiliates.
In response to critics pointing out how Equifax appears to be systematically herding potential Plaintiffs' into agreeing to binding arbitration, Equifax has set up this
"Progress Update" page where it tries to put out the new fire that it has caused:
2). NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.
Have they though?
Let's go back to the Terms of Service -- specifically, to the relevant portion of the integration clause near the end:
ENTIRE AGREEMENT BETWEEN US. This Agreement constitutes the entire agreement between You and Us regarding the Products and information contained on or acquired through this Site or provided by Us, including through other linked third party Internet sites.
This appears to exclude Equifax's damage control statements, which appear on a separate page and are not included in the terms of the Agreement. All Equifax would need to do would be to point to this clause and argue that its statements elsewhere about the arbitration agreement not applying are of no legal relevance.
In short, commentators who are criticizing Equifax's response seem to have a pretty good point. Signing up for Equifax's free (for a year) credit report monitoring service may result in a waiver of rights that the average consumer would not expect, and likely would not agree to if it were put into plain English.
All of this may end up being moot, however, as signing up for the credit monitoring service requires customers to give Equifax the last six digits of their Social Security numbers. Perhaps those willing to entrust Equifax with this information following a breach of this magnitude are willing to agree to just about anything, including a waiver of the right to trial and right to join in a class action.
[UPDATE: 9/11/2017]
I have revised the post above to add the link to the TrustedID Program Terms of Use, which I had not linked to in the original post. Additionally, at the time I wrote the initial post, the TrustedID Program's Terms of Use included an arbitration provision, albeit one that was less all-encompassing than the provision in Equifax's general Terms of Service Agreement. The TrustedID Program's Terms of Use have now been updated and no arbitration provision appears in these terms at all. The TrustedID Agreement contains integration clause near the end of the Agreement, which states, in pertinent part:
ENTIRE AGREEMENT BETWEEN US. This Agreement constitutes the entire agreement between You and Us regarding the Products and information contained on or acquired through this website or provided by Us, including through other linked third party Internet sites.
This may have the effect of fulfilling Equifax's promise that their arbitration provisions do not apply to the recent breach. Users affected by the breach could visit the webpage for the TrustedID Program without ever accessing Equifax's general website (say, by linking to the TrustedID page from the link in the post above). And while the broad terms of Equifax's general Terms of Use still apply, Equifax would probably have a harder time arguing in court that customers are bound to the general Terms of Use if those customers could have enrolled in the TrustedID Program without ever visiting (or being prompted to visit) a page containing or linking to Equifax's general Terms of Use.
In short, users looking to enroll in the TrustedID Program now have a much stronger argument that they have not agreed to arbitration and may still pursue claims in court, either as individuals or through a class action. Of course, I just checked the TrustedID page and it is still seeking the last six digits of my Social Security Number ... so users still must decide whether entrusting Equifax with this information following the breach is a prudent action to take.