Equifax data hack: What are your legal options? – CNET

Nearly half the US woke up Friday to find out their Social Security number might have been stolen, thanks to hackers who breached the database of a top credit monitoring service.

Equifax is one of three major credit monitoring companies, which victims of data breaches typically turn to for protection. Now it’s lost the Social Security numbers, names, addresses and birth dates of up to 143 million people in the US alone. Folks in Canada and the UK have also been affected.

About 209,000 people had their credit card information stolen as well. The Federal Trade Commission has advised people to monitor their accounts closely, and to place a fraud alert on all their files. The massive number of victims means a lot of questions.

Now Playing: Watch this: Equifax breach: Were you one of the 143 million affected?

Equifax has provided a tool for people to find out if they’re affected, but its usefulness has been questionable, with the company telling people who’ve entered fake names that they were hit by the breach. Equifax is also offering potential victims free credit monitoring and identity theft protection, but the terms of use for that program have caused confusion.

Don’t fret though. We’ve put together a guide for those who think they might’ve been nailed by the breach, and we’ll break down some of your legal options. 

What’s the deal with Equifax’s terms of use?

Equifax updated its Frequently Asked Questions on Friday afternoon and noted that the terms of use does not apply to its breach. 

Which means, yes, you can sue them, either in a class action lawsuit or on your own.

As a result of the hack, Equifax is offering free credit monitoring through its TrustedID Premier program. In the terms of use for that program, an arbitration clause says that by signing up to use TrustedID, you give up your right to sue in a class-action lawsuit (though you can still sue as an individual in a small claims court).

The free credit monitoring program that Equifax is offering potential victims comes with some legal restrictions. 

Michael Fuller

Equifax didn’t respond to requests for clarification on the terms, which the company adjusted Wednesday, a day before it announced the massive breach. 

On its website, Equifax added a statement writing that the “arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”

Tom Rohback, an attorney who focuses on data breach litigation, read through TrustedID Premier’s terms of use and said you’ll still be able to sue Equifax, despite agreeing to the TrustedID arbitration clause.

TrustedID Premier, while owned by Equifax, is a separate entity from its parent company, Rohback said, and the TrustedID terms of use serve to protect only the subsidiary company.

Equifax has its owns terms of use, which have an arbitration clause that protects the entire company. TrustedID Premier protects only itself, he noted.

“This agreement would only cover breaches committed by TrustedID, in its future monitoring,” Rohback said.

But Equifax has used its own terms of use to negate TrustedID’s loophole in the past, Michael Fuller, an attorney representing a class-action lawsuit out of Oregon said. For now he’s warning everybody involved against using TrustedID because of the arbitration clause.

“We have to assume that they’re going to enforce that provision,” Fuller said.

Peter Vogel, an attorney who also works for the American Arbitration Association, says Equifax’s clause might not stand up in court. That’s because the agreement is relatively hidden, Vogel said.

“The courts generally require that there be a click agreement,” Vogel said. There isn’t a click agreement for Equifax’s terms of service.  “You could make an argument that the arbitration provision won’t apply.”

That arbitration clause sounds suspicious

It should. In July, the Consumer Financial Protection Bureau decided to ban companies from using arbitration clauses, pointing out that it prevented a mass amount of people from taking legal action.

New York’s attorney general Eric Schneiderman wrote in a tweet that the arbitration clause was “unenforceable,” and that his staff has demanded that Equifax remove it. 

Is there any way out of this clause?

Equifax’s terms of service includes an escape clause for the arbitration.

According to the fine print, you have to write an opt-out notice within 30 days of agreeing to use their products, and send it to this address:

Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out

P.O. Box 105496

Atlanta, GA 30348

The letter must include your name, address, and Equifax User ID, along with a statement that you “do not wish to resolve disputes with Equifax through arbitration.”

So no one is suing Equifax yet?

Actually, there are two class-action lawsuits filed so far.

Fuller is representing two Oregon residents who filed a class-action suit on Thursday, claiming that Equifax failed to adequately protect the personal information of 143 million people. You can join the case by signing up on www.equifaxcase.com. The plaintiffs are seeking $70 billion in damages from Equifax over the breach.

Despite the massive payout, if successful, each victim would only receive $489, and that’s before legal fees. That’s how much your social security number, name, address and birthdate would be worth.

“It could be the largest class-action lawsuit ever filed,” Fuller said. “It involves almost half the country.” 

He’s gotten so many calls about the lawsuit that he started having to redirect people to their local attorney general’s office.

In Equifax’s home state in Georgia, two plaintiffs filed another class-action lawsuit against the company. The lawsuit claims that Equifax could have prevented the data breach, and failed to notify victims in a “timely manner.”

They are being represented by John Yanchunis, the lead counsel representing victims affected by Yahoo’s record-breaking breach, and has also represented data breach victims from Target and Home Depot’s hacks.  

“Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems,” Yanchunis said in a statement.

Is our government doing anything about this?

On Friday morning, House representative Ted Lieu (D-California) sent a letter to the House Judiciary Committee chair asking them to investigate the breach, and why it had taken more than six weeks for the company to go public with the announcement. 

Lieu is requesting that Congress call representatives from Equifax, TransUnion and Experian — the “Big Three” credit monitoring agencies — to testify on Capitol Hill about the breach and details on their cybersecurity.

Rep. Ted Lieu

Rep. Ted Lieu wrote a letter calling for an investigation on Equifax.

Bill Clark / Getty Images

Sen. Mark Warner (D-Virginia), the vice chair of the Senate Intelligence committee, criticized Equifax over its “profoundly troubling” breach and suggested new data protection policies for Congress to pass.

Equifax is also working with the FBI on the investigation.

In New York, the state attorney general’s office also announced a formal investigation into Equifax’s breach

Three Equifax executives, including its chief financial officer, sold shares in the company just three days after the breach was first discovered. The Securities and Exchange Commission did not comment on if it was investigating insider trading.

CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Updated at 12:45 p.m. PT: To include new details from Equifax’s website.

Leave a Reply

Your email address will not be published. Required fields are marked *