Worried you may be affected by Equifax's massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But regulators are becoming concerned that the site could pose risks to consumers. As a result, you may want to think twice about using it. Here's why.
The website's terms of service potentially restricts your legal rights.
Sharp-eyed social media users have combed through the data breach site's fine print - and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:
AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
This language is commonly known in the industry as an "arbitration clause." In theory, arbitration clauses are meant to streamline the amount of work that's dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good - and the agency put in place a rule to ban them.
"In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right," Richard Cordray, the CFPB's director, told reporters in July, according to my colleague Jonnelle Marte.
For consumers affected by Equifax's breach, this is a live issue; there is already at least one class-action suit brewing against Equifax. Critics say that arbitration is problematic because it limits consumers' ability to find facts to support their case, a process otherwise known as discovery, to appeal decisions or to present their case before a jury.
Equifax didn't immediately respond to questions about the arbitration clause.
If the government is moving to bar arbitration clauses, then why is one in there?
Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.
The CFPB said Friday that Equifax's arbitration clause was "troubling" and that the agency is investigating the data breach and Equifax's response.
"Equifax could remove this clause so that consumers can receive this service without condition," the CFPB said in a statement.
The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Donald Trump to become official, but if it does, then the CFPB's regulation could be nixed.
On Friday, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.
"This language is unacceptable and unenforceable," the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the "black market," according to a person familiar with the investigation.
A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.
So should I register with the Equifax site, or not?
"If you do nothing, these rules don't apply to you," he said. But, he added, going to equifaxsecurity2017.com and entering your name and partial Social Security number does likely expose you to at least one of the two documents.
"Something applies to you," said Winston. "Whether that's the terms of service of TrustedID Premier, or Equifax's main terms of service, is unclear. But there's a very strong argument that some terms apply to you."
If you fall into this category, said Winston, then you have almost certainly waived your right to participate in any class-action suit related to the breach.
What about TrustedID Premier's FAQ?
This language may appear to limit Equifax's ability to block class-action lawsuits, said Winston, but don't be fooled.
Meanwhile, there's something else that you should know if you do decide to use Equifax's website to check if you were affected.
The site demands even more information from you to prove your identity.
To make sure that the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.
Is there anything else I can do?
You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit for free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.