Imagine for a moment that you were Equifax, forced to disclose to 143 million US consumers that their sensitive personal information had been compromised in a data breach that took place from mid-May to July. It is an unenviable position to be in. You would, of course, issue a public apology, as chairman and CEO Rick Smith did in an online video. You would also attempt to make some sort of amends, which Smith said Equifax was doing by taking the “unprecedented step” of offering complimentary identity theft protection and credit monitoring to every US consumer.” You might also try to make sure people don’t sue:
YOU MUST ACCEPT THIS AGREEMENT, INCLUDING ITS “ARBITRATION” SECTION BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR, USE OR PURCHASE ANY PRODUCT. BY REGISTERING ON THIS WEBSITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.
The terms associated with enrolling in TrustedID are not found by checking one of those boxes that are so common on the internet, asking you to read and agree to the conditions of service, but by clicking a link in small, white font at the very bottom of Equifax’s website devoted to the breach, equifaxsecurity2017.com. It is entirely possible to sign up for TrustedID Premier—a process that requires entering your last name, the last six digits of your social security number, and verifying that you are “not a robot”—without ever coming across these terms of service. (In the legal world, this is known as “browsewrap” arbitration compared to the more recognizable “clickwrap” arbitration.) It is even possible to sign up for TrustedID Premier by entering entirely fake information. The terms, effective Sept. 6, or the day before Equifax disclosed the data breach, take effect once you register all the same.
“They’re posturing this as a good thing for consumers, being kind to consumers, being generous, and then it turns out that there’s this language in it that means in all likelihood you couldn’t be part of a lawsuit,” Paul Bland, executive director at consumer advocacy organization Public Justice, said in a phone interview. “To me it suggests that rather than being a sincere effort to help consumers and repair the damage that they caused, instead what they’re doing is setting up a ploy to get consumers to sign away their rights.”
That same statement has since been added to an FAQ section on the site addressing the breach, with New York attorney general Eric Schneiderman writing on Twitter that Equifax made the clarification after “conversations [with] my office.” Earlier in the day, Schneiderman said that he is investigating Equifax’s data breach and called the arbitration language “unacceptable and unenforceable.”
Class-action waivers have become standard practice in business, with all-caps clauses asking you to agree to binding arbitration proliferating. We give up our right to class-action lawsuits when we send money on PayPal, stream videos on Netflix, rent a car from Enterprise, or get cellphone service from Verizon. In 2014, multibillion-dollar food corporation General Mills famously asked consumers to agree to binding arbitration when they downloaded coupons for General Mills products.
For companies, a class-action waiver is a quick way to head off petty, expensive, and time-consuming lawsuits, like a fraud claim brought in the 1990s against Milli Vanilli, a German duo caught lip-syncing on their best-selling album. (“The court hopes that this humble controversy will soon come to an end,” the judge reportedly said in his opinion in the case, “and the courts of this and other jurisdictions can devote their time to the resolution of controversies of a more significant social and economic nature.”) For consumers, however, class-action waivers can be a quick route to disempowerment, preempting challenges to practices like wage theft, employment misclassification, and predatory lending.
Equifax’s arbitration provision was spotted yesterday by some savvy internet users and has since become the subject of much outrage. This is understandable. People are frighteningly apathetic about their privacy, but they still don’t like being told that their names, social security numbers, addresses, birth dates, driver’s license numbers, and credit card numbers may have been seized in mass by enterprising cyber criminals, as happened with Equifax. They like it even less when the relief that company offers is later outed as an apparent ruse to curb potential lawsuits. Unlike the consumers who sacrifice their legal rights in exchange for PayPal’s convenience, Netflix’s entertainment, Enterprise’s cars, or Verizon’s mobile services, the people affected by the Equifax hack also never asked for the company to acquire their data. Equifax simply obtained this information by virtue of being one of the three biggest credit rating agencies.
Despite Equifax’s walkback, the move only served to upset an already volatile situation. US senator Elizabeth Warren, a vocal consumer rights advocate, chastised Equifax for the class-action waiver on Twitter. US senator Sherrod Brown called for Equifax to “remove forced arbitration from TrustedID immediately” and “not take advantage of customers they put at risk.” The Consumer Financial Protection Bureau called the clause “troubling” and said it is investigating Equifax’s response.
Bland said Equifax’s apparent effort to strip consumers of their right to sue was brazen even by normal corporate America’s standards. “I would think that having screwed something up of this magnitude, that they would actually try to make it better,” he said. But, he added, challenged by consumers in most courts in the US, the provision probably would have held up.