Equifax caught stealing legal rights from victims of the Equifax breach

“Money talks. Justice walks.”

The credit reporting agency Equifax, Inc. announced this week that it accidentally allowed the identities of 143 million Americans to be breached by hackers. The data exposed by Equifax includes full names, social security numbers, birthdays, and addresses of adults and children.

For the 143 million victims of this Equifax breach, the company is offering one year of “free” credit file monitoring and identity theft protection provided by the Equifax subsidiary TrustedID. But Equifax Inc. is actually using the TrustedID Terms of Service contract to steal fundamental legal rights from millions of victims of its own breach. Accordingly, victims of the Equifax breach are warned against consenting to the TrustedID Terms of Service contract.

Equifax, Inc. owns and operates the credit file monitoring and identity theft protection service TrustedID. Customers of TrustedID must agree to the contractual Terms of Service and Privacy Policy upon enrollment in TrustedID. The three most harmful provisions of the TrustedID Terms of Service that take legal rights from victims are: (1) Limitation of Liability; (2) Applicable Law; and (3) Arbitration of Claims and Class Actions.

(1) Limitation of Liability

The “Limitation of Liability” section of the TrustedID Terms of Service is essentially a “get out of trouble for free” clause for Equifax.

Agreeing to the TrustedID Terms of Service establishes a contract between the breach victim (“You”) and Equifax’s TrustedID, its “Directors, Officers, Agents, Employees, Suppliers, Licensors, Affiliated Companies, or Affiliated Credit Bureaus (“Affiliated Person(s)”).

By consenting to this contract, “You” promise and agree that neither TrustedID, nor any of its “Affiliated Persons” (including Equifax, Inc.) will be liable to “You” (or any of your minor children) for “any loss or injury arising out of or caused, in whole or part, by any negligent acts or omissions of any such person in preparing, reporting or delivering the products, providing authentication services, or in doing anything related thereto.” This is a broad release of breach liability against Equifax, Inc.

Even more overreaching, the “Limitation of Liability” provision warns that neither TrustedID nor “Affiliated Persons” will be liable to “You” (or your minor children) for “direct, special, indirect, incidental, consequential, punitive or emotional distress damages (including but not limited to lost profits or opportunities, business interruption and loss of programs or data)” in connection with any use of information provided by Equinox’s TrustedID found at this website or “provided by us” at this website or “through any other medium.”

In plain language, Equifax breach victims that enroll in Equifax’s TrustedID Premier “credit file monitoring” service lose all legal claims for monetary damages against Equifax Inc. related to this massive data breach.

(2) Applicable Law

The “Applicable Law” section of the TrustedID Terms of Service uses mandatory arbitration to steal the legal rights of breach victims to bring claims in a court of law, demand trial of Equifax by jury, and to appeal any judgment. As has been demonstrated over and over again, mandatory arbitration harms individuals and allows companies to evade responsibility for wrong-doing.

Specifically, the “Applicable Law” clause requires that the Federal Arbitration Act (“FAA”), “shall govern the arbitrability of all Claims between You and Us.” This even includes “any and all claims or disputes” about the validity and enforceability of the arbitration provision itself.

In short, Equifax breach victims that enroll in Equifax’s TrustedID Premier “credit file monitoring” service lose all access to the courts and fundamental legal rights, including discovery, trial by jury, and appeals of judgment.

(3) Arbitration of Claims and Class Actions

Adding insult to the injury of Equifax breach victims, the individual “Arbitration” of claims and class actions section of the TrustedID Terms of Service forces victims to pursue each claim individually.

The “Arbitration” provision requires that, “arbitration will be conducted as an individual arbitration… No arbitration will be consolidated with any other arbitration proceeding.” Put plainly, the 143 million victims cannot join forces and arbitrate their claims against Equifax Inc. as a class. They must each pursue arbitration on their own, at their own personal cost and expense.

Each arbitration is its own little secret proceeding. 143 million victims are prohibited from sharing information with each other or benefiting from the legal work of other victims to hold Equifax Inc. accountable for this breach. As so plainly oppressive against victims rights, Equifax Inc. purposefully designed this contractual provision to discourage and destroy any meager possibility of widespread consumer recovery, even in arbitration.

Critically, the “Arbitration” provision further demands that, “this class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”

Through the use of these two sentences in the TrustedID Terms of Service contract, Equifax Inc. is empowered to steal fundamental legal rights from breach victims for any claims that already occurred or existed in the past. This includes all claims that may result from Equifax’s breach of 143 million identities of adults and children.

Equifax Breach Victims Beware

The Terms of Service of Equifax’s “free” TrustedID Premier “credit file monitoring” service establishes a binding legal contract that steals fundamental legal rights from Equifax breach victims.

Equifax Inc.’s offering of its own TrustedID Premier service as “free credit file monitoring” for Equifax breach victims is, at best, deceptive, and, at worst, criminal. Until Equifax Inc. eliminates these three harmful provisions from its TrustedID Terms of Service, individual victims of the Equifax breach should not consent or enroll.

Instead, breach victims should institute a “security freeze” (aka, “credit freeze”) to lock down your credit files at the four major credit bureaus (Equifax, Experian, TransUnion, and Innovis). Information on how to file a security freeze is available here.

In addition to credit file information, breach victims should be aware that the Equifax Inc. databases also hold information about their residential, employment, and salary histories.

According to NBC News, “the Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.”

Some of the sensitive information in this little-known Equifax database, operated through an Equifax-owned company called The Work Number/ TALX, was breached earlier this year. “Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.”

Equifax’s The Work Number/ TALX sells income and employment history information about consumers to lenders, pre-employment screeners, and others for use in determining their eligibility for credit, employment, or other purposes, which makes it a consumer reporting agency subject to the Fair Credit Reporting Act (FCRA).

In 2009, TALX Corporation, a subsidiary of Equifax Inc., has agreed to settle Federal Trade Commission (FTC) charges that it, “violated federal law by failing to provide certain disclosures to users of their consumer reports and to entities that provide information for consumer reports.”

At this time, its unclear if personal employment and salary data from The Work Number/ TALX was taken in this most recent Equifax breach of 143 million identities. Information on how to request an annual consumer file disclosure from Equifax’s The Work Number/ TALX is available here.

Related Stories:

About the Author:

Joel Winston, Esq. is a New York-based attorney specializing in privacy law and commercial litigation. He also provides data protection and regulatory compliance counsel to technology entrepreneurs and early-stage ventures. Joel is a former deputy attorney general for the State of New Jersey and previously served the Department of Justice, Office of the U.S. Trustee, in Manhattan.