The terms of service for Equifax's credit monitoring service, TrustedID Premier, say that users give up their right to participate in a class-action lawsuit or arbitration.
Those who user TrustedID Premier do not give up their right to participate in a class-action lawsuit or arbitration against Equifax over the 2017 data breach.
After the credit-reporting company Equifax revealed on 7 September 2017 that a cyber-attack had exposed personal data for 143 million U.S. residents, the company promoted its service TrustedID Premier as a way for people to see if their information was stolen in the 29 July 2017 data breach.
But critics highlighted a clause in TrustedID's terms that required people enrolling in the service to forfeit their right "to bring or participate in a class action, class arbitration, or other representative action":
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
As of 8 September 2017, Equifax created a website, web site, EquifaxSecurity2017.com, addressing concerns over the issue, which stated that the cyber attack is not covered by TrustedID Premier's arbitration clause:
Do the TrustedID Terms of Use limit my options related to the cyber security incident?
The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.
New York state Attorney General Eric Schneiderman, whose office is investigating the data breach, said on Twitter that Equifax posted the statement "after conversations [with his] office."
We contacted Schneiderman's office seeking further comment but have yet to hear back. Equifax sent us a statement saying:
In response to consumer inquiries, we have made it clear that the arbitration clause and class action
waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity
incident.
However, other users have said that TrustedID's tool told them their data "may have been impacted" if they entered "test" as their last name and "123456" as the last six digits of their social security number. We entered the same number and "Smith" as a last name and got the same result. We contacted Equifax seeking comment but have not received a response.
The company was also criticized following reports that a trio of executives -- Chief Financial Officer John Gamble, U.S. Information Solutions President Joseph Loughran and Workforce Solutions President Rodolfo Ploder -- sold a combined $2 million in company stock on 1 August and 2 August 2017.
Equifax said that the three officials were unaware of the data breach at the time they sold their stock.
The company announced on 26 September 2017 that chief executive officer Richard Smith would resign from both that position and his role as the chairman of the company's board. Paulino do Rego Barros Jr. was appointed as interim CEO, while another board member, Mark Feidler, will serve as "non-executive chairman."
As of 27 September 2017, Smith was scheduled to testify before the Senate Banking Committee at a hearing concerning the data breach.