by Scott Nelson
As Jeff noted earlier this morning, Equifax's offer of "complimentary" enrollment in "TrustedID Premier" to people potentially affected (and even people that it doesn't identify as potentially affected) by its data breach came with a catch: The TrustedID Premier terms and conditions include an arbitration clause and class action ban.
The terms require arbitration of claims relating to the agreement for TrustedID services and the products offered under that agreement (which include credit reports, credit monitoring, and identity theft insurance). Just how broadly that provision might extend is uncertain. As Justice Scalia once observed, everything relates to everything else. The provision's potential breadth immediately provoked concern (expressed here by Paul Bland) that Equifax might be intending to use it to squelch not only class actions aimed at the provision of the TrustedID services, but also cases aimed at imposing liability on Equifax for the underlying data breach.
Who knows what Equifax's original motives were, but it has now added to its "FAQ" page for consumers a statement that the arbitration provisions in the TrustedID terms don't apply to claims relating to the underlying data breach: "The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident."
It would have been outrageous for Equifax to take any other position, but that hasn't stopped other companies from relying on arbitration agreements to squelch legitimate claims (see Wells Fargo). So Equifax's clarification (or perhaps its second thoughts) are at least a step in the right direction.
But the TrustedID terms are still problematic in and of themselves. Not only do they bar arbitration and class actions over the services Equifax is offering to the victims of its data breach, but they also purport to immunize the company against liability if it provides those services negligently. How much faith should consumers place in services offered by the company when the company won't even commit to performing those services competently, and when it insists they waive their right to sue it if it ends up compounding their problems?
Equifax's arbitration agreement wouldn't even be legal if the compliance date for the CFPB arbitration rule had arrived, but the fact that the compliance date hasn't arrived is no reason for Equifax to foist another injustice on people already facing injury as a result of its security failures. The Washington Post reports that Equifax has now offered to let consumers opt out of arbitration if they enroll in TrustedID and then notify it in writing within 30 days that they don't want to be bound to arbitrate. But we know that most consumers won't notice the opt-out opportunity (especially those who enrolled before it was added), won't understand it, and won't opt out.
Rather than continuing to back and fill about the TrustedID arbitration provisions, Equifax might be well advised to follow the urgings of the New York Attorney General and the CFPB and get rid of them altogether. Pulling a fast one on consumers when you claim to be trying to help them is not the way to respond to this situation.
Meanwhile, there's another potential arbitration issue: Equifax.com's own terms and conditions for consumers who engage in any transaction on its site (like ordering a credit report from Equifax) say that the consumer agrees to arbitration and a class-action ban for any claim that relates in any way to their "relationship with Equifax." That provision is much broader than the TrustedID clause, and Equifax may well contend that it bars anyone who's entered into any transaction with it on its website from suing over the data breach.
Fortunately, most of the 143 million potentially affected consumers have never engaged in any transaction with Equifax or agreed to anything with it, so they wouldn't be covered by those terms. Even for those who did, the terms may not have been prominently enough disclosed to bind consumers. And seeking to enforce this arbitration agreement as to the data breach might exceed even the very broad scope of the Federal Arbitration Act, because neither Equifax's possession of consumer data nor the breach arises in any way from the contract that contains the arbitration agreement.
But those kinds of considerations generally don't stop companies from relying on arbitration agreements, and if Equifax gets drawn into high-stakes litigation I'm guessing that the arbitration agreement in the terms and services will come into play unless Equifax is persuaded to disavow it.
I keep going back to Equifax's CEO's statement that the situation is "disappointing." That arbitration clauses and class action bans have come into play certainly adds to my disappointment.
I'm reminded of the line from The Princess Bride: "Get used to disappointment."
