by Jeff Sovern
I'm still trying to make sense of the arbitration situation in connection with the Equifax breach. Here is how I see it at the moment. Comments welcome.
Our story so far: after hackers invaded the Equifax database, Equifax set up a web site (that is the current version of the web site; it has been changed since yesterday) so consumers could determine whether their data had been hacked. To do so, consumers had to enter their last name and the last six digits of their Social Security Number (this Times story implies that no matter what you type, you will be told you may have been affected though when I tried it, I was told my data was not affected so that appears not to be so). Equifax also offered free credit monitoring for a year. The Equifax web site had at the bottom in small print the phrase "Terms of Service." Clicking that yesterday took you to a document running nearly 14,000 words and containing an arbitration clause. This led to an uproar as critics accused Equifax of imposing an arbitration clause on people who merely wanted to learn whether their data had been affected. At some point yesterday Equifax modified its breach landing page to say that its arbitration clause did not apply to people checking to see if their data had been compromised:
NO WAIVER OF RIGHTS FOR THIS CYBER SECURITY INCIDENT
Clicking on the Terms of Service link at the bottom of that page takes you to a page that does not include an arbitration clause. However, the terms of service as of yesterday when I checked did not contain that exclusion.
A separate Experian FAQ, as Scott reported, was also modified to include the following statement:
Based on that, you would agree to arbitration and the accompanying class action waiver if you accept the free credit monitoring. I can't tell for certain that the credit monitoring includes an arbitration clause because when I attempted to explore further, I was told I couldn't sign up for the free credit monitoring until 9/14; the page that told me so links to the TOS without the arbitration clause but that may not be the TOS that governs the free credit monitoring.
So let's suppose someone signs up for the credit monitoring and is subject to the an arbitration clause, as implied by the FAQ. And let's also assume that the arbitration clause reads the same as it did yesterday. Here's is some of what it says:
Any Claim (as defined below) raised by either You or Equifax against the other shall be subject to mandatory, binding arbitration. As used in this arbitration provision, the term "Claim" or "Claims" means any claim, dispute, or controversy between You and Us relating in any way to Your relationship with Equifax, including but not limited to any Claim arising from or relating to this Agreement, the Products or this Site, or any information You receive from Us, whether based on contract, statute, common law, regulation, ordinance, tort, or any other legal or equitable theory, regardless of what remedy is sought. * * *The term "Claim" shall have the broadest possible construction, except that it does not include any claim, dispute or controversy in which You contend that EIS violated the FCRA. Any claim, dispute, or controversy in which You contend that EIS violated the FCRA is not subject to this provision and shall not be resolved by arbitration.
That would clearly apply to disputes involving the credit monitoring. And I think we can take the web site at its word that it wouldn't apply to the breach (but not everyone is certain of that, at least as of the version of the web site as it appeared early yesterday) and therefore if you signed up for the credit monitoring, you still wouldn't be subject to arbitration as to the breach but would be as to the credit monitoring service. But what else does it apply to? Suppose there's another Equifax data breach? A second breach may seem far-fetched–but so did the first one. Could Equifax prevent you from being part of a class action as to that breach if you sign up for the credit monitoring? The exclusion refers specifically to "this cybersecurity incident," implying that other breaches are not excluded. The definition of claims is broad in some respects ("any claim, dispute or controversy") but less so in others ("relating in any way to Your relationship with Equifax"). Does a later data breach arise from your relationship with Equifax? The Cambridge English Dictionary defines "relationship" in part as "the way in which things are connected or work together." Could Equifax successfully argue that it is connected to and works together with consumers on whom it maintains files and whose information is sought so that they can obtain credit? (I'm less troubled about claims in which the consumer argues that Equifax has reported incorrect information about them or disclosed information about them for an improper purpose because (1) those claims arise under the FCRA, and FCRA claims are explicitly excluded from the arbitration clause; and (2) I suspect that those claims would not satisfy the "commonality" requirement for class actions and so would not be heard in a class action anyway).
Then there's the whole proof issue. Once you sign up for the free credit monitoring, if it includes an arbitration clause and you are the subject of an identity theft, how do you show that the breach led to the theft rather than something arising out of your relationship with Equifax? It's not as if identity thieves typically testify about how they obtained the information. Again, that would be less likely to be heard in a class action, but conceivably other disputes could arise. I would rather not spend my time trying to anticipate what problems I could have with Equifax. Scott wrote about other problems with the arbitration clause yesterday.
In any event, unless Equifax drops its arbitration clause as to the credit monitoring service, or someone persuades me otherwise, i don't think I'm going to keep my appointment to sign up for the credit monitoring service. Sometimes the most expensive items are the ones billed as "free."