Approximately 143 Million Americans’ Identities Released in Equifax Data Breach
Current Equifax Agreements Limit Consumer Ability to Pursue Class Action Lawsuits
WASHINGTON, D.C. –U.S. Senators Mazie K. Hirono, Al Franken (D-Minn.), and Catherine Cortez Masto (D-Nev.) called on Equifax—the credit bureau that recently made public a data breach affecting 143 million Americans—to completely end its use of forced arbitration agreements, which limit the ability of consumers to pursue actions in public courts in response to corporate wrongdoing.
In a letter sent today, Senator Hirono and 19 Senate Democrats pressured Equifax CEO Richard Smith to drop support for and the use of forced arbitration clauses in consumer agreements.
“Forced arbitration provisions in consumer contracts erode Americans’ ability to seek justice in the courts by forcing them into a privatized system that is inherently rigged against consumers and which offers virtually no way to challenge a biased outcome. Forced arbitration clauses, like the one that appeared in the TrustedID Terms of Use, require consumers to sign away their constitutional right to seek accountability in a court of law,” wrote the Senators. “Although Equifax has since removed the clause from the TrustedID Terms of Use – a move we applaud – we are concerned that the company may still support the use of forced arbitration more broadly.”
The Senators also called on Equifax to clarify its position on a new rule from the Consumer Financial Protection Bureau (CFPB) to limit the use of forced arbitration in the financial services sector.
Equifax, one of the three biggest credit bureaus in the United States, gathers and stores personal information ranging from Social Security numbers to home addresses and tracks the consumer financial information—like loans and credit card payment history—that serves as the basis for Americans’ credit scores. Late last week, Equifax broke the news that their databases were breached in a massive cybersecurity attack earlier this summer, compromising the sensitive information of approximately 143 million Americans.
Shortly after the announcement, several news reports revealed that the terms of use for Equifax’s credit monitoring and identity theft product TrustedID, offered to those affected by the breach, included a clause that forces wronged consumers into private arbitration proceedings and limits the ability of Americans to band together in class-action suits against Equifax. Due to public pressure, Equifax scrapped that TrustedID arbitration clause. But disturbingly, Equifax’s overarching terms of service—which covers all of its websites and services—still includes a similar clause.
The letter, which you can read below or by clicking here, was also signed by Sens. Tom Udall (D-N. Mex.), Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Jack Reed (D-R.I.), Elizabeth Warren (D-Mass.), Dick Durbin (D-Ill.), Bob Menendez (D-N.J.), Tammy Baldwin (D-Wis.), Mark Warner (D-Va.), Sherrod Brown (D-Ohio), Ron Wyden (D-Ore.), Heidi Heitkamp (D-N. Dak.), Cory Booker (D-N.J.), Patty Murray (D-Wash.), Patrick Leahy (D-Vt.), Chris Van Hollen (D-Md.) and Martin Heinrich (D-N. Mex.).
September 11, 2017
Mr. Richard F. Smith, CEO
Equifax, Inc.
Dear Mr. Smith:
We are writing to request information on Equifax’s announcement that 143 million U.S. consumers may have had their personal data compromised, as well as Equifax’s initial inclusion of a pre-dispute, mandatory (“forced”) arbitration clause in the Terms of Use agreement for TrustedID Premier – Equifax’s identity theft protection product. In response to significant public outcry regarding Equifax’s apparent attempt to retroactively limit liability for the breach by forcing potential consumer complaints into individual arbitration proceedings, the company took the very important step of removing the arbitration clause from the TrustedID agreement.
While we appreciate Equifax’s speedy response, the breach, as well as the public reaction to the company’s use of forced arbitration, underscore the need for the Consumer Financial Protection Bureau’s (CFPB) recently finalized rule that would prospectively limit the use of forced arbitration clauses and reopen the courtroom doors for consumers. As such, we ask that you clarify your position on the CFPB’s rule, and whether, in the wake of this unprecedented breach of consumers’ personal and financial information, your company supports legislation that would deny consumers access to a court of law.
Last week, Equifax announced that between mid-May and July of this year, cyber criminals gained access to certain Equifax files, including the personal information of potentially 143 million U.S. consumers. Specifically, “[t]he information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” In response, Equifax offered “complimentary” access to TrustedID Premier, which purports to help consumers determine if their personal information was impacted and provides them with credit monitoring and identity theft protection. Unfortunately, the TrustedID Premier Terms of Use included a forced arbitration agreement providing that all legal claims “arising from or relating to the subject matter” of the agreement must be settled by individual arbitration – a clause that has since been removed.
Forced arbitration provisions in consumer contracts erode Americans’ ability to seek justice in the courts by forcing them into a privatized system that is inherently rigged against consumers and which offers virtually no way to challenge a biased outcome. Forced arbitration clauses, like the one that appeared in the TrustedID Terms of Use, require consumers to sign away their constitutional right to seek accountability in a court of law. These clauses also frequently include a prohibition on participation in a class action, language which strips consumers of the right to band together with other consumers to challenge widespread wrongdoing or illegal acts.
In the current context, Equifax’s arbitration clause could have prevented those who accessed Equifax’s “free” TrustedID Premier product to verify whether they were affected by the data breach from banding together with others affected to seek justice in a court of law. The effects of the breach are not yet widely known, but it is foreseeable that consumers could have claims related to breaches of statutory and common law duties to safely store and continually secure consumers’ personal and financial data. Although Equifax has since removed the clause from the TrustedID Terms of Use – a move we applaud – we are concerned that the company may still support the use of forced arbitration more broadly.
Indeed, Equifax’s Product Agreement and Terms of Use on its main site continues to include a forced arbitration clause preventing class actions. The product agreement states that it “contains the terms and conditions upon which you may purchase and use products through the www.equifax.com, www.identityprotection.com and www.idprotection.com websites and all other websites owned and operated by Equifax.”[3] Given that the TrustedID website is owned and operated by Equifax, we urge you to remove the offending clause from the landing page’s product agreement as well. Consumers who are rightfully concerned about their financial wellbeing deserve the certainty of knowing that using the TrustedID Premier product – even just to determine if their information has been compromised – won’t be surrendering constitutional rights and effectively immunizing Equifax from accountability. At the very least, Equifax must explicitly state that the arbitration clause does not and will not govern any claims arising out of the breach that occurred between May and July of this year.
Moreover, Equifax is currently lobbying the United States Senate related to the CFPB’s rule that would prospectively limit the use of forced arbitration clauses.[4] Presumably, Equifax is seeking to reverse the CFPB’s rule and limit their liability via repeal legislation, S.J. Res 47. We therefore ask that Equifax clarify its position on this legislation following the breach. We are hopeful that Equifax will use this unfortunate event to reconsider its broader support of pre-dispute, forced arbitration.
Thank you for your prompt attention to this important matter.
Sincerely,
###