Equifax Sued Over Massive Breach; Company Criticized for Response to Theft


Within hours of Equifax — one of the nation’s three major credit bureaus — confirming that the records of some 143 million people had been compromised in a data breach, the company now faces a lawsuit accusing it of failing to protect its stockpile of sensitive consumer information. Meanwhile, some critics are saying that Equifax’s response to the breach may be causing more harm than good.

The potential class action complaint [PDF] was filed Thursday afternoon at a federal court in Oregon with two of that state’s residents as the named plaintiffs. It aims to represent others who may be “harmed by Equifax’s failure to adequately protect their credit and personal information.”

As a credit bureau, Equifax has a large amount of potentially sensitive data about hundreds of millions of Americans — personal information like addresses, phone numbers, driver’s licenses, and Social Security numbers; along with financial information on credit card accounts, loans, lines of credit, and more.

The plaintiffs say that, with this much data at its disposal, Equifax has a legal duty “to use reasonable care to protect their credit and personal information from unauthorized access by third parties.”

The lawsuit alleges that the breach resulted from negligence on the part of Equifax, claiming the company deliberately did not invest adequately in protecting consumer data.

When it confirmed the data breach, Equifax launched a site — EquifaxSecurity2017.com — containing information and a way for people to enroll in the TrustedID credit monitoring service, but a handful of problems are only making the waters murkier.

First, Equifax fails to clearly point out that TrustedID is actually an Equifax product. Consumers could be forgiven for not having much trust in a company that just admitted it failed to secure the data of 143 million Americans.

Second, signing up for TrustedID appears to lock you into the cruddy Equifax terms of service, which include a forced arbitration clause. What does that mean? It means that by signing up for TrustedID, you could inadvertently be signing away your right to sue Equifax in a court of law. Instead, you’d have to enter into private arbitration with the company.

The National Consumer Law Center is calling on Equifax to drop this clause from the terms of service for the credit monitoring. “Through those terms, Equifax is purporting to prevent affected customers from access to the courts or the right to join together with the other hundreds of millions of injured consumers to jointly pursue claims against Equifax,” writes NCLC in a statement released today.

There is a 30-day window to opt out of the arbitration clause. It’s buried in the terms of service.

[UPDATE: In a statement to Consumerist, a rep for Equifax clarifies that “the arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”]

It’s worth noting that the Consumer Financial Protection Bureau has finalized a new regulation that would have stopped Equifax from using this sort of anti-consumer arbitration clause, but Congress and the Trump administration — all backed by the nation’s largest lobbying group, the U.S. Chamber of Commerce — are currently trying to roll back those protections and allow companies like Equifax to potentially violate the law with impunity.

Finally, as Ars Technica points out, there are several technical issues with the EquifaxSecurity2017 site — like the fact that it’s running on a system that lacks the proper security you’d expect for a site where you’re asking users to enter sensitive data (just so they can find out if their sensitive data is being misused). Additionally, the EquifaxSecurity2017 URL isn’t registered to Equifax, but through a third-party company.

“[I]ts format looks like precisely the kind of thing a criminal operation might use to steal people’s details,” writes Ars’ Dan Goodin. “It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.”

(Updated with information from NCLC and the opt-out window for the arbitration clause. Subsequently updated with statement from Equifax.)


Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2017, Consumer Reports, Inc.
