The credit reporting agency Equifax Inc. faces enormous national backlash and future scrutiny after revealing one of the largest data breaches in the United States, one that potentially affects nearly half of the country's population.
The company's revelation that personally identifiable information for some 143 million consumers was stolen in a cyberattack will lead to a wave of class actions across the country; early suits were filed in Georgia, where the company is based, and in Oregon. The New York Attorney General's Office launched an investigation.
The website Equifax set up to help consumers determine whether their sensitive personal information was exposed came with a catch: To join Equifax's free identity theft protection program, consumers were required to agree to terms of service that included an arbitration clause that would prevent them from joining class actions against the company.
After coming under criticism on social media, Equifax updated the terms of service Friday morning to allow consumers to exclude themselves from the arbitration provision by notifying the company within 30 days of signing the agreement.
Equifax was taking advantage of a window that is closing by the day: On Sept. 18, the company will be subject to a Consumer Financial Protection Bureau rule that would bar class action waivers from arbitration agreements in the banking and finance industries. The rule, which Equifax and others in the credit-reporting industry contend should not apply to them, would apply to contracts entered into on or after March 19, 2018.
A spokesman for the CFPB assailed Equifax for its move to include an arbitration agreement for consumers harmed by the breach.
"Equifax's credit monitoring product contains a mandatory arbitration clause that denies people their right to join together to sue the company for wrongdoing. It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company's breach put their personal information at risk," CFPB spokesman Sam Gilford said in an email. "Equifax could remove this clause so that consumers can receive this service without condition."
A company spokesperson also was not immediately reached for comment.
"We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations," Equifax chairman and chief executive Richard F. Smith said in a statement Thursday. "We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
Scott Nelson of Public Citizen, writing Friday at the group's Consumer Law & Policy blog, said: "Equifax's arbitration agreement wouldn't even be legal if the compliance date for the CFPB arbitration rule had arrived, but the fact that the compliance date hasn't arrived is no reason for Equifax to foist another injustice on people already facing injury as a result of its security failures."
Equifax's Lobbying Blitz
Last year, when the CFPB was accepting comments on the arbitration rule, the chief trade association for the credit reporting lobby pushed to spare the industry from the ban on class action waivers.
The Consumer Data Industry Association argued in an August 2016 letter that the CFPB lacked authority to apply the arbitration rule to credit reporting agencies and credit monitoring products offered by them. The letter, signed by the association's president and CEO, Stuart Pratt, and sent to the CFPB by Covington & Burling partner David Stein, argued that the arbitration study that gave rise to the rule did not support extending the prohibition on class action waivers to credit reporting agencies.
"There are critical gaps in the CFPB's arbitration study that deprive the CFPB of the legal authority to apply the proposed arbitration rule to [credit reporting agencies] or their affiliates offering or providing [direct-to-consumers] credit monitoring products or to [credit reporting agencies] more generally," the Consumer Data Industry Association wrote. The letter to the CFPB said the agency in its market studies didn't look at the consumer reporting industry.
The rule is in the hands of the Senate, which could spike the regulation under the Congressional Review Act, a legislative tool Republicans have used this year to undo more than a dozen Obama-era policies.
Consumer advocates on Friday hammered Equifax for tucking an arbitration clause into the free credit monitoring service it is offering consumers. "It is despicable that Equifax would exploit consumers' need for identity theft monitoring to avoid accountability for this devastating breach," said Amanda Werner, the arbitration campaign manager for the advocacy groups Public Citizen and Americans for Financial Reform. "Perhaps more despicable, at this very moment, U.S. senators are weighing legislation to take away our right to hold companies like Equifax accountable in court."
Lobbying against the CFPB's arbitration rule was one of a host of issues the company reported in federal records. Those records show Equifax spent $500,000 this year on issues including data security and breach notification, cybersecurity and threat information sharing, the CFPB's consumer complaint database and arbitration rule, and liability under the Fair Credit Reporting Act, or FCRA.
The company supports the FCRA Liability Harmonization Act, a bill introduced in May that would cap class action damages under the Fair Credit Reporting Act and end punitive damages. U.S. Rep. Barry Loudermilk, R-Georgia, sponsored the bill. His office said numerous business advocates, including the U.S. Chamber of Commerce, Financial Services Roundtable, Consumer Data Industry Association and the American Bankers Association, support the legislation.
Equifax's potential liability under the Fair Credit Reporting Act will be tested in the lawsuits that are emerging around the country. A case in Atlanta federal district court, filed hours after Equifax alerted the public about the data breach, seeks statutory damages under the Fair Credit Reporting Act.
Equifax, according to the complaint, acted willfully and recklessly because it knew or should have known about its legal obligations regarding data security and data breaches under the FCRA.