Equifax Is Trying To Make Money Off Its Massive Security Failure

The fine print in its "free" service for hack victims indicates they'll have to pay later.

UPDATE: Sept. 11 ― In a reversal, Equifax said in a statement Monday morning that the company wouldn’t require credit card information from victims of the company’s data breach who sign up for its free service.

“We are not requesting consumers’ credit card information when they sign up for the free credit file monitoring and identity theft protection we are offering to all U.S. consumers,” the company said in a statement on its website. “Consumers who sign up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of TrustedID Premier.”

Equifax had quietly removed information about charges and fees from its “terms of use” over the weekend.


WASHINGTON ― The credit monitoring company that let criminals steal personal information pertaining to nearly half the U.S. population is offering free credit monitoring to those affected ― but there’s a catch.

Victims of the Equifax security breach who sign up for the company’s “complimentary” service will only get one free year. After that, unless they proactively cancel, they may have to pay. The terms of use say customers must have internet access and a credit or debit card to sign up.

“We will not bill You until the free trial period has expired and provided that You have not yet cancelled your trial membership,” say the terms, dated Sept. 6. “In the event that You wish to continue Your membership beyond the trial period, do nothing and Your membership will automatically continue without interruption and We will begin billing You via the payment source You provided when you signed up for the free trial.”

Robert Weissman, president of the consumer watchdog Public Citizen, said, “It appears that the company thinks one of the worst data breaches in history is a marketing opportunity. Instead of trying to rip people off with new hidden charges and trick consumers to give up their rights it might be a better idea to actually remedy the harm.”

A spokesperson for Equifax did not immediately respond to a request for comment about the free service.

Equifax, one of three large credit reporting companies, suffered a data breach affecting 143 million Americans in July.
Equifax, one of three large credit reporting companies, suffered a data breach affecting 143 million Americans in July.
Dado Ruvic / Reuters

Customers also must agree to settle disputes outside of court in an extremely business-friendly format known as arbitration.

Consumer advocates describe the arbitration clause as a straightforward ripoff for the 143 million Americans whose Social Security numbers and addresses are now in the hands of criminals thanks to a breach earlier this year. Though it discovered the breach in late July, Equifax publicly announced the news on Thursday.

“At this point it’s very clear that Equifax is trying to use this massive data breach as an excuse to profit, which is just appalling behavior,” said Amanda Werner, the campaign manager at Americans for Financial Reform. “I can’t even put into words how awful this behavior is.”

As Equifax explains in the terms of use, customers using its products are subject to mandatory, binding arbitration. “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”

Weissman said that the arbitration clause attached to the free credit monitoring service covers only the credit monitoring service offered and not the overarching breach of data. Still, if Equifax failed to inform a customer ― a victim of the hack, say ― that their identity had been compromised and was being used without their knowledge, by signing up for their free credit monitoring offer and thus agreeing to the arbitration clause, they would have waived the right to sue over this failure outside of arbitration.

However, Equifax also requires consumers who have requested their credit score directly from the company in the past to have agreed to an arbitration clause that could cover the breach.

“If you’ve been an Equifax customer, they will claim that you have agreed to an arbitration provision,” Weissman said.

A company spokesman said the arbitration only applied to the free credit monitoring, not the cybersecurity breach.

Equifax, along with Experian and TransUnion, are the three largest companies that track credit histories of everybody who takes out a loan or signs up a credit card, creating proprietary “scores” that help lenders evaluate a potential borrower’s ability to pay.

The companies are notorious for charging access for the information, which by law is available to consumers for free once a year. Experian has been fined multiple times by the Federal Trade Commission for tricking consumers with false promises of “free” credit reports that wound up costing money.

The Consumer Financial Protection Bureau, headed by Richard Cordray (pictured), issued new rules limiting mandatory arbitration. Republicans are pushing bills to overturn the rules.
The Consumer Financial Protection Bureau, headed by Richard Cordray (pictured), issued new rules limiting mandatory arbitration. Republicans are pushing bills to overturn the rules.
Bloomberg via Getty Images

Companies often require consumers to use their products or services if they waive their right to pursue class action lawsuits and enter into direct arbitration with the business if they seek a legal redress to a wrong.

In the case of Equifax, everyone who signs up for the free credit monitoring the company is offering to the 143 million people whose data has been compromised is waiving their right to join in a class action suit if something goes wrong with the credit monitoring.

The insertion of arbitration clauses into dense terms of service contracts that consumers rarely read has exploded in the past six years. In 2011, the Supreme Court upheld a forced arbitration provision inserted into AT&T contracts in a divided 5-4 ruling. This was one of many tightly divided decisions in recent years where the conservative majority on the court ruled in favor of corporate rights to force consumers into arbitration.

In the face of the corporate tilt of the Supreme Court, the Consumer Financial Protection Bureau, the financial watchdog agency created by the 2010 Wall Street reform legislation, recently announced a new rule against mandatory arbitration clauses disallowing class action lawsuits. But Republicans in Congress have vowed to strike the rule.

The new CFPB arbitration rule is scheduled to take effect on Sept. 18. House Republicans, however, already passed a resolution in July that would block the implementation of the rule. Republicans in the Senate have introduced similar legislation, but have not yet voted on it. That legislation is not subject to a filibuster and would therefore only require 50 votes to pass in a chamber with 52 Republican senators.

Additionally, congressional Republicans are pushing legislation introduced by Rep. Barry Loudermilk (R-Ga.) that sides with the credit reporting companies. Loudermilk’s bill would place a $500,000 cap on punitive damages for consumers who have been wronged. In an ironic twist, the House Financial Services Committee held a hearing on Loudermilk’s bill on Thursday ― the same day Equifax revealed the breach of consumer data.

Popular in the Community


What's Hot