A classic study in mass panic
This is most likely NOT true.
After reading the ToU myself and asking 4 different attorneys for clarification, I was told in no uncertain terms that it was incredibly unlikely that this could be used to protect Equifax from a Class Action lawsuit vis-a-vis it’s security breach. The reason is right in the ToU itself (which you can see in full here).
Here’s the important parts(emphasis in italics is mine):
YOU MUST ACCEPT THIS AGREEMENT, INCLUDING ITS “ARBITRATION” SECTION BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR, USE OR PURCHASE ANY PRODUCT. BY REGISTERING ON THIS WEBSITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.
PROVIDERS OF PRODUCTS. TrustedID, Inc. provides the Products. TrustedID, Inc. obtains certain Product features from other companies, including obtaining credit Product features from Equifax Consumer Services LLC. TrustedID, Inc. may also partner with other companies (“Suppliers”) to provide Products or Product features to you or sell you a Product provided by a Supplier. Suppliers are included in references in this Agreement to “we”, “us” and “our”. [This last sentence is for other products like credit reports from Equifax, not the monitoring]
ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.
Except as otherwise expressly provided in this Agreement, all claims, disputes, or controversies raised by either You or TrustedID, Inc. arising from or relating to the subject matter of this Agreement or the Products (“Claim” or “Claims”) shall be finally settled by arbitration in the county (or parish) where you live or where You and TrustedID, Inc. otherwise agree using the English language in accordance with the Arbitration Rules and Procedures of JAMS then in effect, by one commercial arbitrator with substantial experience in resolving complex commercial contract disputes, who may or may not be selected from the appropriate list of JAMS arbitrators.
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
If the parties cannot agree upon the identity of the arbitrator within fifteen (15) days following the date, then a single arbitrator shall be selected on an expedited basis in accordance with the Arbitration Rules and Procedures of JAMS. Any arbitrator so selected shall have substantial experience in complex commercial contract disputes. Judgment upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. Notwithstanding the foregoing, each party shall have the right to institute injunctive or other forms of equitable relief at any time in any court of competent jurisdiction.
This agreement to arbitrate involves interstate commerce and is made pursuant to the Federal Arbitration Act, 9 U.S.C. sections 1-16 (the “FAA”). Any claim or dispute as to the enforceability of this arbitration provision’s restrictions on your right to participate in or pursue a class action or class wide arbitration shall be decided by a court and not an arbitrator.
Notwithstanding anything in this Section, either You or TrustedID, Inc. may bring an individual action in small claims court as long as (i) the claim is not aggregated with the claim of any other person, and (ii) the small claims court is located in the same county (or parish) and state as Your address that You most recently provided to TrustedID, Inc. according to TrustedID, Inc.’s records in connection with this Agreement.
1. This is not an agreement with Equifax, who is liable for this breach.
This is an agreement with TrustedID, Inc. which is a wholly owned, but legally separate entity from Equifax. Equifax, the parent company, is liable for this breach, not TrustedID. Even if this ToS were intended to protect the parent company from a lawsuit (which it’s not, see below), it wouldn’t be able to do so; the only parties specified are “You” and “TrustedID, Inc.” This is one of the legal benefits of wholly owned subsidiaries; you create a legal barrier between yourself (which can be overcome, but only by court order) and another part your business. Of course, it works in reverse: the subsidiary cannot protect you from things you are liable for, like in the case of this hacking.
2. This is not an agreement to not seek a class action lawsuit because of the hack, it’s an agreement not to sue TrustedID via Class Action if they screw up
This is immediately obvious upon reading the ToU, but the agreement is in regards to class action liability as a result of TrustedID’s products or services…NOT because of this hack, which has nothing to do with TrustedID. It’s basically saying if you accept the identity theft protection and credit monitoring we offer and we screw up again, you can still sue us individually in a Small Claims court, but you waive your right to be part of any related Class Action. So it’s not great, but it’s standard ToU, and not at all related to the liability incurred by Equifax as a result of the breach. You can still be part of the Class Action.
3. Equifax has come right out and stated that the ToU doesn’t apply to the breach
From the FAQ:
Which puts the final nail in that coffin.
The internet is often wrong
It bears repeating that you shouldn’t believe everything you read on the internet. People read things without context from non-experts and begin to panic for no reason whatsoever. Likewise, they hear things from experts that should cause panic, and nobody cares. A great example of this is the React copyright issue that popped up recently; generally speaking it’s a non-issue, but everyone went wild about it. However, when the same IP Attorney said that Facebook’s patenting of the implementation of the GraphQL spec made it so that most users were in legal hot water there was barely a ripple, despite the fact that GraphQL is a much more deeply important project, in my opinion, as it evolves the entire API movement away from REST.
In the interest of my own liability, I’d like to close with an email that I got from one of the attorneys I asked for input on for this post:
I believe you are correct that accepting free credit monitoring does not prevent you from receiving compensation from a civil lawsuit such as a class action. Given the complexity of the issue, I want someone better informed than us to explain the situation. Watch for a state attorney general or reputable source such as Consumers Union to say what legal options are waived by accepting free credit monitoring.
In short, you don’t just have to take my word for it. Do what you should always do before you panic: seek out or wait for a reputable source to give an expert opinion on the issue. Use your head, and don’t just blindly accept social proof and opinions from people who don’t provide actual evidence.
As an aside, he added:
It may be better to use credit monitoring from another company, anyway, even if you must pay for it.
Bob Sullivan (veteran Consumer Affairs journo) drove this point home:
I agree with your analysis. But I wouldn't want to give a judge a chance to disagree.— Bob Sullivan (@RedTapeChron) September 8, 2017
While I doubt Equifax would be able to use this Arbitration clause to bar people from participating in the Class Action, you can always just choose to avoid the entire issue and just get your own identity monitoring service. Check your bank first to see if they offer any deals.