Sensitive credit information on 143 million people – nearly half the US population – has been stolen in a data breach at monitoring and reporting service Equifax.
The breach, which was discovered on July 29 and is believed to have begun in mid-May, led to the unauthorized download of customers’ names, addresses, social security numbers and birth dates: essentially, all the information that one would require to steal someone’s identity. In addition, about 209,000 credit card numbers were stolen, as well as 189,000 dispute reports containing identifying information.
Equifax set up a web site, EquifaxSecurity2017.com, where users could enter portions of their social security numbers to check whether their information was part of the breach, and offered a free year of credit monitoring for those affected. This has not been without controversy, however. Hidden in the site’s terms of service is a clause which forces users to give up their right to join a class-action suit against the company if they want to check whether their data was exposed, sending potential claims to arbitration instead.
You could be giving up some of your rights to sue. At first, Equifax said anyone who gets the credit monitoring service, TrustedID, must agree to submit any complaints about it to arbitration. Those people wouldn’t be allowed to sue, join a class-action suit, or benefit from any class-action settlement.
After public pressure, Equifax added an opt-out provision on Friday. Customers can get out of the arbitration requirement by notifying Equifax in writing within 30 days of accepting the monitoring service.
And Alex Southwell, a privacy lawyer at Gibson Dunn and a former federal prosecutor in New York, said the original rules still left room for people to sue Equifax over the original hack, even if they can’t sue over the credit monitoring.
The federal Consumer Financial Protection Bureau recently published rules against these kinds of arbitration requirements by banks and credit card issuers. The rules will apply to credit rating services such as Equifax. But they don’t take effect until next year, and Republicans in Congress want to roll them back.
And make no mistake, the lawsuits are coming. The office of Mark Geragos, the celebrity attorney who also recently filed a class-action suit against the organizers of the disastrous Fyre Festival, has teamed up with Olsen Daines PC to file a class-action claim against the company in Portland, Oregon.
In addition, three top executives at the company are under fire after dumping $1.8 million in stock just days after the breach was discovered, well before it was announced to the public.
The credit-reporting service said earlier in a statement that it discovered the intrusion on July 29. Regulatory filings show that on Aug. 1, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.
Equifax claims the transactions had nothing to do with the breach, saying the three executives were not aware of the intrusion when they made their trades. But given the sheer volume of the transactions – Gamble offloaded over 15% of his shares – the situation nevertheless seems suspect.
We will continue to monitor this story and present more as warranted.