ID Theft Protection and Credit Monitoring for Equifax Cyberattack: Get It But Proceed With Caution

By Claire Rosston, Co-Author

In connection with a massive security breach of a severity beyond those previously reported, Equifax is offering identity theft protection and credit monitoring services to any U.S. citizen who enrolls at www.equifaxsecurity2017.com/enroll/. Despite the controversy that ensued around whether Equifax was offering this free service in an attempt to require enrollees and applicants to waive their right to bring a class action suit against Equifax, it is still recommended that you avail yourself of this protection so long as you opt out of the arbitration clause that asks you to waive your class action rights. Regardless of whether you are among the nearly 50% of Americans whose personal information was compromised by the Equifax breach, it’s safe to assume that at some point your personal data has been or will be accessed by hackers, making the free year of credit monitoring, $1 million in identity theft insurance, and other services provided by Equifax on balance more valuable than the risks of enrolling.

After Equifax announced the cyberattack late last week, it came under fire from the New York attorney general and consumer advocacy groups for requiring individuals to waive their right to participate in a class action against Equifax to qualify for identity theft protection and credit monitoring services called TrustedID Premier. In response to the criticism, Equifax said this waiver does not apply to the cyberattack. Even though Equifax’s statement in all likelihood does not modify its contractual terms that include the waiver, as a practical matter it would be very difficult for Equifax to compel the applicants and enrollees of TrustedID Premier to arbitrate their claims rather than participate in a class action lawsuit. Furthermore, the New York Times has reported that the enrollment process gives people the opportunity to opt out of the arbitration requirement.

According to Equifax, on July 29, 2017 it discovered hackers obtained unauthorized access to personal information by exploiting a vulnerability with Equifax’s website. The company’s investigation determined that approximately 143 million consumer files were impacted. For now, Equifax’s investigation has determined that there was no evidence of unauthorized access to its core consumer and commercial credit reporting databases.

Equifax reported that hackers primarily accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Of the stolen consumer files, 209,000 contained credit card numbers. In addition, documents with personal information used in disputes for 182,000 people were also taken. Some of the most sensitive personal information stolen contained the keys that unlock consumers’ medical histories, bank accounts, and employee accounts. Eventually, written notices of the cyberattack will only be mailed to consumers whose credit card numbers or dispute documents with personally identifiable information were compromised.

Equifax is one of the three major credit reporting agencies in the U.S. and also provides a range of other services that gives it access to U.S. citizens’ personal information, including a service that provides businesses with the questions and answers used for customers’ account recovery if they lose access to their accounts. According to Equifax’s website, it organizes and analyzes data of more than 820 million consumers and more than 91 million businesses worldwide and its database includes employee data contributed from more than 7,100 employers.

Regardless of whether an individual’s personal information was accessed, Equifax is offering one year of free identity theft protection and credit monitoring services to any person with a social security number who enrolls by November 21, 2017 using the www.equifaxsecurity2017.com website. The enrollment process occurs in two steps and is scheduled over several days. First, a person must begin the enrollment process by providing the person’s last name and last six digits of his or her social security number at https://trustedidpremier.com/eligibility/eligibility.html. At that time, the person will be told whether he or she is at risk and the person’s enrollment date. Next, on the person’s designated enrollment date, he or she must return to the www.equifaxsecurity2017.com website to complete the enrollment process by providing additional information to verify his or her identity.


Unless you are a current client of Holland & Hart LLP, please do not send any confidential information by email. If you are not a current client and send an email to an individual at Holland & Hart LLP, you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us, unless we have already agreed to represent you or we later agree to do so. Thus, we may represent a party adverse to you, even if the information you submit to us could be used against you in a matter, and even if you submitted it in a good faith effort to retain us.