In connection with a massive security breach of a severity beyond those previously reported, Equifax is offering identity theft protection and credit monitoring services to any U.S. citizen who enrolls at www.equifaxsecurity2017.com/enroll/. Despite the controversy that ensued around whether Equifax was offering this free service in an attempt to require enrollees and applicants to waive their right to bring a class action suit against Equifax, it is still recommended that you avail yourself of this protection so long as you opt out of the arbitration clause that asks you to waive your class action rights. Regardless of whether you are among the nearly 50% of Americans whose personal information was compromised by the Equifax breach, it’s safe to assume that at some point your personal data has been or will be accessed by hackers, making the free year of credit monitoring, $1 million in identity theft insurance, and other services provided by Equifax on balance more valuable than the risks of enrolling.
After Equifax announced the cyberattack late last week, it came under fire from the New York attorney general and consumer advocacy groups for requiring individuals to waive their right to participate in a class action against Equifax to qualify for identity theft protection and credit monitoring services called TrustedID Premier. In response to the criticism, Equifax said this waiver does not apply to the cyberattack. Even though Equifax’s statement in all likelihood does not modify its contractual terms that include the waiver, as a practical matter it would be very difficult for Equifax to compel the applicants and enrollees of TrustedID Premier to arbitrate their claims rather than participate in a class action lawsuit. Furthermore, the New York Times has reported that the enrollment process gives people the opportunity to opt out of the arbitration requirement.
According to Equifax, on July 29, 2017 it discovered hackers obtained unauthorized access to personal information by exploiting a vulnerability with Equifax’s website. The company’s investigation determined that approximately 143 million consumer files were impacted. For now, Equifax’s investigation has determined that there was no evidence of unauthorized access to its core consumer and commercial credit reporting databases.
Equifax reported that hackers primarily accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Of the stolen consumer files, 209,000 contained credit card numbers. In addition, documents with personal information used in disputes for 182,000 people were also taken. Some of the most sensitive personal information stolen contained the keys that unlock consumers’ medical histories, bank accounts, and employee accounts. Eventually, written notices of the cyberattack will only be mailed to consumers whose credit card numbers or dispute documents with personally identifiable information were compromised.
Equifax is one of the three major credit reporting agencies in the U.S. and also provides a range of other services that gives it access to U.S. citizens’ personal information, including a service that provides businesses with the questions and answers used for customers’ account recovery if they lose access to their accounts. According to Equifax’s website, it organizes and analyzes data of more than 820 million consumers and more than 91 million businesses worldwide and its database includes employee data contributed from more than 7,100 employers.
Regardless of whether an individual’s personal information was accessed, Equifax is offering one year of free identity theft protection and credit monitoring services to any person with a social security number who enrolls by November 21, 2017 using the www.equifaxsecurity2017.com website. The enrollment process occurs in two steps and is scheduled over several days. First, a person must begin the enrollment process by providing the person’s last name and last six digits of his or her social security number at https://trustedidpremier.com/eligibility/eligibility.html. At that time, the person will be told whether he or she is at risk and the person’s enrollment date. Next, on the person’s designated enrollment date, he or she must return to the www.equifaxsecurity2017.com website to complete the enrollment process by providing additional information to verify his or her identity.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.