Were you affected by the Equifax data breach? One click could cost you your rights in court

Key Points
  • The credit reporting firm said Thursday it detected a data breach in July that affects 143 million consumers.
  • On Friday, Equifax added an opt-out clause to its terms of use, but it still requires arbitration instead of litigation to settle disputes for those who do not opt out.
  • Consumer advocates are lashing out at Equifax for requiring arbitration.
Equifax hack may affect one in two US consumers: Here's how to protect yourself

People who are worried about whether their personal information was compromised in the Equifax data breach may be in for another unpleasant surprise: being forced to settle claims against the credit reporting company in arbitration instead of joining forces with other wronged consumers to sue in court.

Equifax is allowing people to sign up on its website for free identity theft protection and credit file monitoring following the disclosure Thursday of the data breach, which Equifax said was detected July 29 and affected 143 million consumers.

But the credit monitoring service, through an Equifax company called Trusted ID, has a provision that limits liability to the company, and consumers who sign up for what is billed as a free service will be charged for it after a one-year trial period if they don't call the company to cancel their subscription.

The provisions, buried in the fine print of Trusted ID's terms of service, added to confusion on Friday about how much help consumers are being offered. In a broader set of terms on Equifax's website, visitors are told they must accept certain terms, including arbitration, before being permitted to register for and purchase any product from its site.

"You also agree to be bound by this agreement by using or paying for our products or taking other actions that indicate acceptance of this agreement," it says.

TrustedID's terms also include this mandatory arbitration provision.

But Equifax's general terms have an arbitration opt-out provision for consumers who know to look for it and notify Equifax in writing within 30 days to a snail mail P.O. box address in its headquarters city of Atlanta.

TrustedID's terms do not include that opt-out provision, something that could trip up consumers if they sign up for the service.

"You're not going to find a lot of consumers who would read the lengthy terms of use, especially when they've been told on the previous page that they will get it for free," said Allison Zieve, the director of litigation for Public Citizen, a consumer protection group, who adds she believes Equifax's general opt-out clause wouldn't apply to TrustedID.

Scott Nelson, who is also a lawyer at Public Citizen, says Equifax uses broad terms to cover activities that fall under arbitration, though he notes that many consumers have never intentionally entered into a formal customer relationship with Equifax.

Equifax is one of three major credit reporting companies that collect data on hundreds of millions of people. That data is used by lenders to judge individuals' creditworthiness to buy a home, take out a credit card or obtain insurance. But there is no requirement that people go to the credit reporting firms to access that information, much less look at their websites, Nelson said.

Companies have pushed consumers to accept arbitration for a broad range of financial services and "it hasn't always held up. Courts look at it on a case-by-case basis," Nelson said. Most recently Wells Fargo has pushed back at lawsuits over its own arbitration requirements in the fake account scandal, Nelson added.

Arbitration usually results in less money recovered for consumers in disputes with companies.

On Friday, the Consumer Financial Protection Bureau, a relatively new consumer watchdog agency created in the wake of the 2008 financial crisis, issued a statement calling Equifax's required arbitration for credit monitoring "troubling."

"It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company's breach put their personal information at risk. Equifax could remove this clause so that consumers can receive this service without condition."

The agency has been battling Republicans over a new rule set to go into effect next year that would prevent companies from forcing consumers to waive their rights to class-action lawsuits. The rule will apply to new transactions beginning next March, but House Republicans have already voted to repeal it and the Senate could take up its own repeal measure as early as next week.

New York's Attorney General, Eric Schneiderman, likewise said in a post on Twitter Friday that the arbitration language was "unacceptable and unenforceable," adding that his staff had contacted the company to get them to remove it. His office opened an investigation into the data breach.

Equifax's website says the arbitration provision (again, assuming one doesn't opt out) applies to "any claim, dispute, or controversy between You and Us relating in any way to Your relationship with Equifax, including but not limited to any Claim arising from or relating to this Agreement, the Products or this Site, or any information You receive from Us, whether based on contract, statute, common law, regulation, ordinance, tort, or any other legal or equitable theory, regardless of what remedy is sought."

But there is another out for consumers in the small print: an individual can take Equifax to small claims court, where disputes are usually for amounts of $10,000 or less, as long as the claim isn't combined with the claim of another person.

At the end of one year, consumers who signed up for the TrustedID product will begin being charged an unspecified amount unless they cancel by calling the company.

"That's just not right," said Public Citizen's Zieve. "They shouldn't be making money off the hack."

WATCH: Investigation launched into Equifax breach

Investigation launched into Equifax breach