[BreachExchange] Equifax data breach: Credit agency says victims can still sue, despite rule change

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 26 20:53:58 EDT 2017


http://www.itpro.co.uk/data-leakage/29418/equifax-data-breach-credit-agency-says-victims-can-still-sue-despite-rule-change

Equifax has denied that customers affected by the hack, which saw the
personal details of millions taken by cyber criminals, will be unable to sue
the company.

It had been speculated that those affected would be prevented from suing
the company, after the US Senate yesterday repealed a law that prohibited
"covered providers of certain consumer financial products and services from
using an agreement with a consumer that provides for arbitration of any
future dispute between the parties to bar the consumer from filing or
participating in a class action concerning the covered consumer financial
product or service".

Equifax, however, is standing by earlier statements that customers will be
able to file a lawsuit if they wish.

In a statement, the company told IT Pro: "Enrolling in the free credit file
monitoring and identity theft protection products that we are offering as
part of this cyber security incident does not prohibit customers from
taking legal action. The congressional action overturning the CFPB's rule
does not change our position."

The mention of the free credit file monitoring and identity theft
protection products is significant in itself. When these initiatives were
first launched, there was a clause in the terms of use that, it appeared,
would have prevented customers from suing the company for the breach.
Following public outcry, however, the company clarified that the
stipulation referred only to these products, not to the breach itself.

Over 140 million consumers globally were affected by the hack, which took
place between May and July 2017, but wasn't discovered until 29 July. No
public announcement was made until mid-September.

25/10/2017: Hack victims may not be able to sue Equifax

The US Senate voted early this morning to remove a federal rule that would
have allowed people affected by the Equifax hack to sue the company.

A 50/50 tie in the Senate was broken by vice-president Mike Pence
casting a deciding vote in favour of the joint resolution to get rid of the
rule, TechCrunch reported.

The rule in question stops financial services companies that bind their
users by arbitration agreements from preventing them from suing as a class.

It was entered into the Federal Register in July by the Bureau of Consumer
Financial Protection, with the joint resolution to nullify it - H.J Res.111
- submitted the next day.

The rule says: "The final rule prohibits covered providers of certain
consumer financial products and services from using an agreement with a
consumer that provides for arbitration of any future dispute between the
parties to bar the consumer from filing or participating in a class action
concerning the covered consumer financial product or service."

Equifax directed customers affected by its huge data breach to sign up to
its TrustedID Premier service in the aftermath of the hack. TrustedID
offers identity theft insurance and scans the web to see if customers'
social security numbers have been used illegally.

Initially, the terms of service of TrustedID made clear that signing up to
use it prevented users from suing the company and ensured any disputes it
had would need to be resolved through arbitration.

Equifax then removed the arbitration clause last month, and said in an FAQ
that neither the TrustedID terms of use nor Equifax's own terms of use
would prevent people from taking legal action.

It still reads: "We will not apply any arbitration clause or class action
waiver against consumers for claims related to the free products offered in
response to the cybersecurity incident or for claims related to the
cybersecurity incident itself".