Equifax bungles details over and over again
Here’s a word of advice for companies in trouble: Don’t make the public any angrier than necessary. That’s the mistake Equifax repeated several times over in its careless handling of its careless loss of detailed identifying data on 143 million consumers, a breach widely described as the worst in history. The company made a number of missteps, such as taking months to make the breakin public and, apparently, running web server software with a known vulnerability.
But the biggest question since the news broke has involved whether Equifax was trying to pull a fast one: Were worried consumers being forced to surrender their right to sue before they could find out if they were among the victims of the hack, or was that an urban myth? I’ve been teaching contract law for a quarter of a century, and I’m not entirely sure.
The issue arose after some people actually read the boilerplate on the special site Equifax set up so that worried consumers could find out whether their data was in the wind. The readers discovered — or at least thought they discovered — that consumers who clicked on “I agree” were giving up their right to sue the company over the hack, and consenting to arbitration instead. Social media erupted in fury.
Unlike most contracts professors, I am no great enemy of arbitration clauses, and I consider the Consumer Financial Protection Bureau’s jeremiad against them to be ill-conceived. I also have no particular problem with what are sometimes derided as “adhesive contracts,” where consumers are asked to consent to a bunch of boilerplate they rarely read. (In short words, such contracts solve serious agency problems and lower transaction costs, enabling the consumer economy to function more cheaply.)
But I have a big problem with a company trying to sneak things past panicked consumers, particularly when the panic is caused by the company’s own malfeasance. Sometimes an example has to be made.
Here, however, we come to the nub. Was Equifax really trying to pull a fast one? After getting spanked on Twitter and Facebook, taking its lumps in the tech press, and being threatened by New York Attorney General Eric Schneiderman, the company added some hastily drafted language to its frequently asked questions page, insisting that the ban on lawsuits does not apply to what it cagily called “the cybersecurity incident.”
That might have been the end of the matter, if anyone actually believed that FAQs were legally binding, or if a subsequent change in the FAQs could affect the status of consumers who had already clicked “I agree” before the new language showed up. So the effect of the clarification was to sow more confusion.
Over the weekend, Equifax issued a series of written statements in an effort to assure the world that “enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.” The company went on to clarify its clarification: “We will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.” Backed into a corner, Equifax finally removed the language about arbitration from the terms of use on the site.