Within hours of Equifax — one of the nation’s three major credit bureaus — confirming that the records of some 143 million people had been compromised in a data breach, the company now faces a lawsuit accusing it of failing to protect its stockpile of sensitive consumer information. Meanwhile, some critics are saying that Equifax’s response to the breach may be causing more harm than good.
The potential class action complaint [PDF] was filed Thursday afternoon at a federal court in Oregon with two of that state’s residents as the named plaintiffs. It aims to represent others who may be “harmed by Equifax’s failure to adequately protect their credit and personal information.”
As a credit bureau, Equifax has a large amount of potentially sensitive data about hundreds of millions of Americans — personal information like addresses, phone numbers, driver’s licenses, and Social Security numbers; along with financial information on credit card accounts, loans, lines of credit, and more.
The plaintiffs say that, with this much data at its disposal, Equifax has a legal duty “to use reasonable care to protect their credit and personal information from unauthorized access by third parties.”
The lawsuit alleges that the breach resulted from negligence on the part of Equifax, claiming the company deliberately did not invest adequately in protecting consumer data.
In addition to any potential harm that may come from the thieves’ misuse of the purloined data, the plaintiffs contend that Equifax should be expected to reimburse affected consumers for going out-of-pocket for services like third-party credit monitoring. Consumers should not have to “bear the expense caused by Equifax’s negligent failure to safeguard their credit and personal information from cyber-attackers,” reads the complaint.
We’ve reached out to Equifax for comment regarding this lawsuit but have not yet heard back.
This action is only the first of what will likely be dozens of similar lawsuits filed all over the country in the weeks to come. Aside from the $19.95 that one of the Oregon plaintiffs has already spent on an outside credit monitoring service, the complaint does not allege any actual damage done to the affected consumers. However, the type of information stolen in this breach could very easily lead to ID theft, credit fraud, and other harm.
This issue of potential harm is one that the court system has been debating in recent years. For instance, federal courts have disagreed on whether customers of health insurer CareFirst should be allowed to sue over a data breach where there is little evidence that the stolen information has been misused.
There will also likely be lawsuits, and possibly law enforcement investigations, involving reports that three top Equifax executives — including the company’s Chief Financial Officer — sold large chunks of Equifax stock, totaling around $1.8 million, shortly after the breach was discovered but before it was made public. The Oregon complaint does not mention these transactions.

Doing More Harm?

When it confirmed the data breach, Equifax launched a site — EquifaxSecurity2017.com — containing information and a way for people to enroll in TrustedID credit monitoring service, but there are a handful of problems that are only making the waters murkier.
First, Equifax fails to clearly point out that TrustedID is actually an Equifax product. Consumers could be forgiven for not having much trust in a company that just admitted it failed to secure the data of 143 million Americans.
Second, signing up for TrustedID appears to lock you into the cruddy Equifax terms of service, which include a forced arbitration clause. What does that mean? It means that by signing up for TrustedID, you could inadvertently be signing away your right to sue Equifax in a court of law. Instead, you’d have to enter into private arbitration with the company.
The National Consumer Law Center is calling on Equifax to drop this clause from the terms of service for the credit monitoring. “Through those terms, Equifax is purporting to prevent affected customers from access to the courts or the right to join together with the other hundreds of millions of injured consumers to jointly pursue claims against Equifax,” writes NCLC in a statement released today.
There is a 30-day window to opt out of the arbitration clause. It’s buried in the terms of service, but we’ve pulled out the relevant section in this screengrab:

[UPDATE: In a statement to Consumerist, a rep for Equifax clarifies that “The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”]
It’s worth noting that the Consumer Financial Protection Bureau has finalized a new regulation that would have stopped Equifax from using this sort of anti-consumer arbitration clause, but Congress and the Trump administration — all backed by the nation’s largest lobbying group, the U.S. Chamber of Commerce — are currently trying to roll back those protections and allow companies like Equifax to potentially violate the law with impunity.
Finally, as Ars Technica points out, there are several technical issues with the EquifaxSecurity2017 site — like the fact that it’s running on a system that lacks the proper security you’d expect for a site where you’re asking users to enter sensitive data (just so they can find out if their sensitive data is being misused). Additionally, the EquifaxSecurity2017 URL isn’t registered to Equifax, but through a third party company.
“[I]t’s format looks like precisely the kind of thing a criminal operation might use to steal people’s details,” writes Ars’ Dan Goodin. “It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.”
(Updated with information from NCLC and the opt-out window for the arbitration clause. Subsequently updated with statement from Equifax.)

Editor's Note: This article originally appeared on Consumerist.