Letter to Mr. Richard F. Smith, CEO of Equifax, Inc. - End Use Of Consumer-Harming Forced Arbitration Clauses

Letter

Dear Mr. Smith:

We are writing to request information on Equifax's announcement that 143 million U.S. consumers may have had their personal data compromised, as well as Equifax's initial inclusion of a pre-dispute, mandatory ("forced") arbitration clause in the Terms of Use agreement for TrustedID Premier -- Equifax's identity theft protection product. In response to significant public outcry regarding Equifax's apparent attempt to retroactively limit liability for the breach by forcing potential consumer complaints into individual arbitration proceedings, the company took the very important step of removing the arbitration clause from the TrustedID agreement.

While we appreciate Equifax's speedy response, the breach, as well as the public reaction to the company's use of forced arbitration, underscore the need for the Consumer Financial Protection Bureau's (CFPB) recently finalized rule that would prospectively limit the use of forced arbitration clauses and reopen the courtroom doors for consumers. As such, we ask that you clarify your position on the CFPB's rule, and whether, in the wake of this unprecedented breach of consumers' personal and financial information, your company supports legislation that would deny consumers access to a court of law.

Last week, Equifax announced that between mid-May and July of this year, cyber criminals gained access to certain Equifax files, including the personal information of potentially 143 million U.S. consumers. Specifically, "[t]he information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."[1] In response, Equifax offered "complimentary" access to TrustedID Premier, which purports to help consumers determine if their personal information was impacted and provides them with credit monitoring and identity theft protection. Unfortunately, the TrustedID Premier Terms of Use included a forced arbitration agreement providing that all legal claims "arising from or relating to the subject matter" of the agreement must be settled by individual arbitration -- a clause that has since been removed.[2]

Forced arbitration provisions in consumer contracts erode Americans' ability to seek justice in the courts by forcing them into a privatized system that is inherently rigged against consumers and which offers virtually no way to challenge a biased outcome. Forced arbitration clauses, like the one that appeared in the TrustedID Terms of Use, require consumers to sign away their constitutional right to seek accountability in a court of law. These clauses also frequently include a prohibition on participation in a class action, language which strips consumers of the right to band together with other consumers to challenge widespread wrongdoing or illegal acts.

In the current context, Equifax's arbitration clause could have prevented those who accessed Equifax's "free" TrustedID Premier product to verify whether they were affected by the data breach from banding together with others affected to seek justice in a court of law. The effects of the breach are not yet widely known, but it is foreseeable that consumers could have claims related to breaches of statutory and common law duties to safely store and continually secure consumers' personal and financial data. Although Equifax has since removed the clause from the TrustedID Terms of Use -- a move we applaud -- we are concerned that the company may still support the use of forced arbitration more broadly.

Indeed, Equifax's Product Agreement and Terms of Use on its main site continues to include a forced arbitration clause preventing class actions. The product agreement states that it "contains the terms and conditions upon which you may purchase and use products through the www.equifax.com, www.identityprotection.com and www.idprotection.com websites and all other websites owned and operated by Equifax."[3] Given that the TrustedID website is owned and operated by Equifax, we urge you to remove the offending clause from the landing page's product agreement as well. Consumers who are rightfully concerned about their financial wellbeing deserve the certainty of knowing that using the TrustedID Premier product -- even just to determine if their information has been compromised -- won't be surrendering constitutional rights and effectively immunizing Equifax from accountability. At the very least, Equifax must explicitly state that the arbitration clause does not and will not govern any claims arising out of the breach that occurred between May and July of this year.

Moreover, Equifax is currently lobbying the United States Senate related to the CFPB's rule that would prospectively limit the use of forced arbitration clauses.[4] Presumably, Equifax is seeking to reverse the CFPB's rule and limit their liability via repeal legislation, S.J. Res 47. We therefore ask that Equifax clarify its position on this legislation following the breach. We are hopeful that Equifax will use this unfortunate event to reconsider its broader support of pre-dispute, forced arbitration.

Thank you for your prompt attention to this important matter.

Sincerely,