
Equifax terms of service may include binding arbitration clause - robteix
https://twitter.com/zackwhittaker/status/906178254331142144
======
paultopia
Law professor here.

1\. This contract does appear to apply to the data breach check site run by
equifax. To be specific, the contract at
[http://www.equifax.com/terms/](http://www.equifax.com/terms/) describes its
scope of coverage as "ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS
AFFILIATES" which would appear to include
[https://www.equifaxsecurity2017.com](https://www.equifaxsecurity2017.com)
(which links those terms).

2\. Arbitration clauses are very bad in cases like this, because by far the
most effective technique for forcing companies to compensate people and
deterring similar problems in the future is the class action, and this
arbitration clause, like so many others, includes a waiver of class actions.
Class actions are important because litigation is _really expensive_ and class
actions are the only generally applicable way to aggregate enough small claims
to make them financially viable. (They're the way we keep corporations from
stealing five dollars from everyone in America.)

3\. As someone down-thread correctly noted, arbitration clauses are also
extremely enforceable. The short version is that the federal arbitration act
puts a very big thumb on the scale in favor of the enforceability of even
really oppressive arbitration clauses, and the Supreme Court has added a
couple of thumbs of its own.

4\. I can't tell whether Equifax meant to do this. The cynical interpretation
is that some evil person decided "ok, there's going to be a panic and everyone
is going to go to our website to check if their data is breached, so let's
sneak in a way to get all these people out of class actions." The less cynical
interpretation is "someone threw up a website, and the standard procedure
within the company for throwing up a website is to include a link to these
boilerplate terms of service." No way from the outside to tell which of these
stories is true, and I'm not sure it really matters.

5\. There are arguments that a sharp lawyer could make to try to convince a
court that this clause is unenforceable. I'm happy to go into them if people
want, but, offhand, I would much rather not have agreed to such a contract
than have to try to convince a court to bounce it.

6\. Yes, there is an opt-out. The opt-out is only useful for people who have
actually read and understood the contract, which even with the press coverage
is likely to be a _vanishingly tiny percentage_ of the people who have
inadvertently "agreed" to it. So it doesn't make it meaningfully less evil.

7\. If you want to learn more about this kind of issue, I recommend
Boilerplate by Margaret Radin.
[http://press.princeton.edu/titles/9837.html](http://press.princeton.edu/titles/9837.html)
She does a great job of explaining why this kind of thing is a complete
disaster and also bears no relationship to our traditional conception of what
a contract is or should be.

Editing to add:

8\. I guess I'll add really briefly that the key argument that this clause
doesn't even apply would be that the contract distinguishes between "product
terms of use" and "site terms of use," and that arguably the arbitration
clause only applies to the purchase of products and registration. If checking
breach status doesn't count as purchasing a product, maybe that part (with the
arbitration clause) doesn't apply on the terms of the contract itself.
HOWEVER, registering for some kind of identity protection service as a result
of having checked breach status probably does, so that's cold comfort to a lot
of people who might use the site. I'll have to parse the contract more slowly
and carefully before having any confidence in much more along these lines.

(Standard warning: nothing here is individual legal advice, contact an
attorney in your jurisdiction before deciding whether you'll use this site,
I'm just speaking about the overall interpretation of this contract and what
we should think of it as citizens.)

~~~
dccoolgai
Awesome answer - thank you. Forced arbitration is a pet issue of mine and one
that, like, no one else seems to ever care about (except in really rare cases
where it touches on some other nerve like food safety:
[http://www.latimes.com/business/la-fi-mo-general-mills-
legal...](http://www.latimes.com/business/la-fi-mo-general-mills-legal-policy-
reversal-20140421-story.html) )so since we got a real law professor here, I'd
like to ask a couple questions:

1\. Is there any legal reason any more for a corporation _not_ to include
forced arbitration in its contracts? Like any hidden downside? "Get out of
class action free" card seems like a no-brainer.

2\. Is there anything special you do in your day-to-day life to deal with
forced arbitration issues? Avoid certain businesses, etc.? Have you ever
actually tried to send one of those "opt-out" things and how did it go?

~~~
paultopia
Happy to chat about this stuff.

1\. Honestly, I can't think of any downside, not in consumer contracts (as
opposed to b2b) anyway. I guess there are some cases where particularly
favorable courts might be preferable from the corporation's point of view
(there's a court in Texas that gets tons of patent suits for that reason, also
there are some states that are good for corporations --- Virginia has no class
actions, for example). That's about it.

2\. I personally haven't. (Though, a long long time ago, I did kick enough of
a stink about an arbitration clause in a car loan contract that the dealership
put some money on the table to make me stop.) The thing is, most of the time,
for most consumers, it doesn't really matter--the probability that I'm likely
to get harmed by some transaction enough to want to be part of a class action
is so small, that it's probably rational for me on a day to day basis to just
accept them. It's _collectively_ that they're a problem, because they
seriously damage one of the main ways that the legal system has to hold
corporate misconduct accountable. So we really need a collective solution,
rather than just individual avoidance. (Obviously, the exception being in
cases like this Equifax thing were we know that litigation is on the immediate
horizon.)

I've actually thought for a while about some solutions that people in the tech
world might be able to work on. One idea that I just finished sketching out
for print (will be in the University of Toronto Law Journal sooner or later)
would be to build a kind of coordinated contract negotiation platform, where
people could commit to saying "hey evilCorp, if a million other people also
agree to this, we'll all collectively cancel our accounts unless you get rid
of evil terms X, Y, and Z." This would resolve some of the collective action
problems with it being individually rational to accept these terms usually but
collectively disastrous. If, that is, people would use it...

------
mncolinlee
This is straight-up nonsense. You can't just put any clause you want into a
contract and expect it to be enforceable. This is also a major concern for
startups. You need to always make it possible for clients to opt-out and to
understand your terms. The less you tell the customers what they're committing
to-- the less likely any judge will care what legal terms you choose.

Don't assume a contract actually means what it says when it comes to
enforcement. Seek legal advice.

~~~
at-fates-hands
>> The less you tell the customers what they're committing to-- the less
likely any judge will care what legal terms you choose.

I've seen in a more than one case where the Judge blamed the plaintiff that
the onus is on them to read the TOS BEFORE agreeing to anything. In the end,
it just depends on what kind of a judge you get.

[https://www.eff.org/wp/clicks-bind-ways-users-agree-
online-t...](https://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-
service)

 _However, courts generally do not require that you actually have read the
terms, but just that you had reasonable notice and an opportunity to read
them._

 _In other words, it’s not merely clicking the “I Agree” button that creates
the legal contract. The issue turns on reasonable notice and opportunity to
review—whether the placement of the terms and click-button afforded the user a
reasonable opportunity to find and read the terms without much effort._

------
carlmcqueen
So if someone purchases my stolen social security number and my last name,
both leaked/stolen and enters it into their site to see if it was a good ID,
it would waive my rights?

~~~
cwkoss
Could be an odd 'public service' for people with the list/similar lists to
write a bot that signs EVERYONE in their database up and publishes evidence of
doing so, to invalidate their argument that any particular user signed up.

------
AdmiralAsshat
I'd say this is non-enforceable. They're trying to make it impossible to sue
them, including withholding the information that would show proof of our
standing to sue them in the first place.

~~~
maxerickson
New York State Attorney General agrees with you:

[https://twitter.com/AGSchneiderman/status/906195350532304896](https://twitter.com/AGSchneiderman/status/906195350532304896)

~~~
dccoolgai
The Supreme Court disagrees with the NY AG. Who do you think wins?

[http://thehill.com/regulation/court-
battles/333417-supreme-c...](http://thehill.com/regulation/court-
battles/333417-supreme-court-sides-with-nursing-home-in-arbitration-case)

~~~
maxerickson
Is it your opinion as the Supreme Court that the facts are the same and thus
the Equifax case can't be heard?

~~~
dccoolgai
My _opinion_ is that forced arbitration sucks and the FAA should be restored
to it's original intention: A tool for large corporations on equal footing to
do business with each other: not a tool to be used against individual
consumers to provide impunity for damages inflicted on customers.

What the Supreme Court, unfortunately, has decided the "fact" is that you are
correct - If you were covered in the forced arbitration clause, you would
forfeit your right to civil action against Equifax in exhange for having your
case heard by an "Arbitrator" that Equifax chooses. Have fun with that.

------
jorblumesea
Is it just whether you put in your info to see if you were affected, or is it
when you sign up for their credit checking service?

[https://www.equifaxsecurity2017.com/frequently-asked-
questio...](https://www.equifaxsecurity2017.com/frequently-asked-questions/)

> The arbitration clause and class action wavier included in the TrustedID
> Premier Terms of Use applies to the free credit file monitoring and identity
> theft protection products, and not the cybersecurity incident

Seems to me that just filling out that form does not waive your rights to
participate in the class action suit. It also even sounds like using their
free product has no impact on your ability to participate in any class action
suit.

~~~
QAPereo
They wouldn't be stupid enough to try and make this the test case- the giant
test case- for TOS. On that basis and the FAQ, I doubt they're trying to lock
people into arbitration that way. I hope that they know, or at least suspect,
that it wouldn't work if they did.

------
ericd
I honestly don't care if I get a share of the class action as long as the
damages are enough to destroy Equifax as a company.

------
just2n
Given Equifax is locking access to whether you're a victim behind an agreement
that forfeits civil rights to act on that information, this looks like a
textbook unconscionable contract.

~~~
delecti
You find out whether you're affected before you enroll. YOu enter your info,
get a result that says "no/maybe/you should enroll right away" and then it
shows the button to actually enroll in their service. Until you actually
enroll you haven't agreed to the arbitration clause.

------
davidw
Here's my strategy: I'll sign on to the class action suit and see if I get
excluded from it because my data wasn't stolen.

------
Jeremy1026
So, you can't find out if you're information was leaked if you want to join a
Class Action lawsuit. But presumably won't be able to join unless you can
attest that your information was leaked. Quite the catch-22.

------
benmowa
....but philisophically... why would I put my information into a site that is
already known to have a leak? obviously im just checking to see if i was
affected, but by checking, if someone is snooping, would validate that i'm
actively concerned and _possibly_ extortable. just sayin....

------
abhi3
Lawyer here. In most countries, such terms would be set aside on the grounds
of being unconscionable and against public policy. The consumers have no real
bargaining power in the setting of the terms here and lack the sophistication
necessary to understand that they are waving their legal rights. If you are
going to make someone waive their rights you need to get not merely their
consent, but 'informed consent'. Additionally, it is the companies duty to
inform people if their data was stolen and can't make them agree to some self-
serving terms before it does so.

Despite the SCOTUS ruling in AT&T Mobility LLC v. Concepcion if this question
is put before a US judge, there's a good chance that the contract won't be
worth the paper its printed on.

------
orev
It may apply only if you enroll in their (toothless) remedy of free credit
monitoring. It's not really clear this applies if you just check your data.

~~~
wyldfire
That's what I got from my read of this text, I can't figure out how someone
else drew that conclusion.

I didn't enroll specifically because I assumed it might waive my rights. I
didn't notice any such disclaimer on the am-i-impacted lookup.

If it really does apply to the lookup itself (or was intended to apply), then
it's worth some outrage. If not, it's worth significantly less outrage.

EDIT: The authoritative-sounding @pabloishappy says, "I spoke with equifax rep
named Marvin. He said enterining your last name and 6 ss#'s DOES NOT
constitute enrollment. Yiu neednto complete1/"

EDIT2: per [https://www.equifaxsecurity2017.com/frequently-asked-
questio...](https://www.equifaxsecurity2017.com/frequently-asked-questions/)
"The arbitration clause and class action wavier included in the TrustedID
Premier Terms of Use applies to the free credit file monitoring and identity
theft protection products, and not the cybersecurity incident."

------
chillingeffect
I don't think this is true. Here's the link (from cnn.com):
[https://www.equifaxsecurity2017.com/potential-
impact/](https://www.equifaxsecurity2017.com/potential-impact/)

It says _nothing_ about waiving your rights, etc. at all. There is the option
to sign up for some of their services ("we will provide you the option to
enroll in TrustedID Premier."), which I have read elsewhere include clauses
waiving your rights to be part of a class action suit. But just checking this
link has no waiving associated with it.

------
joshdance
So TLDR - how can I find out if my data was stolen?

~~~
antimatter
Assume that it was and act accordingly.

------
redm
Ironically, since the data was leaked, how will they prove it was "you" that
even checked?

------
princekolt
What a bunch of crooks. Isn't it illegal to use such a term?

~~~
dccoolgai
Nope. Forced arbitration is perfectly legal. It's what they did under the
cover of "OMFG Lawyers are AWWWFUL! Spilled Coffee == Million dollar
lawsuits!!! :(" panic. Forced arbitration has been held up by the Supreme
Court on more than one occasion. Some fast food chains have clauses that say
it applies when you walk through their doors. Bonus: The company that injured
you gets to pick the "arbitrator"... which are usually seleced because... they
rule in favor of the corporation more.

Fascinating legal history behind it, actually: It was all based on a law from
the early 1900s that was meant to apply only to two businesses in contracts
with each other, but the Supreme Court allowed the creative interpretation
that it could apply between companies and individuals... go figure.

------
miguelrochefort
Last Name: test

Last 6 Digits of Social Security Number: 123456

> Based on the information provided, we believe that your personal information
> may have been impacted by this incident.

~~~
wyldfire
"may have been" \-- well, _maybe_. Much easier to design this site in a hurry
if you don't actually have to look anything up.

------
pasbesoin
Here's hoping an insightful judge might interpret this as actually
strengthening a claim of libel.

Making you wave your due process rights, in order to "learn" what "they are
saying about you". Or, "writing", as it were -- thus the potential for
"libel".

IANAL, but it seems perhaps an unreasonable barrier to "setting the record
straight". One that they are attempting to force you to enter, simply to learn
what they are saying about you.

The credit agencies have gone to a lot of effort, including a lot of lobbying
and influencing lawmakers and regulators, to minimize the risk of libel suits.
I can only hope that, with continuing over-reach like that in the OP, they are
ultimately shooting themselves in the foot, in this regard.

------
zelon88
I've already Tweeted at a Katie Lobosco of CNN Money and Maria LaManga of
MarketWatch. They're pushing credit reporting products and the Equifax link in
articles instructing people to take action. They're actually hurting way more
people than they're helping. Anyone wanna help let them know with me? EDIT:
And Chris Brook from Threat Post too??!?! I thought they would have done more
homework than that.

------
mikestew
I'd like to hear this from an actual attorney, not some "not a lawyer" dude's
Twitter account.

~~~
k-mcgrady
New York Attorney General [0] says it's unenforceable. Something I'm surprised
people didn't just assume given how ridiculous the clause seems.

[0]
[https://twitter.com/AGSchneiderman/status/906195350532304896](https://twitter.com/AGSchneiderman/status/906195350532304896)

~~~
mikestew
Not that I disagree with the NY AG, but I also think that his tweet was a bit
knee-jerky and premature prior to his actual reading of the agreement in
context (the tweet was posted minutes after Ars posted a story). He will
probably stick to this, as well as pointing out that the agreement never said
that to begin with, but I think it's a bit early for the entire Internet to be
passing this around like it's truth.

------
afinlayson
I'm pretty sure the fact THEY potentially lost my data, that won't hold up in
court. Many people are rushing to figure out if they included in the breach.

------
mdev
How can they say I did that check and not the person with my data? Seems
counter intuitive.

------
msimpson
This seems to be a bunch of people on Twitter, lead by a security researcher,
reading legal documents and coming to conclusions which are being second
guessed over the course of the thread.

Some keep quoting this line from the terms of service:

> YOU MUST ACCEPT THE TERMS OF THIS AGREEMENT, INCLUDING THE ARBITRATION
> AGREEMENT CONTAINED IN SECTION 4 BELOW, BEFORE YOU WILL BE PERMITTED TO
> REGISTER FOR AND PURCHASE ANY PRODUCT FROM THIS SITE. BY REGISTERING ON THIS
> SITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF,
> AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE
> BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER
> ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.

Whereas others have pointed to the Opt-Out:

> Right to Opt-Out of this Arbitration Provision. IF YOU DO NOT WISH TO BE
> BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF.
> Opting out of the arbitration provision will have no adverse effect on your
> relationship with Equifax or the delivery of Products to You by Equifax. In
> order to exclude Yourself from the arbitration provision, You must notify
> Equifax in writing within 30 days of the date that You first accept this
> Agreement on the Site (for Products purchased from Equifax on the Site). If
> You purchased Your Product other than on the Site, and thus this Agreement
> was mailed, emailed or otherwise delivered to You, then You must notify
> Equifax in writing within 30 days of the date that You receive this
> Agreement. To be effective, timely written notice of opt out must be
> delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O.
> Box 105496, Atlanta, GA 30348, and must include Your name, address, and
> Equifax User ID, as well as a clear statement that You do not wish to
> resolve disputes with Equifax through arbitration. If You have previously
> notified Equifax that You wish to opt-out of arbitration, You are not
> required to do so again. Any opt-out request postmarked after the opt-out
> deadline or that fails to satisfy the other requirements above will not be
> valid, and You must pursue your Claim in arbitration or small claims court.

Therefore, I'd take everything with a grain of salt and/or read the full terms
for yourself:

[http://www.equifax.com/terms/](http://www.equifax.com/terms/)

~~~
josefresco
If by "people on Twitter" you include the New York State Attorney General than
yes.

~~~
msimpson
If by "New York State Attorney General" you mean Eric Schneiderman, or the guy
jumping on every controversy to further his career, then yes.

~~~
djtriptych
Surely a credit bureau leaking private information on 140 million Americans
(and probably millions of New Yorkers) deserves the AG's attention.

~~~
msimpson
Not saying it doesn't. I'm saying Eric Schneiderman, alone, is a douche.

~~~
dang
You violated the site guidelines by taking this thread into just the sort of
flamewar we're trying to avoid on HN. Would you please (re-)read them and not
do this again?

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
msimpson
If you wish to take issue with the fact I called a political figure a douche,
fine.

But I will not refrain from using such language in the future when I feel it's
appropriate.

Although, if you want to declare I started what can hardly be described as a
flame war just by stating an opinion, you should just delete my account now.

Seriously.

------
traviswingo
Wonder if I can just have my spouse check for me.

------
korzun
From my exprience, this type of clause will not stand up in court. It might
sound legit but mostly viewed as a filler by lawyers.

~~~
dccoolgai
What kind of experience do you have? Because the Supreme Court has held up
forced arbitration multiple times. I know it doesn't "feel right" (and maybe
that's because it isn't) but it's the law of the land.

~~~
korzun
I will let somebody else chime in. There may be instances where something like
this could be upheld, but I don't think it will apply here.

My case involved an employee that committed fraud by offering me bogus shares
of a non-existent entity. They terminated me after I brought this up and asked
me to sign a waiver in exchange for severance. 100% not enforceable.

