The social security numbers of 143 million people—roughly half of all Americans—were recently compromised when hackers stole personal information from credit monitoring firm Equifax. In many cases, home addresses and birth dates were also compromised.
Now, predictably, the class action lawsuits are beginning to trickle in. One class will seek "as much as $70 billion in damages nationally," according to Bloomberg. Whether these lawsuits will hold up in court, however, is less certain.
But many people on social media have dug into the terms of service for TrustedID, Equifax's own identity protection product, and have raised fears that by simply checking to see if you were a part of a hack, you may be forfeiting your right to sue.
TrustedID's terms maintain "a waiver of the ability to bring or participate in a class action, class arbitration, or other representative action," or "to share in any class action awards." Some worry this may keep them from a class action lawsuit, but lawyers tell Motherboard that this clause will be hard for Equifax to enforce in court.
Anyone wishing to discover whether their information had been stolen has been directed to TrustedID. By submitting their last name and the last six digits of their social security number, people are supposed to be able to learn if they were affected (though there are reports that TrustedID's responses have changed for certain people).
In a statement, Equifax confirmed to Yahoo Finance that TrustedID's arbitration clause doesn't apply to "the cybersecurity incident." But that doesn't mean the company can't try to use that clause in a potential legal proceeding.
"In the past, parent companies have attempted to enforce the arbitration clauses of their subsidiaries, but are typically unsuccessful. There are some other risks for Equifax if they try to force the case into arbitration," Joseph Sauder, partner at McCune Wright Arevalo, LLP, which is currently investigating the hack, told Motherboard.
"First, you are not agreeing to a product (which is what the arbitration agreement covers) yet, as you have to return to the website after a few days to enroll. Second, at this stage you do not need to affirmatively check a box that states you agree to any terms or conditions, which is a big help for us to argue later on that there was no agreement (i.e. contract) to arbitrate that was accepted by the consumer," Sauder added.
His law firm has opened a page for a potential class action lawsuit, and is asking anyone who has been affected by the breach to contact them.
Earlier this year, the Consumer Financial Protection Bureau determined that financial companies cannot use arbitration clauses to strike down class action lawsuits. It's unclear whether this rule applies to credit monitoring firms like Equifax.
If Equifax attempts to enforce TrustedID's clause in court, its statement on the matter could be entered into evidence.
"There is also a general [terms of service] for the Equifax website that contains an arbitration clause, but again there is no product being purchased or used by anyone yet so it likely does not apply—not that it would stop Equifax from potentially making that argument," Sauder said.
A class action lawsuit, filed on Friday by attorney John Yanchunis of Morgan & Morgan, accuses Equifax of negligence in securing customers' personal and financial information. The complaint also criticizes Equifax for failing "to notify consumers in a timely manner."
The company disclosed the data breach on Thursday, but first discovered its existence on July 29.