Equifax Bungles the Details Over and Over Again
Here’s a word of advice for companies in trouble: Don’t make the public any angrier than necessary. That’s the mistake Equifax Inc. repeated several times over in its careless handling of its careless loss of detailed identifying data on 143 million consumers, a breach widely described as the worst in history. The company made a number of missteps, such as taking months to make the break-in public, and apparently running web server software with a known vulnerability. [1]
But the biggest question since the news broke has involved whether Equifax was trying to pull a fast one: Were worried consumers being forced to surrender their right to sue before they could find out if they were among the victims of the hack, or was that an urban myth? I’ve been teaching contract law for a quarter of a century, and I’m not entirely sure.
The issue arose after some people actually read the boilerplate on the special site Equifax set up so that worried consumers could find out whether their data was in the wind. [2] The readers discovered -- or at least thought they discovered -- that consumers who clicked on “I agree” were giving up their right to sue the company over the hack, and consenting to arbitration instead. Social media erupted with fury.
Unlike most contracts professors, I am no great enemy of arbitration clauses, and I consider the Consumer Financial Protection Bureau’s jeremiad against them to be ill-conceived. I also have no particular problem with what are sometimes derided as “adhesive contracts,” where consumers are asked to consent to a bunch of boilerplate they rarely read. (In short, such contracts solve serious agency problems and lower transaction costs, enabling the consumer economy to function more cheaply.) But I have a big problem with a company trying to sneak things past panicked consumers, particularly when the panic is caused by the company’s own malfeasance. Sometimes an example has to be made.
Here, however, we come to the nub. Was Equifax really trying to pull a fast one? After getting spanked on Twitter and Facebook, taking its lumps in the tech press, and being threatened by New York Attorney General Eric Schneiderman, the company added some hastily drafted language to its frequently asked questions page, insisting that the ban on lawsuits does not apply to what it cagily called “the cybersecurity incident.”
That might have been the end of the matter, if anyone actually believed that FAQs were legally binding, or if a subsequent change in the FAQs could affect the status of consumers who had already clicked “I agree” before the new language showed up. So the effect of the clarification was to sow more confusion.
In the showdown between a big company and social media, the big company blinked.
But was Equifax really guilty of what its critics claimed? I’m not sure that the company was guilty of anything except more sloppiness. From the time the site went up, consumers have been able to check whether their information has been “impacted” (as the site puts it) without clicking an “I agree” box. [3] The controversial terms of service apply only after a consumer chooses to enroll in the one-year free credit monitoring service that Equifax is providing. [4] This isn’t a change Equifax made in response to the furor; this is how the site originally functioned.
Still, plenty of ambiguity lingered. One could read the terms of service to say, in effect, “You don’t have to agree not to sue over our loss of your data in order to find out whether your data was lost. But if you sign up for the free services we’re offering, you give up your right to sue not only if we mess up in monitoring your credit but also over our original loss of your data.” That’s not the most natural reading of the language, but it’s plausible. So maybe there was a problem after all. Although courts usually resolve contract ambiguities against the party who drafted the language, you never know what a particular judge will do. That’s why it’s good for everybody that the company has backed down.
But what a series of missteps! Maybe the anti-lawsuit language was indeed an effort by Equifax to pull a fast one; maybe it was the byproduct of unthinking reproduction of boilerplate from elsewhere. Either way, the company was let down badly by both its lawyers and its corporate communications staff. Which leads us to the final lesson from the whole mess: If you’re going to wait months to confess what you’ve allowed to happen, spend a big chunk of that time working out the tiniest details of the fix. Long before social media existed, the demons were in the details. And it’s those demons that will come back and bite you in the end.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
[1] But see the response by the vendor.
[2] The Equifax website where consumers can check whether their data has been compromised is, let us say, less than perfect. (I had to visit three times before the site would tell me whether my data was at risk.)
[3] As an identifier, the site asks for the last six digits of the consumer’s Social Security number. This unusual requirement strongly implies that the usual four-digit identifier has been compromised. If true, this might require financial sites across the Web to begin asking for six digits rather than four, just to be sure of the user’s identity.
[4] Let’s skip over the absurdity of limiting the free service to one year. (Social Security numbers and birth dates do not change, so the hackers need only wait and sell later.)