The grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers.  I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank!  And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs:

Arbitration clause with no class

Terms of Use for Equifax’s proffered credit monitoring service TrustedID Premier originally contained an arbitration clause that, if enforceable, could preclude consumers registering for the credit monitoring service from participating in the inevitable class action litigation against Equifax.  Public pushback was immediate, bolstered by pointed (tweeted) questions to Equifax by New York Attorney General Eric Schneiderman. Equifax reacted quickly, stating the following by Friday evening 9/8/2017: “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

And by Monday 9/11/2017, Equifax was in full retreat, removing the arbitration clause from the TrustedID Premier Terms of Use and adding the following to its breach response website’s Consumer FAQs: “To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

Take the money and run?

Bloomberg reported on 9/7/2017 that regulatory filings indicate three Equifax executives made unscheduled sales of over $1.8 million in company stock and options on 8/1 and 8/2/2017  – a few days after Equifax says it discovered the breach (7/31/2017), yet more than a month before the public announcement.  A company spokesperson promptly countered that the three insiders “had no knowledge that an intrusion had occurred at the time.”  Co-chairs of the Senate Finance Committee are now pointedly asking Equifax to explain the nature and timing of these sales.

It’s to be expected that Equifax will be under a high-power microscope for its breach response.  This was indeed an epic breach, both in scale (4 in 10 American consumers) and scope (the perfect do-it-yourself identity theft kit).  More significantly, unlike our relationships with our retailers, banks, and health systems, folks don’t feel they have a relationship of choice with credit bureaus (we’re the product, not the customer).  And our feelings about them are clouded by our ambivalence, or frustration, with our credit generally – nearly a third of Americans are dissatisfied with their credit score, and 28 percent doubt that their current score can help them reach their goals.

From the perspective of affected individuals, there are more options than those offered to date by Equifax.  You can request and review your credit report for free, once per year (every four months if you alternate between Equifax, Experian, and TransUnion).  You can also put a fraud alert on your credit files, which is less drastic than a credit freeze.  Diligent review of bank and credit card statements is always prudent, and anytime one’s Social Security number is at risk, filing tax returns early is a good move.  And if you want to do more to lock things down, consider the credit freeze option.

Looking at this from the perspective of organizational breach response is different.  By analogy, it’s one thing to be a Houston or Jacksonville homeowner reacting to a natural disaster, but another thing entirely to be a mayor, governor, or disaster response official who’s accountable for both disaster preparedness and effective response and recovery.  So, how is Equifax doing from that perspective?  It looks a bit wobbly out of the blocks, yet Equifax is showing some nimbleness by promptly responding to complaints about website functionality, tripling its call center staff, and rapidly changing course on its irritating arbitration clause.

At this early point, the stock sales by executives are the wildcard.  If the allegations prove true, it will indeed be a hot mess.