Equifax data hack: What are your legal options?

Can you sue Equifax? We look at that question, as well as what the government is doing and what you should do if you're one of the 143 million affected.

Nearly half the US woke up Friday to find out their Social Security number might have been stolen, thanks to hackers who breached the database of a top credit monitoring service.

Equifax is one of three major credit monitoring companies, which victims of data breaches typically turn to for protection. Now, a breach at the company has exposed the Social Security numbers, names, addresses and birth dates of up to 143 million people in the US alone. Folks in Canada and the UK have also been affected.

About 209,000 people had their credit card information stolen as well. The Federal Trade Commission has advised people to monitor their accounts closely, and to place a fraud alert on all their files. The massive number of victims has prompted a lot of questions.

Equifax has provided a tool for people to find out if they're affected, but its usefulness has been questionable, with the company telling people who've entered fake names that they were hit by the breach. Equifax is also offering potential victims free credit monitoring and identity theft protection, but the terms of use for that program have caused confusion.

Don't fret though. We'll look at the legal situation below. And in CNET's How To section, you'll find a general guide for those who think they might've been nailed by the breach.

Can I sue Equifax?

Yes, either as part of a class action lawsuit or on your own. 

There was some question about this due to certain language in the terms of use for Equifax's TrustedID Premier program, which offers a year of free credit monitoring as a result of the hack. The terms of use suggested that if you signed up for TrustedID, you'd give up the right to sue Equifax over the breach in a class action (though you could still sue as an individual in a small claims court).

It looked even more suspicious that the terms were changed on Wednesday, a day before the revelation of the hack. 

But Equifax updated its Frequently Asked Questions on Friday afternoon and noted that the terms of use don't apply to the breach. 

On its website, Equifax added a statement saying the "arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident."

Even before that confirmation, it seemed unlikely Equifax would use the clause to protect itself from lawsuits. Tom Rohback, an attorney who focuses on data breach litigation, read through TrustedID Premier's terms of use and said you would've still been able to sue Equifax, despite agreeing to the TrustedID arbitration clause.

That's because TrustedID Premier, while owned by Equifax, is a separate entity from its parent company, Rohback said, and the TrustedID terms of use serve to protect only the subsidiary company.

Equifax has its own terms of use, with an arbitration clause designed to protect the entire company. TrustedID Premier protects only itself, he noted.

"This agreement would only cover breaches committed by TrustedID, in its future monitoring," Rohback said.

Peter Vogel, an attorney who also works for the American Arbitration Association, suggested the clause wouldn't have stood up in court anyway. That's because the terms of use page doesn't require users to agree by hitting a button.

"The courts generally require that there be a click agreement," Vogel said. There isn't a click agreement on the TrustedID terms of use page. "You could make an argument that the arbitration provisions [wouldn't] apply."

Even the arbitration clause in Equifax's own terms of use can be avoided. The fine print says you can opt out. You simply need to send a letter within 30 days that includes your name, address and Equifax user ID, along with a statement that you "do not wish to resolve disputes with Equifax through arbitration."

This still sounds suspicious

It should. In July, the Consumer Financial Protection Bureau decided to ban companies from using arbitration clauses, pointing out that such clauses have prevented massive numbers of people from taking legal action.

New York's attorney general, Eric Schneiderman, on Friday wrote in a tweet that the arbitration clause was "unenforceable" and that his staff had demanded Equifax remove it. 

Is anyone suing Equifax yet?

Actually, two lawsuits seeking class action status have been filed so far.

Michael Fuller is representing two Oregon residents who filed a suit Thursday, claiming Equifax failed to adequately protect the personal information of 143 million people. You can join the case by signing up on www.equifaxcase.com. The plaintiffs are seeking $70 billion in damages from Equifax over the breach.

Despite the massive payout, if successful, each victim would receive only $489, and that's before legal fees. That's how much your Social Security number, name, address and birthdate would be worth.

Still, "It could be the largest class action lawsuit ever filed," Fuller said. "It involves almost half the country." 

Fuller has gotten so many calls about the lawsuit that he began redirecting people to their local attorney general's office.

Meanwhile, in Equifax's home state of Georgia, two plaintiffs have filed another suit against the company. The lawsuit alleges Equifax could have prevented the data breach, and that it failed to notify victims in a timely manner.

The plaintiffs are being represented by John Yanchunis, the lead counsel representing victims affected by the record-breaking breach of Yahoo. Yanchunis has also represented victims of breaches involving Target and Home Depot.  

"Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems," Yanchunis said in a statement.

Is the US government doing anything about this?

On Friday morning, Democratic Rep. Ted Lieu of California sent a letter to the House Judiciary Committee chair asking the committee to investigate the breach and why it took more than six weeks for Equifax to go public with the announcement. 

Lieu is requesting that Congress call representatives from Equifax, TransUnion and Experian, the "big three" credit monitoring agencies, to testify on Capitol Hill about the breach and about how they protect their computer systems.

Democratic Sen. Mark Warner of Virginia, the vice chair of the Senate Intelligence Committee, criticized Equifax over its "profoundly troubling" breach and suggested new data protection policies for Congress to pass.

Equifax is also working with the FBI on the investigation.

In New York, the state attorney general's office announced a formal investigation into the Equifax breach.

Three Equifax executives, including its chief financial officer, sold shares in the company just three days after the breach was first discovered. The Securities and Exchange Commission didn't comment on whether it was investigating insider trading.

First published Sept. 8, 11:26 a.m. PT.
Update, 12:45 p.m. PT: Recasts story in light of Equifax's updated FAQ.
Update, 2:32 p.m. PT: Changes made throughout for clarity and readability.
