Equifax Bungles Details Over and Over Again

Here’s a word of advice for companies in trouble: Don’t make the public any angrier than necessary. That’s the mistake Equifax repeated several times over in its careless handling of its careless loss of detailed identifying data on 143 million consumers, a breach widely described as the worst in history. The company made a number of missteps, such as taking months to make the break-in public and, apparently, running web server software with a known vulnerability.

But the biggest question since the news broke has involved whether Equifax was trying to pull a fast one: Were worried consumers being forced to surrender their right to sue before they could find out if they were among the victims of the hack, or was that an urban myth? I’ve been teaching contract law for a quarter of a century, and I’m not entirely sure.

The issue arose after some people actually read the boilerplate on the special site Equifax set up so that worried consumers could find out whether their data was in the wind. The readers discovered — or at least thought they discovered — that consumers who clicked on “I agree” were giving up their right to sue the company over the hack, and consenting to arbitration instead. Social media erupted in fury.

Unlike most contracts professors, I am no great enemy of arbitration clauses, and I consider the Consumer Financial Protection Bureau’s jeremiad against them to be ill-conceived. I also have no particular problem with what are sometimes derided as “adhesive contracts,” where consumers are asked to consent to a bunch of boilerplate they rarely read. (In short words, such contracts solve serious agency problems and lower transaction costs, enabling the consumer economy to function more cheaply.) But I have a big problem with a company trying to sneak things past panicked consumers, particularly when the panic is caused by the company’s own malfeasance. Sometimes an example has to be made.

Here, however, we come to the nub. Was Equifax really trying to pull a fast one? After … taking its lumps in the tech press, and being threatened by New York Attorney General Eric Schneiderman, the company added some hastily drafted language to its frequently asked questions page, insisting that the ban on lawsuits does not apply to what it cagily called “the cybersecurity incident.”

That might have been the end of the matter, if anyone actually believed that FAQs were legally binding, or if a subsequent change in the FAQs could affect the status of consumers who had already clicked “I agree” before the new language showed up. So the effect of the clarification was to sow more confusion.

Over the weekend, Equifax issued a series of written statements in an effort to assure the world that “enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.” The company went on to clarify its clarification: “We will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.” Backed into a corner, Equifax finally removed the language about arbitration from the terms of use on the site.

In the showdown between a big company and social media, the big company blinked.

But was Equifax really guilty of what its critics claimed? I’m not sure that the company was guilty of anything except more sloppiness. From the time the site went up, consumers have been able to check whether their information has been “impacted” (as the site puts it) without clicking an “I agree” box. The controversial terms of service apply only after a consumer chooses to enroll in the one-year free credit monitoring service that Equifax is providing. This isn’t a change Equifax made in response to the furor; this is how the site originally functioned.

Still, plenty of ambiguity lingered. One could read the terms of service to say, in effect, “You don’t have to agree not to sue over our loss of your data in order to find out whether your data was lost. But if you sign up for the free services we’re offering, you give up your right to sue not only if we mess up in monitoring your credit but also over our original loss of your data.” That’s not the most natural reading of the language, but it’s plausible. So maybe there was a problem after all. Although courts usually resolve contract ambiguities against the party who drafted the language, you never know what a particular judge will do. That’s why it’s good for everybody that the company has backed down.

But what a series of missteps! Maybe the anti-lawsuit language was indeed an effort by Equifax to pull a fast one; maybe it was the byproduct of unthinking reproduction of boilerplate from elsewhere. Either way, the company was let down badly by both its lawyers and its corporate communications staff. Which leads us to the final lesson from the whole mess: If you’re going to wait months to confess what you’ve allowed to happen, spend a big chunk of that time working out the tiniest details of the fix. Long before social media existed, the demons were in the details. And it’s those demons that will come back and bite you in the end.

Carter is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall.