
The massive security and data breach at Equifax has brought to light the need to make sure that your company adopts internal processes that prevent breaches and ensure that any breach that does occur is discovered promptly.  If you host data on your own servers, this means undergoing regular Service Organization Control (SOC) audits or similar audits (for data security controls, the relevant report is a SOC 2 Type II, which covers the operating effectiveness of controls over a period of time rather than at a single point).  If you store your data in third-party data centers, you should require that the provider undergo regular SOC audits and furnish the reports to you.  You should also consider implementing a defined reporting time frame for informing customers when a security or data breach is discovered, among other measures.


This breach also brought to the forefront a clause that is almost always present in terms of use: the binding and mandatory arbitration clause and waiver of class action.  While Equifax offers an "opt-out" provision from its binding and mandatory arbitration clause, its credit monitoring service TrustedID does not offer an "opt-out" provision for arbitration and includes a class action waiver, which further adds to the confusion.  It also appears that TrustedID updated its terms of use on September 6, 2017, and the news of the breach broke on September 7, 2017.


After pressure from consumer advocates and New York's Attorney General, Equifax initially tweeted and added new lines to its FAQ section stating that the arbitration clause and class action waiver included in the TrustedID Premier terms of use applied only to the free credit file monitoring and identity theft protection products, and not to the cybersecurity incident.  However, that approach did not alleviate the confusion, because the last paragraph of the TrustedID terms of use states that "This Agreement constitutes the entire agreement between You and Us regarding the Products and information contained on or acquired through this website or provided by Us…"  More recently, Equifax updated its website www.equifaxsecurity2017.com with "A Progress Update for Consumers" dated September 11, 2017, in which Equifax noted that it has now updated the terms of use on www.equifaxsecurity2017.com to remove any language pertaining to waiver of rights to take legal action.  Further, the notice also clarified that the terms of use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident.


Therefore, it is important not only to have internal security processes with strict auditing and reporting requirements, but also to have carefully drafted "opt-out" provisions for any arbitration clause, because the terms of use are often the only contract you will ever enter into with your customers, and any ambiguity about which products or incidents they cover will be read against you in the middle of an incident response.


We are keeping a close eye on this and on developments concerning the Consumer Financial Protection Bureau's rule regarding mandatory arbitration clauses and class action waivers.