Some people are concerned that by enrolling in the TrustedID Premier credit monitoring service offered by Equifax following the Big Breach, they will be waiving their right to recover from Equifax in the event of a class action. I thought I'd share my thoughts on that issue.
(By way of background, as described in my earlier post, when Equifax announced yesterday that the personal information of 143 million Americans was potentially exposed in a massive data security breach, it began offering individuals the option to enroll, free of charge, in TrustedID Premier, a credit monitoring and ID theft response service.)
The TrustedID Premier terms do include an arbitration provision that purports to (and likely does) waive a consumer's right to sue or participate in a class action.
The terms relate to "TrustedID, Inc." and its "Products," however, and not to Equifax and the Big Breach. Furthermore, the waiver is not prominently disclosed to consumers when they enroll through the Equifax breach response website (www.equifaxsecurity2017.com).
In sum, I just don't think that consumers should be concerned about being unable to participate in a class action lawsuit against Equifax if they enroll in the TrustedID Premier service.
On the other hand, if TrustedID Premier is breached or otherwise botches the remediation services, consumers will be precluded from bringing a class action against TrustedID, Inc.
[Update: Equifax has revised its FAQ to specifically address this issue. The explanation is consistent with my early analysis.]
Friday, September 8, 2017
The Morning After: What You Can Do To Protect Yourself After The Equifax Breach
You've probably heard that Equifax revealed yesterday that it was the subject of a data security breach that resulted in the exposure of 143 million Americans--almost half the population. It is likely the largest data security breach in U.S. history. The information exposed included names, social security numbers, addresses, credit card numbers, drivers license numbers, and sensitive documents. In other words, this is very, very bad news.
If you're an American (or live in the U.S.), this is a step-by-step guide for protecting your own identity:
1. First, take advantage of the opportunity to ask Equifax whether your information was exposed.
Equifax has set up a website for consumers to inquire whether their personal information was among the exposed data. Go to www.equifaxsecurity2017.com and enter your last name and the final six digits of your social security number.
Next, click on "Potential Impact" at the bottom left side of the screen. A new page will open.
Click on "Check Potential Impact" at the bottom left side of this page as well.
If you're lucky (like me), you'll see the following screen:
If your information was potentially exposed, you'll be notified of that instead. (Please accept my condolences!)
2. Enroll in free credit monitoring.
When you complete the step described above, Equifax offers to enroll you in a credit monitoring and identity theft protection program called TrustedID Premier. You can enroll with a single click.
Equifax says that TrustedID Premier includes credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; a type of identity theft insurance; and Internet scanning for Social Security numbers – free for one year.
If you have additional questions, you can call Equifax at 866-447-7559 between 7:00 a.m. and 1:00 a.m. Eastern time.
(Note that if you sign up for the TrustedID Premier service, you will be bound by a mandatory arbitration provision and will be unable to joiny any class action lawsuit against TrustedID, Inc., but you will not be excluded if there is a class action lawsuit against Equifax. If you are concerned about the ability to join a class action against Equifax, you can send an opt-out notice to Equifax within 30 days.
(Note that if you sign up for the TrustedID Premier service, you will be bound by a mandatory arbitration provision and will be unable to joiny any class action lawsuit against TrustedID, Inc., but you will not be excluded if there is a class action lawsuit against Equifax. If you are concerned about the ability to join a class action against Equifax, you can send an opt-out notice to Equifax within 30 days.
3. Check for ID Theft.
Because the Equifax breach occurred beginning in May, your identity may already have been assumed by a nefarious character. You should check you credit report immediately for unfamiliar credit accounts. Although Equifax will give you a free Equifax credit report, I suggest you obtain your report from Experian and TransUnion (the other two major credit reporting bureaus) as well. You can do that by phone or online:
- Experian - 1-888-397-3742, www.experian.com
- TransUnion - 1-800-680-7289, www.transunion.com
You could also use this form if you prefer pen-and-ink.
5. If you are the victim of identity theft, submit an affidavit to the Federal Trade Commission.
4. If you find evidence of fraud, put a fraud alert on your credit report.
If you see any fraudulent credit accounts on your report, you can call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report. (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert. There will be no cost. The purpose of a fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed. You can contact the credit reporting agencies at the following:
- Equifax - 1-800-525-6285, www.equifax.com
- Experian - 1-888-397-3742, www.experian.com
- TransUnion - 1-800-680-7289, www.transunion.com
5. If you are the victim of identity theft, submit an affidavit to the Federal Trade Commission.
Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can. Next, you need to put this information into the form of an affidavit (a sworn written statement). The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/. When finished, submit the affidavit to the FTC through the website. Print or save a copy for your records. (Alternatively, you can use this form.)
Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years. When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.
6. File a Police Report.
If you are a victim of ID theft, after you complete the FTC affidavit, you should call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both. In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule). File a police report. (Either they will send an officer to you, or will ask you to come to the station.) Give the officer a copy of your FTC Identity Theft Affidavit. Ask to be given a copy of the police report once it's ready.
Sadly, some local law enforcement agencies are reluctant to take reports on ID theft. You can give the agency a copy of the FTC's official memo for local law enforcement agencies, a copy of which is available here.
7. File an FTC ID Theft Report.
Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from attempting to collect debts from you that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).
Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see below). In either case, you should notify all three of the credit reporting agencies.
8. Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze.
Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze.
Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years. When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.
North Carolina residents (and residents of certain other states) are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently. (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.) If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes. Putting a credit freeze on your credit file does not affect your credit score.
The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law. Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above).
So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity. My general preference is the freeze, because it gives you the most control.
9. Review Your Credit Reports and Dispute Errors.
You will have already reviewed your credit reports for unauthorized accounts. Review them on an ongoing basis. If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.
The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.
\
\
10. Contact Any Businesses Involved.
If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed. Also ask them to stop reporting information relating to the fraud to credit reporting agencies. As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization. Here is a sample.
11. Stop Debt Collectors from Contacting You about Fraudulent Debts.
If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.
12. Additional Tips:
- Remember to record the dates you made calls or sent letters.
- Keep copies of all correspondence in your files.
- A number of sample letters are available here.
I hope you find this helpful.
Please feel free to share it with your family, friends, and colleagues.
I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website. This post is for general information only, and is not legal advice. No attorney-client relationship is created by this blog post.
Subscribe to:
Posts (Atom)