[dupe] Equifax terms of service may include binding arbitration clause (twitter.com/zackwhittaker)
257 points by robteix on Sept 8, 2017 | 108 comments



Law professor here.

1. This contract does appear to apply to the data breach check site run by Equifax. To be specific, the contract at http://www.equifax.com/terms/ describes its scope of coverage as "ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES" which would appear to include https://www.equifaxsecurity2017.com (which links those terms).

2. Arbitration clauses are very bad in cases like this, because by far the most effective technique for forcing companies to compensate people and deterring similar problems in the future is the class action, and this arbitration clause, like so many others, includes a waiver of class actions. Class actions are important because litigation is really expensive and class actions are the only generally applicable way to aggregate enough small claims to make them financially viable. (They're the way we keep corporations from stealing five dollars from everyone in America.)

3. As someone down-thread correctly noted, arbitration clauses are also extremely enforceable. The short version is that the Federal Arbitration Act puts a very big thumb on the scale in favor of the enforceability of even really oppressive arbitration clauses, and the Supreme Court has added a couple of thumbs of its own.

4. I can't tell whether Equifax meant to do this. The cynical interpretation is that some evil person decided "ok, there's going to be a panic and everyone is going to go to our website to check if their data is breached, so let's sneak in a way to get all these people out of class actions." The less cynical interpretation is "someone threw up a website, and the standard procedure within the company for throwing up a website is to include a link to these boilerplate terms of service." No way from the outside to tell which of these stories is true, and I'm not sure it really matters.

5. There are arguments that a sharp lawyer could make to try to convince a court that this clause is unenforceable. I'm happy to go into them if people want, but, offhand, I would much rather not have agreed to such a contract than have to try to convince a court to bounce it.

6. Yes, there is an opt-out. The opt-out is only useful for people who have actually read and understood the contract, which even with the press coverage is likely to be a vanishingly tiny percentage of the people who have inadvertently "agreed" to it. So it doesn't make it meaningfully less evil.

7. If you want to learn more about this kind of issue, I recommend Boilerplate by Margaret Radin. http://press.princeton.edu/titles/9837.html She does a great job of explaining why this kind of thing is a complete disaster and also bears no relationship to our traditional conception of what a contract is or should be.

Editing to add:

8. I guess I'll add really briefly that the key argument that this clause doesn't even apply would be that the contract distinguishes between "product terms of use" and "site terms of use," and that arguably the arbitration clause only applies to the purchase of products and registration. If checking breach status doesn't count as purchasing a product, maybe that part (with the arbitration clause) doesn't apply on the terms of the contract itself. HOWEVER, registering for some kind of identity protection service as a result of having checked breach status probably does, so that's cold comfort to a lot of people who might use the site. I'll have to parse the contract more slowly and carefully before having any confidence in much more along these lines.

(Standard warning: nothing here is individual legal advice, contact an attorney in your jurisdiction before deciding whether you'll use this site, I'm just speaking about the overall interpretation of this contract and what we should think of it as citizens.)


Awesome answer - thank you. Forced arbitration is a pet issue of mine and one that, like, no one else seems to ever care about (except in really rare cases where it touches on some other nerve like food safety: http://www.latimes.com/business/la-fi-mo-general-mills-legal... ) so since we got a real law professor here, I'd like to ask a couple questions:

1. Is there any legal reason any more for a corporation not to include forced arbitration in its contracts? Like any hidden downside? "Get out of class action free" card seems like a no-brainer.

2. Is there anything special you do in your day-to-day life to deal with forced arbitration issues? Avoid certain businesses, etc.? Have you ever actually tried to send one of those "opt-out" things and how did it go?


Happy to chat about this stuff.

1. Honestly, I can't think of any downside, not in consumer contracts (as opposed to b2b) anyway. I guess there are some cases where particularly favorable courts might be preferable from the corporation's point of view (there's a court in Texas that gets tons of patent suits for that reason, also there are some states that are good for corporations --- Virginia has no class actions, for example). That's about it.

2. I personally haven't. (Though, a long long time ago, I did kick enough of a stink about an arbitration clause in a car loan contract that the dealership put some money on the table to make me stop.) The thing is, most of the time, for most consumers, it doesn't really matter--the probability that I'm likely to get harmed by some transaction enough to want to be part of a class action is so small, that it's probably rational for me on a day to day basis to just accept them. It's collectively that they're a problem, because they seriously damage one of the main ways that the legal system has to hold corporate misconduct accountable. So we really need a collective solution, rather than just individual avoidance. (Obviously, the exception being in cases like this Equifax thing where we know that litigation is on the immediate horizon.)

I've actually thought for a while about some solutions that people in the tech world might be able to work on. One idea that I just finished sketching out for print (will be in the University of Toronto Law Journal sooner or later) would be to build a kind of coordinated contract negotiation platform, where people could commit to saying "hey evilCorp, if a million other people also agree to this, we'll all collectively cancel our accounts unless you get rid of evil terms X, Y, and Z." This would resolve some of the collective action problems with it being individually rational to accept these terms usually but collectively disastrous. If, that is, people would use it...


> The less cynical interpretation is "someone threw up a website, and the standard procedure within the company for throwing up a website is to include a link to these boilerplate terms of service."

As somebody who has been building websites for a living and worked with corporate clients, this is about 99% likely to be true IMHO. Unless they run an extremely efficient legal department with lawyer equivalents of Superman working there, it just doesn't happen that new and specifically case-targeted TOS appears that fast, especially in a large corporation environment. "Just toss a standard link there, nobody reads it anyway", OTOH, happens all the time.


This is straight-up nonsense. You can't just put any clause you want into a contract and expect it to be enforceable. This is also a major concern for startups. You need to always make it possible for clients to opt-out and to understand your terms. The less you tell the customers what they're committing to-- the less likely any judge will care what legal terms you choose.

Don't assume a contract actually means what it says when it comes to enforcement. Seek legal advice.


>> The less you tell the customers what they're committing to-- the less likely any judge will care what legal terms you choose.

I've seen more than one case where the judge blamed the plaintiff, saying that the onus is on them to read the TOS BEFORE agreeing to anything. In the end, it just depends on what kind of a judge you get.

https://www.eff.org/wp/clicks-bind-ways-users-agree-online-t...

However, courts generally do not require that you actually have read the terms, but just that you had reasonable notice and an opportunity to read them.

In other words, it’s not merely clicking the “I Agree” button that creates the legal contract. The issue turns on reasonable notice and opportunity to review—whether the placement of the terms and click-button afforded the user a reasonable opportunity to find and read the terms without much effort.


Yeah, I see a class action lawsuit coming for their contract that disallows you from joining a class action lawsuit.


So if someone purchases my stolen social security number and my last name, both leaked/stolen and enters it into their site to see if it was a good ID, it would waive my rights?


Could be an odd 'public service' for people with the list/similar lists to write a bot that signs EVERYONE in their database up and publishes evidence of doing so, to invalidate their argument that any particular user signed up.


No


I'd say this is non-enforceable. They're trying to make it impossible to sue them, including withholding the information that would show proof of our standing to sue them in the first place.


New York State Attorney General agrees with you:

https://twitter.com/AGSchneiderman/status/906195350532304896


The Supreme Court disagrees with the NY AG. Who do you think wins?

http://thehill.com/regulation/court-battles/333417-supreme-c...


Is it your opinion as the Supreme Court that the facts are the same and thus the Equifax case can't be heard?


My opinion is that forced arbitration sucks and the FAA should be restored to its original intention: A tool for large corporations on equal footing to do business with each other: not a tool to be used against individual consumers to provide impunity for damages inflicted on customers.

What the Supreme Court, unfortunately, has decided the "fact" is that you are correct - If you were covered in the forced arbitration clause, you would forfeit your right to civil action against Equifax in exchange for having your case heard by an "Arbitrator" that Equifax chooses. Have fun with that.


Nope. Check the Supreme Court. Forced Arbitration is the law of the land, like it or not.

Here's some help: http://thehill.com/regulation/court-battles/333417-supreme-c...


I have absolutely no idea what I just read. Can you dumb it down for me please? Why would this ruling have any bearing on what we're talking about?

Nobody is signing anything on your behalf with power-of-attorney. Does this ruling say that I or my agent can relinquish my rights in a contract, that does not actually come out and say that I am relinquishing my rights?

I'm sure that's not what it says, but that's approximately what I'm able to tease out of the words in that link you posted. That sounds like absolute nonsense, so please explain precisely what this is supposed to mean if you will be so kind.


In 1925 the Federal Arbitration Act was passed. https://en.wikipedia.org/wiki/Federal_Arbitration_Act The intention of the FAA was to provide a way to streamline legal/business relationships between two corporations and it was largely used that way until...

The Supreme Court said "Other laws don't matter - if there is an arbitration clause you have to go through that: No Court For You regardless of how you were injured." ( https://en.wikipedia.org/wiki/Southland_Corp._v._Keating )

And then they were all like "Even if the law explicitly says you can take the party that harmed you to court, you can't": ( https://en.wikipedia.org/wiki/Preston_v._Ferrer )

And then in 2011 they went absolutely bonkers and were like "OK, listen guys. Before this was just between businesses... but now a business can use it against people." ( https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc... )

and then all hell broke loose and now every company tries to use them for everything.

The link provided was just the most recent example of the SC expanding the power of the FAA.


Huh. So if I never had any direct relationship with Equifax, I am probably still able to sue them, but if I ever checked my credit report, I probably agreed to some bullshit arbitration clause that was buried in fine print, and now I'm SOL forever in perpetuity.

Thanks! That kind of makes sense. In a very Machiavellian kind of way.


> Machiavellian

Emphasis on unscrupulous...


Right. It doesn't make any sense. Can they really prove it was you or that it wasn't you that did the search or lookup?


You had to enter your last name and last 6 digits of your SSN. So there's a high likelihood that it would be you.

On the other hand, you might be able to make a case that since they leaked your information, they couldn't prove it was you anyway.


I wouldn't say "might be able to make a case." I think you've just made the case right there. The company has proven their inability to determine whether or not you are who you say you are, by their own admission that your personal information was lifted from their servers.

I don't know who's signing up for these "free" identity protection services anyway. This company has failed to protect the personal information of roughly half the population of the entirety of US. (I understand they are not limited to US, but those are the numbers.)

They do not need to be "protecting" anybody after that. They should be tarred and feathered for putting up these websites after what they've done, and whatever lawyer advised them to sneak in a provision against class action lawsuit should be immediately disbarred, in my not so humble opinion.

How many digits of my SSN do I need to enter into this five-day-old website that provides me with no clue what they're going to do next, in order to see if I need any further "protection" from this group with which I have no direct relationship, and whom I've never done business with, but that has diligently kept records on me for my entire adult life?


> You had to enter your last name and last 6 digits of your SSN. So there's a high likelihood that it would be you.

You mean right after the database containing full list of SSNs and last names of virtually every person in the US has been stolen? Of course, there's nobody around that could guess this information. And of course, there's no way to enumerate most common last names and the huge amount of 6 digits... It probably would take literally a million milliseconds!


> You had to enter your last name and last 6 digits of your SSN. So there's a high likelihood that it would be you.

Except for that Equifax has all that data. So what's to stop them from just using their own data to prevent anyone else from suing them? (Or to prevent the people who stole the data from doing this for whatever reason.)


Except for the fact that your data was leaked by Equifax, so everyone can have it now.


Is it just whether you put in your info to see if you were affected, or is it when you sign up for their credit checking service?

https://www.equifaxsecurity2017.com/frequently-asked-questio...

> The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident

Seems to me that just filling out that form does not waive your rights to participate in the class action suit. It also even sounds like using their free product has no impact on your ability to participate in any class action suit.


They wouldn't be stupid enough to try and make this the test case- the giant test case- for TOS. On that basis and the FAQ, I doubt they're trying to lock people into arbitration that way. I hope that they know, or at least suspect, that it wouldn't work if they did.


I honestly don't care if I get a share of the class action as long as the damages are enough to destroy Equifax as a company.


Given Equifax is locking access to whether you're a victim behind an agreement that forfeits civil rights to act on that information, this looks like a textbook unconscionable contract.


You find out whether you're affected before you enroll. You enter your info, get a result that says "no/maybe/you should enroll right away" and then it shows the button to actually enroll in their service. Until you actually enroll you haven't agreed to the arbitration clause.


Somebody should open a second lawsuit about this. A hack is one thing, but a deliberately evil reaction to it should spell the end of the line for the company.


Here's my strategy: I'll sign on to the class action suit and see if I get excluded from it because my data wasn't stolen.


So, you can't find out if your information was leaked if you want to join a Class Action lawsuit. But presumably won't be able to join unless you can attest that your information was leaked. Quite the catch-22.


....but philosophically... why would I put my information into a site that is already known to have a leak? Obviously I'm just checking to see if I was affected, but by checking, if someone is snooping, would validate that I'm actively concerned and possibly extortable. just sayin....


Lawyer here. In most countries, such terms would be set aside on the grounds of being unconscionable and against public policy. The consumers have no real bargaining power in the setting of the terms here and lack the sophistication necessary to understand that they are waiving their legal rights. If you are going to make someone waive their rights you need to get not merely their consent, but 'informed consent'. Additionally, it is the company's duty to inform people if their data was stolen and it can't make them agree to some self-serving terms before it does so.

Despite the SCOTUS ruling in AT&T Mobility LLC v. Concepcion, if this question is put before a US judge, there's a good chance that the contract won't be worth the paper it's printed on.


It may apply only if you enroll in their (toothless) remedy of free credit monitoring. It's not really clear this applies if you just check your data.


That's what I got from my read of this text, I can't figure out how someone else drew that conclusion.

I didn't enroll specifically because I assumed it might waive my rights. I didn't notice any such disclaimer on the am-i-impacted lookup.

If it really does apply to the lookup itself (or was intended to apply), then it's worth some outrage. If not, it's worth significantly less outrage.

EDIT: The authoritative-sounding @pabloishappy says, "I spoke with equifax rep named Marvin. He said enterining your last name and 6 ss#'s DOES NOT constitute enrollment. Yiu neednto complete1/"

EDIT2: per https://www.equifaxsecurity2017.com/frequently-asked-questio... "The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident."


I don't think this is true. Here's the link (from cnn.com): https://www.equifaxsecurity2017.com/potential-impact/

It says nothing about waiving your rights, etc. at all. There is the option to sign up for some of their services ("we will provide you the option to enroll in TrustedID Premier."), which I have read elsewhere include clauses waiving your rights to be part of a class action suit. But just checking this link has no waiving associated with it.


So TLDR - how can I find out if my data was stolen?


Assume that it was and act accordingly.


Ironically, since the data was leaked, how will they prove it was "you" that even checked?


What a bunch of crooks. Isn't it illegal to use such a term?


Nope. Forced arbitration is perfectly legal. It's what they did under the cover of "OMFG Lawyers are AWWWFUL! Spilled Coffee == Million dollar lawsuits!!! :(" panic. Forced arbitration has been held up by the Supreme Court on more than one occasion. Some fast food chains have clauses that say it applies when you walk through their doors. Bonus: The company that injured you gets to pick the "arbitrator"... which are usually selected because... they rule in favor of the corporation more.

Fascinating legal history behind it, actually: It was all based on a law from the early 1900s that was meant to apply only to two businesses in contracts with each other, but the Supreme Court allowed the creative interpretation that it could apply between companies and individuals... go figure.


Last Name: test

Last 6 Digits of Social Security Number: 123456

> Based on the information provided, we believe that your personal information may have been impacted by this incident.


"may have been" -- well, maybe. Much easier to design this site in a hurry if you don't actually have to look anything up.


Given that they are reporting 143 million US persons affected, which is pretty close to "every adult US person that has credit card, bank account, etc", I'd say if they made the script answer "yes" in any case, they didn't err much.


Here's hoping an insightful judge might interpret this as actually strengthening a claim of libel.

Making you waive your due process rights, in order to "learn" what "they are saying about you". Or, "writing", as it were -- thus the potential for "libel".

IANAL, but it seems perhaps an unreasonable barrier to "setting the record straight". One that they are attempting to force you to enter, simply to learn what they are saying about you.

The credit agencies have gone to a lot of effort, including a lot of lobbying and influencing lawmakers and regulators, to minimize the risk of libel suits. I can only hope that, with continuing over-reach like that in the OP, they are ultimately shooting themselves in the foot, in this regard.


I've already Tweeted at a Katie Lobosco of CNN Money and Maria LaManga of MarketWatch. They're pushing credit reporting products and the Equifax link in articles instructing people to take action. They're actually hurting way more people than they're helping. Anyone wanna help let them know with me? EDIT: And Chris Brook from Threat Post too??!?! I thought they would have done more homework than that.


I'd like to hear this from an actual attorney, not some "not a lawyer" dude's Twitter account.


New York Attorney General [0] says it's unenforceable. Something I'm surprised people didn't just assume given how ridiculous the clause seems.

[0] https://twitter.com/AGSchneiderman/status/906195350532304896


Not that I disagree with the NY AG, but I also think that his tweet was a bit knee-jerky and premature prior to his actual reading of the agreement in context (the tweet was posted minutes after Ars posted a story). He will probably stick to this, as well as pointing out that the agreement never said that to begin with, but I think it's a bit early for the entire Internet to be passing this around like it's truth.


I'm pretty sure the fact THEY potentially lost my data, that won't hold up in court. Many people are rushing to figure out if they're included in the breach.


How can they say I did that check and not the person with my data? Seems counter intuitive.


This seems to be a bunch of people on Twitter, led by a security researcher, reading legal documents and coming to conclusions which are being second guessed over the course of the thread.

Some keep quoting this line from the terms of service:

> YOU MUST ACCEPT THE TERMS OF THIS AGREEMENT, INCLUDING THE ARBITRATION AGREEMENT CONTAINED IN SECTION 4 BELOW, BEFORE YOU WILL BE PERMITTED TO REGISTER FOR AND PURCHASE ANY PRODUCT FROM THIS SITE. BY REGISTERING ON THIS SITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.

Whereas others have pointed to the Opt-Out:

> Right to Opt-Out of this Arbitration Provision. IF YOU DO NOT WISH TO BE BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF. Opting out of the arbitration provision will have no adverse effect on your relationship with Equifax or the delivery of Products to You by Equifax. In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). If You purchased Your Product other than on the Site, and thus this Agreement was mailed, emailed or otherwise delivered to You, then You must notify Equifax in writing within 30 days of the date that You receive this Agreement. To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration. If You have previously notified Equifax that You wish to opt-out of arbitration, You are not required to do so again. Any opt-out request postmarked after the opt-out deadline or that fails to satisfy the other requirements above will not be valid, and You must pursue your Claim in arbitration or small claims court.

Therefore, I'd take everything with a grain of salt and/or read the full terms for yourself:

http://www.equifax.com/terms/


If by "people on Twitter" you include the New York State Attorney General then yes.


The NY AG, like several other lawyers, pointed out that the contract term isn't enforceable. At the very least, it appears to be a contract of adhesion.

The AG is also pissed about the language, but that doesn't mean he's confirmed it's enforceable.



If by "New York State Attorney General" you mean Eric Schneiderman, or the guy jumping on every controversy to further his career, then yes.


Surely a credit bureau leaking private information on 140 million Americans (and probably millions of New Yorkers) deserves the AG's attention.


Yes I don't understand attacking one AG at the defense of one of the three main credit bureaus. One has an oversized market power and the other's a government official. One seeks profit and power at a scale few humans ever dream of and the other's one of 50 such officials.


To be fair an AG does have plenty of power, but it's the power primarily, of the office. That comes with all kinds of oversight and politics, while the Big Three are just... apes.


Have you been to Colorado? If Coffman is any guide, the AG's attention is for suing the people on behalf of large corporations.


Not saying it doesn't. I'm saying Eric Schneiderman, alone, is a douche.


You violated the site guidelines by taking this thread into just the sort of flamewar we're trying to avoid on HN. Would you please (re-)read them and not do this again?

https://news.ycombinator.com/newsguidelines.html


If you wish to take issue with the fact I called a political figure a douche, fine.

But I will not refrain from using such language in the future when I feel it's appropriate.

Although, if you want to declare I started what can hardly be described as a flame war just by stating an opinion, you should just delete my account now.

Seriously.


Do you know him personally? I'm a New Yorker and I'm pretty happy the AG is taking this seriously and communicating directly with his constituents.


> Do you know him personally?

That isn't a prerequisite for opposing someone due to their views or opinions, regardless if their actions regarding this incident are agreeable.

I'm sure if Trump takes up this cause against Equifax as well you're going to support him in that effort too. Correct?


There aren't really any prerequisites for not liking someone. I suggested one hypothetical reason, do you have actual reasons worth sharing here?


I'm not getting into a nitpick over his alliances to left-wing groups I strongly dislike or that he commonly tries to pull high ranking democrats further left than necessary, etc.


So you just wanted to attack him personally without having any obligation to back up your opinion? Do I understand correctly?


> So you just wanted to attack him personally without having any obligation to back up your opinion? Do I understand correctly?

Last time I checked, I posted useful information in this thread and only noted my opinion of Schneiderman after "josefresco" specifically named him in an attempt to divert the conversation. If I wanted to attack him specifically I would have picked a better forum than Hacker News where politically charged discourse is generally frowned upon. And moreover, I owe no one any further explanation of my opinion of Schneiderman; much less you in particular.

Do you understand correctly, now?


One of them seeks profit and power at a scale few humans ever dream of and the other is a business.


Yeah he's an elected official. That's what you mean?


Who is trying to leverage his lowly position into the governor's office or a senatorial seat.


Just like Equifax is trying to get out of screwing the public over as cheaply as possible. Don't pretend they are somehow victims or noble exemplars, or that you aren't just complaining about the status quo because it's politically expedient for you. If you haven't been arguing for structural reforms in how we select public officials then your objections don't really carry any weight.


I've continuously argued for structural reforms, so does my argument now carry great weight?


It might if I knew what structural reforms you had been advocating for. But that's the problem with launching ad hominem attacks- people wonder what motive you had to go for the cheap shot.


Top law enforcement official in a state with 20 million citizens.


Nowhere near the power or prestige of being a Governor or Senator in a state with 20 million citizens. Or a Mayor of a town with 9 Million citizens.

Rudy Giuliani, Andrew Cuomo, Eliot Spitzer, etc, etc.


Would you rather him not? Maybe you're pissed about his other interests?


His other interests, yes.


Thanks for posting that; depending on the site (if you go to equifaxsecurity2017 or trustedidpremier) you see different ToUs.

Equifax has the clause for opting out of arbitration, but Trusted ID Premier's Terms of Use doesn't have it. The enrollment site I've seen is owned by Trusted ID Premier, and it's arguably deceptive that Equifax structured the site as a bait-and-switch to see if their shitstorm exposed you.

Heck, they may have even planned a PR push around telling news outlets to refer readers to that site, omitting that using trustedidpremier.com means that you agree to a ToU that mentions only waiving the right to participate in class-action suits, but not how to opt-out.


>equifaxsecurity2017

It's so phishing-sounding that I want to believe it was chosen after a quick focus group with the "people who are most likely to become fraud victims" demographic.


I had to go check the certificate chain to make sure it was legit, and they're using an amazon-generated certificate that appears legitimate. Definitely looks fishy but I think they're just that bad at making trustworthy websites.


DV certs don't say anything about who owns the website. Just that the website is the URL you are trying to visit. Someone else could have registered the url and created the website, so checking the certificate chain doesn't prove anything.

EV certs on the other hand at least claim to verify who owns the website but even then I would be cautious.


Right, I was mostly looking to see if it was some dodgy cert provider - Amazon is on my mental list of questionable-but-not-obviously-scammy ones. EV certs, to me, just mean 'this cert is intended to secure company x's sites', not 'company x controls this site'. So an obvious on-page-text mismatch to the cert raises red flags, for example.
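The DV/EV distinction from the certificate sub-thread above, as an added Python illustration that is not part of any commenter's post: it checks the hostname against the SANs, reads the validation level from the subject fields, and compares the certified organization with the one the page text claims. The certificate dicts are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`; the domains, organization names, and the subject-field heuristic (a stand-in for checking certificate policy OIDs, which `getpeercert()` does not expose) are assumptions.

```python
# Added illustration. Sample certificates are constructed, not real ones.
# Attribute names follow OpenSSL long names as reported by getpeercert().

# Subject attributes that EV certificates carry in addition to organizationName.
EV_ONLY_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_attrs(cert):
    """Flatten the nested RDN tuples of cert['subject'] into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Heuristic: DV has no organization, EV adds registration attributes."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"
    if EV_ONLY_ATTRS <= attrs.keys():
        return "EV"
    return "OV"


def host_matches(cert, hostname):
    """Match hostname against DNS SANs; '*' covers one left-most label only."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".breach-check.example"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def assess(cert, hostname, expected_org):
    """Separate 'this is the host I asked for' from 'this org runs it'."""
    level = validation_level(cert)
    org = subject_attrs(cert).get("organizationName")
    org_ok = org is not None and expected_org.lower() in org.lower()
    return {
        "host_ok": host_matches(cert, hostname),
        "level": level,
        "certified_org": org,
        # A DV cert never says who operates the site, even with a valid chain.
        "owner_evidence": level != "DV" and org_ok,
    }


# Constructed sample: domain-validated cert, subject holds only a common name.
DV_SAMPLE = {
    "subject": ((("commonName", "www.breach-check.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.breach-check.example"),),
}

# Constructed sample: extended-validation cert with registration attributes.
EV_SAMPLE = {
    "subject": (
        (("jurisdictionCountryName", "US"),),
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Corp, Inc."),),
        (("commonName", "www.example-corp.example"),),
    ),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example-corp.example"),),
}

if __name__ == "__main__":
    print(assess(DV_SAMPLE, "www.breach-check.example", "Example Corp"))
    print(assess(EV_SAMPLE, "www.example-corp.example", "Example Corp"))
```
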


It sounds like copy/pasted boilerplate that may happen to be overreaching, rather than a conspiracy. Upon what do I base this? Not a legal argument, but a pragmatic one that it simply won't work to discharge them of liability in this case, because they'll be lucky if 5% of the affected people use this form to see if they were affected. (For instance, even before I heard about this legal stuff, I didn't even bother, because I'm just going to assume "yes".) I want to say they'll be lucky if 1% do, but the news story is pretty big.

But there's no way that anything like 100% of the affected people will, which is what it would take to even theoretically get them out of the class action lawsuit(s).

Arguing about the legal details seems pointless, this isn't going to get them out of this scrape even if it was 100% iron-clad and court tested, and I seriously doubt anyone at Equifax ever thought for a second this clause would be used that way.


You don't think Equifax have lawyers? Of course they do, and they know that the clause exists. Just having the clause in the first place is a conspiracy to abuse consumers.


What I mean is that I don't think anybody specifically was thinking "Aha! We can put this clause in there today, and we've got a free out! Hooray!", precisely because even if it did work as putatively designed, it wouldn't work, and they'd completely know it. It isn't even useful as a "throw the spaghetti against the wall and see what sticks" maneuver.

To believe that this clause is related to this matter is to require not merely mendacity (believable), not merely stupidity (believable), but an unbelievably precise combination of mendacity and stupidity that can only be read as constructing a rationalization for a pre-supposed conclusion.


> It sounds like copy/pasted boilerplate that may happen to be overreaching, rather than a conspiracy.

Probably, but people and companies should stop doing that. Equifax has the resources to pay lawyers to do things fairly if they want, they're just choosing not to.


How does one prove they wrote and satisfied the requirements within 30 days? I actually currently have a situation where my HOA claims I have violated covenants, but there's an architectural review committee one can write to for exceptions, and the covenants state that if no response is received within 100 days the exception is automatically approved. However the committee members have a habit of cancelling public meetings, ignoring emails, and their other employers are very good at deflecting attempts to contact them on committee business. I'm at their mercy to prove that I qualify for an exception. Same problem. In hindsight, best I could have done is prove I sent some mail to the right address on a certain date. That's it.


That's basically what you do—you send the correspondence via certified mail, and keep the certified mail receipt. That doesn't prove what you mailed, but it gives verification that you sent something. (You purchased something from Equifax on the 1st, sent them a certified letter on the 10th. You claim it was the arbitration opt-out; they had better have some evidence it wasn't, or the judge/jury is probably going to believe you.)

Honestly for this (the Equifax thing), you just keep record of when you sent it—it's only an issue if you litigate, and then I'd expect your record of when you sent it + your testimony would be sufficient. But IANAL, and you should of course talk to one if it matters.

For your HOA, hopefully you have some record of when you sent the request (e.g., you kept a copy of the ARC application with a note that you mailed it on $DATE). (Of course, the HOA should be maintaining records of when applications are received.) Depending on what it is, this is something that may be worth paying for legal advice on.


CertifiedMailLabels.com is what I use -- They send it certified mail, keep a copy of the letter (so there is no disputing what the contents of the letter are) and give you effectively indisputable proof of delivery -- they give you a proof of mailing that they sent the letter that is in .pdf form, and then they provide a .pdf receipt that is your return mail copy.

I've had to use it in the past for creditors who don't have a clue.


I had a similar issue with my bank dealing with an identity theft problem I had a while back.

Ultimately, I had to resort to sending them letters via certified mail.


You're right about the grain of salt, but offering an opt-out to shitty conditions that they know most people won't read about, that most people who read about won't act on, and will thus waive their legal rights, is an unconscionable condition.

Personally I think that lawyers ought not to draft agreements and contracts that are likely to be found unconscionable or wildly asymmetric as a matter of professional ethics. Adversarial legalism between private parties tends to yield crappy results for the public. I mean, if you've just created a problem for 140 million people, trying to trick them into waiving their rights of redress basically confirms that you're a Bad Person - a bad corporate person, a bad executive making the decision on behalf of shareholders, and a bad lawyer for agreeing to promulgate such trickery.


That right to opt-out does not appear in the complimentary protection enrollment, those terms are here:

https://trustedidpremier.com/static/terms


I think you're probably right about the intention. The trouble is that the enrollment website (equifaxsecurity2017.com) has a TOS link that goes to the regular Equifax TOS. These TOS claim to apply to several listed websites

> "AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES".

So this would mean that the general TOS would apply to the Trusted ID site also.

And while some parts of this TOS make it seem like it would only apply if you purchase and use a product (which is inapplicable to the Trusted ID program, which is free), other parts make it seem like it applies beyond purchases, to any use:

> YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT.

So it's a big mess, and probably unintentionally so, from the looks of the legal docs.


> You must notify Equifax in writing within 30 days of the date that You first accept this Agreement

Approximately nobody is going to do this. Fuck that.


I didn't agree to the terms though. They were just linked to the page I used.


I'm sure there's a lot of people who share the same last name and last 6 SSN digits.

For example, the last name SMITH matches almost any 6-digit number on Equifax's website.


Yes, read the full terms for yourself. But you linked to the equifax terms, not the TrustedID terms (which do not include the FCRA exemption).


This will NEVER fly with a court.


I have bad news for you. https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...

"On April 27, 2011, the Court ruled, by a 5–4 margin, that the Federal Arbitration Act of 1925 preempts state laws that prohibit contracts from disallowing class-wide arbitration, such as the law previously upheld by the California Supreme Court in the case of Discover Bank v. Superior Court. As a result, businesses that include arbitration agreements with class action waivers can require consumers to bring claims only in individual arbitrations, rather than in court as part of a class action."

After this decision, tons of click-wrap ("contracts of adhesion") agreements added "oh BTW you can't join a class-action suit against us." They seem to be on very solid legal ground. :-(


Wonder if I can just have my spouse check for me.


From my experience, this type of clause will not stand up in court. It might sound legit but is mostly viewed as a filler by lawyers.


What kind of experience do you have? Because the Supreme Court has held up forced arbitration multiple times. I know it doesn't "feel right" (and maybe that's because it isn't) but it's the law of the land.


I will let somebody else chime in. There may be instances where something like this could be upheld, but I don't think it will apply here.

My case involved an employee that committed fraud by offering me bogus shares of a non-existent entity. They terminated me after I brought this up and asked me to sign a waiver in exchange for severance. 100% not enforceable.



