Ever since the news broke regarding the Equifax breach affecting over 140 million people in the U.S., we have received daily phone calls from clients, friends, and family asking what they can do to protect themselves.  Should I sign up for the credit monitoring?  Am I am going to waive my right to join a class action if I sign up for credit monitoring?  Would you advise me to bring my own lawsuit against Equifax?

Below we have tried to sum up our responses to these and the most common questions we get around the Cybersecurity water cooler regarding the Equifax breach.

1. Should I sign up for Equifax’s free credit monitoring?

We recommend being very careful about signing up for Equifax’s credit monitoring service.  First, make sure you’re visiting the official Equifax website as there have been reports of a phishing domain setup.  Equifax tweeted the wrong web address to consumers (see below).  Once you are at the right website, Equifax asks for six digits of your social security number and last name to even determine whether you were affected.  This may be more information than you feel comfortable providing.  Other services will provide both credit monitoring and identity theft protection, which may reimburse you for costs associated with reclaiming your stolen identity.  Indeed, there are perhaps better ways to protect yourself, as we discuss in part 3 below.

2. I want to bring a lawsuit, or at least join a class action lawsuit against Equifax, what should I do?

According to Equifax, you do not waive your right to join a class action lawsuit against Equifax by signing up for their credit monitoring service.  At first this was not clear, and we fielded many calls from clients on this issue.  Here is the play-by-play from Equifax’s own FAQ’s (accessed 9.21.2017), which is a good reminder that the Terms of Use posted on a service-provider’s website is actually a contract between the company and the user.

Class-action lawsuits apply to everyone the court determines to be part of the class.  So you do not necessarily have to sign up to join a class action.  Inevitably, there will be a large settlement and you can file a claim for your portion (which will likely be less than $50) at that time.  Legal fees will come out of the settlement.  Consumer Reports has provided some good information on this process in the context of the Equifax breach.

Lastly, unless you have concrete harm (e.g., quantifiable) arising from the Equifax breach, i.e., someone has stolen your personal information and opened lines of credit, personal lawsuits generally do not make economic sense.  As we have written in the past, unless you can point to concrete harm, post-data breach lawsuits generally do not survive the motion to dismiss phase.

3. What are my other options to protect myself?

First, review your financial accounts for suspicious activity and notify your bank or credit card issuer of evidence of same promptly.  Consumer protection regulations are in place to protect you.  One of the least-well known ones is Regulation E described here, which sets forth a process for reporting fraudulent transactions and capping your liability to $50 in certain circumstances.  You can also review your annual free credit report by following the FTC’s link here.  Note, you will be required to enter in lots of personal information, including your social security number, to obtain this credit report (and it does not include your credit score) so make sure you haven’t stumbled upon the wrong site and you’re using a secure connection.  You may want to consider implementing a “security freeze” or “credit freeze” at the four major credit reporting agencies.  Krebs on Security outlines the advantages and quirks of this process.  For more information on ways to protect yourself, check out the FTC’s website on identity theft.

And as always, if you have any questions, please feel free to contact someone on our Cybersecurity team.