This past week, Congress demanded answers from former Equifax CEO Richard Smith about what, exactly, went so terribly wrong in his company’s handling of its massive data breach this summer, and to ask how to keep something like this from happening again. Over the course of four hearings in both the Senate and the House, it became clear that the list of "wrongs" is lengthy. But one of the most damning revelations emerged in the aftermath of the breach in the company’s attempts to mitigate harm post-breach. To be clear, we’re not talking about mitigating consumer harm - we’re talking about Equifax protecting itself from accountability through the use of forced arbitration.
A quick refresher on the Equifax breach: the sensitive personal information of 145 million (and counting) Americans was exposed, including, but not limited to, social security numbers, addresses, driver’s license numbers, and mother’s maiden names. In short, the kind of personal information you can’t just change, like you can with a password or PIN number. This was disastrous enough on its own. Further, due to opacity in the financial services sector, it is difficult for Americans to know which firms retain their data and therefore whether or not they might be affected by the breach, and to what extent. To address this, Equifax sent notifications to millions of Americans offering to let them know if their information was actually at risk - as long as they agreed to waive their rights to bring suit against Equifax if they had indeed been harmed, otherwise known as a forced arbitration agreement.
John Oliver once said "if you want to do something evil, hide it in something boring.” That describes forced arbitration to a T. Forced arbitration agreements are fine-print clauses companies put in the depths of contracts, which waive your right to your day in court if that company subsequently harms you. Instead, you have to go through lengthy, complex negotiations with corporations that have extreme bargaining and financial leverage over their harmed consumers. They amount to a short-circuit of fundamental tenets of our judicial system, yet they are, to use ex-CEO Smith's term, "boilerplate" contract language you likely agree to almost every time you click an "accept" box on Terms of Service or sign a contract.
And under current law, it turns out, that’s totally fine.
Equifax’s use of forced arbitration was particularly egregious in this case because they used it in the wake of the breach to require people to waive their right to sue as a condition to even being informed of whether or not they were injured. It’s true that Equifax ultimately removed this requirement, as Smith testified, but some unknown number of Americans had already waived their right to sue just so they could get the basic notice Equifax should have provided them in the first place. (Smith claimed at hearing that it was a "mistake" to include forced arbitration in the post-breach language, saying that it had been merely "cut-and-paste from boilerplate language," which illustrates just how ubiquitous such terms are in credit firm agreements.)
Members of Congress on both sides of the aisle were incredulous. They repeatedly pressed Smith on whether Equifax continues to employ forced arbitration clauses in other product contracts, and he had to admit that it does. Why do so, if the company acknowledged in this case that the clauses were harmful to consumers and therefore removed the clause? His answer: because it’s completely legal. It was the former CEO version of “everyone’s doing it.”
And as I said earlier: he’s absolutely right. Forced arbitration clauses are completely legal, under current law. They've even been upheld by the Supreme Court in a case called AT&T v. Concepcion. Consumer advocates and legal analysts alike read the decision as a perversion of the American judicial system. Meanwhile, industries saw it as a green light, and as a result, the widespread use of forced arbitration clauses continues unabated. Worse, most Americans sign away these rights without even knowing it. A recent study by the Consumer Financial Protection Bureau (CFPB) found that three out of four consumers do not realize that many of the agreements they sign contain forced arbitration agreements that enable companies to deny consumers their day in court, avoid paying out refunds, and even continue harmful practices.
But just because something is technically legal doesn't necessarily mean it’s a good policy. There have been numerous attempts by Congress to rewrite the law to significantly curtail the use of forced arbitration across industry. Unfortunately, they have thus far been unsuccessful. It’s difficult to pass laws that reverberate through every industry, and there are naturally powerful industry players who like the leverage and lack of accountability they enjoy under the status quo.
Meanwhile, forced arbitration continues to crop up. And while the Equifax breach may be one of the worst the modern American market has seen, exposing the sensitive data of 145 million consumers, it is not the first of its kind and is unlikely to be the last. The dangers of forced arbitration are not limited to the financial industry. Millions of businesses that Americans rely upon to meet our basic needs collect and share endless streams of similar personal data. In the 21st century, our banks, communications companies, and countless other businesses across industries are all now custodians of our most personal information. It is incumbent on these essential businesses to treat that information with appropriate care, and where they fail, Americans must have a reliable method by which to hold them accountable and be compensated after a breach.
Forced arbitration is not limited to cases of personal data breaches. Companies insert these clauses into phone contracts, credit card contracts, banking contracts, nursing home contracts that sign away rights in cases of abuse, hospital contracts that require forced arbitration as a condition of admittance, and more. The landmark Concepcion case was itself about a couple seeking redress for a deceptive phone contract (they brought a class action, but found they had signed away their right to do so via a forced arbitration clause buried in the fine print of the phone contract). Consumers are signing away their rights by law daily, often without realizing it, as a condition of participating in the modern marketplace, for access to essential needs. And, as Smith says, it's totally, one hundred percent legal.
But if Congress can provide no immediate solution, there are other solutions to rolling back the widespread use of forced arbitration. Our regulatory agencies can act instead on an industry-by-industry basis.
Just this past summer, the CFPB passed a rule that would limit forced arbitration clauses in financial service contracts - in other words, in precisely this situation. Several other consumer protection agencies have toyed with following suit. As recently as 2016, the Federal Communications Commission sought public comment on forced arbitration in the broadband sector, noting that “just as customers should not be forced to agree to binding arbitration and surrender their right to their day in court in order to obtain broadband Internet access service, they should not have to do so in order to protect their private information conveyed through that service." These are the kinds of questions we want agencies to address as actual harms continue to manifest across industries, as we saw in Equifax.
In the rule it passed this year, the CFPB actually followed through. However, the rule is currently fresh enough on the books that it still falls within a time window where Congress can repeal it with what’s called the Congressional Review Act, as it did with privacy and a litany of other pro-consumer agency protections all this year. (You can see how repeal via the CRA works here.)
What’s odd is that many of the same Senators who were (rightfully) slamming Smith and his company for employing forced arbitration in their contracts are at this moment actively trying to repeal the critical CFPB protections that would prevent exactly that. A repeal of the rule by Congress would not only harm consumers in the financial sector, but would send a message that our lawmakers put industry interests above those of everyday Americans, and that those companies may conduct their business without being held responsible when something goes wrong.
Consumers need full legal redress for harm caused by misuse or inappropriate distribution of personal data, and any similar breaches. If the members of Congress who rebuked Smith and Equifax were sincere about the outrage they expressed over these fine-print corporate giveaways, they should turn words into action and oppose the current effort to repeal the CFPB rule, and should continue to explore any possible avenues towards restoring consumer rights of action.
But beyond that, the Equifax scandal should light a fire under those who have been complacent with the spread of forced arbitration clauses - and who themselves presumably are prey to those practices. It’s high time lawmakers both at the agency level and in Congress took a hard look at how to rein in these practices and restore Americans’ rights to be made whole again under the eye of the law, the way it was intended to be.