While Kevin’s on vacation, we’ve invited other Mother Jones writers to contribute posts.
Kevin, as you’re probably aware, has strong opinions on the Equifax disaster, so let’s keep that ball rolling while he enjoys fiddle tunes and a half-pint in the Irish pubs.
Over at the New York Times, finance columnist Ron Lieber has kept busy shaming the credit-reporting giants, posing questions from readers on their handling (or lack thereof) of the unprecedented (so far as we know) Equifax breach that compromised the personal and financial data of up to 143 million Americans. (Equifax reluctantly answered some of Lieber’s questions but not others—and not always accurately.)
This whole nightmare has reminded Americans what the credit-reporting industry is: a rapacious, unaccountable corporate beast that sucks up, stores, and sells our secrets whether we like it or not, and seeks to avoid any liability should anything go wrong. Then, when something inevitably does go wrong, the big three—Experian, TransUnion, and until last week, Equifax—take advantage of laws that allow them to charge us to freeze our credit files so they don’t fall into unauthorized hands. (Innovis, a smaller player, doesn’t charge for this service.)
As my colleague Hannah Levintova noted last week, Sen. Elizabeth Warren (D-Mass.) just introduced a bill that would impose new regulations on the industry; in a letter to Equifax, Warren took issue with the company’s “sluggish response to the hack, its lack of transparency about exactly what information may have been accessed by hackers, and Equifax’s initial attempt to enroll affected customers in free credit monitoring—only if they give up their right to sue the reporting agency.”
TransUnion was another story. First of all, the company has been diverting customers who want a credit freeze and urging them instead to “lock” their credit by signing up for a currently free TransUnion service called TrueIdentity. The Times’ Lieber has asked TransUnion for more details about locking, a sort of credit-freeze-lite that isn’t described in consumer law, but he hasn’t received a satisfying response. And when you sign up for TrueIdentity, as far as your right to take legal action, you basically have to give them your first-born.
But I didn’t even get that far. Before I could request a freeze with TransUnion, I was directed to register with its website. To do so, I had to enter my social security number, address, etc.—and then agree to legal terms that stopped me in my tracks.
Tell me if the following excerpt from TransUnion’s “Disclaimer of Warranties and Liability” doesn’t give you pause. To me it suggests that, in order to interact with the company at all, I have to absolve them of liability for anything that might happen to my data on their watch. (You’ll find an identical clause in TrueIdentity’s terms of service.)
…YOU AGREE THAT YOUR ACCESS TO AND USE OF OUR SITE, PRODUCTS, SERVICES AND CONTENT ARE AT YOUR OWN RISK. BY USING OUR SITE, YOU ACKNOWLEDGE AND AGREE THAT NEITHER TRANSUNION, ITS DOMESTIC SUBSIDIARIES, NOR ITS AFFILIATES HAVE ANY LIABILITY TO YOU (WHETHER BASED IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE) FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES ARISING OUT OF OR IN ANY WAY CONNECTED WITH YOUR ACCESS TO OR USE OF OUR SITE, CONTENT, PRODUCTS OR SERVICES (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES)…
Does this seem reasonable? I’m no lawyer, so I showed this language to one, and he seconded my assessment that it’s “about as broad as it gets.” In California, at least, it’s probably not enforceable, he added, because you could argue that it’s coercive: If you have to freeze your TransUnion credit file, it’s not like there’s somewhere else for you to go.
Why would TransUnion ask such a thing from consumers who, through no fault of their own, are scrambling to keep their data out of the hands of crooks? I emailed Dave Blumberg, TransUnion’s senior director of public relations, late last week to ask whether the company really considers this waiver fair or necessary. I let him know a response was needed urgently and, well…can you hear the crickets?
Maybe we should all start emailing and tweeting and Facebooking questions to Dave and all the rest of ’em until they give us some real answers. In the meantime, we’d love to hear about your own experiences trying to deal with this stuff. Let us know in the comments.