While Equifax is still reeling from one of “the most impactful” data breaches ever, it’s also being attacked on a legal front.
Last week, Equifax revealed that more that 143 million American’s and an unknown number of Canadian’s sensitive information (like Social insurance numbers or credit card numbers) might have been stolen in a security breach on July 29.
At least 30 class action lawsuits have been filed against the credit reporting company in the U.S., and two have been filed in Canada.
Saskatchewan-based lawyer Tony Merchant of the Merchant Law Group said he filed a lawsuit in B.C. on Friday and in Quebec on Monday, and he plans to file another in Ontario Tuesday.
He says Equifax unsafely stored the information all in one location — rather than on multiple file servers for greater protection.
“It might not be the biggest, but it’s the most impactful hack ever,” Merchant said, explaining that the nature of the data made it so important.
Both the Office of the Privacy Commissioner of Canada and the New York States Attorney’s office are investigating the breach.
If you think you’ve been affected, the Financial Consumer Agency of Canada recommends contacting Equifax, and the other Canadian credit monitoring company TransUnion, and asking for them to place a fraud alert on your information. That way, if someone tries to apply for a mortgage, the companies will alert you first to make sure it is a legitimate transaction.
LISTEN: Author of “Techno Creep” on how Canadians can protect their personal information online
‘Bogus’ arbitration clause waived
Savvy social media users have shone a light on a clause Merchant called “bogus” and unfair.
The arbitration clause, which is buried in the legalese of a contract, normally wouldn’t allow for the customer to participate in a class action lawsuit.
It has to do with the credit monitoring the credit report company offers — the ones specifically targeted at those who might have had their sensitive data accessed by hackers.
After Equifax disclosed the security breach, it offered customers a chance to see if their data was part of the compromised information on its website. Once they checked, the company offered one year of credit monitoring free to see if their information was used fraudulently.
READ MORE: What to do when thieves get your cards and PIN
But in the fine print of that credit monitoring software contract, lay the arbitration clause.
After outrage on social media and in the news, Equifax waived the clause, first by saying consumers could opt out if they chose, but eventually, officials took the clause out of the contract entirely.
A request for comment from Global News was not returned, but officials told the Washington Post they had waived the clause.
“To be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself,” officials told the Post.
Merchant said he will be advising those who are part of the class to contact Equifax to opt out.
WATCH: Warnings about card skimming
Using the hack as incentive to buy more products
One complaint filed in San Jose, California, suggested that Equifax was offering the free year of credit monitoring to lay a “foundation” to pitch costlier services.
It cited a Feb. 22 regulatory filing in which Atlanta-based Equifax said more companies are offering free or low-cost services such as credit scores, reports and monitoring “as a means to introduce consumers to premium products and services.”