Not only did Equifax suffer a massive data breach that potentially compromised the personal data of up to 143 million in the U.S. and then wait 6 weeks to inform the public—the credit-reporting company is directing those who want to know if they were a victim of the breach to a service that forces them into a "rip-off clause" that makes them give up their right to file or join class-action lawsuit against the company.

Robert Weissman, president of advocacy group Public Citizen, called it "one of the most brazen corporate wrongdoer maneuvers in memory."

MarketWatch reported:

Equifax's terms require "arbitration of disputes" and "a waiver of the ability to bring or participate in a class action, class arbitration, or other representative action." The terms were written in block capitals. However, experts say research has shown that customers rarely read the terms and conditions when signing up for services. (The company was not immediately available for comment.)

A new rule from the Consumer Financial Protection Bureau (CFPB) bans companies from using these consumer-unfriendly mandatory arbitration clauses. But it doesn't go into effect until Sept. 18. It's also already in the cross-hairs of Republicans—a point noted CFPB creator Sen. Elizabeth Warren (D-Mass.), who called the breach "Exhibit A for why we must stop @GOP from reversing the @CFPB's rule protecting your right to join class actions."

The @Equifax breach is Exhibit A for why we must stop @GOP from reversing the @CFPB's rule protecting your right to join class actions. — Elizabeth Warren (@SenWarren) September 8, 2017

That tweet was included in a series from Warren that took aim at Equifax:

It's outrageous that @Equifax -- a company whose one job is to collect consumer information -- failed to safeguard data for 143M Americans. — Elizabeth Warren (@SenWarren) September 8, 2017

It's also outrageous that @Equifax waited so long to disclose the breach -- needlessly leaving nearly half of America at risk for a month. — Elizabeth Warren (@SenWarren) September 8, 2017

.@Equifax is forcing you to give up your right to join a class action against the company if you want their credit protection product. pic.twitter.com/anu0SE58wg — Elizabeth Warren (@SenWarren) September 8, 2017

SCROLL TO CONTINUE WITH CONTENT Never Miss a Beat. Get our best delivered to your inbox.





That's right: @Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused. — Elizabeth Warren (@SenWarren) September 8, 2017

The @CFPB's new rule would stop companies like @Equifax from avoiding legal accountability like this -- as long as @GOP doesn't reverse it. — Elizabeth Warren (@SenWarren) September 8, 2017

The clause also drew from Amanda Werner, arbitration campaign manager at Public Citizen and Americans for Financial Reform. "It is despicable that Equifax would exploit consumers' need for identity theft monitoring to avoid accountability for this devastating breach. Perhaps more despicable, at this very moment, U.S. senators are weighing legislation to take away our right to hold companies like Equifax accountable in court," she said.

Brian Fung writes at Washington Post's "The Switch" blog that

There appears to be an escape hatch from the arbitration clause in Equifax's main terms of use, but it's unclear if that applies to the credit monitoring program known as TrustedID Premier, whose more specific terms of use may be found here. Both documents contain an arbitration clause.

In addition, he writes,

Some readers have pointed out that Equifax maintains an FAQ about TrustedID Premier, and that the FAQ appears to limit the scope of TrustedID Premier's terms of use to "the free credit file monitoring and identity theft protection products, and not the cybersecurity incident" that was disclosed this week.

But according to Joel Winston, a former deputy attorney general for the state of New Jersey and a privacy and data protection lawyer, that may not reign in Equifax's ability to stop people from banding together in a suit. Fung continues:

"Just because someone in the marketing department wrote that the terms of service don't apply to the cybersecurity incident means nothing compared to the contractual obligations of the terms of use," he said. "You could say, 'What you're saying here is deceitful,' but it's a real gray area," he said. "If you look back at the TrustedID terms of use, the last paragraph says 'entire agreement between us,' which basically reiterates that the terms of service is the entire agreement and anything else you read on the website have no applicability."

New York Attorney General Eric T. Schneiderman announced Friday that he is launching a formal investigation into the breach. On Twitter, Schneider blasted the rip-off clause, writing: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it."

House Financial Services Committee Chairman Jeb Hensarling (R-Texas), meanwhile, announced that it would hold a hearing into the breach.