Help from Equifax may have strings attached after data breach

Equifax Inc.
This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

(CNN) – Equifax is offering help for people whose personal information was hacked — but there are big strings attached.

The credit reporting agency announced Thursday that the personal information of as many as 143 million people was compromised in a data breach between May and July. The stolen data includes names, Social Security numbers, birth dates, addresses and driver’s license numbers.

If your information was exposed, Equifax is offering free identity theft protection and credit file monitoring services. But the offer comes with some conditions that may make you think twice.

You can’t get help right away. When people enter their last name and part of their Social Security number on the site to see whether they were affected, some are being told: “Based on the information provided, we believe that your personal information may have been impacted by this incident.”

But even in that case, Equifax is not offering the credit monitoring service until next week at the earliest. Monday is the first day you can sign up.

You could be giving up some of your rights to sue. At first, Equifax said anyone who gets the credit monitoring service, TrustedID, must agree to submit any complaints about it to arbitration. Those people wouldn’t be allowed to sue, join a class-action suit, or benefit from any class-action settlement.

After public pressure, Equifax added an opt-out provision on Friday. Customers can get out of the arbitration requirement by notifying Equifax in writing within 30 days of accepting the monitoring service.

And Alex Southwell, a privacy lawyer at Gibson Dunn and a former federal prosecutor in New York, said the original rules still left room for people to sue Equifax over the original hack, even if they can’t sue over the credit monitoring.

Related: The biggest data breaches ever

The federal Consumer Financial Protection Bureau recently published rules against these kinds of arbitration requirements by banks and credit card issuers. The rules will apply to credit rating services such as Equifax. But they don’t take effect until next year, and Republicans in Congress want to roll them back.

Equifax isn’t promising help fixing your credit: Equifax will agree only to monitor your credit, not help you fix any problems arising from the hack. “We do not offer, provide, or furnish any products, or any advice, counseling, or assistance, for the express or implied purpose of improving your credit record, credit history, or credit rating,” the company in its 7,200-word terms and conditions. “By this we mean that we do not claim we can ‘clean up’ or ‘improve’ your credit record, credit history, or credit rating.”

Equifax did not immediately respond to a request for comment Friday.