Update, Sept. 10, 2:25 p.m.: Equifax issued a new statement Sunday further clarifying its stance on the arbitration clause. "To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action," Equifax said. The company said it has now removed the arbitration language from the terms of use on its data breach notification site, equifaxsecurity2017.com. It also said Sunday that the terms of use on Equifax's main site, equifax.com, do not cover the TrustedID Premier service, which has its own terms of use. "Again," Equifax continued, "to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

Update, Sept. 8: Equifax issued a statement Friday evening. “In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,” the company said.

Sharp-eyed social media users have combed through the Equifax data breach site's fine print — and found what they argue is a red flag.

Buried in the terms of service is language that appears to bar those who enroll in an Equifax credit monitoring program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

This language is commonly known in the industry as an “arbitration clause.” In theory, arbitration clauses are meant to streamline the amount of work that's dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer arbitration that clauses do more harm to consumers than good — and the agency put in place a rule to ban them.

“In practice, companies use these clauses to bar groups of consumers from joining to seek justice by vindicating their legal right,” Richard Cordray, the CFPB’s director, told reporters in July, according to my colleague Jonnelle Marte.

Here's a further look into why the language raised concerns.

Why is arbitration a big deal?

There is already at least one class-action suit brewing against Equifax. Arbitration clauses make it hard if not impossible for consumers to join such suits. Arbitration is weaker than class-action suits, critics say, because it limits consumers’ ability to find facts to support their case, to appeal decisions or to present their case before a jury.

If the government is moving to bar arbitration clauses, then why is one in there?

Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.

The CFPB said earlier Friday Equifax's arbitration clause was “troubling” and the agency is investigating the data breach and Equifax's response.

“Equifax could remove this clause so consumers can receive this service without condition,” the CFPB said in a statement.

The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Trump to become official, but if it does, then the CFPB's regulation could be nixed.

Friday afternoon, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting his staff has contacted the company urging it to remove that part of the fine print.

“This language is unacceptable and unenforceable,” the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the “black market,” according to a person familiar with the investigation.

A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives before the discovery of the hack.

So should I register with the Equifax site, or not?

It's up to you, but you should know going into the process what you're signing up for. Equifax issued a statement Friday evening apologizing for consumers' inconvenience and said the arbitration clause and class-action waiver “does not apply to this cybersecurity incident.”

This language may appear to limit Equifax's ability to block class-action lawsuits, said Joel Winston, a former deputy attorney general for the state of New Jersey and a privacy and data protection lawyer — but don't get complacent.

“Just because someone in the marketing department wrote that the terms of service don't apply to the cybersecurity incident means nothing compared to the contractual obligations of the terms of use,” he said.

“If you look back at the TrustedID terms of use, the last paragraph says 'entire agreement between us,' which basically reiterates that the terms of service is the entire agreement and anything else you read on the website have no applicability.”

The most we can say, Winston said, is you are not bound by any of Equifax's terms of use if you do not engage the company at all.

Meanwhile, there's something else you should know if you do decide to use Equifax's website to check if you were affected.

The site demands even more information from you to prove your identity.

To make sure the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, that you must volunteer more of what would otherwise be private information may not inspire much confidence. 

Is there anything else I can do?

You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means you can effectively check your credit free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.

Read more:

How Equifax hackers might use your Social Security number

Outrage builds after Equifax executives banked $2 million in stock sales following breach

Why it can take so long for companies like Equifax to reveal their data breaches

Equifax asks consumers for personal info, even after massive data breach