Nearly half the US woke up Friday to find out their Social Security number might have been stolen, thanks to hackers who breached the database of a top credit monitoring service.

Equifax is one of three major credit monitoring companies, which victims of data breaches typically turn to for protection. Now it’s lost the Social Security numbers, names, addresses and birth dates of up to 143 million people in the US alone. Folks in Canada and the UK have also been affected.

About 209,000 people had their credit card information stolen as well. The Federal Trade Commission has advised people to monitor their accounts closely, and to place a fraud alert on all their files. The massive number of victims means a lot of questions.

Now Playing: Watch this: Equifax breach: Were you one of the 143 million affected?

1:29

Equifax has provided a tool for people to find out if they’re affected, but its usefulness has been questionable, with the company telling people who’ve entered fake names that they were hit by the breach. Equifax’s terms of use have also caused confusion.

Don’t fret though. We’ve put together a guide for those who think they might’ve been nailed by the breach, and we’ll break down some of your legal options. 

What’s the deal with Equifax’s terms of use clause?

It’s still unclear.

As a result of the hack, Equifax offers a free year’s worth of credit monitoring through its TrustedID Premier program. In its Terms of Use, the program’s arbitration clause points out that by signing up to use the program — which, for now, is the only way to find out if you were swept up in Equifax’s breach — you give up your right to sue in a class action lawsuit.

Enlarge Image

The company adjusted its terms on Wednesday, just one day before it announced the massive breach. The arbitration clause is still being debated among lawyers looking at the fine print.

Equifax didn’t respond to requests for clarification on its legal terms.

The terms still allow you to sue individually. You’re still able to sue Equifax, despite agreeing to the arbitration from TrustedID Premier, Tom Rohback, an attorney with Axinn Veltrop & Harkrider said.

He’s focused his practice in recent years on data breach litigation, and read through TrustedID Premier’s terms of use, which only serves to protect the subsidiary company. TrustedID Premier, while owned by Equifax, is a separate entity from its parent company, Rohback said.

Equifax has its owns Terms of Use, which has an arbitration clause that protects the entire company. TrustedID Premier only protects itself, he noted.

“This agreement would only cover breaches committed by TrustedID, in its future monitoring,” Rohback said.

But Equifax has used its own Terms of Use to negate TrustedID’s loophole in the past, Michael Fuller, an attorney representing a class action lawsuit out of Oregon said. For now, he’s warning everybody involved against using TrustedID because of the arbitration clause.

“We have to assume that they’re going to enforce that provision,” Fuller said.

Peter Vogel, an attorney who also works for the American Arbitration Association, says Equifax’s clause might not stand up in court. That’s because the agreement is relatively hidden, Vogel said.

“The courts generally require that there be a click agreement,” Vogel said. There isn’t a click agreement for Equifax’s terms of service.  “You could make an argument that the arbitration provision won’t apply.”

That arbitration clause sounds suspicious

It should. In July, the Consumer Financial Protection Bureau decided to ban companies from using arbitration clauses, pointing out that it prevented a mass amount of people from taking legal action.

New York’s attorney general Eric Schneiderman wrote in a tweet that the arbitration clause was “unenforceable,” and that his staff has demanded that Equifax remove it. 

Is there any way out of this clause?

Equifax’s terms of service includes an escape clause for the arbitration.

According to the fine print, you have to write an opt-out notice within 30 days of agreeing to use their products, and send it to this address:

Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out

P.O. Box 105496

Atlanta, GA 30348

The letter must include your name, address, and Equifax User ID, along with a statement that you “do not wish to resolve disputes with Equifax through arbitration.”

So no one is suing Equifax yet?

Actually, there are two class-action lawsuits filed so far.

Fuller is representing two Oregon residents who filed a class-action suit on Thursday, claiming that Equifax failed to adequately protect the personal information of 143 million people. You can join the case by signing up on www.equifaxcase.com. The plaintiffs are seeking $70 billion in damages from Equifax over the breach.

Despite the massive payout, if successful, each victim would only receive $489, and that’s before legal fees. That’s how much your social security number, name, address and birthdate would be worth.

“It could be the largest class-action lawsuit ever filed,” Fuller said. “It involves almost half the country.” 

He’s gotten so many calls about the lawsuit that he started having to redirect people to their local attorney general’s office.

In Equifax’s home state in Georgia, two plaintiffs filed another class-action lawsuit against the company. The lawsuit claims that Equifax could have prevented the data breach, and failed to notify victims in a “timely manner.”

They are being represented by John Yanchunis, the lead counsel representing victims affected by Yahoo’s record-breaking breach, and has also represented data breach victims from Target and Home Depot’s hacks.  

“Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems,” Yanchunis said in a statement.

Is our government doing anything about this?

On Friday morning, House representative Ted Lieu (D-California) sent a letter to the House Judiciary Committee chair asking them to investigate the breach, and why it had taken more than six weeks for the company to go public with the announcement. 

Lieu is requesting that Congress call representatives from Equifax, TransUnion and Experian — the “Big Three” credit monitoring agencies — to testify on Capitol Hill about the breach and details on their cybersecurity.

Sen. Mark Warner (D-Virginia), the vice chair of the Senate Intelligence committee, criticized Equifax over its “profoundly troubling” breach and suggested new data protection policies for Congress to pass.

Equifax is also working with the FBI on the investigation.

In New York, the state attorney general’s office also announced a formal investigation into Equifax’s breach. 

Three Equifax executives, including its chief financial officer, sold shares in the company just three days after the breach was first discovered. The Securities and Exchange Commission did not comment on if it was investigating insider trading.

CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.

Logging Out: Welcome to the crossroads of online life and the afterlife.