Federal Employees Suing OPM Score Win in Lawsuit Over Data Hacks

Appeals court overrules district-level finding, says federal employee unions have standing to sue.

A court has reversed the decision of a lower court and ruled that federal employees have standing to sue the government over its failure to protect personally identifiable information, a failure that led to massive data breaches in 2015.

The U.S. Court of Appeals for the D.C. Circuit largely sided with two federal employee unions in their lawsuit against the Office of Personnel Management and a federal contractor for their roles in the hacks that led to the disclosure of the personal records of 21.5 million individuals. The American Federation of Government Employees and the National Treasury Employees Union are seeking lifetime credit monitoring and identity theft protection for affected individuals, and NTEU also sought to change the way OPM stores and protects personnel data. NTEU said its clients had a constitutional right to informational privacy and the government violated that right. AFGE is seeking a remedy under the 1974 Privacy Act, including monetary damages from KeyPoint. 

OPM disclosed two data breaches in 2015, one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families.

The appeals court said it was concerned only with whether the plaintiffs could plausibly allege standing. In terms of potential damages, the court said it was focusing on “the risk of future identity theft.” OPM has said hackers stole Social Security numbers, birth dates, fingerprints and addresses, among other sensitive personal information. 

“It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft,” the court wrote in its majority opinion. 

Attorneys representing the plaintiffs alleged during oral arguments last year that their clients have, since the hacks, spent time and money addressing fraudulent credit charges, tax filings and other instances of identity theft that could credibly trace back to the OPM breaches. In remanding the case back to district court, the appellate judges said the charges were reasonable and the lower court must hear the case on the merits. 

“We conclude that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that [the plaintiffs] face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft,” the appeals court wrote. 

AFGE’s suit also named KeyPoint Government Solutions, a contractor that handled background checks on behalf of the government, as a defendant. The company argued it was immune from any liability, as it was simply following the direction of the government. The appeals court rejected that argument, noting KeyPoint is alleged to have violated the Privacy Act standards spelled out in its contract with OPM. 

The plaintiffs “have plausibly alleged that KeyPoint’s failure to secure its credentials ran afoul of both OPM’s explicit instructions and federal law standards, rendering derivative sovereign immunity unavailable,” the court said. 

The court rejected NTEU’s argument, however, that OPM violated federal employees’ constitutional right to privacy. Ruling with the union would mean “constitutionally micromanaging” how the government must maintain its records and shift an oversight function to the judiciary, the court said. It added that creating a constitutional mandate to prevent unauthorized third-party access to personal information would require a “labyrinth of technical rules” the court was not prepared to address.

“NTEU is disappointed that the court disagreed with our view of the constitutional right to informational privacy,” said Tony Reardon, the union’s president. “NTEU, however, appreciates the court’s acknowledgment of ‘the severity and scope of OPM’s data security shortcomings.’” Reardon added that NTEU will continue to push for lifetime identity theft protections for those impacted by the breach.

An AFGE spokesman said it was determining the full implications of the ruling. 

“Our attorneys are still reviewing the court’s lengthy opinion, but it looks like a positive step for our members affected by the data breach,” the spokesman said. 

OPM attempted to argue the records were stolen as an act of espionage, rather than an attempt at identity theft, and therefore the employees were not facing risks for which they were seeking redress. The court said espionage and identity theft were not mutually exclusive goals and it was undisputed that identity theft was possible using the information stolen in the hacks. It also faulted the district court for using outside media reports citing the Chinese government as responsible for the hacks, noting they were not part of the evidence presented in the case.

“It is just as plausible to infer that identity theft is at least one of the hackers’ goals, even if those hackers are indeed affiliated with a foreign government,” the appeals court said. 

Congress intervened to give hack victims 10 years of protections in a fiscal 2016 spending bill. OPM had offered the 21.5 million federal employees, contractors, applicants and family members affected by the breach involving security clearance files three years of a “suite of services,” including full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continued credit monitoring and fraud monitoring services beyond credit files. The 4.2 million current and former federal workers affected by the initial hack of personnel data—most of whom were also impacted by the second breach—were originally offered just 18 months of credit monitoring and identity theft insurance.

OPM further argued the protections it has already offered—and that it has been required to offer—have mitigated the threat, which diminishes as time wears on. The court also found this argument without merit.   

“Cyberhacking on such a massive scale is a relatively new phenomenon, and we are unwilling at this stage to assume that the passage of a year or two without any clearly identifiable pattern of identity theft or financial fraud means that all those whose data was compromised are in the clear,” the court said. 

The appellate judges found the plaintiffs “adequately alleged actual damages” as defined by the Privacy Act. Further, OPM credibly faces allegations of “willfully and intentionally” failing its duties because it ignored repeated warning signs, including from its own inspector general, that it was not properly protecting its data. 

“OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known and available steps to secure the trove of sensitive information in its hands,” the court said. 

No timetable has been set for when the D.C. district court will once again hear the case.
