Judge dismisses OPM data breach lawsuits, union appeals

U.S. District Judge Amy Jackson delivered a major blow to the federal unions and employees involved in bringing multiple class-action lawsuits against the Office of Personnel Management over its 2015 data breach. Citing the federal government’s immunity from lawsuits and the difficulty of legally proving harm as the result of having personally identifiable information (PII) stolen, she granted the government’s motion to dismiss the case.

Both the National Treasury Employees Union and the American Federation of Government Employees sued separately, but Jackson dismissed the suits at the same time based on similar concerns.

NTEU immediately appealed the Sept. 19 decision.

“NTEU strongly disagrees with the district judge’s ruling that our members were not sufficiently harmed by the OPM data breaches to show legal standing to bring the case to court,” NTEU National President Tony Reardon said in a statement.

Meanwhile, AFGE’s response was somewhat vaguer.

“The judge’s unfortunate decision to dismiss AFGE’s case reflects an unduly narrow view of the rights of data breach victims,” AFGE National President J. David Cox said in a statement. “AFGE is seriously evaluating all options to challenge this decision and will continue to fight on behalf of the millions of current, future, and retired federal employees and their family members whose lives were forever disrupted by this unprecedented data breach.”

But Judge Jackson’s ruling argued that, even if the government had waived its sovereign immunity and consented to be sued, there were a number of issues with the suits themselves. First, they sought damages for improper “disclosure” of private information, but disclosure is very different from theft.

Second, the fact that the attack was directed against a government agency, rather than a retail or financial organization, makes it difficult to project what uses the perpetrators may intend for the data. And third, because of this, plaintiffs cannot prove imminent, or even likely, future harm.

Finally, Jackson argued that due to the increasing frequency of data breaches and threats to PII, “those plaintiffs who allege that they have already experienced an actual misuse of their credit card numbers or personal information, they cannot tie those disparate incidents to this breach.”

The AFGE lawsuit, filed in U.S. District Court in the District of Columbia, sought class-action status to represent all the past and present federal employees whose personally identifiable information was stored in the compromised databases.

The lawsuit alleged that OPM violated the Privacy Act of 1974 by failing to fix cybersecurity flaws that it had known about since at least 2009. It says the agency was negligent because it did not act on the warnings of its inspector general. Keeping the databases operating without interruption was more important to OPM than protecting the sensitive information those databases stored, said Girard Gibbs, who was named lead counsel on the suit in January 2016.

NTEU’s lawsuit differed from the one filed by AFGE, saying the agency violated the constitutional rights of union members by exposing their private information to hackers.

OPM filed its motion to dismiss NTEU’s case in June 2016, based on a “lack of subject matter jurisdiction and for failure to state a claim upon which relief may be granted.”

On June 4, 2015, OPM first reported that a December 2014 cyber breach had affected the personally identifiable information of 4 million current and former federal employees. OPM began notifying those impacted by email and traditional mail, contracting out the duties to Winvale and CSID.

News of a second data breach at OPM came on June 12, 2015. This time, the breach impacted systems containing background information of current and former federal employees seeking security clearances.