A court has ruled that federal employees have standing to sue the government over its failure to protect personally identifiable information that led to massive data breaches in 2015, reversing the decision of a lower court.
The U.S. Court of Appeals for the D.C. Circuit largely sided with two federal employee unions in their lawsuit against the Office of Personnel Management and a federal contractor for their roles in the hacks that led to the disclosure of the personal records of 21.5 million individuals. The American Federation of Government Employees and the National Treasury Employees Union are seeking lifetime credit monitoring and identity theft protection for affected individuals, and NTEU also sought to change the way OPM stores and protects personnel data. NTEU said its clients had a constitutional right to informational privacy and the government violated that right. AFGE is seeking a remedy under the 1974 Privacy Act, including monetary damages from KeyPoint.
OPM disclosed two data breaches in 2015, one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families.
The appeals court said it was concerned only with whether the plaintiffs could plausibly allege standing. In terms of potential damages, the court said it was focusing on “the risk of future identity theft.” OPM has said hackers stole Social Security numbers, birth dates, fingerprints and addresses, among other sensitive personal information.
“It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft,” the court wrote in its majority opinion.
Attorneys representing the plaintiffs alleged during oral arguments last year that their clients have, since the hacks, spent time and money addressing fraudulent credit charges, tax filings and other instances of identity theft that could credibly trace back to the OPM breaches. In remanding the case back to district court, the appellate judges said the charges were reasonable and the lower court must hear the case on the merits.
“We conclude that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that [the plaintiffs] face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft,” the appeals court wrote.
AFGE’s suit also named KeyPoint Government Solutions, a contractor that handled background checks on behalf of the government, as a defendant. The company argued it was immune from any liability, as it was simply following the direction of the government. The appeals court rejected that argument, noting KeyPoint is alleged to have violated the Privacy Act standards spelled out in its contract with OPM.
The plaintiffs “have plausibly alleged that KeyPoint’s failure to secure its credentials ran afoul of both OPM’s explicit instructions and federal law standards, rendering derivative sovereign immunity unavailable,” the court said.
The court rejected NTEU’s argument, however, that OPM violated federal employees’ constitutional right to privacy. Ruling with the union would mean “constitutionally micromanaging” how the government must maintain its records and shift an oversight function to the judiciary, the court said. It added that creating a constitutional mandate to prevent unauthorized third-party access to personal information would require a “labyrinth of technical rules” the court was not prepared to address.
“NTEU is disappointed that the court disagreed with our view of the constitutional right to informational privacy,” said Tony Reardon, the union’s president. “NTEU, however, appreciates the court’s acknowledgment of “the severity and scope of OPM’s data security shortcomings.” Reardon added that NTEU will continue to push for lifetime identity theft protections for those impacted by the breach.
An AFGE spokesman said it was determining the full implications of the ruling.
“Our attorneys are still reviewing the court’s lengthy opinion, but it looks like a positive step for our members affected by the data breach,” the spokesman said.
OPM attempted to argue the records were stolen as an act of espionage, rather than an attempt at identity theft, and therefore the employees were not facing risks for which they were seeking redress. The court said espionage and identity theft were not mutually exclusive goals and it was undisputed that identity theft was possible using the information stolen in the hacks. It also faulted the district court for using outside media reports citing the Chinese government as responsible for the hacks, noting it was not part of the evidence presented in the case.
“It is just as plausible to infer that identity theft is at least one of the hackers’ goals, even if those hackers are indeed affiliated with a foreign government,” the appeals court said.
Congress intervened to give hack victims 10 years of protections in a fiscal 2016 spending bill. OPM had offered the 21.5 million federal employees, contractors, applicants and family members affected by the breach involving security clearance files three years of a “suite of services,” including full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continued credit monitoring and fraud monitoring services beyond credit files. The 4.2 million current and former federal workers affected by the initial hack of personnel data—most of whom were also impacted by the second breach—were originally offered just 18 months of credit monitoring and identity theft insurance.
OPM further argued the protections it has already offered—and that it has been required to offer—have mitigated the threat, which diminishes as time wears on. The court also found this argument without merit.
“Cyberhacking on such a massive scale is a relatively new phenomenon, and we are unwilling at this stage to assume that the passage of a year or two without any clearly identifiable pattern of identity theft or financial fraud means that all those whose data was compromised are in the clear,” the court said.
The appellate judges found the plaintiffs “adequately alleged actual damages” as defined by the Privacy Act. Further, OPM credibly faces allegations of “willfully and intentionally” failing its duties because it ignored repeated warning signs, including from its own inspector general, that it was not properly protecting its data.
“OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known and available steps to secure the trove of sensitive information in its hands,” the court said.
No timetable has been set for when the D.C. district court will once again hear the case.