Update on OPM Data Breach Lawsuit

NTEU has filed its opening brief with the U.S. Court of Appeals for the D.C. Circuit in the OPM data breach lawsuit.

NTEU is continuing to press its arguments that OPM acted unlawfully when it failed to protect the personal data of millions of federal employees and allowed a series of data breaches to occur. NTEU filed its opening brief on May 10, 2018 in its appeal before the U.S. Court of Appeals for the D.C. Circuit.

As explained in earlier posts, in June 2015, OPM revealed that unknown hackers accessed and stole the personal information of nearly 22 million individuals from its deficiently-secured databases. In addition to NTEU’s successful legislative efforts to obtain ten (10) years of identity theft protection services and $5 million in identity theft insurance, NTEU also filed suit against the Director of OPM in federal district court.

Our lawsuit alleged that OPM violated our constitutional right to informational privacy by recklessly disregarding its Inspector General’s warnings over many years about its IT security deficiencies, leading to the sweeping data breaches that occurred. Among other relief, our lawsuit asked the court to order OPM to take all appropriate steps to correct deficiencies in its IT security program, and to order OPM to provide lifetime credit monitoring and identity theft protection to all NTEU members affected by the breaches.

NTEU vigorously pushed its arguments in court through multiple rounds of briefing and oral argument. The U.S. District Court for the District of Columbia, however, granted the government’s motion to dismiss NTEU’s suit on September 19, 2017. The court ruled that NTEU members were not sufficiently injured by the data breaches, and therefore lacked “standing” to bring the lawsuit. And the court ruled that NTEU failed to state a cognizable legal claim. The court also dismissed a related suit brought by different plaintiffs.

NTEU immediately appealed that decision to the appellate court, and filed its opening brief on May 10, 2018. In that brief, NTEU makes two main arguments. First, NTEU argues that its members have been hurt by these data breaches and therefore have “standing” to pursue relief in court. “Standing” is a legal prerequisite to bringing any lawsuit. And the standing argument arises particularly often in data breach cases, whether involving the government or private companies. However, NTEU argues that its members have been grievously injured by these data breaches, and there are a number of recent court decisions to support that argument. One such case was Attias v. Carefirst, which involved a health care data breach. In that case, the U.S. Court of Appeals for the D.C. Circuit ruled that the plaintiffs’ concern about future identity theft was a sufficient injury that could be traced to Carefirst’s data breach. That risk of future identity theft was enough to give those data breach victims standing. For similar reasons, NTEU and its members are at risk of future identity theft and have standing to pursue this case.

Second, NTEU argues that its constitutional claim is well-founded. The constitutional right to informational privacy is firmly established. Several courts have found that the right has been violated when the government discloses private information to third parties. NTEU argues that the right should also be recognized when the government, through inadequate security protections, allows a third party to steal sensitive private information (as in the data breach).

This litigation is an important fight for us. We continue to believe that OPM must answer for breaking its promise to us about keeping our personal information safe. Furthermore, the agency must take sufficient concrete steps towards safeguarding that information in the future.

I will continue to keep you posted on our lawsuit. Periodic updates are also available at https://www.nteu.org/lawsuit-faqs.