Federal Employees’ Lawsuit Reinstated for Data Breach of Personal Information

June 25, 2019 by Tom Ramstack
Federal Employees’ Lawsuit Reinstated for Data Breach of Personal Information
District of Columbia Court of Appeals. (Photo by Dan McCue)

WASHINGTON – Federal employees will get their day in court after the D.C. Circuit Court of Appeals ruled last week that their lawsuit over an Office of Personnel Management data breach can be reinstated.

A trial court dismissed the lawsuit accusing OPM of negligence for allowing hackers in 2014 to breach the agency’s computer network, exposing sensitive information of 21.5 million people. The hack was believed to have been espionage by China.

The hacked information included Social Security numbers, birth dates, addresses and fingerprint records of employees and applicants to the federal government. OPM is the government’s main human resources agency.

A court in 2017 consolidated the ensuing lawsuits into two claims by the National Treasury Employees Union and the American Federation of Government Employees, who claim violations of the Privacy Act and the constitutional rights of their members.

A federal district court judge in Washington then said the labor unions lacked standing to sue and could not overcome the government’s immunity from liability.

However, the D.C. Circuit Court of Appeals disagreed, saying the evidence already showed some of the plaintiffs were subjected to fraud because of the data breach. It included identity theft, such as credit cards being opened and fraudulent tax returns in the victims’ names, according to the lawsuit.

Other victims are at a higher risk of identity theft, meaning they have enough of an injury to prove they have a good reason for a lawsuit, the appellate court ruled.

“There is no question that the OPM hackers … now have in their possession all the information needed to steal [plaintiffs’] identities,” the court’s ruling says. “It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft.”

The “plaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM’s … cybersecurity failings and likely redressable, at least in part, by damages,” the appellate court’s ruling says.

The appeals court added that the district court erred by finding the Privacy Act gives the government immunity from lawsuits despite the fact OPM was warned about data breaches before the 2014 attack.

Part of the evidence for negligence was based on past OPM inspector general reports that found failings in the agency’s computer security. The court said security remains lax.

“The complaint’s plausible allegations that OPM decided to continue operating in the face of those repeated and forceful warnings, without implementing even the basic steps needed to minimize the risk of a significant data breach, is precisely the type of willful failure to establish appropriate safeguards that makes out a claim under the Privacy Act,” the ruling says.

Also named as a defendant in the lawsuit was KeyPoint Government Solutions, a contractor that assisted with background checks and security clearance investigations on government employees and applicants.

The contractor had access to OPM’s computer databases. The hackers used KeyPoint’s credentials to breach the databases.

The appeals court also criticized the lower court for relying on information from Defense Department officials who speculated the Chinese government sponsored the computer breach.

The lower court reasoned that foreign government espionage was not likely to create a risk of identity thieves stealing money through bogus tax returns or credit card purchases.

The appellate court again disagreed, writing, “As an initial matter, the district court should not have relied, even in part, on its own surmise that the Chinese government perpetrated these attacks.”

The case is AFGE, NTEU v. Office of Personnel Management, U.S. Ct. App. for D.C., No. 17-5217, June 21, 2019.

A+
a-
  • D.C. Circuit
  • data breach
  • Office of Personnel Management
  • In The News

    Health

    Voting

    Litigation

    June 21, 2024
    by Lauren Zola
    Civil Liberties Groups to Sue Louisiana Over Ten Commandments Mandate

    BATON ROUGE, La. — Just hours after Louisiana Gov. Jeff Landry, a Republican, signed a bill into law requiring the... Read More

    BATON ROUGE, La. — Just hours after Louisiana Gov. Jeff Landry, a Republican, signed a bill into law requiring the display of the Ten Commandments in all public school classrooms, civil libertarians offered their unequivocal response — we’ll see you in court. With Landry’s signature, Louisiana... Read More

    June 20, 2024
    by Tom Ramstack
    Washington Commanders Settle Lawsuit Alleging Team Withheld Ticket Holders’ Deposits

    WASHINGTON — Virginia’s attorney general this week announced a $1.3 million settlement with the Washington Commanders after the football team... Read More

    WASHINGTON — Virginia’s attorney general this week announced a $1.3 million settlement with the Washington Commanders after the football team was accused of improperly withholding deposits by season ticket holders. The Virginia settlement, which is the largest so far, follows similar settlements with the attorneys general... Read More

    June 17, 2024
    by Dan McCue
    Railway Must Pay Tribe $400M for Trespassing Oil Trains

    SEATTLE — The BNSF Railway Co., the largest freight railroad in the United States, must pay a Native American tribe... Read More

    SEATTLE — The BNSF Railway Co., the largest freight railroad in the United States, must pay a Native American tribe in Washington state nearly $400 million for years of illegally transporting crude oil-laden tankers across their land. Monday’s ruling by U.S. District Judge Robert Lasnik comes... Read More

    June 10, 2024
    by Tom Ramstack
    FCC Wants Net Neutrality Case Transferred to DC Circuit

    WASHINGTON — The Federal Communications Commission is trying to keep a pivotal net neutrality case in Washington, D.C., as the... Read More

    WASHINGTON — The Federal Communications Commission is trying to keep a pivotal net neutrality case in Washington, D.C., as the agency seeks to prevent internet companies from giving preference to favored customers. Along with its motion to transfer the case to the U.S. Circuit Court of... Read More

    April 24, 2024
    by Tom Ramstack
    Madonna Fans Sue After Singer’s Late Arrival in DC

    WASHINGTON — Three Madonna fans are suing the singer for her late arrival and quality of her performance in December... Read More

    WASHINGTON — Three Madonna fans are suing the singer for her late arrival and quality of her performance in December in Washington, D.C. The lawsuit filed Friday in U.S. District Court for the District of Columbia seeks class action certification. If the court certifies the class... Read More

    April 15, 2024
    by Dan McCue
    Attorneys General, State Legislature Seek Stay of EPA Methane Rule

    WASHINGTON — Attorneys general from 24 states and one state legislature have asked a federal appeals court to stay a... Read More

    WASHINGTON — Attorneys general from 24 states and one state legislature have asked a federal appeals court to stay a new methane emissions rule rolled out by the Environmental Protection Agency. Unveiled in December and finalized on March 8, the rule aims to sharply reduce methane... Read More

    News From The Well
    scroll top