Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Monday, June 24, 2024 | Back issues
Courthouse News Service Courthouse News Service

Appeal on OPM Data Breach Strikes Chord in Washington

The D.C. Circuit seemed skeptical Friday of the rejection of two lawsuits over a data breach at the Office of Personnel Management that compromised the records of more than 21 million people. 

WASHINGTON (CN) - The D.C. Circuit seemed skeptical Friday of the rejection of two lawsuits over a data breach at the Office of Personnel Management that compromised the records of more than 21 million people.

The story behind the suits begins in 2015 when OPM, as the office’s name is commonly abbreviated, announced that its personnel and background investigation records were hacked, putting Social Security numbers, birthdates, fingerprints and other sensitive details at risk.

This led to a flurry of lawsuits across the country, which eventually came together as two separate filings in the U.S. District Court for the District of Columbia.

One suit came from the American Federation of Government Employees, the AFL-CIO and 38 people who represented a class seeking monetary damages under the Privacy Act. The other came from the National Treasury Employees Union and three people who brought suit on constitutional grounds.

A federal judge dismissed both complaints in September 2017, finding none of the plaintiffs in either case had standing because they could not show that the attack put them at greater risk of future harm. Those plaintiffs who were able to show they suffered identify theft or fraud saw their claims dismissed because there was no way to link the breach to their injuries.

Fighting to revive the class claims Friday before a D.C. Circuit panel, Cooper & Kirk attorney Peter Patterson said his clients have standing because it is "at least plausible" that some people were victims of identity theft as a direct result of OPM breach.

U.S. Circuit Judge Stephen Williams wondered whether the claims from Patterson’s clients became more "implausible" as time went on because it would be harder to tie the OPM breach to any individual identity theft due to the ordinary risk of theft, even for people who are not the victims of a data breach.

But Patterson said the class suffered more than just speculative injuries, as the breach led two of the plaintiffs in the case to buy credit-monitoring and other services to protect themselves, giving them a clear path to standing through that hit to their pocketbooks.

Meanwhile, Paras Shah, an attorney with the National Treasury Employees Union, told the judges that the people he represents had their constitutional rights violated the moment the theft occurred. The government left "all the doors and windows open" by not imposing stricter security controls, giving his clients a different route into the courtroom, Shah said.

Sonia Carson, who represented the government, said neither Patterson nor Shah's clients alleged anything more than a speculative harm in their complaints.

She turned aside Patterson's point that some people purchased anti-theft products as a result of the breach by noting the government provided similar protection for free.

"Our basic point is that you're not at a loss if you pay for something the government gave you for free," Carson said.

As for the constitutional challenges, Carson said that group of plaintiffs has not shown the relief they seek in the complaint would do anything to repair the harms they claimed to suffer as a result of the breach.

But the panel seemed skeptical of many of Carson's contentions throughout the hearing this morning.

U.S. Circuit Judge Patricia Millett suggested some of the defenses Carson raised sounded like disputes over facts, not issues that could be decided based purely on the allegations included in the complaint.

"It sounds like we're turning complaints into motions for summary judgment at this point," Millett said.

Millett also wondered why the passage of time from when the breach first occurred should have any bearing on the suit. Unlike someone whose credit card information falls into the wrong hands, the victims of the OPM data breach cannot avoid identity theft by changing their Social Security numbers or birth dates, Millett said.

U.S. Circuit Judge David Tatel expressed similar concerns to those of Millett, saying a compromised Social Security number can have "enormous consequences to people."

Tatel also told Carson as she was arguing against the constitutional claims that he could not imagine what else the plaintiffs in the case would have to allege to clear the standing question.

"You've got an uphill battle for me," Tatel told Carson, after acknowledging he is just one member of a three-judge panel.

Categories / Appeals, Civil Rights, Government

Subscribe to Closing Arguments

Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.