WASHINGTON (CN) – The D.C. Circuit on Friday revived a legal battle over the 2014 Office of Personnel Management data breach, which exposed sensitive information about more than 21 million people.
Sometime around May 2014, hackers breached OPM’s networks and accessed background check information about 21.5 million people. Included in this information were Social Security numbers, birth dates and fingerprint records for people who work, have worked, or applied to work in the federal government.
OPM, the primary human resources agency for the federal government, did not publicly announce the hack until 2015.
The agency soon faced an onslaught of lawsuits, which were eventually consolidated into two sets of claims led by the National Treasury Employees Union and the American Federation of Government Employees.
The AFGE, as well as 38 people who represented a class, sought monetary damages under the Privacy Act, while the NTEU raised constitutional claims in its lawsuit.
A federal judge in Washington, D.C., dismissed the suits, saying neither group had standing to bring the claims against the government. The court also said the AFGE had not done enough to overcome the federal government’s immunity against suit.
In a 52-page unsigned opinion issued Friday, the D.C. Circuit said the district court got both of these findings wrong. The opinion refers to the AFGE and the groups it represents as the “Arnold plaintiffs.”
First, the ruling from the three-judge panel of U.S. Circuit Judges David Tatel, Patricia Millett and Stephen Williams states both sets of plaintiffs have shown they meet the “low bar” necessary to have standing at this early point in the case.
The opinion notes that some of the people who are part of the suit suffered fraud as a result of the breach, and that those who have not yet experienced such harms are at a higher risk of identity theft in the future.
“Arnold plaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM’s and KeyPoint’s cybersecurity failings and likely redressable, at least in part, by damages, and NTEU plaintiffs have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM’s challenged conduct and redressable either by a declaration that the agency’s failure to protect plaintiffs’ personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program,” the opinion states.
The panel then determined the district court was wrong that the claims AFGE raised did not invoke the provision of the Privacy Act that waives government immunity from lawsuits seeking damages for the government’s failure to maintain personal information collected in agency records.
The judges slammed OPM’s response to previous data breaches and warnings about its preparedness, saying the agency “left the door to its records unlocked” by not putting in place more stringent cybersecurity protections. Because this failure to heed warnings about its cybersecurity capabilities caused actual damages, the opinion states, the government’s sovereign immunity is waived and the AFGE lawsuit can proceed.
“The complaint’s plausible allegations that OPM decided to continue operating in the face of those repeated and forceful warnings, without implementing even the basic steps needed to minimize the risk of a significant data breach, is precisely the type of willful failure to establish appropriate safeguards that makes out a claim under the Privacy Act,” the opinion states.
The NTEU was not so successful in convincing the circuit of its constitutional claims. The opinion notes the claims concern information people gave “voluntarily” to the government and states that if there is a “constitutional right to informational privacy,” people can only seek relief for the violation of that right after “intentional disclosures” of their information.
“Absent any plausible mooring in the Constitution’s text or the nation’s history and tradition, we join the district court in declining to recognize the proposed constitutional right to informational privacy that would be violated not only when information is intentionally disclosed (or the functional equivalent), but also ‘when a third party steals it,’” the opinion states.
A spokesman for AFGE said the group’s attorneys are still reviewing the decision.
“Our attorneys are still reviewing the court’s lengthy opinion, but it looks like an important win for our members affected by the data breach,” the spokesman said in a statement.
OPM deferred to the Department of Justice, which declined to comment on the decision.
NTEU National President Tony Reardon said the group is “disappointed” with the D.C. Circuit’s decision on its constitutional claims, but satisfied with the opinion’s lengthy discussion of the agency’s cybersecurity shortcomings.
“NTEU has laid bare that OPM was aware of the critical weaknesses in its system and that it has done nothing meaningful to strengthen its safeguards,” Reardon said in a statement. “Working with Congress, NTEU has secured 10 years’ worth of identity theft protection for affected federal workers and we will continue to push for lifetime protections for these public servants whose personal data was compromised. We also expect OPM to take every precaution available to protect the information it holds so no other federal employees are ever faced with an uncertain future because their personal information has been stolen.”