WASHINGTON (CN) — The 21.5 million federal employees whose personal information was compromised by the Office of Personnel Management data hack have no legal recourse, a federal judge ruled, saying immunity forecloses their negligence and privacy claims.
Despite voicing sympathy for the position of the class members, U.S. District Judge Amy Berman Jackson found Tuesday that the unique circumstances of this case “implicate the constitutional limits on the court’s jurisdiction.”
“It may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned,” the 74-page opinion states. “But that has not happened yet, and the court is not empowered to expand the limits of its own authority, so it cannot find that plaintiffs have standing based on this record.”
The two cases Jackson dismissed were consolidated in Washington from lawsuits filed across the country after OPM disclosed that a data breach at the agency and at federal contractor KeyPoint Government Solutions had exposed the sensitive data of more than 21 million federal employees, retirees and job applicants.
In addition to names, addresses and Social Security numbers, the data also involved personal financial and legal information in many cases, fingerprints in others.
Noting the uncertainty of whether harm from the breach will ever come to pass for these individuals, Judge Jackson concluded Tuesday that standing is one of many bases to dismiss a case where the plaintiffs are seeking economic damages for speculative harm.
“The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken,” she wrote. “Neither the Administrative Procedure Act nor the Little Tucker Act supplies a cause of action against the government to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution.”
Immunity carries the day both for the government and its contractor, Jackson said.
“Plaintiffs do not identify any contract provisions that KeyPoint allegedly violated, and their claims that it violated federal law cannot stand,” the opinion states. “And importantly, the sovereign in this case, OPM, does not disavow the actions of KeyPoint. Indeed, the complaint indicates as much, alleging that ‘OPM did not terminate or suspend its contract with KeyPoint.’ Thus, plaintiffs fail to plead facts sufficient to allege that KeyPoint violated OPM’s explicit instructions or exceeded its authority under its contract with the agency.”
One of the unions behind the dismissed suit, the American Federation of Government Employees, is weighing the possibility of an appeal.
“The judge’s unfortunate decision to dismiss AFGE’s case reflects an unduly narrow view of the rights of data breach victims,” the union said in a statement Wednesday. “OPM failed to keep our most private and sensitive information from getting into the hands of Chinese hackers. We are deeply disappointed by the judge’s ruling in favor of OPM.
“AFGE is seriously evaluating all options to challenge this decision and will continue to fight on behalf of the millions of current, future, and retired federal employees and their family members whose lives were forever disrupted by this unprecedented data breach.”
The National Treasury Employees Union meanwhile didn’t waste any time.
“We immediately appealed the district court’s decision to the U.S. Court of Appeals for the D.C. Circuit,” NTEU president Tony Reardon said in a statement. “We will make our case there that NTEU members were harmed by the breaches and that OPM’s indifference to securing its databases in the years leading up to the breaches violated NTEU members’ constitutional right to informational privacy.”
The government has been providing free services such as credit and identity monitoring and identity-theft insurance for those affected by the breach.
The Department of Justice, which represented the OPM in the suit, did not respond to request for comment.