One of two consolidated complaints—one brought by AFGE and a putative class and another by NTEU—resulting from a massive security breach of OPM affecting more than 21 million people has been revived by the D.C. Circuit.
In 2014, cyberattackers breached multiple U.S. Office of Personnel Management (OPM) databases and allegedly stole the sensitive personal information—including birth dates, Social Security numbers, addresses, and fingerprint records—of past, present, and prospective government workers and their spouses: more than 21 million people in all. Multiple lawsuits were ultimately consolidated into two complaints: one brought by the American Federation of Government Employees on behalf of 38 individuals affected by the breaches and a putative class of similarly situated breach victims (the Arnold plaintiffs) and another for declaratory and injunctive relief brought by the National Treasury Employees Union (NTEU) and three of its members. The district court dismissed those complaints for lack of Article III standing and failure to state a claim. But the D.C. Circuit resurrected one of those complaints, reversing in part, affirming in part, and remanding (In RE: U.S. Office Of Personnel Management Data Security Breach Litigation, June 21, 2019, per curiam).
The appeals court held that:
- NTEU and the Arnold plaintiffs (the AFGE suit) have adequately alleged Article III standing;
- AFGE/Arnold plaintiffs have stated a claim under the Privacy Act, which waives OPM’s sovereign immunity;
- KeyPoint, the government contractor that performed background and security clearance investigations and input the sensitive information it collected into OPM’s electronic recordkeeping system, is not protected by derivative sovereign immunity; and
- The NTEU plaintiffs have failed to state a claim that flaws in OPM’s information-storage measures violated the Constitution.
Both sets of plaintiffs alleged that OPM’s cybersecurity practices were woefully inadequate, enabling the hackers to gain access to the agency’s treasure trove of employee information, which in turn exposed plaintiffs to a heightened risk of identity theft and a host of other injuries.
AFGE allegations. According to this complaint, after breaching OPM’s network “using stolen KeyPoint credentials” around May 2014, the hackers extracted almost 21.5 million background investigation records from the agency’s Central Verification System. They gained access to another OPM system near the end of 2014, stealing over four million federal employees’ personnel files. This included current and prospective employees’ Social Security numbers (as well as those of spouses and cohabitants), birth dates, and residency details, along with millions of sets of fingerprints.
On appeal, the Arnold plaintiffs argued that the agency “willfully failed” to establish appropriate safeguards to ensure the security and confidentiality of their private information, in violation of the Privacy Act of 1974.
They also alleged common-law and statutory claims against KeyPoint, alleging that the company’s “actions and inactions constitute[d] negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and state statutes.”
They are seeking damages from OPM under the Privacy Act; from KeyPoint, they seek money damages plus an order requiring the company to extend free lifetime identity theft and fraud protection services to all putative class members.
NTEU allegations. The National Treasury Employees Union complaint sought declaratory and injunctive relief against the acting director of OPM based on essentially the same set of facts. NTEU plaintiffs alleged that when they provided OPM with the sensitive personal information ultimately exposed in the breaches, they did so relying on the agency’s assurance that it “would be safeguarded” and kept confidential. They claimed that OPM’s “reckless failure to safeguard” their personal information, which ultimately “resulted in [its] unauthorized disclosure” during the 2014 attacks, was a violation of what they describe as their “constitutional right to informational privacy,” and they sought a declaration to that effect.
Moreover, they alleged that OPM has yet to make the cybersecurity improvements necessary to protect their personal information from future attacks. Consequently, the plaintiffs requested an injunction requiring OPM “to take immediately all necessary and appropriate steps to correct deficiencies in [its] IT security program so that NTEU members’ personal information will be protected from unauthorized disclosure” in the future. They also sought an order requiring the agency to provide them with free lifetime credit monitoring and identity theft protection.
District court dismisses complaints. Neither complaint survived; in a 74-page opinion, the district court found the plaintiffs lacked standing and further that the federal defendants were immune from suit under the Privacy Act; also, the contractor was shielded by derivative government contractor immunity, so the court lacked subject matter jurisdiction. Although the plaintiffs sought damages for improper disclosure of information and for failure to maintain adequate safeguards under the Privacy Act, they had not alleged that private information was “disclosed”—as opposed to stolen—and they had not alleged facts to show that their claimed injuries were the result of the agency’s failures. Nor did they sufficiently allege a Constitutional violation.
Rejecting plaintiffs’ argument that they faced a heightened risk of identity theft due to the breaches, the district court held further that the allegations did not plausibly support the conclusion that this risk of future injury was either substantial or clearly impending. The district court ultimately concluded that only those plaintiffs who specifically identified out-of-pocket losses stemming from the actual misuse of their data had suffered an injury in fact; but even those plaintiffs lacked standing, the district court concluded, because they failed to allege facts demonstrating that the misuse of their information was traceable to the OPM breaches in particular.
In the appeals court. On appeal, however, the D.C. Circuit held that both sets of plaintiffs had alleged facts sufficient to satisfy Article III standing requirements. The AFGE/Arnold plaintiffs had stated a claim for damages under the Privacy Act and had “unlocked” OPM’s waiver of sovereign immunity by alleging OPM’s knowing refusal to establish appropriate information security safeguards. The contractor, KeyPoint, was not entitled to derivative sovereign immunity because it had not shown that its alleged security faults were directed by the government, and it was alleged to have violated the Privacy Act standards incorporated into its contract with OPM.
However, even assuming a constitutional right to informational privacy, the appeals court agreed with the district court that the NTEU plaintiffs have not alleged any violation of such a right.
Standing. The appeals court devoted a lot of discussion to the standing issue, finding that the AFGE/Arnold plaintiffs had plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM’s and KeyPoint’s cybersecurity failings, which was “likely redressable,” at least in part, by damages. The NTEU plaintiffs too had plausibly alleged actual and imminent constitutional injuries that were traceable to OPM’s challenged conduct and “redressable either by a declaration that the agency’s failure to protect plaintiffs’ personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program.”
Privacy Act claim. In brief, the D.C. Circuit, went on to find that the AFGE/Arnold plaintiffs adequately alleged that OPM willfully chose not to establish basic and necessary information security safeguards in violation of Section 552a(e)(10) of the Privacy Act, and that OPM’s actions proximately caused actual damages in multiple, specific ways (which the court detailed).
According to the appeals courts, the complaint “plausibly and with specificity” alleged that OPM was “willfully indifferent to the risk that acutely sensitive private information was at substantial risk of being hacked.” At the time of the breach, OPM allegedly had long known that its electronic recordkeeping systems were prime targets for hackers. “The agency suffered serious data breaches from hackers in 2009 (millions of users’ personal information stolen) and 2012 (OPM access credentials stolen and posted online) and is subject to at least ten million unauthorized electronic intrusion attempts every month.” But “OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known, and available steps to secure the trove of sensitive information in its hands,” concluded the court.
Sovereign immunity. Because it had found the complaint stated a viable Privacy Act claim, OPM’s sovereign immunity had been waived. As to the district court’s finding that, as OPM’s contractor, KeyPoint enjoyed “derivative sovereign immunity” from those claims and reviewing the applicability of derivative sovereign immunity de novo, the D.C. Circuit disagreed. OPM tasked KeyPoint with performing background and security clearance investigations, and with inputting the sensitive information it collected into OPM’s electronic recordkeeping system. The cyberhackers allegedly were able to obtain KeyPoint credentials and used them to gain access to OPM’s network. OPM’s contract obligated KeyPoint to meet the same standards for protecting personal information that the Privacy Act imposed directly on OPM.
“Because the improper conduct alleged would have violated the Privacy Act if committed by OPM itself, and because KeyPoint’s challenged misconduct was not directed by OPM, there is no sovereign immunity for KeyPoint to derive,” concluded the appeals court.
“Right to informational privacy?” But the NTEU plaintiffs’ constitutional claim did not fare as well. They did not allege that OPM intentionally disclosed the records or even the functional equivalent of such a disclosure—they alleged “reckless indifference” instead. They challenged OPM’s internal record-management and storage practices as unconstitutionally infringing on their constitutional right to privacy. Even assuming without deciding that the Constitution protects a privacy interest in “avoiding disclosure of personal matters,” their complaint failed to state a legally cognizable claim.
There simply was nothing to establish that the Constitution imposes on the government an affirmative duty—”untethered to specific constitutional provisions such as the First Amendment”—to “safeguard personal information” from the criminal acts of third parties. This alleged governmental duty to “adequately secure” government computer networks was neither supported in the Constitution or history, said the appeals court, noting that neither it nor the Supreme Court had “ever elaborated on the rationale for—or even defined the ‘precise contours of”—the putative right to informational privacy.”
Not only that, but the NTEU plaintiffs cited no authority for the government to be held responsible for violating the alleged right to informational privacy without it having affirmatively provided the protected information. The D.C. Circuit agreed with the district court that it would not recognize a “proposed constitutional right to informational privacy that would be violated not only when information is intentionally disclosed (or the functional equivalent), but also ‘when a third party steals it.’”
Due process claim against OPM as employer. Here OPM held the information not as the government, but as the employer, giving it a “much freer hand” than if it was dealing with “citizens at large,” reasoned the appeals court. The NTEU plaintiffs had asserted an “affirmative government duty to safeguard personal information that current and prospective employees voluntarily submitted to the government—not information the government compelled. They voluntarily submitted personal information “as part of a background investigation.” Because the NTEU plaintiffs were not compelled to seek government employment (and provide it personal information), the government had “no constitutional duty under the Due Process Clause to protect them from the risks associated with applying for such positions,” concluded the appeals court.
Judge Williams concurred in part and dissented in part.
Interested in submitting an article?
Submit your information to us today!Learn More
Employment Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on employment legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.