Dismissal of Class Action Suit Against OPM Resulting from Data Breach Appealed
In a consolidated multidistrict class action against the Office of Personnel Management following a severe data breach of OPM’s cybersecurity that affected millions of federal employees and former federal employees, federal employees and the union alleged gross negligence and a violation of constitutional rights to informational privacy, but the United States District Court for the District of Columbia dismissed the case on September 19, 2017. On October 12, 2017, the employees appealed the dismissal to the United States Court of Appeals for the D.C Circuit.
The district’s court decision was primarily based on three factors, the first of which was the issue of standing. As the court stated in its dismissal, “[t]he fact that the breaches occurred is not disputed, and the identities of the individuals whose information was compromised are known. There is no doubt that something bad happened, and many people are understandably chagrined and concerned.” However, the court observed that prior to exploring the facts, including whether OPM was on notice that it was being targeted by hackers, or whether OPM did enough to design and maintain safeguards, it must answer a “foundational” question: “whether plaintiffs have set forth a cause of action that a court has the power to hear.”
The court stated that the “judiciary does not operate as a freestanding advisory board that can opine about the conduct of the executive branch as a general matter or oversee how it manages its internal operations. The Court’s authority is derived from Article II of the U.S. Constitution, and a federal court may only consider live cases or controversies based on events that caused actual injuries or created real threats of imminent harm to the particular individuals who brought the case.” In other words, the employees must demonstrate that there has been harm or that there is an imminent threat of harm due to the government’s actions.
But, the court stated, there is no Supreme Court or U.S. Court of Appeals for the D.C. Circuit precedent for the employees’ contention that a “breach” on its own is harm, and the court found that the employees who alleged that their private information had already been misused could not tie that misuse back to the OPM breach. Although the court noted that it “may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned.” Therefore, the court found, the employees could not allege the necessary harm in order to gain standing.
The court also dismissed the case due to its finding that the Privacy Act limits the right to bring a claim for damages to those who can demonstrate that they have suffered “actual economic harm” as a result of the government’s statutory violation. The court found that the “law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken.” Therefore, the court held that the employees failed to overcome the government’s argument that the federal defendants are immune from suit under the Privacy Act and the Administrative Procedure Act, and that [the OPM contractor] is shielded by government contractor immunity, so the Court lacks subject matter jurisdiction to hear those claims.” Additionally, the court held that the employees “failed to state claims upon which relief can be granted,” finding that the employees’ information was stolen, rather than disclosed, and because the employees have not “alleged facts to show that their claimed injuries were the result of the agency’s failures.”
As noted above, the dismissal has been appealed to the United States Court of Appeals for the D.C. Circuit.
Read the full dimissal: In re: U.S. Office of Personnel Management Data Security Breach Litigation.
This case law update was written by Conor D. Dirks, Associate Attorney, Shaw Bransford & Roth, PC.
For thirty years, Shaw Bransford & Roth P.C. has provided superior representation on a wide range of federal employment law issues, from representing federal employees nationwide in administrative investigations, disciplinary and performance actions, and Bivens lawsuits, to handling security clearance adjudications and employment discrimination cases.