In re OPM Data Security Breach Litigation
“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has ‘by the affirmative exercise of its power’ taken the data and ‘so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s ‘affirmative duty to protect’ the data ‘arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009), as quoted in In re OPM Data Security Breach Litigation, 266 F.Supp.3d 1 (D.D.C. 2017).
In Re: U.S. Office of Personnel Management Data Security Breach Litigation, Nos. 17-5217, 17-5232, concerns constitutional and statutory claims based on data breaches that affected 22 million federal employees and family members in 2015. The Office of Personnel Management (“OPM”) disclosed that hackers had stolen troves of data on federal employees in two separate breaches. The stolen information included names, birthdates, current and former addresses, and Social Security numbers. In 2015, the American Federation of Government Employees ("AFGE") and individual government workers filed a class action lawsuit against OPM, alleging that the breach stemmed from gross negligence by federal officers and violated both federal and state laws. A separate suit was brought by the National Treasury Employees Union ("NTEU") alleging a violation of federal employees' constitutional right to informational privacy. On September 19, 2017, the U.S. District Court for the District of Columbia granted OPM’s motion to dismiss both suits. The court concluded that the NTEU plaintiffs failed to "allege a legally cognizable constitutional claim" and that only the two named plaintiffs who suffered out-of-pocket identity theft expenses could establish standing to sue under Article III. On appeal, the D.C. Circuit is evaluating the grounds for dismissal and determining both the scope of the constitutional right to informational privacy and the application of Article III standing doctrine to data breach victims.
Defendant OPM is a federal agency that handles portions of the federal employee recruitment process. Defendant KeyPoint Government Solutions (“KeyPoint”) is a private contractor that conducts background investigations and security clearance checks for OPM. Plaintiffs are victims of alleged OPM data breaches that occurred in 2013 and 2014. Several times, hackers infiltrated OPM’s systems and stole sensitive information, including security system documents and electronic manuals about the agency’s systems and the user log-in credentials of a KeyPoint employee. The login information was subsequently used to access OPM’s network and install malware, creating “a conduit through which data could be ex-filtrated.” This breach affected nearly 22 million federal employees and family members. Hackers had stolen information including federal employees’ names, birthdates, current and former addresses, and Social Security numbers.
On April 27, 2015, OPM notified approximately 48,000 federal employees that their personal information might have been exposed in a data breach that compromised about 4.2 million federal employees and contractors. On June 12, 2015, OPM announced that the scope of the breach was broader and likely affected 14 million. On July 9, 2015, this number again increased to almost 22 million, majority of which was information included in background checks. The agency notified each individual whose private information had been compromised and offered free identity theft protection services for up to three years, depending on the sensitivity of the information.
A number of lawsuits were filed around the country after the data breaches had been announced. The United States Judicial Panel on Multidistrict Litigation consolidated the cases before the District Court of the District of Columbia. In the consolidated complaint, the AFGE plaintiffs alleged that OPM violated the Privacy Act, the Little Tucker Act, and the Administrative Procedure Act, and that KeyPoint is liable for “negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and various state statutes governing unfair and deceptive trade practices and data security.” Plaintiffs seek declaratory and injunctive relief against both OPM and KeyPoint. The NTEU plaintiffs alleged that the disclosure of their personal information by the federal government violated their constitutional right to informational privacy.
OPM and KeyPoint each filed motions to dismiss the complaint, arguing that the court lacked subject matter jurisdiction and that plaintiffs do not have standing. Furthermore, defendants argued that they are protected by sovereign immunity and plaintiffs failed to state a claim upon which relief could be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure.
The lower court focused on the question of whether the NTEU plaintiffs could assert a violation of their constitutional right to informational privacy and whether the AFGE plaintiffs had standing under Article III. As to the right to informational privacy, the lower court provided a detailed overview of the cases that have gone before the Supreme Court and the D.C. Circuit addressing the right to informational privacy. The court discussed the three Supreme Court cases that addressed the constitutional right to privacy - NASA v. Nelson, Nixon v. Adm'r of Gen. Servs., and Whalen v. Roe. In these cases, while the holding did not ultimately hinge on finding a violation of the constitutional right to informational privacy, the Court did assume the existence of such a right. For instance, in discussing Whalen, the court re-emphasized that "the government's right to collect and use private data for public purposes is 'typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures,' and 'that in some circumstances, that duty arguably has its roots in the Constitution." Also, the court cited Nixon in establishing that "when Government intervention is at stake, public officials, including the President, are not wholly without constitutionally protected privacy rights in matters of personal life unrelated to any acts done by them in their public capacity."
The lower court opinion also cited Professor Michael Froomkin's article on Government Data Breaches, stating:
"when the State takes a person's data and holds it in a fashion outside the person's control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has 'by the affirmative exercise of its power' taken the data and 'so restrain[ed]' it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government's 'affirmative duty to protect' the data 'arises … from the limitation which it has imposed on his freedom to act on his own behalf' to keep the data secure."Nonetheless, the court found that, similar to other cases acknowledging the constitutional right to privacy, it would "avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so."
As to standing, the court found a distinction between a data breach caused by a cyberattack against the United States from other cases (including Carefirst) involving breaches of retail establishments and financial entities. The court posited that a data breach occurring as a result of a cyberattack on the United States might not be done for the purpose of facilitating identity theft.
Ultimately, the lower court granted defendants’ motion to dismiss on failure of the NTEU plaintiffs to state a claim under the constitution and failure of the AFGE plaintiffs to meet the Article III standing requirements and the Privacy Act damages requirements.
Both sets of plaintiffs filed appeals in the D.C. Circuit. The NTEU plaintiffs appeal was docketed on September 27, 2017, No. 17-5217. The AFGE plaintiffs appeal was docketed on October 12, 2017, No. 17-5232.
EPIC has a strong interest in ensuring privacy lawsuits proceed to redress the harms of privacy violations and ensure greater privacy protections thereafter. EPIC has long argued that data breach victims should not have to wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC filed comments last year with OPM recommending limits on data collection; has recommended updates to the federal Privacy Act; and has urged the Supreme Court to recognize a right to “informational privacy” and to ensure Privacy Act damages for non-economic harm.
In NASA v. Nelson, 562 U.S. 134 (2011), EPIC filed an amicus brief arguing that the right to informational privacy is well recognized and that NASA violated that right when it required contractors to submit sensitive personal data without adequate protections. The Supreme Court found that the government's invasive background checks for government contractors implicated "a privacy interest of Constitutional significance." The Court had earlier recognized in Whalen v. Roe, 429 U.S. 589 (1977), that the constitutional right to informational privacy protects "the individual interest in avoiding disclosure of personal matters." And also considered the right in Nixon v. Administrator of General Services, 433 U.S. 425 (1977). The Court in NASA confirmed that both of these seminal cases recognized a constitutional right to informational privacy. EPIC subsequently filed amicus briefs in IMS Health, Inc. v. Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011), arguing that data-mining of prescriber information Implicates the constitutional right to informational privacy, and in Doe v. Luzerne County, 660 F.3d 169 (3d Cir. 2011), arguing that the constitution protects public employees from surreptitious video surveillance while undressed as they shower at their workplace.
EPIC has also filed several briefs in cases concerning the right of individuals to seek redress for data breach. In 2017, EPIC filed a brief in the D.C. Circuit in Attias v. CareFirst, Inc., . In 2016, EPIC filed a brief in the Eighth Circuit in In re Supervalu Consumer Data Security Breach Litigation, which involved a very similar question as Carefirst. EPIC also filed a brief on this issue in the Third Circuit in Storm v. Paytime, Inc.. EPIC argued that consumers are facing unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
United States Court of Appeals for the D.C. Circuit, No. 17-5232
- Joint Proposal on Briefing (Mar. 2, 2018)
- EPIC Notice of Intent to Participate as Amicus (Mar. 15, 2018)
- Briefing Order (Mar. 26, 2018)
- Class Plaintiff-Appellants' Opening Brief (May 10, 2018)
- NTEU Appellant Brief (May 10, 2018)
- Joint Appendix (May 10, 2018)
- EPIC Amicus Brief (May 17, 2018)
United States District Court for the District of Columbia, No. 15-1394
- Memorandum Opinion and Order Dismissing Consolidated Amended Complaint (Sept. 19, 2017)
- NTEU Complaint
- Amended Complaint for Declaratory and Injunctive Relief (NTEU) (June 3, 2016)
- OPM Motion to Dismiss NTEU Complaint (June 27, 2016)
- NTEU Opposition to Motion to Dismiss (July 27, 2016)
- OPM Reply in Support of Motion to Dismiss AFGE Complaint (Aug. 29, 2016)
- AFGE Complaint
- Consolidated Amended Complaint (AFGE) (March 14, 2016)
- OPM Motion to Dismiss AFGE Complaint (May 13, 2016)
- AFGE Opposition to Motion to Dismiss (June 30, 2016)
- OPM Reply in Support of Motion to Dismiss AFGE Complaint (Aug. 3, 2016)
- Chris Strohm, Hacked OPM data hasn’t been shared or sold, top spy-catcher says, Bloomberg (Sept. 28, 2017)
- Amul Kalia and Cindy Cohn, Will the Equifax data breach finally spur the courts (and lawmakers) to recognize data harms?, Electronic Frontier Foundation (Sept. 26, 2017)
- Alex Swoyer, Government workers plan to appeal after judge tosses OPM data breach lawsuit, The Washington Times (Sept. 21, 2017)
- Eric Yoder, Federal court denies cash awards to 22 million OPM data theft victims, The Washington Post (Sept. 20, 2017)
- Allison Grande, Data theft not enough to keep OPM breach suit, Judge says, Law360 (Sept. 20, 2017)
- Morgan Chalfant, Court dismisses lawsuits over OPM data breach, The Hill (Sept., 19, 2017)