Parties in OPM Data Breach Suit Hold Oral Arguments at D.C. Circuit Court of Appeals
In a consolidated multidistrict class action against the Office of Personnel Management following a severe data breach of OPM’s cybersecurity that affected millions of federal employees and former federal employees, federal employees and the union alleged gross negligence and a violation of constitutional rights to informational privacy. The United States District Court for the District of Columbia dismissed the case on September 19, 2017. On October 12, 2017, the employees appealed the dismissal to the United States Court of Appeals for the D.C Circuit.
On November 2, 2018, the parties held oral arguments before a panel of three judges at the United States Court of Appeals for the D.C. Circuit. Per Government Executive, two of the judges, Patricia Millett, an Obama appointee, and David Tatel, a Clinton appointee, “noted that plaintiffs incurred real costs as a result of the breach and may face legitimate risks beyond the 10 years for which the government is currently offering protections.”
The district’s court decision was primarily based on three factors, the first of which was the issue of standing. As the district court stated in its dismissal, “[t]he fact that the breaches occurred is not disputed, and the identities of the individuals whose information was compromised are known. There is no doubt that something bad happened, and many people are understandably chagrined and concerned.” However, the court observed that prior to exploring the facts, including whether OPM was on notice that it was being targeted by hackers, or whether OPM did enough to design and maintain safeguards, it must answer a “foundational” question: “whether plaintiffs have set forth a cause of action that a court has the power to hear.”
The district court stated that the “judiciary does not operate as a freestanding advisory board that can opine about the conduct of the executive branch as a general matter or oversee how it manages its internal operations. The Court’s authority is derived from Article II of the U.S. Constitution, and a federal court may only consider live cases or controversies based on events that caused actual injuries or created real threats of imminent harm to the particular individuals who brought the case.” In other words, the employees must demonstrate that there has been harm or that there is an imminent threat of harm due to the government’s actions.
But, the district court stated, there is no Supreme Court or U.S. Court of Appeals for the D.C. Circuit precedent for the employees’ contention that a “breach” on its own is harm, and the court found that the employees who alleged that their private information had already been misused could not tie that misuse back to the OPM breach. Although the court noted that it “may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned.” Therefore, the district court found, the employees could not allege the necessary harm in order to gain standing.
However, on appeal, the government found resistance on its standing argument from Circuit Judge Tatel. According to Government Executive, Judge Tatel addressed the government’s argument regarding standing by telling the government attorney that it had an “uphill battle” to show that one set of plaintiffs lacked standing, and that if the court found standing for one case, it would likely apply to the other.
In addition to the standing issue, the appeals court may also address in its eventual decision additional rulings by the district court, including whether the plaintiffs failed to state a claim upon which relief could be granted, and whether the federal defendants are immune from suit under the Privacy Act and Administrative Procedure Act.
Read the full district court dismissal: In re: U.S. Office of Personnel Management Data Security Breach Litigation
This case law update was written by Conor D. Dirks, Associate Attorney, Shaw Bransford & Roth, PC.
For thirty years, Shaw Bransford & Roth P.C. has provided superior representation on a wide range of federal employment law issues, from representing federal employees nationwide in administrative investigations, disciplinary and performance actions, and Bivens lawsuits, to handling security clearance adjudications and employment discrimination cases.
Posted in Case Law Update