Federal employee unions suing over a pair of data breaches that affected more than 22 million people will tell an appeals court Nov. 2 that their lawsuits were wrongly dismissed.
The case stems from data breaches announced by the Office of Personnel Management in June and July of 2015. The U.S. District Court for the District of Columbia ruled in September 2017 that neither the American Federation of Government Employees nor the National Treasury Employees Union, which filed separate lawsuits, had standing to sue. The unions didn’t show that the data breaches resulted in harm to those affected, the court said.
The U.S. Court of Appeals for the District of Columbia Circuit is hearing arguments from the OPM and the unions in what is now a consolidated case following the unions’ appeal of the lower court ruling.
The NTEU’s primary purpose in pursuing its lawsuit is to force the OPM to provide lifetime credit monitoring and identity theft protection to those affected by the data breaches, Paras Shah, the union’s assistant counsel, told Bloomberg Law Nov. 1.
The union is alleging that the OPM “recklessly disregarded” for nearly a decade prior to the breaches its own inspector general’s urgent warnings that it needed to beef up its information technology protections, Shah said. The OPM’s failure to protect the information violated NTEU union members’ constitutional right to privacy, he said.
The AFGE is taking a different approach. It’s pursuing a class action lawsuit under the Privacy Act that seeks monetary damages. Both unions are asserting that the breaches resulted in harm and that the OPM is responsible.
The OPM is arguing that the data breaches didn’t result in tangible harm. The risk of future harm isn’t actionable, the OPM says.
Two Data Breaches
The OPM said in June 2015 that personal information for about 4.2 million current and former federal employees was exposed in a breach of personnel files. In July 2015, the OPM announced a second breach of federal background check files—including those of current, former, and prospective federal civilian and contract employees—that affected about 21.5 million people. About 3.6 million people were affected by both breaches, the OPM said when it announced the scope of the second breach.
Those affected by the breaches were provided with 10 years of credit monitoring and identity theft protection after Congress voted to boost the protections originally offered by the OPM.
The OPM declined to comment on the upcoming court arguments. The AFGE didn’t immediately provide comment.
The case is In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., D.C. Cir., No. 17-5217, oral argument 11/2/18.