WASHINGTON (Legal Newsline) – A District of Columbia appeals court's ruling this summer in two class action lawsuits against the Office of Personnel Management over a 2014 data breach may lead to U.S. Supreme Court intervention over whether plaintiffs in such lawsuits have standing to sue.
in June, the U.S. Court of Appeals for the District of Columbia Circuit ruled that American Federation of Government Employees, National Treasury Employees Union and other plaintiffs had shown they were harmed as a result of the data breach that affected more than 21 million people.
The appeals court also affirmed a lower court ruling that the National Treasury Employees Union hadn't proved that a constitutional right to privacy had been violated based on personal information stolen during the data breach.
"Here, NTEU plaintiffs' claims fall on the wrong side of this line," the appeals court's three-judge panel said in its 52-page decision issued in June. "They assert an affirmative government duty to safeguard personal information that current and prospective employees voluntarily submitted to the government."
Circuit Court Judge David S. Tatel and Judge Patricia Millett concurred in the appeal court's decision while Judge Stephen F. Williams dissented in part.
The U.S. District Court for the District of Columbia previously found that with no allegations of widespread identity theft or financial fraud, it was too speculative to suggest there might be harm in the future. The data breach occurred in 2015, and plaintiffs allege the Office of Personnel Management was cybersecurity practices were inadequate.
King & Spalding mentioned the decision creates a split with the Fourth and Third circuits. The decision broke from those rulings because the D.C. plaintiffs were able to show hackers targeted the data and misused it.
"We hold that both sets of plaintiffs have alleged facts sufficient to satisfy Article III standing requirements. Arnold Plaintiffs have stated a claim for damages under the Privacy Act, and have unlocked OPM’s waiver of sovereign immunity, by alleging OPM’s knowing refusal to establish appropriate information security safeguards," the D.C. decision says.
"KeyPoint is not entitled to derivative sovereign immunity because it has not shown that its alleged security faults were directed by the government, and it is alleged to have violated the Privacy Act standards incorporated into its contract with OPM."