A new case decision (AFGE, NTEU v. OPM, USCADC, No. 17-5217, June 21, 2019) has given renewed life to two federal employee unions’ lawsuits against the Office of Personnel Management over the two data breaches the agency suffered that left the personal data of over 20 million current and former federal employees vulnerable.
The US Court of Appeals for the District of Columbia ruled in favor of the American Federation of Government Employees and the National Treasury Employees Union, saying that OPM will have to defend itself in court rather than having the case thrown out, reversing the previous decision of a lower court.
AFGE and NTEU may be able to ultimately collect damages as well, as the court noted that impacted individuals could be left vulnerable to future identity theft resulting from the OPM data breaches.
The court summarized the situation as follows:
…Plaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM’s and KeyPoint’s cybersecurity failings and likely redressable, at least in part, by damages, and NTEU Plaintiffs have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM’s challenged conduct and redressable either by a declaration that the agency’s failure to protect plaintiffs’ personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program.
The court said in its decision that OPM failed to properly secure the personal data of the federal employees and retirees stored in its computer systems, leaving them vulnerable to theft. The unions cited this fact as well in their lawsuits. The court apparently agreed with the unions, citing past OPM Inspector General reports which found that OPM’s IT security was lacking.
KeyPoint, the contractor that was doing background and security clearance investigation fieldwork for OPM, had access to OPM’s IT systems and was also sued because KeyPoint’s credentials were the ones used by the hackers to breach the computer systems. KeyPoint had convinced the previous court that it had immunity from being sued, but the DC Appeals Court concluded otherwise.
Bottom line: the lawsuit will now continue, and OPM and KeyPoint will have to defend themselves in the district court.