Using Email to Communicate With Federal Employees
Three days after the presidential transition, OPM announced it was “testing a new capability allowing it to send important communications to ALL civilian federal employees from a single email address.” Emails from that system came from the [email protected] email address. OPM subsequently began using this new system to send messages “to most if not all individuals with Government email addresses.”
When the system was started, some emails inadvertently reached non-executive branch users (e.g., state employees and contractors) with .gov or .mil addresses.
OPM Using the New System
The email system sends messages to large swaths of the executive branch workforce and, perhaps inadvertently, to a host of others, as noted above.
The first widely publicized use of this system, and the initial experience of using a mass email system like this to communicate with federal employees, may have been the announcement and description of a deferred resignation program. This program would soon be available to a large number of federal employees, but there was only a short time to sign up for it. Presumably, OPM used the email system to let federal employees with a potential interest in the program learn about it as soon as possible.
As often happens in the federal government, a new system with broad applicability is quickly challenged in court. This new system was no exception: a lawsuit was filed in the District Court for the District of Columbia.
The court case, Jane Doe, et al. v. Office of Personnel Management, focused on the Office of Personnel Management’s (OPM) implementation of the Government-Wide Email System (GWES) without conducting a Privacy Impact Assessment (PIA).
Key Points
- Legal Requirement: Section 208 of the E-Government Act requires a Privacy Impact Assessment (PIA) for systems collecting identifiable information about the public. Office of Management and Budget (OMB) guidance clarified that PIAs are unnecessary for internal government operations.
- Plaintiffs’ Claims: Two federal employees and five non-executive users alleged OPM violated Section 208 by skipping a PIA, risking exposure of sensitive data (e.g., email addresses revealing names and employers) if hacked.
OPM argued that the PIA was not required because the GWES targeted government employees, not the public. OPM subsequently produced a PIA (February 5, 2025) and claimed courts could not review its adequacy.
Those filing the lawsuit contended OPM’s “rushed PIA” was insufficient and left systems vulnerable. They cited a 2015 breach in which hackers obtained OPM data as precedent for their concern.
The plaintiffs asked the court for a temporary restraining order (TRO) to halt the use of the GWES until a “legally sufficient” PIA was completed. Two plaintiffs were federal executive branch employees, and the five others were individuals with “.gov” email addresses who are not executive branch employees.
The court denied the request for a TRO. It cited two primary reasons.
The plaintiffs failed to show a “concrete, imminent harm.” Storing emails in a system that they contended was insecure (without evidence of misuse or breach) was insufficient under previous decisions requiring harm analogous to traditional legal injuries.
Also, previous breaches of OPM data (2015) did not establish future risk as “certainly impending” (Clapper v. Amnesty International, 2013).
Finally, the court ruled there was no irreparable harm. Speculative hacking risks and generalized privacy concerns about .gov emails (e.g., potential harassment) were deemed insufficiently “certain or great” to warrant emergency relief.