A federal court has concluded that the law does not permit a suit seeking monetary damages for the breaches of OPM databases that resulted in the theft of personal information on most current and former federal employees. Following is the court’s summary of that decision, which has already been appealed.
In June of 2015, millions of unsuspecting federal employees sat down at their computers, opened up their email, and received some very disconcerting news.
I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.
Over time, OPM revealed that data breaches at the agency and at one of its contractors affected more than twenty-one million people, and that the stolen information included such sensitive data as names, birthdates, current and former addresses, and Social Security numbers. After those announcements, a number of plaintiffs filed separate lawsuits in courts across the country, and they were consolidated into two complaints in the multidistrict action assigned to this Court.
The first complaint is a class action lawsuit filed by thirty-eight individuals and a union, the American Federation of Government Employees (“AFGE”). See Consolidated Amended Complaint [Dkt. # 63] (“CAC”). Plaintiffs allege that the breaches resulted from gross negligence on the part of officials entrusted with the responsibility of protecting the private details that job seekers submit to OPM in connection with the background investigations they are required to undergo. They have sued on behalf of the 21.5 million current and former federal employees, job applicants, contractors, and relatives whose information was compromised, and they seek statutory damages under the Privacy Act, contract damages under the Little Tucker Act, and declaratory and injunctive relief under the Administrative Procedure Act. These plaintiffs have also sued KeyPoint Government Solutions, a government contractor that performed background investigations for OPM. KeyPoint’s computer systems were also breached, and plaintiffs seek damages from the company under multiple federal and state statutory and common law theories. Defendants have moved to dismiss the entire case on the grounds that plaintiffs lack standing to bring it, the claims are barred by sovereign immunity, and the factual allegations are not sufficient to state valid claims under any of the statutes or common law theories plaintiffs have invoked.
The second complaint before the Court was filed by three individuals and the National Treasury Employees Union (“NTEU”). Am. Compl. [Dkt. # 75] (“NTEU Compl.”). These plaintiffs sued the OPM Acting Director only, and they claim that their constitutional right to informational privacy was violated. Defendant has moved to dismiss that case as well, on both standing grounds and the basis that the plaintiffs have failed to allege a constitutional violation that is recognized by the courts.
The OPM breaches have been the subject of considerable public interest and multiple Congressional hearings and reports. The fact that the breaches occurred is not disputed, and the identities of the individuals whose information was compromised are known. There is no doubt that something bad happened, and many people are understandably chagrined and concerned. In these lawsuits, plaintiffs seek to demonstrate that the agency’s failures were willful – that the defendants were on notice that hackers regularly targeted their systems, but they failed to design and maintain adequate safeguards. Plaintiffs also contend that their sensitive information remains subject to a continuing risk of additional exposure due to an ongoing failure to secure it.
This opinion will not get into the merits of those contentions. At this stage of the proceedings, the Court is required to accept all of plaintiffs’ factual assertions as true, and nothing that follows should be read as any indication of the Court’s view of the strength of plaintiffs’ troubling allegations.
Before the parties can explore the facts, though, the Court is required to answer a foundational question: whether plaintiffs have set forth a cause of action that a court has the power to hear. The judiciary does not operate as a freestanding advisory board that can opine about the conduct of the executive branch as a general matter or oversee how it manages its internal operations. The Court’s authority is derived from Article III of the U.S. Constitution, and a federal court may only consider live cases or controversies based on events that caused actual injuries or created real threats of imminent harm to the particular individuals who brought the case. In other words, before a court may proceed to the merits of any claim, the plaintiffs must demonstrate that they have constitutional “standing” to sue. Also, a court may not entertain an action against the United States if the government has not expressly waived its sovereign immunity, that is, unless it has given its consent to be sued in that particular situation. And once a plaintiff overcomes those hurdles, he or she must state a valid legal claim.
This case implicates the constitutional limits on the Court’s jurisdiction imposed by both the standing doctrine and the doctrine of sovereign immunity, and it involves unique factual circumstances. Neither the Supreme Court nor the U.S. Court of Appeals for the D.C. Circuit has held that the fact that a person’s data was taken is enough by itself to create standing to sue; a plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial. The fact that this is not just a data breach case, but that it is a data breach arising out of a particular sort of cyberattack against the United States, differentiates it from the majority of the legal precedent that arises in the context of retail establishments or other financial entities. Courts in those cases often make certain assumptions about the likelihood of future harm in order to find that the elements needed to initiate a case have been satisfied. Here, the usual assumptions about why the information was stolen and what is likely to be done with it in the future do not apply and cannot fill the gap. As for those plaintiffs who allege that they have already experienced an actual misuse of their credit card numbers or personal information, they cannot tie those disparate incidents to this breach. It may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned. But that has not happened yet, and the Court is not empowered to expand the limits of its own authority, so it cannot find that plaintiffs have standing based on this record.
Even if the Court were inclined to anticipate that this is where the law is heading, the problem runs deeper than standing. The right to bring a claim for damages under the Privacy Act is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government’s statutory violation. The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken. Neither the Administrative Procedure Act nor the Little Tucker Act supplies a cause of action against the government to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution.
Therefore, defendants’ motions to dismiss will be granted, and both cases will be dismissed in their entirety. The Court finds, applying the case law it is required to follow, that neither set of plaintiffs has pled sufficient facts to demonstrate that they have standing. Moreover, even if they had the right to enter the courthouse, they did not bring a claim with them that the Court can hear. Plaintiffs have failed to overcome the arguments that the federal defendants are immune from suit under the Privacy Act and the Administrative Procedure Act, and that KeyPoint is shielded by government contractor immunity, so the Court lacks subject matter jurisdiction to hear those claims. Moreover, the Court finds that plaintiffs have failed to state claims upon which relief can be granted. Plaintiffs seek damages for improper disclosure of information and for a failure to maintain adequate safeguards under the Privacy Act, but they have not alleged that private information was “disclosed,” as opposed to stolen, and they have not alleged facts to show that their claimed injuries were the result of the agency’s failures. Plaintiffs have not stated a claim for breach of contract under the Little Tucker Act since they have not shown that OPM entered into a contract with them or that any contract was breached, and they have not alleged any violation of the United States Constitution.