In reinstating a lawsuit seeking payments to victims of the OPM database breaches, a federal appeals court described in notably harsh terms that agency’s performance in protecting the personal information of federal employees and others.
The federal appeals court in the District of Columbia examined OPM’s cybersecurity practices in deciding whether the AFGE and NTEU unions had presented enough evidence of a Privacy Act violation to merit a trial, concluding that they had.
“The complaint alleges in no uncertain terms that OPM dropped that ball because appropriate safeguards were not in place . . . alleging that OPM was willfully indifferent to the risk that acutely sensitive private information was at substantial risk of being hacked. According to the complaint, at the time of the breach, OPM had long known that its electronic record-keeping systems were prime targets for hackers,” the decision said, citing successful cyberattacks against OPM in 2009 and 2012 and constant attempts since.
“Despite that pervading threat, OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known, and available steps to secure the trove of sensitive information in its hands. Information security audits by OPM’s inspector general repeatedly warned OPM about material deficiencies in its information security systems,” it said.
It listed warnings about outdated security policies and procedures, understaffed and undertrained cybersecurity personnel, failure to install security updates promptly, and more.
“So forewarned, OPM chose to leave those critical information security deficiencies (and more) in place,” it said. “The risk created by these lapses was so serious that the inspector general took the unprecedented step of advising OPM to shut down all the systems lacking valid authorizations until adequate security measures could be put in place. OPM declined, choosing instead to continue operating these systems.”
“The complaint’s plausible allegations that OPM decided to continue operating in the face of those repeated and forceful warnings, without implementing even the basic steps needed to minimize the risk of a significant data breach, is precisely the type of willful failure to establish appropriate safeguards that makes out a claim under the Privacy Act,” it said in sending the case back to the lower court for a trial.