Fedweek

The Justice Department has asked an appeals court to rehear a recent decision that a union-sponsored lawsuit arising from the OPM database breaches should go to trial, saying that federal employees and others whose personal data was stolen have not shown a direct connection between the breaches and the identity thefts that some have experienced since.

A panel of the U.S. Court of Appeals for the District of Columbia Circuit held in June that a lower court erred in dismissing the case on those grounds; the appeals panel instead held that there was enough evidence to warrant a trial and potential payouts under the Privacy Act.

The union-sponsored lawsuit seeks reimbursement for costs that affected persons have incurred or will incur in the future to protect themselves against possible identity theft or to respond to instances of actual theft.

The breaches, disclosed in the summer of 2015, involved a government-wide database of career information on 4 million current and former federal employees and a second database of background investigations on 21 million federal, military and contractor personnel. Both contained basic identifying information while the latter also contained the kind of highly personal information that security clearance applicants and holders must disclose, including fingerprints of some.

In its ruling, the appeals panel said that over many years before the breaches, the OPM was “willfully indifferent to the risk that acutely sensitive private information was at substantial risk of being hacked.” OPM “had long known that its electronic record-keeping systems were prime targets for hackers” but “effectively left the door to its records unlocked by repeatedly failing to take basic, known, and available steps to secure the trove of sensitive information in its hands,” the decision said.

However, in asking for reconsideration by the full appeals court, the Justice Department said that the motivation for the hacks was espionage, not identity theft, and that there should therefore be no presumption that the breaches were the cause of any instances of identity theft for affected persons. Even if the court disagrees with that contention, it argued, only some of the employees named as representative of the entire group alleged the kind of actual harm that would be reimbursable.