In re: U.S. Office of Personnel Management Data Security Breach Litigation, No. 17-5117 (D.C. Cir. 2019)
These consolidated appeals stemmed from the cyberattack on multiple OPM databases that resulted in the breach of sensitive personal information belonging to more than 21 million people. Plaintiffs alleged that OPM's cybersecurity practices were inadequate, enabling the hackers to gain access to the agency's database of employee information, in turn exposing plaintiffs to heightened risks of identity theft and other injuries. The district court dismissed the complaints based on lack of Article III standing and failure to state a claim.
The D.C. Circuit held that both sets of plaintiffs have alleged facts sufficient to satisfy Article III standing requirements; the Arnold Plaintiffs have stated a claim for damages under the Privacy Act, and have unlocked OPM's waiver of sovereign immunity, by alleging OPM's knowing refusal to establish appropriate information security safeguards; KeyPoint was not entitled to derivative sovereign immunity because it has not shown that its alleged security faults were directed by the government, and it is alleged to have violated the Privacy Act standards incorporated into its contract with OPM; and, assuming a constitutional right to informational privacy, the NTEU Plaintiffs have not alleged any violation of such a right. Accordingly, the court affirmed in part, reversed in part, and remanded for further proceedings.