Two key federal unions on Nov. 2 argued a lower court got it wrong in a 2017 ruling that dismissed a suit against the Office of Personnel Management related to the agency’s massive 2014 data breach.
The American Federation of Government Employees and the National Treasury Employees Union made arguments before the D.C. Circuit Court of Appeals Nov. 2 that their lawsuits against OPM over that agency’s 2015 data breaches were wrongfully dismissed by a lower court.
The OPM data breaches, which occurred sometime in 2014 and were discovered in 2015, impacted almost 22 million records of federal employees, contractors, their families and those that had applied for federal jobs.
AFGE and NTEU brought suits against OPM on behalf of their members and other federal employees that had been impacted by the breach.
The AFGE suit alleges that the breach was a result of gross negligence on the part of OPM and seeks damages under the Privacy Act, contract damages under the Little Tucker Act, and declaratory and injunctive relief under the Administrative Procedure Act.
OPM argued that the case should be dismissed because the union lacked standing to bring the case and OPM was protected under sovereign immunity, a legal term meaning that the government cannot be sued unless it consents to. Sovereign immunity can be waived under certain circumstances.
The NTEU suit goes a step further, alleging that OPM acted with “reckless indifference” to warnings about its lack of security over personnel systems and thereby violated federal employees’ constitutional right to information privacy.
OPM claimed that the NTEU suit also lacked standing and that the union had failed to prove a constitutional violation that would be recognizable by the courts.
As the cases rely on similar standings and brought suit over the same event, they were heard as a consolidated case, meaning that the judge could choose to issue one decision for both cases or to issue separate decisions.
In September 2017, the federal district court dismissed the cases, ruling that neither had sufficient standing to bring the suit; both unions immediately appealed the decision to the higher court.
“Standing is always hotly contested,” said NTEU lead attorney Paras Shah after the three-judge appeals court panel heard the Nov. 2 arguments from both unions and OPM about the motion to dismiss the case.
In effect, AFGE’s case relies on the ability to prove that, under the Privacy Act, their members had experienced special damages due to actions or lack thereof by OPM and KeyPoint Government Solutions, which performed background checks for OPM.
The standing in that case, according to Shah, relies on arguments made in Attias v. Carefirst, in which the D.C. Circuit Court of Appeals ruled that plausibly alleged risk of future injury after a data breach was enough grounds to bring suit.
NTEU’s standing relied on the same precedent, but the union also argued that because OPM was warned by its own watchdog agency that its security was not sufficient to protect personal data, the agency became a “facilitator of the theft” and was therefore suable under constitutional protections of information privacy.
Precedent in that area has only been established with cases that concerned the intentional disclosure of personal information, rather than knowingly leaving that information vulnerable.
Shas added that he felt the judges had displayed a “strong grasp of the standing issue” during the hearing, but said that there is no timetable for when the court will make a decision.
Should one or both cases be ruled in favor of the unions, it would only allow the lawsuits to proceed to a full trial, and not guarantee that the unions would win the lawsuit overall.