Recent Decision: D.C. Circuit Rules That OPM Breach Victims Have Standing to Sue

from Lawfare

With data breach incidents on the rise, federal courts are grappling with the issue of standing in class action lawsuits arising from data breaches. As Lawfare has covered previously, there is arguably a circuit split over whether plaintiffs can establish an “injury in fact,” one of three constitutional standing requirements, on the grounds that a breach has put them at a heightened risk of identity theft.

In a 2-1 decision this past summer titled In re: U.S. Office of Personnel Management Data Security Breach Litigation, the U.S. Court of Appeals for the D.C. Circuit weighed in on that question, ruling that plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM) sufficiently alleged an “injury in fact” based on their “risk of future identity theft.” The court, in a per curiam opinion, added clarity as to the bar data breach victims must clear in order to establish that they have standing. And because the Supreme Court passed on two opportunities last term to apply its standing doctrine in data breach class actions, the D.C. Circuit’s decision serves as an important marker of the current state of the law.

This post examines the court’s holding with regard to standing for those plaintiffs who brought statutory claims against the government and a government contractor responsible for the OPM database.

More here.


8 Responses to Recent Decision: D.C. Circuit Rules That OPM Breach Victims Have Standing to Sue

  1. Walter Dingwall October 4, 2019 at 6:46 pm

    As information grows and humanity’s capabilities, like the spread of databases, broaden, so too does the law have to change in keeping up with the times. As the lines get even blurrier and require more and more specialized knowledge, the legal system must accelerate its ability to find what is just.
    In the case referred to by Nathanial Sobel in Lawfare, there is an argument over a plaintiff’s ability to establish “injury in fact,” as the cause relates to a large data breach. There are no photos to be taken of a data breach and no possible evidence of bodily or property damages. A data breach is sophisticated in the sense that there must be an understanding of how a data breach could cause injury. An injury whose evidence will only ever show up in files and statements made regarding the database.
    The majority found the plaintiffs “’would have suffered a variety of past and future data-breach related harms,’ including ‘the improper use of their Social Security numbers, unauthorized charges to existing credit card and bank accounts, fraudulent openings of new credit card and other financial accounts, and the filing of fraudulent tax returns in their names,’” which are very harmful outcomes in most ways except physically. To be against a favorable ruling for the plaintiffs would require a lack of knowledge regarding the importance of data security. Other breaches are coming, and they are also going to bring damages that don’t show up on the body or the property.
    For example, Russian hacks during the recent Presidential election have put the naturality and legitimacy of the current holders of government positions. This mistrust and dissent among American politics, and the current standing of who is President, is just what the Russians wanted, and they got it through insecure systems that allowed for the spread of convincing disinformation.
    The Chinese use of TikTok to gather foreign data at no risk. There is not enough attention being paid to the lack of security in America that relates to data, and there just is not enough knowledge in the field. The focus on protecting Americans by physically keeping other countries out with the dismissal of approving certain people entrance to the country is peanuts compared to the number of lives to be distressed through weak database security.
    This is another instance that should support the large tech companies’ hacker challenges with the goal of improving data security. Data breach incidents are ever present and coming from more and more advanced tech, meaning there must be even greater countermeasures.

  2. Edward S October 5, 2019 at 10:52 pm

    The D.C. court’s ruling indicates that it is not necessarily that a breach occurred that creates standing but that the defendant engaged in actions that contributed to the breach. In addition, the court comments on the standing created not by harm suffered but by the potential for harm to occur in the future. Walter, who is one of the bloggers on this post, comments on this issue as well. As evidenced by some of the previous court cases the D.C. court mentions, data breach cases are handled on a case-by-case basis. It is intriguing that from a legal standpoint, one can have standing to sue based on events that have not occurred yet. How can one measure damage suffered by another party if the damage has not happened? In the current circuit split, the 6th, 7th, 9th, and D.C. circuits have allowed data breach class action cases to proceed based on the potential of identity theft, whereas the 1st, 3rd, and 4th have not (Yannella and McAndrew). In addition, the Supreme Court’s denial of certiorari in CareFirst v. Attias implies that the court accepts a circuit split.

    Due care is a principle that has been preserved both legally and ethically. Health professions, legal professions and even business professions such as those responsibilities of public accounting firms recognize that it would not be feasible to expect the performance of service without flaws that are beyond control of the servicer and such principles have been preserved in the law. The expectation that professionals act to exercise due care creates stability in the legal world as well as the business world. It satisfies expectations that the public holds for some of the defining professions that have a moral obligation to society. The government has an intense amount of responsibility to take in determining what is considered a breach of care. To an extent the development of common law in these cases is a necessity due to the wide variability in the origins and potential outcomes of different data hacks.

    In the event that a breach does take place, businesses can be proactive in limiting the damage. Most states have enacted some type of legislation regarding informing parties when data breaches have occurred. In addition, it is helpful to provide information about what appropriate next steps people can take as well as what the business has done to limit the damage. Speed is an important factor in limiting the potential damage, as is establishing open communication with stakeholders (Federal Trade Commission).

    Yannella, P.N., & McAndrew, E.J. (2018). Supreme Court Denies Cert Petition in CareFirst v. Attias. National Law Review. Retrieved from

    Federal Trade Commission. (2019). Data Breach Response: A Guide for Business. Retrieved from

  3. Xuanchen Zhang October 11, 2019 at 1:31 am

    The article addresses the rising concern of data privacy in the present times, when data breaches have been on the rise. In the wake of these breaches, the affected persons have been filing class action lawsuits in a bid to hold the companies responsible. The suits also have the effect of making other companies enhance their data protection measures so that they do not find themselves in situations where data breaches have occurred and risk facing class action suits. Since this issue of data breach is relatively new and is also relatively complex, since each breach is entirely different from others, there has been concern as to whether the victims of such breaches have standing to sue. Perhaps this issue may have arisen due to the rising number of class action suits against the companies.

    For the victims to have standing to sue, they should be able to demonstrate that there has been injury they have faced resulting directly from the breaches. The US Court of Appeals for the D.C. Circuit held that the victims indeed faced a real injury in regard to the possible “future identity theft.” This grants them standing to sue. In essence, this ruling of the court has a wide-ranging effect on the business environment, especially impacting companies that collect private data of their customers, or users of their websites. It for instance enhances the confidence of customers of such companies that their data will be protected, since those companies will not want to risk being sued for data breaches. It therefore makes the companies more proactive in protecting the data of their customers. This enhanced confidence and trust by the customers in the companies will improve the business environment for the companies.

    On the other hand, the ruling has the effect of making the legal business environment more challenging for the companies. This is because the companies start to face an increased risk of possible class action suits for any data breaches that occur. To protect themselves from such eventualities, they will be forced to enhance their data security measures. This will often come at an extra cost, and hence increase some of the operational costs of the businesses. Therefore, whereas the ruling that victims have standing to sue has benefits for the customers, and also for the companies in regard to customers gaining more trust and confidence when dealing with the companies, there are also disadvantages that the companies face, such as the increase in operational costs, and an increased risk of lawsuits, since data breaches through hacking are an ever-present risk.

  4. Tyler Abline October 11, 2019 at 8:21 pm

    The internet is currently in a very interesting state. Currently there is not that much regulation on the internet, especially between countries. Due to this, cybercrime is difficult to combat. With little history and limited regulation, the internet is like the Wild West.
    Due to security on the internet being so shaky, companies that provide internet security need to be held to a high standard. If they fail to protect their clients, they need to be held accountable, especially when cybercriminals are so difficult to catch. When cybercriminals are in a different country than the victims, it can be very difficult to find them and harder still to prosecute them. The article mentioned how China was the leading suspect, and how is a U.S. company going to punish the Chinese? This means that security companies need to better protect their customers, and leaving them responsible if something goes wrong seems like a good motivator to make sure that their systems stay secure.

  5. Joe Antonucci October 18, 2019 at 3:33 pm

    A recurring issue with the American legal system is that new technology is never reflected in the law, due to the fact that legal precedents can take decades to establish. As technology grows, so too does the ability to create new technology. This phenomenon of exponential growth has widened the gap between where the law is, and how far technology has gone.

    Part of the new risks that come with our technologically advanced society is the fact that data can be stolen. When a company that stores sensitive information of its users experiences a data breach, those people are now at risk to have that information misused. Social security numbers, banking information, and passwords of users have been exposed, and companies thus far that failed to prevent such breaches were barely held accountable. Of course it would be ideal to go after and punish whoever may have stolen the data, but it is rare that the perpetrator is ever caught due to the ability to remain anonymous online.

    For this reason, companies should be held responsible when they fail to prevent a data breach. This would hopefully serve as a motivation for those companies to beef up their cybersecurity.

    As previously noted, the law has been extremely slow to catch up on this issue, but a D.C. circuit court recently ruled that “plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM)” may be able to sue for damages in return for the leaking of their information. Seeing as this was a high profile case involving 21.5 million people having their data stolen, it is about time that such a ruling was handed down. There have been similar breaches in the past, including a 2014 breach of the iCloud accounts of high profile celebrities. The hacks led to the dissemination online of hundreds of personal photos and videos that were stored on their iCloud accounts. It would be hard to see how Apple and iCloud were not held responsible, as most of the celebrities involved could allege that they suffered serious damage to their reputations as a result of the leaks. However, in this case, four hackers were caught and sentenced to prison time, so in a way, justice was served.

    Unfortunately, justice was not (and probably never will be) served in the OPM case, though, simply because the U.S. government has no leads except for a suspicion that the Chinese government may have played a role in the breach. That is why this is such a critical ruling; if a breach occurs, leaving 21.5 million people prone to identity theft, what is the recourse? What can be done? If the perpetrators get off clean, then the company that was supposed to be protecting that data in the first place should be forced to provide some kind of recompense.

    This logic is quite consistent with how the law functions now, yet the courts were so many years late in handing down the ruling. This speaks to the fact that the court has no way of keeping up with these new developments.

    It’s certainly open for debate if this problem is something we have to accept and live with, or something that we may be able to change.

  6. Stephen Hoffman October 18, 2019 at 7:48 pm

    It is very interesting that victims of this crime are now given standing to sue. One element that is particularly interesting is how the precedent set by this Washington D.C. court serves almost as legislation. When the judiciary finds in a ruling that someone is eligible to sue or liable for the responsibility of damages, the floodgates of lawsuits open and others damaged by the same claim will begin to sue. After future cases are based on the first decision, the ruling essentially takes hold as law, and serves to determine the outcomes of future cases. Since this takes effect, it either elevates the case to a higher court or determines the outcome of later cases.
    This is also interesting because this case has the opportunity to put business in a dangerous place. Multiple businesses have suffered substantial data breaches over the past 10 years, including Target and Amazon to name a couple, that resulted in the loss of millions of customers’ personal data and credit card information. Could these private corporations now be sued for the danger occurring to individuals as a result of these breaches? A question that would have to be brought up in the discussion, based solely off of the OPM breach, is that the individuals whose data was stolen in the OPM breach were employees, not customers. Do individual consumers take the risk of a potential data breach upon themselves when accepting the offer to shop at the store? This seemingly enters an interesting area of contract law, raising the question of what the consumer sacrifices by shopping at a store. This is a tumultuous question that would result in either a very harmful ruling for businesses, providing the opportunity to sue for the breach of data, or would terribly upset consumers, as they would sacrifice much of their personal information simply by shopping at a store. As more of the worldwide retail scene moves onto a digital setting, as online shopping is becoming more and more popular every day, this issue will continue to remain prevalent. This will be another area where legal policy will have to catch up to technology, as it continually moves faster than the governmental side of the coin.

  7. Max Nitzberg October 18, 2019 at 9:21 pm

    The article discusses a data breach that occurred in 2015, where 21.5 million federal employees had their personal information stolen. OPM had its database breached, containing names, birth dates, home addresses, Social Security Numbers, and fingerprints. As a result, the victims of this data breach have been filing lawsuits against OPM and KeyPoint Government Solutions. The U.S. Government suspects that the data breach is connected to the Chinese Government, but lacks any concrete evidence. Since the attackers have not been identified, the only ones left to blame are the companies who failed to protect the data.

    Companies who are responsible for storing such important data must be held more responsible if a data breach, similar to the 2014 OPM breach, occurs. The 21.5 million people now have their personal information in the hands of unknown hackers. There is a lack of legal precedent or regulations on companies holding personal data in their databases. Consequently, the victims had a very tough time pursuing legal action, and it took 5 years for the courts to rule on the case. It is very apparent that companies need to be held more responsible for data breaches, and regulations need to be created or updated to allow for easier prosecution.

  8. Alyssa Lackland November 25, 2019 at 11:08 am

    The DC Circuit Court allowing the Arnold Plaintiffs standing to sue is a huge jump into the country’s future. Generally, plaintiffs who attempt to start a lawsuit because of their data being breached have no ground to stand on and, therefore, end up wasting their money. This is because the plaintiffs’ bar usually fails to prove that breach victims suffered an actual/threatened injury under Article III. However, this article proves that legislation may indeed begin to change with the increasingly innovative times.

    One complaint the American Federation of Government Employees filed on behalf of the Arnold Plaintiffs against OPM and KeyPoint Government Solutions was brought on claims against the government “under multiple federal statutes”. Namely, the claims fell under the Privacy Act of 1974, “which requires that agencies establish appropriate…safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity…”. The Privacy Act essentially balances the government’s need to maintain information about individuals with the right of individuals to be protected from invasions of their privacy “stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information”. People should have been protected since 1974 within data breach lawsuits; however, that has failed to happen, apparently until now.

    Although the District Court dismissed the case, the Circuit Court focused on the “injury-in-fact” motion to justify the plaintiffs. “Injury-in-fact” means that “the plaintiff must have suffered or imminently will suffer injury” where “injury can be categorized as economic, non-economic, or both”. In this case, many of the plaintiffs were worried about their economic losses; maybe the breachers would steal their money via credit/debit card information, etc. However, the one “injury” that all the plaintiffs shared was the risk of future identity theft. They then had to prove that the government had violated the Privacy Act’s waiver of sovereign immunity, being that the plaintiffs sustained “actual damages that are as a result of that violation”. Due to the reports that consistently warned OPM about material deficiencies in its information security systems, the Arnold Plaintiffs now had ground to stand on and won the case.

    The article closes with “without further guidance from the Supreme Court, the D.C. Circuit’s approach is likely to influence both litigants and judges in the inevitable lawsuits to come”, which is promising to hear. Ultimately, this case, among other data breach cases, is lengthy and difficult for plaintiffs to win because of a lack of federal data breach laws. While I do think that this case serves as ground for improvement within the world of online contracting/data breach cases, I think there is still a lot of work to be done to update the American legal system.
