Recent Decision: D.C. Circuit Rules That OPM Breach Victims Have Standing to Sue

from Lawfare

With data breach incidents on the rise, federal courts are grappling with the issue of standing in class action lawsuits arising from data breaches. As Lawfare has covered previously, there is arguably a circuit split over whether plaintiffs can establish an “injury in fact,” one of three constitutional standing requirements, on the grounds that a breach has put them at a heightened risk of identity theft.

In a 2-1 decision this past summer titled In re: U.S. Office of Personnel Management Data Security Breach Litigation, the U.S. Court of Appeals for the D.C. Circuit weighed in on that question, ruling that plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM) sufficiently alleged an “injury in fact” based on their “risk of future identity theft.” The court, in a per curiam opinion, added clarity as to the bar data breach victims must clear in order to establish that they have standing. And because the Supreme Court passed on two opportunities last term to apply its standing doctrine in data breach class actions, the D.C. Circuit’s decision serves as an important marker of the current state of the law.

This post examines the court’s holding with regard to standing for those plaintiffs who brought statutory claims against the government and a government contractor responsible for the OPM database.

More here.

Posted in Law, Technology.


  1. The D.C. court’s ruling indicates that it is not necessarily that a breach occurred that creates standing but that the defendant engaged in actions that contributed to the breach. In addition, the court comments on the standing created not by harm suffered but by the potential for harm to occur in the future. Walter, who is one of the bloggers on this post, comments on this issue as well. As evidenced by some of the previous court cases the D.C. court mentions, data breach cases are handled on a case-by-case basis. It is intriguing that from a legal standpoint, one can have standing to sue based on events that have not occurred yet. How can one measure damage suffered by another party if the damage has not happened? In the current circuit split, the 6th, 7th, 9th, and D.C. circuits have allowed data breach class action cases to proceed based on the potential of identity theft, whereas the 1st, 3rd, and 4th have not (Yannella and McAndrew). In addition, the Supreme Court’s denial of certiorari in CareFirst v. Attias implies that the court accepts a circuit split.

    Due care is a principle that has been preserved both legally and ethically. Health professions, legal professions, and even business professions such as public accounting firms recognize that it would not be feasible to expect the performance of service without flaws that are beyond the control of the servicer, and such principles have been preserved in the law. The expectation that professionals exercise due care creates stability in the legal world as well as the business world. It satisfies the expectations that the public holds for some of the defining professions that have a moral obligation to society. The government has an intense amount of responsibility in determining what is considered a breach of care. To an extent, the development of common law in these cases is a necessity due to the wide variability in the origins and potential outcomes of different data hacks.

    In the event that a breach does take place, businesses can be proactive in limiting the damage. Most states have enacted some type of legislation regarding informing parties when data breaches have occurred. In addition, it is helpful to provide information about what appropriate next steps people can take, as well as what the business has done to limit the damage. Speed is an important factor in limiting the potential damage, as is establishing open communication with stakeholders (Federal Trade Commission).

    Yannella, P.N., & McAndrew, E.J. (2018). Supreme Court Denies Cert Petition in CareFirst v. Attias. National Law Review. Retrieved from

    Federal Trade Commission. (2019). Data Breach Response: A Guide for Business. Retrieved from

  2. A recurring issue with the American legal system is that new technology is never reflected in the law, due to the fact that legal precedents can take decades to establish. As technology grows, so too does the ability to create new technology. This phenomenon of exponential growth has widened the gap between where the law is, and how far technology has gone.

    Part of the new risk that comes with our technologically advanced society is the fact that data can be stolen. When a company that stores sensitive information about its users experiences a data breach, those people are now at risk of having that information misused. Social Security numbers, banking information, and passwords of users have been exposed, and companies that failed to prevent such breaches have thus far barely been held accountable. Of course it would be ideal to go after and punish whoever may have stolen the data, but it is rare that the perpetrator is ever caught, due to the ability to remain anonymous online.

    For this reason, companies should be held responsible when they fail to prevent a data breach. This would hopefully serve as a motivation for those companies to beef up their cybersecurity.

    As previously noted, the law has been extremely slow to catch up on this issue, but a D.C. Circuit court recently ruled that “plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM)” may be able to sue for damages in return for the leaking of their information. Seeing as this was a high-profile case involving 21.5 million people having their data stolen, it is about time that such a ruling was handed down. There have been similar breaches in the past, including a 2014 breach of the iCloud accounts of high-profile celebrities. The hacks led to the dissemination online of hundreds of personal photos and videos that were stored on their iCloud accounts. It would be hard to see how Apple and iCloud were not held responsible, as most of the celebrities involved could allege that they suffered serious damage to their reputations as a result of the leaks. However, in this case, four hackers were caught and sentenced to prison time, so in a way, justice was served.

    Unfortunately, justice was not (and probably will never be) served in the OPM case, simply because the U.S. government has no leads except for a suspicion that the Chinese government may have played a role in the breach. That is why this is such a critical ruling: if a breach occurs, leaving 21.5 million people prone to identity theft, what is the recourse? What can be done? If the perpetrators get off clean, then the company that was supposed to be protecting that data in the first place should be forced to provide some kind of recompense.

    This logic is quite consistent with how the law functions now, yet the courts were so many years late in handing down the ruling. This speaks to the fact that the court has no way of keeping up with these new developments.

    It’s certainly open for debate whether this problem is something we have to accept and live with, or something that we may be able to change.

  3. The article discusses a data breach that occurred in 2015, where 21.5 million federal employees had their personal information stolen. OPM had its database breached, containing names, birth dates, home addresses, Social Security numbers, and fingerprints. As a result, the victims of this data breach have been filing lawsuits against OPM and KeyPoint Government Solutions. The U.S. Government suspects that the data breach is connected to the Chinese Government, but lacks any concrete evidence. Since the attackers have not been identified, the only ones left to blame are the companies who failed to protect the data.

    Companies who are responsible for storing such important data must be held more responsible if a data breach similar to the 2014 OPM breach occurs. The 21.5 million people now have their personal information in the hands of unknown hackers. There is a lack of legal precedent or regulations on companies holding personal data in their databases. Consequently, the victims had a very tough time pursuing legal action, and it took 5 years for the courts to rule on the case. It is very apparent that companies need to be held more responsible for data breaches, and regulations need to be created or updated to allow for easier prosecution.

  4. The D.C. Circuit Court allowing the Arnold Plaintiffs standing to sue is a huge jump into the country’s future. Generally, plaintiffs who attempt to start a lawsuit because of their data being breached have no ground to stand on and, therefore, end up wasting their money. This is because the plaintiffs’ bar usually fails to prove that breach victims suffered an actual or threatened injury under Article III. However, this article proves that legislation may indeed begin to change with the increasingly innovative times.

    One complaint the American Federation of Government Employees filed on behalf of the Arnold Plaintiffs against OPM and KeyPoint Government Solutions was brought on claims against the government “under multiple federal statutes.” Namely, the claims fell under the Privacy Act of 1974, “which requires that agencies establish appropriate…safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity…”. The Privacy Act essentially balances the government’s need to maintain information about individuals with the right of individuals to be protected from invasions of their privacy “stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information”. People should have been protected since 1974 within data breach lawsuits; however, that has failed to happen, apparently until now.

    Although the District Court dismissed the case, the Circuit Court focused on the “injury-in-fact” requirement to justify the plaintiffs. “Injury-in-fact” means that “the plaintiff must have suffered or imminently will suffer injury,” where “injury can be categorized as economic, non-economic, or both”. In this case, many of the plaintiffs were worried about their economic losses; maybe the breachers would steal their money via credit/debit card information, etc. However, the one “injury” that all the plaintiffs shared was the risk of future identity theft. They then had to prove that the government had violated the Privacy Act’s waiver of sovereign immunity, being that the plaintiffs sustained “actual damages that are as a result of that violation”. Due to the reports that consistently warned OPM about material deficiencies in its information security systems, the Arnold Plaintiffs now had ground to stand on and won the case.

    The article closes with “without further guidance from the Supreme Court, the D.C. Circuit’s approach is likely to influence both litigants and judges in the inevitable lawsuits to come,” which is promising to hear. Ultimately, this case, among other data breach cases, is lengthy and difficult for plaintiffs to win because of a lack of federal data breach laws. While I do think that this case serves as ground for improvement within the world of online contracting/data breach cases, I think there is still a lot of work to be done to update the American legal system.
