Plaintiffs' attorneys suing over data breaches scored a big win Friday after a federal appeals court reinstated lawsuits brought on behalf of victims of data breaches that hit the U.S. Office of Personnel Management.

The U.S. Court of Appeals for the D.C. Circuit found that the plaintiffs in two consolidated cases had standing to sue in federal court under Article III of the U.S. Constitution. The ruling reversed a district judge's 2017 dismissal of both cases, one of which was a class action, against the OPM and its contractor, KeyPoint Government Solutions Inc.

The class plaintiffs “have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM's and KeyPoint's cybersecurity failings and likely redressable, at least in part, by damages,” the panel wrote. Further, the plaintiffs in the second case, who are members of the National Treasury Employees Union, “have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM's challenged conduct and redressable.”

The panel affirmed dismissal as to only the NTEU's allegations that the OPM breaches violated its members' constitutional right to privacy.

Lawyers who handle data breach class actions have closely watched the OPM cases, which were among several to address whether victims of data breaches have sufficient injuries to sue, especially if they did not suffer fraudulent charges or other immediate costs associated with a cyberattack. In many cases, victims of data breaches allege nothing more than the risk of identity theft, but some cases have named plaintiffs who suffered fraudulent tax returns, charges to their credit cards or other costs.

Courts have split over whether those injuries are sufficient to confer standing, with Friday's ruling siding with the plaintiffs.

“The court's decision represents another strong endorsement for the growing recognition by courts that plaintiffs can establish Article III standing in data breach cases based upon the substantial risk of future identity theft, and the rejection of the narrow view that standing only exists in these cases where there are 'out-of-pocket' losses,” wrote Andrew Friedman, a Washington, D.C., partner at Cohen Milstein Sellers & Toll, in an email. He is a lead plaintiffs attorney in class actions over data breaches at Home Depot and Anthem.

“The decision should further bolster data breach lawsuits where the majority of the class has not yet experienced fraud losses, yet the real risk of injury to those class members is significant,” he wrote.

The American Federation of Government Employees, along with 38 individuals, brought the class action, while the NTEU, and three government employees who had filled out background investigation forms, filed the second case.

Peter Patterson, a partner at Cooper & Kirk, for the class plaintiffs, did not respond to a request for comment.

“NTEU is disappointed that the Court disagreed with our view of the constitutional right to informational privacy,” wrote NTEU president Tony Reardon in an emailed statement. But, he added, NTEU has pursued remedies outside of court. “Working with Congress, NTEU has secured 10 years' worth of identity theft protection for affected federal workers, and we will continue to push for lifetime protections for these public servants whose personal data was compromised.”

A spokeswoman for the U.S. Justice Department declined to comment.

“We are disappointed that a divided panel of the D.C. Circuit reversed the district court's careful decision to dismiss these claims,” wrote KeyPoint attorney Jason Mendro, a Washington, D.C., partner at Gibson, Dunn & Crutcher, in a statement. “We are evaluating our next steps and are confident that these claims, ultimately, will be found to lack merit.”

The 2-1 ruling split along party lines, with Democratic appointees David Tatel and Patricia Millett making up the majority opinion, and Ronald Reagan appointee Stephen Williams writing a dissent.

The OPM breaches compromised the Social Security numbers and other personal information of 21 million federal government employees, and prospective employees, at OPM. The personal data included names, birth dates, addresses and Social Security numbers.

The class action brought claims under the federal Privacy Act, while the NTEU alleged OPM violated its members' constitutional right to privacy of information.

Before U.S. District Judge Amy Berman Jackson dismissed the cases, the D.C. Circuit reversed dismissal of a case related to a 2014 breach at health insurer CareFirst. In that 2017 decision, the panel found that the district judge had taken too narrow a view of harm to the plaintiffs in finding that the increased risk of identity theft was speculative.

Jackson, however, found the cases to be different because Attias v. CareFirst dealt with a domestic hack in which credit card or bank fraud was at issue, while OPM's breach appeared to be from a foreign state and involved Social Security numbers.

In their appeal, plaintiffs latched onto CareFirst, which the D.C. Circuit cited in finding “there is no question that the OPM hackers, too, now have in their possession all the information needed” to steal the identities of class members, who, unlike in the CareFirst breach, had their Social Security numbers, birth dates and fingerprints stolen.

“It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft,” the panel wrote.

And, the panel wrote, the fact that the breach occurred two years before plaintiffs sued does not defeat standing based on whether their alleged injuries were caused by the OPM hack, as opposed to another data breach.

“Cyberhacking on such a massive scale is a relatively new phenomenon, and we are unwilling at this stage to assume that the passage of a year or two without any clearly identifiable pattern of identity theft or financial fraud means that all those whose data was compromised are in the clear,” the panel wrote.

Further, plaintiffs alleged OPM failed to heed repeated warnings about its security risks by its own Inspector General.

In a dissent limited to the standing of the class plaintiffs, Williams found the risk of identity theft was speculative given that the hack, believed to have ties to the Chinese government, involved the “handiwork of foreign spies” aimed at espionage. Further, he wrote, the plaintiffs could not prove that the OPM hack caused any of their damages two years later.

The panel also reversed the district judge's separate finding that sovereign immunity shielded the federal government and KeyPoint from the class claims under the Privacy Act, which required the OPM to secure private information.

“The complaint alleges in no uncertain terms that OPM dropped that ball because appropriate safeguards were not in place,” the panel wrote. “Despite that pervading threat, OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known and available steps to secure the trove of sensitive information on its hands.”

Several of the class representatives, the panel noted, alleged costs such as legal fees, credit repair services and delays in tax refunds.

Affirming dismissal of the NTEU's constitutional claims, the panel wrote, “Not once do NTEU plaintiffs quote the very document from which they purport to derive their claimed right: the Constitution of the United States.”

Williams, in his dissent, also had no issues with the majority's holding on immunity and constitutional claims. However, he raised concerns about subjects that lawyers did not argue in the appeal, such as a “plausible argument for preemption” as to KeyPoint, a federal government contractor, and the use of pseudonyms for five of the plaintiffs.

“Although pseudonymous plaintiffs were once a rarity, there appears now to be a trend permitting adult plaintiffs to litigate incognito, with little more than pro-forma gatekeeping, if any, by the district courts—even though the practice is aberrant from the perspective of core constitutional and rule of law norms, not to mention the federal rules of procedure,” he wrote.