On June 21, the U.S. Court of Appeals for the D.C. Circuit handed victims of a data breach at the U.S. Office of Personnel Management (OPM) a win when it reversed a district court’s early ruling dismissing two cases suing the federal agency.

In a 2-1 decision, the court of appeals wrote that “plaintiffs face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft.” The D.C. court’s decision allowing plaintiffs to sue for risk of harm, as opposed to actual harm, after a data breach underscores a deepening divide among the circuit courts. What’s more, by holding a federal agency civilly liable for a data breach, it also potentially exposes the government to more lawsuits, lawyers said.