Office of Personnel Management in Washington, D.C.
Office of Personnel Management in Washington, D.C. (Credit: Another Believer via Wikimedia Commons)

A federal judge dismissed two lawsuits Tuesday stemming from a massive breach of government data, but plaintiffs wasted little time, appealing one of those decisions within an hour.

Lawyers representing the National Treasury Employees Union filed an appeal to the U.S. Court of Appeals for the D.C. Circuit on Tuesday following a ruling from U.S. District Judge Amy Berman Jackson that dismissed their lawsuit, along with another, over a 2015 Office of Personnel Management data breach. The breach affected more than 21 million people, and lawsuits over it were consolidated in multidistrict litigation in the District of Columbia in October 2015.

Paras Shah, assistant counsel at NTEU, said his team was “ready to review” Jackson’s decision and “upon reading it found it appropriate to file our appeal.” The union alleged that the breach violated its members’ rights under the Constitution’s Fifth Amendment to privacy of information.

“Our legal theory is that, if the government cannot disclose inherently personal information that’s given to it to unauthorized individuals, then it can’t recklessly disregard its obligation to protect that information. … The government can’t leave [the information] somewhere and leave the doors and windows open so that somebody may find it.”

In addition to NTEU’s lawsuit, which was brought by the union and some individual members, another government union, the American Federation of Government Employees, brought a class action lawsuit that was consolidated with others from across the country. In the ruling Tuesday, Jackson also dismissed that suit, which alleged violations of federal law prohibiting the dissemination of individuals’ personal information by the government.

Daniel Girard, managing partner of Girard Gibbs in San Francisco, was lead counsel on that lawsuit. Girard did not immediately say whether he planned to file an appeal.

“We are reviewing the court’s opinion and will be discussing options with our clients and co-counsel,” Girard said in an email.

Jackson wrote in her opinion that the plaintiffs in both lawsuits failed to show they had standing to bring their claims. None of the plaintiffs, the judge wrote, could show a cognizable injury from the breach that the court could address.  

“It may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned,” Jackson wrote. “But that has not happened yet, and the court is not empowered to expand the limits of its own authority, so it cannot find that plaintiffs have standing based on this record.”

The ruling comes at a critical point for case law surrounding data breaches. Courts are split over what constitutes as a cognizable injury in data breach suits. Meanwhile, lawsuits are piling up across the country related to the recently announced breach at Equifax, which affected nearly half the country. Just last month, the U.S. Court of Appeals for the D.C. Circuit reversed the dismissal of a case related to a 2014 breach at health insurer CareFirst, writing that the district court had taken too narrow a view of the harm to plaintiffs.

Jackson wrote that the circumstances were different in the OPM case, although she added that the circuit court’s ruling meant “standing is a very close and difficult question in this case.”

She wrote there was no evidence that “the means to commit credit card or bank fraud were included in this breach,” nor was there evidence that the stolen information had been used to commit such fraud. She wrote that while the CareFirst hack was a “domestic crime,” the OPM hack appeared to be sponsored by a foreign state, according to media reports.

As for the class action, Jackson wrote, the federal government has sovereign immunity from its claims.

Meanwhile, Jackson said the constitutional claims in the NTEU suit did not hold up.

“Even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty–separate and apart from the statutory requirements enacted by Congress–to protect the information in any particular manner from the criminal acts of third parties,” Jackson wrote.