Court tosses federal data theft lawsuit
Unions sought compensation for victims of government database hack
A federal court has rejected a lawsuit seeking compensation for millions of federal employees, retirees and others whose personal information was stolen from two government databases.
The U.S. District Court for the District of Columbia said Tuesday that it has no jurisdiction over cases brought by two federal unions after the hacking of Office of Personnel Management databases, which was revealed in mid2015 but occurred months before. Those databases included names, addresses and Social Security numbers; in many cases personal financial and legal information; and in some cases fingerprints.
In response, the government has provided free services such as credit and identity monitoring and identity theft insurance.
Separate lawsuits by the American Federation of Government Employees and the National Treasury Employees Union sought financial damages for the victims.
The lawsuits argued the government knew that hack- ers regularly targeted its systems but that it failed to maintain adequate safeguards. They also said the victims remain at continuing risk of having their information misused.
The court, addressing the cases together, wrote that though the allegations are “troubling,” there is no legal basis to even consider them.
It said the situation did not meet the test that “a plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial.”
The right to bring a claim for damages under the Privacy Act “is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government’s statutory violation. The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken.”
Nor do other laws cited by the unions allow for suing the government “to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution,” District Judge Amy Berman Jackson wrote for the court.
The National Treasury Employees Union said it was disappointed with the ruling and already has filed an appeal. “We will make our case there that NTEU members were harmed by the breaches and that OPM’s indifference to securing its databases in the years leading up to the breaches violated NTEU members’ constitutional right to informational privacy,” union President Tony Reardon said in a statement.
The larger of the two breaches involved about 21.5 million people who had undergone background checks since about 2000, including federal, military and contractor personnel who sought new or renewed security clearances, as well as people checked merely to gain access to certain government facilities. The other breach involved personnel records of about 4.2 million current or former federal employees. Overlap between the two brought the total affected to about 22.1 million.