In Re: U.S. Office of Personnel Management Data Security Breach Litigation
266 F. Supp. 3d 1
D.D.C. 2017
Background
- In 2014–2015 OPM and contractor KeyPoint suffered cyber intrusions that resulted in the theft of millions of federal background-investigation records (approx. 21.5 million) containing highly sensitive personal data. OPM notified affected individuals and offered identity-protection services.
- Two consolidated complaints were filed: a putative class action (CAC) against OPM and KeyPoint asserting Privacy Act, Little Tucker Act, APA, contract, tort, and state-law claims; and an NTEU suit against OPM’s Acting Director alleging a constitutional informational-privacy violation.
- Plaintiffs alleged a mix of harms: some asserted actual identity-theft or fraudulent charges; many asserted increased risk of future identity theft, time and money spent on mitigation, and emotional distress; plaintiffs also argued the mere theft/disclosure of data sufficed for standing.
- Defendants moved to dismiss for lack of Article III standing, sovereign immunity, and failure to state viable claims. KeyPoint additionally asserted derivative government-contractor immunity.
- The district court accepted plaintiffs’ factual allegations for Rule 12 purposes but dismissed both complaints in full: it found plaintiffs largely lacked Article III standing; where jurisdiction arguably existed under the Privacy Act for two plaintiffs, those claims nonetheless failed to state a claim; the APA and Little Tucker Act claims failed; and KeyPoint enjoyed derivative immunity.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing (injury-in-fact for data-breach plaintiffs) | Theft/disclosure of private records (or increased risk of identity theft) is a concrete injury; some plaintiffs also alleged actual identity-theft or mitigation expenses. | Plaintiffs must plead a concrete, particularized, and actual or certainly-imminent injury fairly traceable to defendants; mere theft or subjective fear (or self-inflicted mitigation costs) is insufficient. | Court: majority of plaintiffs lack standing. Mere theft without further harm insufficient; most claimed future-risk or stress too speculative; only two plaintiffs alleged actual, traceable pecuniary injury. |
| Privacy Act (disclosure vs. theft; damages requirement) | OPM willfully violated Privacy Act disclosure and safeguards provisions; statutory remedies and injunctive relief are available. | The Act permits damages only for proven pecuniary/economic harm; agency did not "disclose" records (third-party hackers stole them); safeguards violation requires causation linking agency failures to plaintiffs' injuries. | Court: Privacy Act claims dismissed. Most plaintiffs failed to plead the required "actual damages"; theft by third parties is not an intentional agency disclosure; alleged causation/adverse effect insufficient to state a claim. |
| APA & Little Tucker Act / sovereign immunity | Plaintiffs seek injunctive relief under APA and contract damages under Little Tucker Act; Privacy Act and FISMA violations support review/relief. | Sovereign immunity limits relief; FISMA does not create private right enforceable via APA; Little Tucker Act requires an underlying contract and consideration. | Court: APA/FISMA claims not reviewable here and APA cannot be used to obtain relief barred by Privacy Act; Little Tucker Act claim fails (no enforceable contract/consideration). Sovereign immunity bars many claims. |
| Government-contractor liability (KeyPoint) | KeyPoint breached contractual / statutory duties and lost derivative immunity by acting negligently or exceeding authority. | KeyPoint performed work under valid OPM contract and is entitled to derivative immunity absent breach of explicit government instructions or acting outside authority; Privacy Act liability attaches to agencies, not contractors. | Court: KeyPoint entitled to derivative sovereign immunity. Plaintiffs failed to identify specific contract provisions KeyPoint breached or allege facts showing it exceeded authority; Privacy Act does not impose direct contractor liability. |
Key Cases Cited
- Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992) (standing requires injury-in-fact, traceability, and redressability)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (a bare statutory violation does not satisfy Article III; the injury must be concrete and particularized)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (threatened future injury must be certainly impending or present a substantial risk)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (increased-risk-of-identity-theft allegations can suffice where the breach and the nature of the stolen data plausibly show a substantial risk)
- Doe v. Chao, 540 U.S. 614 (2004) (Privacy Act damages require actual, provable injury)
- FAA v. Cooper, 566 U.S. 284 (2012) (“actual damages” under the Privacy Act limited to pecuniary loss)
- Pilon v. U.S. Dep’t of Justice, 73 F.3d 1111 (D.C. Cir. 1996) (interpretation of “disclose” under the Privacy Act)
- Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) (data-breach standing where stolen credit-card data was plausibly used for fraud)
