U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. v. Office of Pers. Mgmt.
928 F.3d 42 | D.C. Cir. | 2019
Background
- In 2014 attackers breached OPM systems (stealing ~21.5 million personnel/background records and ~5.6 million fingerprint sets); KeyPoint contractors’ credentials were allegedly used to access OPM networks.
- Two consolidated complaints: (1) Arnold plaintiffs (individuals and putative class) sue OPM and KeyPoint for Privacy Act and tort/statutory claims alleging willful failures to secure data and resulting identity theft and mitigation costs; (2) NTEU (union) seeks declaratory/injunctive relief alleging violation of a claimed constitutional informational-privacy right and ongoing risk.
- District court dismissed both complaints for lack of Article III standing and, as to Arnold plaintiffs, for failure to state a Privacy Act claim and sovereign-immunity defects; it also held KeyPoint enjoyed derivative sovereign immunity.
- D.C. Circuit reviews de novo whether plaintiffs plausibly pled standing (Spokeo/Lujan standards at pleading stage) and addresses Privacy Act waiver of sovereign immunity and contractor immunity.
- Court: reverses in part and affirms in part — finds both plaintiff groups have standing; Arnold plaintiffs state a willful Privacy Act claim (waiving sovereign immunity); KeyPoint not entitled to derivative sovereign immunity; NTEU fails to state a cognizable constitutional informational-privacy or due-process claim.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing (NTEU) | NTEU: loss of informational privacy and ongoing substantial risk from OPM’s cybersecurity failures is a concrete, particularized, imminent injury, traceable to OPM and redressable by injunction/declaration | OPM: plaintiffs lack concrete injury; speculative future risk insufficient | Court: NTEU has standing to seek declaratory/injunctive relief based on alleged constitutional privacy injury and ongoing substantial risk |
| Article III standing (Arnold plaintiffs) | Arnold: past incidents of identity fraud plus nature of stolen data (SSNs, birthdates, fingerprints) create substantial risk of future identity theft; mitigation costs are injuries | OPM/KeyPoint: risk speculative, hackers’ motive may be espionage rather than identity theft; incidents not plausibly traceable to OPM breach | Court: Arnold plaintiffs plausibly allege substantial risk of identity theft, causation, and redressability; standing satisfied at pleading stage |
| Privacy Act waiver / claim for damages (Arnold) | Arnold: OPM willfully failed to adopt required safeguards (Inspector General warnings ignored), causing actual pecuniary damages (fraud losses, credit-monitoring costs, time spent) | OPM: lack of willfulness; damages not sufficiently pleaded or unreimbursed; sovereign immunity not waived | Court: Plaintiffs plausibly alleged willful violation of 5 U.S.C. § 552a(e)(10), actual damages, and proximate causation; Privacy Act waiver applies; claim survives dismissal |
| Derivative sovereign immunity (KeyPoint) | Plaintiffs: KeyPoint violated contractual/regulatory duties and privacy standards; conduct not authorized or directed by government | KeyPoint: as government contractor, it is entitled to derivative immunity from plaintiffs’ tort/statutory claims | Court: KeyPoint cannot invoke derivative sovereign immunity because alleged misconduct violated governing contract/regulations and was not directed/authorized by OPM; immunity unavailable |
| Constitutional informational-privacy & Due Process (NTEU merits) | NTEU: Constitution protects informational privacy and OPM’s reckless failures (even absent intentional disclosure) violate that right; alternatively, due process is shocked by reckless indifference | OPM: No established constitutional right that imposes affirmative duty to secure employment records; due process requires custodial relationship or objective shocking conduct | Court: Assuming a constitutional informational-privacy interest, it covers intentional disclosures (or functional equivalent) but not mere third-party theft from negligent/reckless storage; due-process claim fails because plaintiffs were not in state-imposed custody or analogous relationship |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (standing requires concrete and particularized injury; pleading-stage rule for future injuries)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (future injury must be certainly impending or present substantial risk)
- Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014) (substantial risk standard for future injury)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing elements and burden across litigation stages)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (data-breach plaintiffs plausibly alleged substantial risk of identity theft based on nature of stolen data)
- United States v. Mitchell, 463 U.S. 206 (1983) (waiver of sovereign immunity is a jurisdictional prerequisite)
- Campbell-Ewald Co. v. Gomez, 136 S. Ct. 663 (2016) (limits of derivative sovereign immunity for contractors; immunity applies only to government-directed acts)
