Update on OPM Data Breach Lawsuit
A message from NTEU National President Tony Reardon regarding the U.S. Court of Appeals for the D.C. Circuit ruling on NTEU’s appeal in the OPM data breach litigation.
I have previously described to you the many ways that NTEU sprang into action after OPM’s announcements in June 2015 concerning the sweeping data breaches that it suffered. See Chapter Presidents’ memorandum dated September 19, 2017. NTEU took to Capitol Hill and to federal court, while also communicating directly with OPM, to advocate for our members. Those efforts yielded real results: a prompt change in OPM’s leadership and legislation providing ten years of identity theft protection services to those affected by the breaches.
I told you about these tangible results after a federal district court dismissed the lawsuit against OPM in 2017. That lawsuit alleged that OPM violated NTEU members’ constitutional right to informational privacy by recklessly disregarding the urgent IT security warnings of its own Inspector General for nearly a decade. I disagreed with the court’s decision and directed our lawyers to appeal it. See Chapter Presidents’ memoranda dated November 2, 2018; and May 10, 2018 (providing updates on status of appeal).
Today, the U.S. Court of Appeals for the District of Columbia Circuit ruled on NTEU’s appeal. NTEU’s appeal raised an important and hotly debated issue related to when individuals who are the victims of data breaches have a right to sue in federal court. The court reversed the district court’s ruling that NTEU lacked “standing” under the Constitution to bring its lawsuit.
NTEU’s appeal also raised an issue of first impression regarding the constitutional right to informational privacy’s application in the data breach context. Today, the court affirmed the district court’s ruling that NTEU’s constitutional claim should be dismissed. The court was unwilling to adopt NTEU’s aggressive interpretation of the constitutional right, which it discussed at length. The court did, however, acknowledge NTEU’s allegations regarding “the severity and scope of OPM’s data security shortcomings,” noting that those shortcomings “[t]roubled” the court.
The court also ruled on legal claims brought in a putative class action proceeding arising from the breaches (referred to in the opinion as the Arnold action), remanding those claims to the district court for further consideration. If the Arnold plaintiffs are able to persuade the district court to certify their putative class action (a lengthy and uncertain endeavor that would entail legal briefing and a ruling by the district judge), NTEU-represented employees would be able to join the action, if they fall within the class definition that the court establishes.
I am extremely proud of what we fought for and what we achieved in this nearly five-year litigation effort. The OPM data breaches might have faded from the news, but, for many of you, the feeling of having your inherently personal information stolen by hackers certainly has not. NTEU has done everything in its power to tell your story and to try to get the government to make things right.
Anthony M. Reardon