In re U.S. Office of Personnel Management Data Security Breach Litigation, 062119 FEDDC, 17-5217
Docket No.: 17-5217, 17-5232
Opinion Judge: PER CURIAM.
Party Name: In re: U.S. Office of Personnel Management Data Security Breach Litigation, v. Office of Personnel Management, et al., Appellees American Federation of Government Employees, AFL-CIO, et al., Appellees National Treasury Employees Union, et al., Appellants
Attorney: Peter A. Patterson argued the cause for Arnold Plaintiffs-Appellants in No. 17-5232. With him on the briefs were David H. Thompson, Daniel C. Girard, Jordan Elias, Tina Wolfson, Gary E. Mason, and Richard B. Rosenthal. Paras N. Shah argued the cause for appellants National Treasury Employees Unio...
Judge Panel: Before: Tatel and Millett, Circuit Judges, and Williams, Senior Circuit Judge. Williams, Senior Circuit Judge, concurring in part and dissenting in part:
Case Date: June 21, 2019
Court: United States Courts of Appeals, Court of Appeals for the District of Columbia Circuit
Argued November 2, 2018
Appeals from the United States District Court for the District of Columbia (No. 1:15-mc-01394)
Peter A. Patterson argued the cause for Arnold Plaintiffs-Appellants in No. 17-5232. With him on the briefs were David H. Thompson, Daniel C. Girard, Jordan Elias, Tina Wolfson, Gary E. Mason, and Richard B. Rosenthal.
Paras N. Shah argued the cause for appellants National Treasury Employees Union, et al. in No. 17-5217. With him on the briefs were Gregory O'Duden, Larry J. Adkins, and Allison C. Giles.
Marc Rotenberg and Alan Butler were on the brief for amici curiae Electronic Privacy Information Center (EPIC) and Forty-Four Legal Scholars and Technical Experts in support of appellants.
Sonia M. Carson, Attorney, U.S. Department of Justice, argued the cause for federal appellees. With her on the brief was Mark B. Stern.
Jason J. Mendro argued the cause for appellee KeyPoint Government Solutions, Inc. With him on the brief were F. Joseph Warin, Matthew S. Rozen, and Jeremy M. Christiansen.
Alan Charles Raul, Kwaku A. Akowuah, Daniel J. Hay, and Steven P. Lehotsky were on the brief for amicus curiae The Chamber of Commerce of the United States of America in support of appellees.
Before: Tatel and Millett, Circuit Judges, and Williams, Senior Circuit Judge.
In 2014, cyberattackers breached multiple U.S. Office of Personnel Management ("OPM") databases and allegedly stole the sensitive personal information (including birth dates, Social Security numbers, addresses, and even fingerprint records) of a staggering number of past, present, and prospective government workers. All told, the data breaches affected more than twenty-one million people. Unsurprisingly, given the scale of the attacks and the sensitive nature of the information stolen, news of the breaches generated not only widespread alarm, but also several lawsuits. These suits were ultimately consolidated into two complaints: one filed by the National Treasury Employees Union and three of its members, and another filed by the American Federation of Government Employees on behalf of several individual plaintiffs and a putative class of others similarly affected by the breaches. Both sets of plaintiffs alleged that OPM's cybersecurity practices were woefully inadequate, enabling the hackers to gain access to the agency's treasure trove of employee information, which in turn exposed plaintiffs to a heightened risk of identity theft and a host of other injuries. The district court dismissed both complaints for lack of Article III standing and failure to state a claim. For the reasons set forth below, we reverse in part and affirm in part.
As its name suggests, the U.S. Office of Personnel Management serves as the federal government's chief human resources agency. In that capacity, OPM maintains electronic personnel files that contain, among other information, copies of federal employees' birth certificates, military service records, and job applications identifying Social Security numbers and birth dates.
The agency also oversees more than two million background checks and security clearance investigations per year. To facilitate these investigations, OPM collects a tremendous amount of sensitive personal information from current and prospective federal workers, most of which it then stores electronically in a "Central Verification System." Consolidated Amended Complaint, In re United States Office of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-01394, ¶ 65 (D.D.C. March 14, 2016) ("Arnold Plaintiffs' Compl."), J.A. 61. The investigation-related information stored by OPM includes birth dates, Social Security numbers, residency details, passport information, fingerprints, and other records pertaining to employees' criminal histories, psychological and emotional health, and finances. In recent years, OPM has relied on a private investigation and security firm, KeyPoint Government Solutions, Inc. ("KeyPoint"), to conduct the lion's share of the agency's background and security clearance investigation fieldwork. KeyPoint investigators have access to the information stored in OPM's Central Verification System and can transmit data to and from the agency's network through an electronic portal.
It turns out that authorized KeyPoint investigators have not been the only third parties to access OPM's data systems. Cyberattackers hacked into the agency's network on several occasions between November 2013 and November 2014. Undetected for months, at least two of these breaches resulted in the theft of vast quantities of personal information. According to the complaint, after breaching OPM's network "using stolen KeyPoint credentials" around May 2014, Arnold Plaintiffs' Compl. ¶ 127, J.A. 73, the cyberintruders extracted almost 21.5 million background investigation records from the agency's Central Verification System. They gained access to another OPM system near the end of 2014, stealing over four million federal employees' personnel files. Among the types of information compromised were current and prospective employees' Social Security numbers, birth dates, and residency details, along with approximately 5.6 million sets of fingerprints. The breaches also exposed the Social Security numbers and birth dates of the spouses and cohabitants of those who, in order to obtain a security clearance, completed a Standard Form 86. According to the complaints, since these 2014 breaches, individuals whose information was stolen have experienced incidents of financial fraud and identity theft; many others whose information has not been misused (at least, not yet) remain concerned about the ongoing risk that they, too, will become victims of financial fraud and identity theft in the future.
After announcing the breaches in the summer of 2015, OPM initially offered individuals whose information had been compromised fraud monitoring and identity theft protection services and insurance at no cost for either eighteen months or three years, depending on whether their Social Security numbers had been exposed. But OPM's offer failed to address the concerns of all such parties, and the agency soon found itself named as a defendant in breach-related lawsuits across the country. The Judicial Panel on Multidistrict Litigation transferred these actions to the U.S. District Court for the District of Columbia for coordinated pretrial proceedings. The suits were ultimately consolidated into two complaints: one brought by the American Federation of Government Employees on behalf of thirty-eight individuals affected by the breaches and a putative class of similarly situated breach victims ("Arnold Plaintiffs") and another for declaratory and injunctive relief brought by the National Treasury Employees Union ("NTEU") and three of its members ("NTEU Plaintiffs"). Below we summarize the relevant allegations and claims contained in each complaint, accepting all factual allegations "as true" and drawing "reasonable inferences * * * in the plaintiffs' favor." Philipp v. Federal Republic of Germany, 894 F.3d 406, 409 (D.C. Cir. 2018) (internal quotation marks omitted).
Arnold Plaintiffs allege that KeyPoint's "information security defenses did not conform to recognized industry standards" and that the company unreasonably failed to protect the security credentials that the hackers used to unlawfully access one of OPM's systems in mid-2014. Arnold Plaintiffs' Compl. ¶ 222, J.A. 98. Specifically, they assert that "KeyPoint knew or should have known that its information security defenses did not reasonably or effectively protect Plaintiffs' and Class members' [personal information] and the credentials used to access it on KeyPoint's and OPM's systems." Id. As for OPM, Arnold Plaintiffs allege that the agency had long been on notice that its systems were prime targets for cyberattackers. OPM experienced data breaches related to cyberattacks in 2009 and 2012, and it is no secret that its network is regularly subject to a strikingly large number of hacking attempts. Despite this, say Arnold Plaintiffs, OPM repeatedly failed to comply with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq. (repealed 2014), and its replacement, the Federal Information Security Modernization Act of 2014, 44 U.S.C. §§ 3551 et seq. (collectively, "Information Security Act"), which require agencies to "develop, implement, and maintain a security program...