U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. v. Office of Pers. Mgmt., 17-5217

Decision Date: 21 June 2019
Docket Number: No. 17-5217, C/w 17-5232, 17-5217
Citation: 928 F.3d 42
Parties: IN RE: U.S. OFFICE OF PERSONNEL MANAGEMENT DATA SECURITY BREACH LITIGATION, American Federation of Government Employees, AFL-CIO, et al., Appellees; National Treasury Employees Union, et al., Appellants v. Office of Personnel Management, et al., Appellees
Court: U.S. Court of Appeals — District of Columbia Circuit

Peter A. Patterson, Washington, DC, argued the cause for Arnold Plaintiffs-Appellants in No. 17-5232. With him on the briefs were David H. Thompson, Washington, DC, Daniel C. Girard, Jordan Elias, Tina Wolfson, San Francisco, CA, Los Angeles, CA, Gary E. Mason, Washington, DC, and Richard B. Rosenthal.

Paras N. Shah, Washington, DC, argued the cause for appellants National Treasury Employees Union, et al. in No. 17-5217. With him on the briefs were Gregory O'Duden, Larry J. Adkins, and Allison C. Giles, Washington, DC.

Marc Rotenberg and Alan Butler, Washington, DC, were on the brief for amici curiae Electronic Privacy Information Center (EPIC) and Forty-Four Legal Scholars and Technical Experts in support of appellants.

Sonia M. Carson, Attorney, U.S. Department of Justice, argued the cause for federal appellees. With her on the brief was Mark B. Stern, Washington, DC.

Jason J. Mendro, Washington, DC, argued the cause for appellee KeyPoint Government Solutions, Inc. With him on the brief were F. Joseph Warin, Matthew S. Rozen, and Jeremy M. Christiansen, Washington, DC.

Alan Charles Raul, Kwaku A. Akowuah, Daniel J. Hay, and Steven P. Lehotsky, Washington, DC, were on the brief for amicus curiae The Chamber of Commerce of the United States of America in support of appellees.

Before: Tatel and Millett, Circuit Judges, and Williams, Senior Circuit Judge.

Opinion concurring in part and dissenting in part filed by Senior Circuit Judge Williams.

Per Curiam:

In 2014, cyberattackers breached multiple U.S. Office of Personnel Management ("OPM") databases and allegedly stole the sensitive personal information—including birth dates, Social Security numbers, addresses, and even fingerprint records—of a staggering number of past, present, and prospective government workers. All told, the data breaches affected more than twenty-one million people. Unsurprisingly, given the scale of the attacks and the sensitive nature of the information stolen, news of the breaches generated not only widespread alarm, but also several lawsuits. These suits were ultimately consolidated into two complaints: one filed by the National Treasury Employees Union and three of its members, and another filed by the American Federation of Government Employees on behalf of several individual plaintiffs and a putative class of others similarly affected by the breaches. Both sets of plaintiffs alleged that OPM's cybersecurity practices were woefully inadequate, enabling the hackers to gain access to the agency's treasure trove of employee information, which in turn exposed plaintiffs to a heightened risk of identity theft and a host of other injuries. The district court dismissed both complaints for lack of Article III standing and failure to state a claim. For the reasons set forth below, we reverse in part and affirm in part.

I

As its name suggests, the U.S. Office of Personnel Management serves as the federal government's chief human resources agency. In that capacity, OPM maintains electronic personnel files that contain, among other information, copies of federal employees' birth certificates, military service records, and job applications identifying Social Security numbers and birth dates.

The agency also oversees more than two million background checks and security clearance investigations per year. To facilitate these investigations, OPM collects a tremendous amount of sensitive personal information from current and prospective federal workers, most of which it then stores electronically in a "Central Verification System." Consolidated Amended Complaint, In re United States Office of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-01394, ¶ 65 (D.D.C. March 14, 2016) ("Arnold Plaintiffs' Compl."), J.A. 61. The investigation-related information stored by OPM includes birth dates, Social Security numbers, residency details, passport information, fingerprints, and other records pertaining to employees' criminal histories, psychological and emotional health, and finances. In recent years, OPM has relied on a private investigation and security firm, KeyPoint Government Solutions, Inc. ("KeyPoint"), to conduct the lion's share of the agency's background and security clearance investigation fieldwork. KeyPoint investigators have access to the information stored in OPM's Central Verification System and can transmit data to and from the agency's network through an electronic portal.

It turns out that authorized KeyPoint investigators have not been the only third parties to access OPM's data systems. Cyberattackers hacked into the agency's network on several occasions between November 2013 and November 2014. Undetected for months, at least two of these breaches resulted in the theft of vast quantities of personal information. According to the complaint, after breaching OPM's network "using stolen KeyPoint credentials" around May 2014, Arnold Plaintiffs' Compl. ¶ 127, J.A. 73, the cyberintruders extracted almost 21.5 million background investigation records from the agency's Central Verification System. They gained access to another OPM system near the end of 2014, stealing over four million federal employees' personnel files. Among the types of information compromised were current and prospective employees' Social Security numbers, birth dates, and residency details, along with approximately 5.6 million sets of fingerprints. The breaches also exposed the Social Security numbers and birth dates of the spouses and cohabitants of those who, in order to obtain a security clearance, completed a Standard Form 86. According to the complaints, since these 2014 breaches, individuals whose information was stolen have experienced incidents of financial fraud and identity theft; many others whose information has not been misused—at least, not yet—remain concerned about the ongoing risk that they, too, will become victims of financial fraud and identity theft in the future.

After announcing the breaches in the summer of 2015, OPM initially offered individuals whose information had been compromised fraud monitoring and identity theft protection services and insurance at no cost for either eighteen months or three years, depending on whether their Social Security numbers had been exposed. But OPM's offer failed to address the concerns of all such parties, and the agency soon found itself named as a defendant in breach-related lawsuits across the country. The Judicial Panel on Multidistrict Litigation transferred these actions to the U.S. District Court for the District of Columbia for coordinated pretrial proceedings. The suits were ultimately consolidated into two complaints: one brought by the American Federation of Government Employees on behalf of thirty-eight individuals affected by the breaches and a putative class of similarly situated breach victims ("Arnold Plaintiffs") and another for declaratory and injunctive relief brought by the National Treasury Employees Union ("NTEU") and three of its members ("NTEU Plaintiffs"). Below we summarize the relevant allegations and claims contained in each complaint, accepting all factual allegations "as true" and drawing "reasonable inferences * * * in the plaintiffs' favor." Philipp v. Federal Republic of Germany, 894 F.3d 406, 409 (D.C. Cir. 2018) (internal quotation marks omitted).

Arnold Plaintiffs allege that KeyPoint's "information security defenses did not conform to recognized industry standards" and that the company unreasonably failed to protect the security credentials that the hackers used to unlawfully access one of OPM's systems in mid-2014. Arnold Plaintiffs' Compl. ¶ 222, J.A. 98. Specifically, they assert that "KeyPoint knew or should have known that its information security defenses did not reasonably or effectively protect Plaintiffs' and Class members' [personal information] and the credentials used to access it on KeyPoint's and OPM's systems." Id. As for OPM, Arnold Plaintiffs allege that the agency had long been on notice that its systems were prime targets for cyberattackers. OPM experienced data breaches related to cyberattacks in 2009 and 2012, and it is no secret that its network is regularly subject to a strikingly large number of hacking attempts. Despite this, say Arnold Plaintiffs, OPM repeatedly failed to comply with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq. (repealed 2014), and its replacement, the Federal Information Security Modernization Act of 2014, 44 U.S.C. §§ 3551 et seq. (collectively, "Information Security Act"), which require agencies to "develop, implement, and maintain a security program that assesses information security risks and provides adequate security for the operations and assets of programs and software systems under agency and contractor control." Arnold Plaintiffs' Compl. ¶ 83, J.A. 65.

As early as 2007, Information Security Act compliance audits conducted by OPM's Office of the Inspector General regularly identified major information security deficiencies that left the agency's network vulnerable to attack. Such problems included "severely outdated" security policies and procedures, understaffed and undertrained cybersecurity personnel, and a lack of a centralized information security management structure. Arnold Plaintiffs' Compl. ¶¶ 92–95, J.A. 67–68. As a result, in every year from 2007 through 2013, the Inspector General identified "serious concerns that * * * pose an immediate risk to the security of assets or operations"—termed "material weaknesses"—in the agency's information security governance program. Id. ¶¶ 87–88, J.A. 66; see also ...

66 cases
  • NAACP Legal Def. & Educational Fund, Inc. v. Barr, Civil Action No. 20-1132 (JDB)
    • United States
    • U.S. District Court — District of Columbia
    • 1 October 2020
    ...[;] plaintiffs need not yet establish each element of standing by a preponderance of the evidence." In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 54 (D.C. Cir. 2019) (citing Lujan, 504 U.S. at 561, 112 S.Ct. 2130). To survive a motion to dismiss for failure to stat...
  • Statee., Inc. v. Hammer ex rel. Situated
    • United States
    • Supreme Court of West Virginia
    • 19 November 2021
    ...from a heightened risk of identity theft subsequent to a data breach include the D.C. Circuit (In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 55-56 (D.C. Cir. 2019) (holding that identity theft constitutes a concrete and particularized injury because the victim is ...
  • Republican Nat'l Comm. v. Pelosi
    • United States
    • U.S. District Court — District of Columbia
    • 1 May 2022
    ...Campbell-Ewald Co. v. Gomez, 577 U.S. 153, 166, 136 S.Ct. 663, 193 L.Ed.2d 571 (2016); In re U.S. Off. of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 68–69 (D.C. Cir. 2019) (per curiam). When the Speech or Debate Clause applies, however, it renders such rights nonjusticiable. ...
  • Mozilla Corp. v. Fed. Commc'ns Comm'n
    • United States
    • U.S. Court of Appeals — District of Columbia Circuit
    • 1 October 2019
    ...again, the dissenting opinion's Chevron Step Two theory is not there. So it is forfeited. See In re U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 71 (D.C. Cir. 2019) ("And KeyPoint has not raised a preemption argument in this court, so any argument to that effect is ...
1 books & journal articles
  • Preparing for common legal and factual issues
    • United States
    • James Publishing Practical Law Books, Proving Damages to the Jury, Part 5
    • 4 May 2022
    ...a substantial attorney's fee usually comes out of it."); see also In re U.S. Office of Personnel Management Data Security Breach Litig., 928 F.3d 42, 65–66 (C.A.D.C. 2019); Atlanta Channel, Inc. v. Solomon, No. 15-1823 (RC), 2020 WL 1984296, at *24 (D.D.C. Apr. 27, 2020).] For additional...
