In early June, the Office of Personnel Management announced that data files on current and past Federal employees had been stolen from its servers. Some weeks later, the OPM announced a second theft, from its database of those who have applied for security clearances. The total number of individuals who have had their information totals in the tens of millions.
Since the public announcements, a number of lawsuits have been filed against the OPM and other Federal agencies. Some have been filed by unions representing Federal employees while others have been filed by individuals who have been notified that their information was stolen. The barrage of lawsuits is similar to what occurred after similar data breaches at Target and other private companies.
What happened?
In April, 2015, the OPM discovered that personal data from 4.2 million current and former Federal employees had been stolen from their computers. That loss was not announced until June.
While investigating the April theft, the OPM discovered that the system housing data on background investigations for security clearance applications had also been penetrated. They believe that the theft affects 21.5 million individuals.
What is OPM doing?
The initial data loss was not publicly revealed until June 4, 2015, by the Office of Personnel Management. At that time, the OPM began notifying individuals whose personal identifying information may have been stolen. The second theft was discussed in a press release July 9. The OPM is in the process of notifying affected individuals.
All those affected are being offered identification and credit protections services. The use of e-Qip was suspended for some weeks. The OPM has completed security enhancements and the on-line security clearance application process is being placed back into use.
Who is suing OPM?
At least seven lawsuits have been filed over the two data thefts at OPM. OPM is named, of course, and some of the suits name the Homeland Security Department, or Keypoint Systems, the contractor involved in the breached systems.
The American Federation of Government Employees filed a suit on June 29, naming OPM, its then director Katherine Archuleta and chief information officer Donna Seymour. About two weeks later, the National Treasury Employees Union followed with their lawsuit.
Marcy Woo has filed a lawsuit requesting $5 million in damages. She sued OPM, Keypoint, and the two individuals. Social Security judge Teresa J. McGarry is suing the above four, and the Homeland Security Department. She charges that the HS cyber traffic monitoring system named EINSTEIN failed to prevent the thefts. Former Defense Department employee Edward Krippendorf has sued OPM and Keypoint Systems.
The law firm of Labaton Sucharow filed a class action lawsuit on Aug. 14 on behalf of the 21.5 million individuals affected in the second data theft.
Chances of success?
The Hill reports that some of the suits have been consolidated and will be heard by a judge in Washington, D.C. The piece also notes that the suits may have little chance of success. Under the principle of “sovereign immunity,” the government cannot be sued over most matters.
The greatest challenge to the plaintiffs may be the issue of damages. In general, the Hill notes, a plaintiff must show that they have suffered or will suffer harm from the alleged tort. At this point, it appears that few, if any, of those whose data was stolen have suffered any damages as a result. None of the stolen data has been publicly released, and the potential repercussions are speculative, at this point.
In addition, the two union lawsuits face the issue of standing. They must be prepared to show that they, as an entity, suffered damages, in order to be a plaintiff in any suit.
At this time, the thieves remain unknown. The data has not been publicly released. The OPM has instituted additional data security measures. The OPM director Katherine Archuleta has resigned. The agency’s CIO, Donna Seymour, remains on the job. And some government employees have other data breach problems to worry about.