Last week the Court of Appeals for the D.C. Circuit reversed a lower court decision in two class action lawsuits against the Office of Personnel Management (OPM) over the 2015 data breach that affected more than 21 million people. The court decided that the American Federation of Government Employees (AFGE) and the National Treasury Employees Union (NTEU) – along with any individually named plaintiffs – could show that they had suffered harm as a result of the data breach.

The court also ruled that OPM waived its sovereign immunity to lawsuits under the Privacy Act, and reversed the decision of the lower court, which had thrown out the case.

What this ruling means for the future of OPM

OPM will now have to defend itself in court as a result of this ruling. More importantly, AFGE and NTEU may be able to collect damages as the Court of Appeals noted that those impacted by the breach could be left vulnerable to future identity theft.

The court summarized its ruling:

“Plaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM’s and KeyPoint’s cybersecurity failings and likely redressable, at least in part, by damages, and NTEU Plaintiffs have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM’s challenged conduct and redressable either by a declaration that the agency’s failure to protect plaintiffs’ personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program.”

An AFGE spokesperson called the ruling a “positive step for our members affected by the data breach.”

The OPM Data Breach and Clearance Backlog Go Hand-in-Hand

This isn’t the end of the matter, however, as OPM and KeyPoint will have to defend their respective actions in court. Yet the breach has been seen as something that should have been avoidable.

“The first thing to remember is that we got into this mess because the background check process was so backlogged,” explained Dan Meyer, managing partner for the D.C. offices of Tully Rinckey PLLC.

“We’re now in the third decade of the federal government not understanding how to do background investigations,” Meyer told ClearanceJobs.

The move to having OPM handle the investigations and away from its stated mission of “recruiting, retaining and honoring a world-class force to serve the American people” has been called out by many as a disaster waiting to happen. As a result, the Department of Defense, as well as the intelligence agencies, are now taking back their investigations.

“We’re back to a system that didn’t really work before and resulted in a backlog,” added Meyer.

Clearance Backlog: Lifelong Problem With No Solution

Some plaintiffs have said that as a result of the breach, they’ve received fraudulent tax returns and had their identities used to open fake credit cards. Given the amount of information that was compromised, this could be much more than just bad credit.

“Those affected are going to need monitoring for life,” warned Meyer. “And this isn’t just credit monitoring.”

For federal employees whose identity is compromised, it could result in a loss of clearance – an irony as OPM’s role was to aid in the clearance process.

“This could include a situation where an employee’s credential review is held up, and they could be suspended from a job,” noted Meyer. “The worst part of it is that those employees will have to go out and defend themselves, and prove they were part of the OPM mismanagement of their personal information.”

This could be a six-month process, but Meyer told ClearanceJobs that one case he worked on lasted for years.

“People haven’t gotten a hold of how serious this problem is, and we haven’t thought through the outstanding liability,” he added. “The most important takeaway is this: employees should acquire hard copies of documents that clearly state that they were a victim of the OPM mismanagement in case of any identity theft.”

 


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.