Breached employees can’t show they were actually damaged, the federal judge said.
A federal judge tossed out a lawsuit Tuesday from a group of federal employees who say gross negligence by the Office of Personnel Management contributed to the office’s 2015 data breach that exposed sensitive security clearance information about more than 20 million people.
The lawsuit filed by the National Treasury Employees Union can’t go forward because the employees can’t prove they were actually harmed by the breach, Judge Amy Jackson said.
The personnel office breach is widely believed to have been a Chinese intelligence operation aimed at identifying high-placed government employees who might be vulnerable to bribes or blackmail. The breach focused on SF-86 forms, highly sensitive security clearance documents where prospective employees describe troubles with money, romantic relationships and substance abuse among other topics. The breach also included a smaller number of fingerprints.
As a result, there’s no evidence the breached information ever made it into the hands of cyber criminals who might use it to commit tax fraud, apply for phony credit cards or steal a victim’s identity—the sort of damage that might give the plaintiffs standing to sue, Jackson said.
Jackson also dismissed a separate lawsuit from 38 federal employees and the American Federation of Government Employees union. That suit also named the personnel office’s contractor, KeyPoint Government Solutions, which was also breached.
“Neither the Supreme Court nor the U.S. Court of Appeals for the D.C. Circuit has held that the fact that a person’s data was taken is enough by itself to create standing to sue,” the judge’s opinion states. “A plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial.”
In the case of the personnel office breach, that likelihood simply isn’t there, the judge said.
The unions also failed to show that the personnel office isn’t protected from lawsuits by sovereign immunity, Jackson said.
The National Treasury Employees Union has already appealed the case to the federal appeals court in Washington, D.C., the union said in a press release.
“The union’s members provided OPM with deeply personal information as a condition of their employment, and they did so on an explicit promise of confidentiality,” the union, which represents about 150,000 federal employees at 31 agencies, said in a press release.
“OPM flagrantly disregarded its promise by failing to secure that personal information,” the union said.
NTEU wants the personnel office to give breach victims lifetime credit monitoring and identity theft protection services and wants the court to bar OPM from storing union members’ personal information in electronic form. Currently, hack victims are slated to get 10 years of identity protection services.
The other plaintiff, the American Federation of Government employees union said in a statement that it is “seriously evaluating all options,” but did not pledge to appeal the ruling. The union said the ruling reflected “an unduly narrow view of the rights of data breach victim.”
The Obama administration never publicly accused the Chinese government of being behind the OPM breach. A threat to sanction Chinese officials for the breach, however, is widely believed to have been the catalyst for a 2015 deal between Obama and Chinese President Xi Jinping in which both nations pledged not to hack the other for financial gain.
Chinese commercial espionage, which former National Security Agency Director Keith Alexander once described as the “greatest transfer of wealth in history,” has significantly declined since that agreement, cybersecurity firms say.
Eric Katz contributed to this report.