A Judge Has Finalized the $63M OPM Hack Settlement. Feds Now Have Two Months to Sign Up for Damages.

A federal judge on Wednesday formally finalized a $63 million settlement that will soon allow thousands of current and former federal employees to receive payouts as part of the agreement stemming from a 2015 breach of data maintained by the Office of Personnel Management.

District Judge Amy Berman Jackson said all parties had fulfilled their obligations since they reached a preliminary agreement in June, including taking proper steps to notify the victims of the hack of their eligibility to potentially receive monetary damages. Jackson added in her order the settlement is “fair, reasonable and adequate, and in the best interests of the class.” 

OPM disclosed two data breaches in 2015: one that exposed the personnel files of all current and former federal employees and another that released the personally identifiable information of all applicants for security clearances, as well as their families. Those individuals are set to receive a minimum of $700 and up to $10,000 from the agreement if they can prove they were victims of the hack and incurred out-of-pocket expenses or lost compensable time. More than 22.1 million people were impacted by the breaches. 

They now have until Dec. 23 to file a claim for damages. The plaintiffs are part of a class action lawsuit that reached a $63 million settlement earlier this year with OPM and its contractor, now known as Peraton Risk Decision Inc. As of the latest filing earlier this month, more than 19,000 employees have filed a claim. 

Jackson made clear the government and Peraton were not admitting guilt and would not play any part in doling out the settlement to class members. That role will fall to Epiq, the firm overseeing the implementation of the agreement. The court itself will retain jurisdiction over administration and interpretation of the settlement, Jackson said. The judge upheld the settlement over the objections of more than a dozen class members who submitted concerns. 

Nearly all of the 22 million impacted by the breach will no longer have any standing to sue the government or Peraton due to the hacks, except for the 114 individuals who proactively asked to be excluded from the settlement. 

In order to qualify for the payouts, hack victims must show they purchased their own credit monitoring or identity theft protection services, accessed a credit report or made efforts to mitigate an identity theft incident. Epiq, which said it expects more class members to file claims over the next two months, will review and audit all claims that it receives. Individuals must affirmatively make a claim to be eligible for monetary compensation, which they can do on OPMDataBreach.com. They are encouraged to provide documentation of their related expenses, for which they can be compensated up to $10,000.

In addition to providing notice to hack victims of the settlement and the steps for signing up, Epiq has overseen an advertising campaign to raise awareness of the agreement. The firm said it would make more than 700 million impressions through print, digital and social media ads. It is not yet clear exactly when breach victims could start receiving their compensation, though the court ordered the payouts to begin as expeditiously as possible after the Dec. 23 deadline. Epiq will also have to review and audit the claims it receives. 

The defendants have already agreed to pay the plaintiffs’ attorneys from Girard Sharp LLP $7 million in fees. Congress has mandated that OPM provide victims 10 years of credit monitoring and identity theft protections. The agency has signed two contracts with ID Experts to provide the services, the first worth $340 million and the second worth up to $416 million.