[BreachExchange] Plaintiffs Take Just 1 Hour to Appeal Dismissal of Suit Over OPM Data Breach

[Destry Winant]

http://www.nationallawjournal.com/id=1202798363311/Plaintiffs-Take-Just-1-Hour-to-Appeal-Dismissal-of-Suit-Over-OPM-Data-Breach?slreturn=20170821090624

A federal judge dismissed two lawsuits Tuesday stemming from a massive
breach of government data, but plaintiffs wasted little time,
appealing one of those decisions within an hour.

Lawyers representing the National Treasury Employees Union filed an
appeal to the U.S. Court of Appeals for the D.C. Circuit on Tuesday
following a ruling from U.S. District Judge Amy Berman Jackson that
dismissed their lawsuit, along with another, over a 2015 Office of
Personnel Management data breach. The breach affected more than 21
million people, and lawsuits over it were consolidated in
multidistrict litigation in the District of Columbia in October 2015.

Paras Shah, assistant counsel at NTEU, said his team was “ready to
review” Jackson’s decision and “upon reading it found it appropriate
to file our appeal.” The union alleged that the breach violated its
members’ rights under the Constitution’s Fifth Amendment to privacy of
information.

“Our legal theory is that, if the government cannot disclose
inherently personal information that’s given to it to unauthorized
individuals, then it can’t recklessly disregard its obligation to
protect that information. … The government can’t leave [the
information] somewhere and leave the doors and windows open so that
somebody may find it.”

In addition to NTEU’s lawsuit, which was brought by the union and some
individual members, another government union, the American Federation
of Government Employees, brought a class action lawsuit that was
consolidated with others from across the country. In the ruling
Tuesday, Jackson also dismissed that suit, which alleged violations of
federal law prohibiting the dissemination of individuals’ personal
information by the government.

Daniel Girard, managing partner of Girard Gibbs in San Francisco, was
lead counsel on that lawsuit. Girard did not immediately say whether
he planned to file an appeal.

“We are reviewing the court’s opinion and will be discussing options
with our clients and co-counsel,” Girard said in an email.

Jackson wrote in her opinion that the plaintiffs in both lawsuits
failed to show they had standing to bring their claims. None of the
plaintiffs, the judge wrote, could show a cognizable injury from the
breach that the court could address.

“It may well be that the Supreme Court or the D.C. Circuit will
someday announce that given the potential for harm inherent in any
cyberattack, breach victims automatically have standing even if the
harm has yet to materialize, and even if the purpose behind the breach
and the nature of any future harm have yet to be discerned,” Jackson
wrote. “But that has not happened yet, and the court is not empowered
to expand the limits of its own authority, so it cannot find that
plaintiffs have standing based on this record.”

The ruling comes at a critical point for case law surrounding data
breaches. Courts are split over what constitutes as a cognizable
injury in data breach suits. Meanwhile, lawsuits are piling up across
the country related to the recently announced breach at Equifax, which
affected nearly half the country. Just last month, the U.S. Court of
Appeals for the D.C. Circuit reversed the dismissal of a case related
to a 2014 breach at health insurer CareFirst, writing that the
district court had taken too narrow a view of the harm to plaintiffs.

Jackson wrote that the circumstances were different in the OPM case,
although she added that the circuit court’s ruling meant “standing is
a very close and difficult question in this case.”

She wrote there was no evidence that “the means to commit credit card
or bank fraud were included in this breach,” nor was there evidence
that the stolen information had been used to commit such fraud. She
wrote that while the CareFirst hack was a “domestic crime,” the OPM
hack appeared to be sponsored by a foreign state, according to media
reports.

As for the class action, Jackson wrote, the federal government has
sovereign immunity from its claims.

Meanwhile, Jackson said the constitutional claims in the NTEU suit did
not hold up.

“Even if it might violate the Constitution for the government to then
deliberately disclose the information, there is no authority for the
proposition that the Constitution gives rise to an affirmative
duty–separate and apart from the statutory requirements enacted by
Congress–to protect the information in any particular manner from the
criminal acts of third parties,” Jackson wrote.