“It was a reckless failure to keep the information OPM was given confidentially by thousands of employees,” NTEU President Colleen Kelley said at a news conference announcing the suit, filed in the court’s Northern District of California.
“OPM failed to take measures to protect information it was obligated to protect,” Kelley said, adding that the long-term repercussions from the hack of employee personnel files and a vast database containing background investigation data are “not anything that’s going to be over in a month or two.”
Also Wednesday, aides to Sen. Benjamin Cardin (D-Md.) said he plans to introduce legislation in the coming days that would force the government to offer stronger, longer-term identity theft protections than the 18 months of credit monitoring OPM is now offering active and current employees through a private contractor.
“Senator Cardin has committed to introducing legislation that would better protect all individuals affected by the OPM data breach,” the senator’s spokeswoman, Sue Walitsky, said in a statement. “The details are still being hammered out but his bill would extend coverage and increase loss limits.”
OPM announced in June that the personnel files of 4.2 million current and former federal workers — containing their names, addresses, Social Security numbers and other data — had been hacked late last year. In another breach, hackers got access to records of millions of employees and contractors seeking security clearances. OPM has not announced the number of individuals whose information was stolen or potentially compromised in that attack.
OPM spokesman Sam Schumach said the agency had no immediate comment on the lawsuit.
NTEU, which represents about 85,000 federal employees, is asking the court to find that by failing to take all recommended steps to shore up the security of its computer networks before the intrusion, OPM violated the employees’ constitutional right to privacy.
The lawsuit also wants the court to require the government to pay for credit-monitoring and identity-theft protection for life; order the agency to improve its cybersecurity program and halt any collection of personal information from union members electronically until the court is satisfied that the data can be protected from hackers.
The lawsuit follows similar legal action in late June by the American Federation of Government Employees. AFGE also sued a contractor, Keypoint Government Solutions, that does background investigations for security clearances because the company was the target of an earlier breach that led the intruders whose hack was announced in June to gain access to employee files.