In response, the government has been providing free services such as credit and identity monitoring and identity theft insurance.
Separate suits by the American Federation of Government Employees and the National Treasury Employees Union sought financial damage awards for the victims in addition.
They argued that the government was on notice that hackers regularly targeted its systems but failed to maintain adequate safeguards. They also said the victims remain at continuing risk of having their information misused.
The court, addressing both cases together, wrote that although the allegations are “troubling,” there was no legal basis to even consider them.
It said the situation did not meet the test that “a plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial.”
The right to bring a claim for damages under the Privacy Act “is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government’s statutory violation. The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken.”
Nor do other laws cited by the unions allow for suing the government “to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution,” District Judge Amy Berman Jackson wrote for the court in In Re: U.S. Office of Personnel Management Data Security Breach Ligation, Misc. Action No. 15-1394.
NTEU said it was disappointed with the ruling and already has filed an appeal. “We will make our case there that NTEU members were harmed by the breaches and that OPM’s indifference to securing its databases in the years leading up to the breaches violated NTEU members’ constitutional right to informational privacy,” union president Tony Reardon said in a statement.
AFGE president J. David Cox Sr. said his union also is considering an appeal, saying that “everyone affected deserves to see that justice is served . . . The judge’s unfortunate decision to dismiss AFGE’s case reflects an unduly narrow view of the rights of data breach victims.”
The larger of the two breaches involved some 21.5 million people who had undergone background checks since about 2000, including federal, military and contractor personnel who were seeking new or renewed security clearances, as well as people checked merely to gain access to certain government facilities. The other involved personnel records of some 4.2 million current and former federal employees. Overlap between the two brought the total affected to about 22.1 million.