China hacked into the federal government's network, compromising four million current and former employees' information. The Post's Ellen Nakashima talks about what kind of national security risk this poses and why China wants this information. (Alice Li/The Washington Post)

As current and former federal workers try to figure out if their personal information was exposed in a recently disclosed breach at the Office of Personnel Management, experts say that there are protections built into the law that could enable the employees to take the government to court.

The agency is currently notifying those affected by the breach, which may have exposed the Social Security numbers, dates of birth and addresses of workers along with information about their careers in public service. The government is offering those caught up in the incident 18 months of credit monitoring and identity theft protections, but experts have warned that victims of data breaches may face an increased risk of fraud due to compromised information that persists after those services expire. And they may have other legal options.

"The Privacy Act of 1974 clearly placed an obligation on federal agencies to protect information they collected. It also created a mechanism for people to bring lawsuits against agencies that failed to safeguard information in their protection," said Marc Rotenberg, the executive director of the Electronic Privacy Information Center.

But such a case would likely be an uphill battle.

The agency put a caveat about legal responsibility in the letter sent to those affected by the breach. "[N]othing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose," the letter reads. "Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law."

The Privacy Act does not specifically address breaches related to cyberattacks, but prohibits the government from revealing data to unauthorized individuals. Rotenberg said consumers could argue that OPM was so negligent in protecting workers' data that its actions amounted to willful disclosure of that information. "The agency was on notice that it had a security problem and failed to rectify it," he said, referencing years of OPM Inspector General reports that highlighted problems with the agency's digital defenses.

"The intrusions into OPM’s systems were criminal acts committed by unknown adversaries for criminal purposes," an agency spokesperson told The Post in response to an inquiry about its responsibilities under the law. "As a result, we have done and continue to do everything possible to protect the security of OPM systems and the records contained in those systems. We will also continue to contact those who may have been affected, and to offer credit monitoring."

Under the Privacy Act, individuals who have had their data disclosed by the government can sue for damages and reasonable attorney's fees. All U.S. citizens have a right to action under the law, including current federal employees, according to Nuala O'Connor, a former chief privacy officer at the Department of Homeland Security and current leader of the Center for Democracy & Technology.

But proving damages could be difficult, said Bob Gellman, a longtime privacy and information policy consultant and former federal employee. "At the moment, I don't know that there's any harm to be shown."

While there have been some lawsuits over retail breaches in recent years, one reason there haven't been more is that damages in this area are hard to prove, said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie.

First you need to have suffered a specific harm, which is actually fairly rare in breach cases, he said, and then you need to be able to definitively say it resulted from a specific breach. But because there have been so many breaches in recent years, it could be hard to tie a specific case of identity theft to one particular security incident.

In the private sector, companies sometimes settle cases seeking damages to make them go away or avoid legal fees even if it would be difficult for consumers to prove harm, but it's unclear if the federal government would do something similar, Gellman said. "They seem to have unlimited litigation resources."

There is another option: The Privacy Act also provides for criminal penalties of up to $5,000 per unauthorized disclosure, if done "willfully." But that would require the Department of Justice to bring charges against a specific person at the agency for what seems to be a larger, systemic security failure.

"There are clearly a lot of things that have been done wrong here, but trying to bring a criminal action against an individual [in government] doesn't seem to be the right approach," Gellman said.

At the end of the day, the real criminals are the people who broke into the system, said O'Connor.

Still, Rotenberg would like to see someone be held accountable. "The failure of enforcement is leading these agencies to not take this seriously."

(Disclosure: The reporter is a former federal employee, but does not know if data about her was compromised in the OPM breach.)