“OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known, and available steps to secure the trove of sensitive information in its hands,” said the decision Friday by the U.S. Court of Appeals for the District of Columbia Circuit.
The OPM deferred a request for comment to the Justice Department, which declined to comment.
The appellate court ruled that a federal district judge erred in dismissing a combined suit brought by two federal employee unions, the American Federation of Government Employees and the National Treasury Employees Union.
The NTEU is asking the courts to order lifetime credit protection for victims and compel the OPM to carry out the recommendations from its inspector general to strengthen its cyberdefenses. The AFGE suit seeks a monetary award to victims under the Privacy Act.
Both databases contained personal information such as names, addresses, birth dates and Social Security numbers.
The larger of the two encompassed some 21.5 million people who had undergone background checks since about 2000, including federal, military and contractor personnel who were seeking new or renewed security clearances and people checked to gain access to certain government facilities.
It also included highly personal financial and other information that must be disclosed to hold a clearance, as well as fingerprints in some cases.
The other database involved personnel records of some 4.2 million current and former federal employees. Overlap between the two brought the total number of people affected to about 22.1 million.
Although the breaches were revealed in mid-2015, they began in late 2014 and continued for several months. They were widely, although not officially, attributed to hackers based in China.
The OPM director resigned under pressure in July 2015, and a law was enacted providing 10 years of free identity and credit monitoring and identity theft insurance.
The Defense Department is taking over from the OPM the responsibility for conducting background checks and protecting the related information, while the White House wants to move most of the OPM’s other duties to the General Services Administration, citing the OPM’s antiquated computer systems.
The district court granted the government’s bid to dismiss the suit in September 2017, holding that the unions had failed to show the kind of harm to the affected people needed to hold the government liable.
But two of the three judges on a panel of the appeals court, David S. Tatel and Patricia A. Millett, wrote that some of the victims “have already experienced some form of identity theft,” including fraudulent claims for tax refunds, the opening of credit card accounts, and loans taken out and purchases made in their names.
Those forms of identity theft are “accomplishable only with the type of information that OPM stored and the hackers accessed. That directly links the hack to the theft of the victims’ private information, the pecuniary harms suffered, and the ongoing increased susceptibility to identity theft or financial injury,” the judges wrote.
Further, the decision said, some people have incurred costs — including purchasing individual credit protection and repair services and taking time off from work — to deal with identity-theft-related problems.
The ruling meanwhile noted that the OPM inspector general, which operates largely independently of the agency’s management, had “repeatedly warned OPM about material deficiencies in its information security systems,” but management “chose to leave those critical information security deficiencies (and more) in place.”
“The complaint’s plausible allegations that OPM decided to continue operating in the face of those repeated and forceful warnings, without implementing even the basic steps needed to minimize the risk of a significant data breach, is precisely the type of willful failure to establish appropriate safeguards that makes out a claim under the Privacy Act,” the court majority said.
The ruling used similar reasoning to find that the government should not be protected from the suit under the principle of sovereign immunity.
In a partial dissent, one of the three judges, Stephen F. Williams, said that no evidence was presented that the breach had resulted in widespread fraud, which “one would expect to see” by now, and that the problems the court majority cited could relate to different thefts of personal information.
The case now returns to the district court for proceedings on the merits of the claims. Also still ahead, should the unions ultimately win, is a decision on awarding money to victims.
Allison Giles, an attorney for the NTEU, cautioned that “this is a very preliminary decision” and that a final resolution could be months if not years away.