One breach involved records on about 21.5 million federal, military and contractor personnel and others who had undergone background checks since about 2000, commonly to gain or renew security clearances. The other involved personnel records of about 4.2 million current and former federal employees. Overlap between the two brought the total affected to about 22.1 million.
The American Federation of Government Employees is seeking a monetary award to victims under the Privacy Act, which provides for awards of at least $1,000 per individual if the government willfully fails to protect information on them that it holds.
The suit was combined with one in which the National Treasury Employees Union is seeking free lifetime credit protection for victims and a court order requiring the Office of Personnel Management to shore up its cyberdefenses.
A district judge initially dismissed the case, saying the complaint failed to show that problems some victims later experienced — such as fraudulent tax refund claims, credit card accounts and purchases made in their names — were caused by the breaches.
A panel of the federal Court of Appeals for the District of Columbia Circuit, however, told the lower court to consider the case, saying that OPM had failed to protect the data despite “repeated and forceful warnings” that the databases were vulnerable and a prime target for hackers. It further found that the unions had shown that the types of problems the complaint described can occur only after such a theft of personal information.
However, the Justice Department said the decision ignored evidence that the hacks were motivated by espionage.
“When the circumstances of a cyberattack suggest the attackers have a motive other than identity theft or fraud, the mere occurrence of the attack cannot support standing for all individuals whose data may have been compromised,” it argued.
The unions did not show “any coherent pattern of fraud or identity theft caused by the OPM attacks. Instead, the allegations identify sporadic and isolated episodes” that were not necessarily related to those attacks, it said in asking for reconsideration by all of the court’s judges sitting together.
Meanwhile, a coalition of unions including the AFGE and the NTEU has asked the court for the same type of review of a separate decision involving three executive orders issued by President Trump in May 2018.
Those orders sought to restrict labor-management negotiations, reduce the amount of working time that federal employees can spend on some union-related matters, and restrict employee protections in certain disciplinary cases.
A district court issued an injunction against many of those provisions on the grounds that civil service law requires bargaining over those issues.
An appeals court panel recently ruled, though, that unions should have filed their challenges with the Federal Labor Relations Authority, which decides internal government labor-management disputes. The court did not address the merits of the unions’ claims.
In their appeal, the unions argue that only the federal courts can rule on their contention that the orders exceed presidential authority under civil service law.