BreachExchange mailing list archives

Why the Lawsuit Against OPM over the Massive Data Breach Faces an Uphill Battle


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 1 Jul 2015 18:49:57 -0600

http://www.nextgov.com/cybersecurity/2015/07/why-lawsuit-against-opm-over-massive-data-breach-faces-uphill-battle/116701/


A class action lawsuit against the Office of Personnel Management over a
massive breach of federal employees’ data faces an uphill battle, privacy
law experts say.

The American Federation of Government Employees says OPM and a contractor
violated the 1974 Privacy Act by neglecting to secure employees' personal
data, which resulted in financial and emotional harm.

The failure to protect workers’ data could hold up in court, but
demonstrating that damages have actually been suffered will be the
challenge, legal experts say. The suspected thieves in this situation are
foreign government spies aiming for access to U.S. secrets, not financial
fraudsters seeking access to people’s bank accounts.

The real harm done for a federal employee or job applicant is now "living
for the rest of your life knowing that all of your personal information is
in the hands of another country and possibly terrorists, or possibly people
that want to do harm to you, your family or the country,” said Cheri
Cannon, a partner at federal employment law group Tully Rinckey. “The
United States can't fix that."

But neither can any lawsuit, said Cannon, a former military attorney who
says she's affected by the breach. AFGE, the country's largest government
employee union, filed suit in U.S. District Court on Monday against the
agency, OPM Director Katherine Archuleta, OPM Chief Information Officer
Donna Seymour and the contractor, KeyPoint Government Solutions, which
conducts background investigations for the government.

Past data breach cases resting on the Privacy Act largely have been
unsuccessful.

According to AFGE’s complaint, OPM disregarded federal information security
statutes and inspector general recommendations dating back to 2007.

Last month, OPM acknowledged a breach of 4.2 million personnel records,
containing Social Security numbers, and the compromise of an undefined
number of invasive background investigations on individuals with access to
classified intelligence.

Claiming that OPM knew its networks were vulnerable to attack and did
nothing “opens the door a little bit wider" for making a case, said Cannon,
a former Air Force deputy general counsel for fiscal, ethics and
administrative law, who at one point held a security clearance. She said
she has been notified her personnel records were compromised by one of the
hacks. The government has not notified victims of the background check
breach.

Demonstrating the Agency Did Not Lock the Door

“AFGE has a compelling case, particularly because OPM was on notice as to
the security vulnerabilities," said Marc Rotenberg, president of the Electronic
Privacy Information Center. "It doesn’t matter who committed the breach.
The central question is whether the federal agencies took necessary
measures to protect the information collected."

By law, the agency was obligated to protect the volumes of information it
collects.

That likely is why defendant OPM head Archuleta has consistently said she
is "angry" about the hacks but has not expressed remorse. Archuleta and
other OPM officials "cannot apologize or take responsibility for" the
breach publicly on Capitol Hill or in the press because that would hurt
their legal defense, Cannon said.

OPM officials Tuesday would not comment on the lawsuit.

In the past, Archuleta has insisted no one in the government is personally
responsible for the network intrusion; rather, the hackers are to blame.
Background check provider KeyPoint Government Solutions, from whom hackers
stole a credential to open OPM systems, says the company has seen no
evidence it is responsible for the breach.

AFGE’s complaint states the damages employees have or will suffer include
"pecuniary losses, anxiety and emotional distress," caused by among other
things the compromise of personal information belonging to themselves,
relatives, neighbors and acquaintances contained in investigative records.

Also listed among the harms inflicted is "lost opportunity costs"
associated with the effort and time spent preventing ID and medical theft.

Proving Your Data Has Been Misused

But past Privacy Act verdicts have narrowly defined who is eligible for
compensation when personal data is compromised.

In 2004, the Supreme Court ruled an individual can file suit against the
government to recover financial damages when such information is exposed --
but only if an "actual damage" is proven. The definition of "actual damage"
was left open in the case, which involved miners suing the Labor Department
for disclosing their Social Security numbers.

In 2012, the high court decided an individual -- in that case, a Federal
Aviation Administration employee whose HIV-positive status was divulged --
cannot claim financial damages based on mental or emotional distress caused
by a federal agency's intentional or willful violation of the Privacy Act.

In 2011, SAIC and the Pentagon were sued under the Privacy Act when Tricare
military health insurance data on 4.9 million service members and their
families was stolen. A D.C. federal judge dismissed most of the charges in
May 2014, ruling that data loss alone, without evidence the information was
misused, did not merit damages.

There have been recent legal proceedings that suggest some sort of
settlement agreement might be brokered.

The National Labor Relations Board ruled earlier this year the U.S. Postal
Service violated labor laws by not at least negotiating with postal unions
on the agency’s response to its employees’ data being hacked in 2014.

In addition, the Supreme Court will hear a case in the next term, starting
in October, that could set a new standard for whether data breach lawsuits
can be based on future harm.

"The impossibility of forecasting what will happen to stolen data has
intensified legal wrangling over the rights of data breach victims," the
Intercept reported in a June 12 article on the upcoming case that cited the
OPM incident.

Up until now, the precedent on fear of prospective losses has been a 2013
decision, Clapper v. Amnesty International USA, where journalists and human
rights advocates unsuccessfully sued for suffering the cost and
inconvenience of protecting themselves against the likelihood of
warrantless digital surveillance.

The forthcoming high court case addresses whether an unemployed Virginia
man has legal standing to sue the search site Spokeo because it allegedly
published incorrect details about his education, wealth and age, which he
says hurt his employment chances.

Justice Department Staff v. Justice Department Staff?

According to AFGE, the union will contend federal workers suffered damages
from the moment personal data was stolen. The union has not provided the
amount of money being sought, explaining the total sum will be figured out
during the discovery period.

Costs already incurred involve replacing credit cards, closing accounts and
other steps individuals may have taken in response to the breach, officials
said during a Tuesday call with reporters. One attorney representing the
union stressed employees do not have to be victims of identity theft to
demonstrate damages.

It will also be interesting to see how breach victims at the Justice
Department, which must defend claims against the United States, will handle
legal proceedings.

"Justice lawyers are working against their own financial interests – they
have a stake in OPM winning for their own personal financial reason,"
Cannon said.

The complaint excludes “any judicial officer assigned to this case,” OPM,
Archuleta, Seymour and KeyPoint as members of the proposed class action
lawsuit.

“The Justice Department is reviewing the complaint,” DOJ spokeswoman Nicole
Navas said, declining to comment further.

Rotenberg said he doubts the question of conflict of interest will lead to
recusal.

The irony is that, although the Supreme Court has narrowed the legal
protections established in the Privacy Act, "personal records of the
justices, their clerks and staff were likely among those disclosed in the
OPM breach," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss