Technology

Appeals court allows data breach lawsuit by federal workers to go forward

by Emily Birnbaum

The D.C. Circuit Court of Appeals on Friday ruled that two groups of federal workers can move forward with their class action lawsuits against the Office of Personnel Management (OPM) over a 2015 data breach that exposed the personal information of 22 million people.

According to the appeals court, the data breach left the plaintiffs vulnerable to identity theft, a substantial and ongoing “injury” that can be traced back to OPM’s failure to adequately safeguard its systems.

{mosads}Hackers in 2014 began stealing personal information such as Social Security numbers, birth dates, fingerprints and addresses from OPM, which functions as the federal government’s human resources department.

In the years since, federal workers affected by the breach have reported various types of identity theft, including credit cards being opened and fraudulent tax returns in their name, according to the lawsuit.

The breach set off a flurry of lawsuits, which were combined into two complaints in D.C. In 2017, a federal judge dismissed the complaints, saying plaintiffs lacked sufficient evidence that they faced a substantial or imminent threat of identity theft.

The appeals court on Friday argued there is evidence the hack left federal workers vulnerable to identity theft or fraud.

“There is no question that the OPM hackers … now have in their possession all the information needed to steal [plaintiffs’] identities,” the court wrote. “Plaintiffs have alleged that the hackers stole Social Security numbers, birth dates, fingerprints, and addresses, among other sensitive personal information. It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft.”

The appeals court also criticized the lower court for citing outside reports to conclude that the Chinese government was behind the attack.

“As an initial matter, the district court should not have relied even in part on its own surmise that the Chinese government perpetrated these attacks,” the opinion states.

Experts have tied the hack to the Chinese government, alleging it was a form of espionage, but the appeals court on Friday argued that identity theft could be part of an espionage plot.

“Given that espionage and identity theft are not mutually exclusive, the likely existence of an espionage-related motive hardly renders implausible [plaintiffs’] claim that they face a substantial future risk of identity theft and financial fraud as a result of the breaches,” the court wrote.

The groups of federal workers will now be allowed to move forward with their lawsuits against OPM, which the appeals court said still has not secured its systems against future cyberattacks.