
In re U.S. Office of Personnel Management Data Security Breach Litigation

United States Court of Appeals, District of Columbia Circuit

June 21, 2019

In re: U.S. Office of Personnel Management Data Security Breach Litigation,
v.
Office of Personnel Management, et al., Appellees
American Federation of Government Employees, AFL-CIO, et al., Appellees
National Treasury Employees Union, et al., Appellants

          Argued November 2, 2018

          Appeals from the United States District Court for the District of Columbia (No. 1:15-mc-01394)

          Peter A. Patterson argued the cause for Arnold Plaintiffs-Appellants in No. 17-5232. With him on the briefs were David H. Thompson, Daniel C. Girard, Jordan Elias, Tina Wolfson, Gary E. Mason, and Richard B. Rosenthal.

          Paras N. Shah argued the cause for appellants National Treasury Employees Union, et al. in No. 17-5217. With him on the briefs were Gregory O'Duden, Larry J. Adkins, and Allison C. Giles.

          Marc Rotenberg and Alan Butler were on the brief for amici curiae Electronic Privacy Information Center (EPIC) and Forty-Four Legal Scholars and Technical Experts in support of appellants.

          Sonia M. Carson, Attorney, U.S. Department of Justice, argued the cause for federal appellees. With her on the brief was Mark B. Stern.

          Jason J. Mendro argued the cause for appellee KeyPoint Government Solutions, Inc. With him on the brief were F. Joseph Warin, Matthew S. Rozen, and Jeremy M. Christiansen.

          Alan Charles Raul, Kwaku A. Akowuah, Daniel J. Hay, and Steven P. Lehotsky were on the brief for amicus curiae The Chamber of Commerce of the United States of America in support of appellees.

          Before: Tatel and Millett, Circuit Judges, and Williams, Senior Circuit Judge.

          OPINION

          PER CURIAM.

         In 2014, cyberattackers breached multiple U.S. Office of Personnel Management ("OPM") databases and allegedly stole the sensitive personal information - including birth dates, Social Security numbers, addresses, and even fingerprint records - of a staggering number of past, present, and prospective government workers. All told, the data breaches affected more than twenty-one million people. Unsurprisingly, given the scale of the attacks and the sensitive nature of the information stolen, news of the breaches generated not only widespread alarm, but also several lawsuits. These suits were ultimately consolidated into two complaints: one filed by the National Treasury Employees Union and three of its members, and another filed by the American Federation of Government Employees on behalf of several individual plaintiffs and a putative class of others similarly affected by the breaches. Both sets of plaintiffs alleged that OPM's cybersecurity practices were woefully inadequate, enabling the hackers to gain access to the agency's treasure trove of employee information, which in turn exposed plaintiffs to a heightened risk of identity theft and a host of other injuries. The district court dismissed both complaints for lack of Article III standing and failure to state a claim. For the reasons set forth below, we reverse in part and affirm in part.

         I

         As its name suggests, the U.S. Office of Personnel Management serves as the federal government's chief human resources agency. In that capacity, OPM maintains electronic personnel files that contain, among other information, copies of federal employees' birth certificates, military service records, and job applications identifying Social Security numbers and birth dates.

         The agency also oversees more than two million background checks and security clearance investigations per year. To facilitate these investigations, OPM collects a tremendous amount of sensitive personal information from current and prospective federal workers, most of which it then stores electronically in a "Central Verification System." Consolidated Amended Complaint, In re United States Office of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-01394, ¶ 65 (D.D.C. March 14, 2016) ("Arnold Plaintiffs' Compl."), J.A. 61. The investigation-related information stored by OPM includes birth dates, Social Security numbers, residency details, passport information, fingerprints, and other records pertaining to employees' criminal histories, psychological and emotional health, and finances. In recent years, OPM has relied on a private investigation and security firm, KeyPoint Government Solutions, Inc. ("KeyPoint"), to conduct the lion's share of the agency's background and security clearance investigation fieldwork. KeyPoint investigators have access to the information stored in OPM's Central Verification System and can transmit data to and from the agency's network through an electronic portal.

         It turns out that authorized KeyPoint investigators have not been the only third parties to access OPM's data systems. Cyberattackers hacked into the agency's network on several occasions between November 2013 and November 2014. Undetected for months, at least two of these breaches resulted in the theft of vast quantities of personal information. According to the complaint, after breaching OPM's network "using stolen KeyPoint credentials" around May 2014, Arnold Plaintiffs' Compl. ¶ 127, J.A. 73, the cyberintruders extracted almost 21.5 million background investigation records from the agency's Central Verification System. They gained access to another OPM system near the end of 2014, stealing over four million federal employees' personnel files. Among the types of information compromised were current and prospective employees' Social Security numbers, birth dates, and residency details, along with approximately 5.6 million sets of fingerprints. The breaches also exposed the Social Security numbers and birth dates of the spouses and cohabitants of those who, in order to obtain a security clearance, completed a Standard Form 86. According to the complaints, since these 2014 breaches, individuals whose information was stolen have experienced incidents of financial fraud and identity theft; many others whose information has not been misused - at least, not yet - remain concerned about the ongoing risk that they, too, will become victims of financial fraud and identity theft in the future.

         After announcing the breaches in the summer of 2015, OPM initially offered individuals whose information had been compromised fraud monitoring and identity theft protection services and insurance at no cost for either eighteen months or three years, depending on whether their Social Security numbers had been exposed. But OPM's offer failed to address the concerns of all such parties, and the agency soon found itself named as a defendant in breach-related lawsuits across the country. The Judicial Panel on Multidistrict Litigation transferred these actions to the U.S. District Court for the District of Columbia for coordinated pretrial proceedings. The suits were ultimately consolidated into two complaints: one brought by the American Federation of Government Employees on behalf of thirty-eight individuals affected by the breaches and a putative class of similarly situated breach victims ("Arnold Plaintiffs") and another for declaratory and injunctive relief brought by the National Treasury Employees Union ("NTEU") and three of its members ("NTEU Plaintiffs"). Below we summarize the relevant allegations and claims contained in each complaint, accepting all factual allegations "as true" and drawing "reasonable inferences * * * in the plaintiffs' favor." Philipp v. Federal Republic of Germany, 894 F.3d 406, 409 (D.C. Cir. 2018) (internal quotation marks omitted).

         Arnold Plaintiffs allege that KeyPoint's "information security defenses did not conform to recognized industry standards" and that the company unreasonably failed to protect the security credentials that the hackers used to unlawfully access one of OPM's systems in mid-2014. Arnold Plaintiffs' Compl. ¶ 222, J.A. 98. Specifically, they assert that "KeyPoint knew or should have known that its information security defenses did not reasonably or effectively protect Plaintiffs' and Class members' [personal information] and the credentials used to access it on KeyPoint's and OPM's systems." Id. As for OPM, Arnold Plaintiffs allege that the agency had long been on notice that its systems were prime targets for cyberattackers. OPM experienced data breaches related to cyberattacks in 2009 and 2012, and it is no secret that its network is regularly subject to a strikingly large number of hacking attempts. Despite this, say Arnold Plaintiffs, OPM repeatedly failed to comply with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq. (repealed 2014), and its replacement, the Federal Information Security Modernization Act of 2014, 44 U.S.C. §§ 3551 et seq. (collectively, "Information Security Act"), which require agencies to "develop, implement, and maintain a security program that assesses information security risks and provides adequate security for the operations and assets of programs and software systems under agency and contractor control." Arnold Plaintiffs' Compl. ¶ 83, J.A. 65.

         As early as 2007, Information Security Act compliance audits conducted by OPM's Office of the Inspector General regularly identified major information security deficiencies that left the agency's network vulnerable to attack. Such problems included "severely outdated" security policies and procedures, understaffed and undertrained cybersecurity personnel, and a lack of a centralized information security management structure. Arnold Plaintiffs' Compl. ¶¶ 92-95, J.A. 67-68. As a result, in every year from 2007 through 2013, the Inspector General identified "serious concerns that * * * pose an immediate risk to the security of assets or operations" - termed "material weaknesses" - in the agency's information security governance program. Id. ¶¶ 87-88, J.A. 66; see also id. ¶¶ 90-97, J.A. 66-68 (listing those weaknesses). Although in 2014 the Inspector General, acting on the basis of "imminently planned improvements," id. ¶ 98, J.A. 68, reclassified OPM's security governance program as a "significant deficiency" (an improvement over the more serious "material weakness"), other serious issues resurfaced at that time. Specifically, in 2014, the agency failed to complete an Information Security Act-required Security Assessment and Authorization for eleven of the twenty-one OPM systems due for reauthorization. Because the agency was unable to ensure the functionality of security controls for the systems that lacked a valid authorization - one of which was "a general system that supported and provided the electronic platform for approximately two-thirds of all information systems operated by OPM" - the Inspector General advised the agency to shut them down. Id. ¶¶ 102-103, J.A. 69-70. Despite the Inspector General's recommendation, OPM continued to operate the systems. The agency compounded existing security vulnerabilities by failing to encrypt sensitive data - including Social Security numbers - and failing to enforce multifactor authentication requirements. To make matters worse, when the 2014 data breaches occurred, the agency lacked a centralized network security operations center from which it could continuously and comprehensively monitor all system security controls and threats.

         The 2014 cyberattacks were "sophisticated, malicious, and carried out to obtain sensitive information for improper use." Arnold Plaintiffs' Compl. ¶¶ 128, 132, J.A. 73-74. Arnold Plaintiffs assert that as a result of these attacks, they have suffered from a variety of harms, including the improper use of their Social Security numbers, unauthorized charges to existing credit card and bank accounts, fraudulent openings of new credit card and other financial accounts, and the filing of fraudulent tax returns in their names. At least three named Arnold Plaintiffs purchased credit monitoring services after falling victim to such fraud; others have spent time and money attempting to unwind fraudulent transactions made in their names. And some Arnold Plaintiffs who have yet to experience a fraud incident purchased credit monitoring services and spent extra time monitoring their accounts to mitigate the "increased risk" of identity theft caused by the breaches. Id. ¶ 163, J.A. 81-83.

         Arnold Plaintiffs assert several claims against OPM, but they press only one on appeal: that the agency "willfully failed" to establish appropriate safeguards to ensure the security and confidentiality of their private information, in violation of Section 552a(e)(10) of the Privacy Act of 1974. Arnold Plaintiffs' Compl. ¶ 182, J.A. 89; see also 5 U.S.C. § 552a(e)(10) (requiring the agency to "establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained"). They also bring a variety of common-law and statutory claims against KeyPoint, alleging that the company's "actions and inactions constitute[d] negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and state statutes." Arnold Plaintiffs' Compl. ¶ 9, J.A. 38. Arnold Plaintiffs seek damages from OPM under the Privacy Act; from KeyPoint, they request money damages and an order requiring the company to extend free lifetime identity theft and fraud protection services to all putative class members, among other things.

         The other complaint, filed by the National Treasury Employees Union, seeks declaratory and injunctive relief against the Acting Director of OPM in her official capacity based on essentially the same set of facts. NTEU Plaintiffs assert that when they provided OPM with the sensitive personal information ultimately exposed in the breaches, they did so upon the agency's assurance that it "would be safeguarded" and kept confidential. Amended Complaint for Declaratory and Injunctive Relief, In re United States Office of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-01394, ¶ 75 (D.D.C. June 3, 2016) ("NTEU Plaintiffs' Compl."), J.A. 179. They allege that OPM's "reckless failure to safeguard [NTEU Plaintiffs'] personal information," which ultimately "resulted in [its] unauthorized disclosure" during the 2014 attacks, id. at 3, J.A. 155, amounted to a violation of what they describe as their "constitutional right to informational privacy," id. ¶ 98, J.A. 186.

         NTEU Plaintiffs further allege that, despite the fallout from the 2014 breaches, OPM has yet to make the cybersecurity improvements necessary to protect their personal information from future attacks. According to the complaint, the agency's Inspector General warned at the end of 2015 that OPM was ill-equipped to protect itself from another attack, given "the overall lack of compliance that seems to permeate the agency's IT security program." NTEU Plaintiffs' Compl. ¶ 88, J.A. 182 (quoting United States Office of Pers. Mgmt., Office of the Inspector General, Office of Audits, Final Audit Report: Federal Information Security Modernization Act Audit FY 2015, at 5 (Nov. 10, 2015)). NTEU Plaintiffs seek a declaration that OPM's failure to protect their information violated their putative constitutional right to informational privacy and an order requiring the agency to provide them with free lifetime credit monitoring and identity theft protection. They also request an injunction requiring OPM "to take immediately all necessary and appropriate steps to correct deficiencies in [its] IT security program so that NTEU members' personal information will be protected from unauthorized disclosure" in the future. Id. at 35, J.A. 187.

         OPM and KeyPoint moved to dismiss Arnold Plaintiffs' complaint, arguing that they lacked Article III standing, that their claims were barred by sovereign immunity, and that they failed to state valid claims under the state and federal statutes and common-law theories invoked. OPM moved to dismiss NTEU Plaintiffs' complaint for lack of standing and failure to state a claim upon which relief could be granted - that is, failure to allege a cognizable constitutional violation. The district court granted both motions to dismiss on the ground that neither Arnold Plaintiffs nor NTEU Plaintiffs pled sufficient facts to demonstrate Article III standing. Rejecting plaintiffs' argument that they faced a heightened risk of identity theft due to the breaches, the court held that the facts alleged failed to plausibly support the conclusion that this risk of future injury was either substantial or clearly impending. The district court ultimately concluded that only those plaintiffs who specifically identified out-of-pocket losses stemming from the actual misuse of their data had suffered an injury in fact sufficient for standing purposes. But even those plaintiffs lacked standing, the district court concluded, because they failed to allege facts demonstrating that the misuse of their information was traceable to the OPM breaches in particular.

         The district court went on to explain that it also lacked subject matter jurisdiction over Arnold Plaintiffs' claims for the additional reasons that (i) they failed to plead the actual damages necessary to bring them within the Privacy Act's waiver of sovereign immunity; and (ii) as a government contractor, KeyPoint enjoyed derivative sovereign immunity from suit. Finally, the court concluded that Arnold Plaintiffs failed to plausibly allege a Privacy Act claim and that NTEU Plaintiffs' complaint failed to state a constitutional claim. Both sets of plaintiffs have appealed.

         We reverse in part and affirm in part the district court's judgment. We hold that both sets of plaintiffs have alleged facts sufficient to satisfy Article III standing requirements. Arnold Plaintiffs have stated a claim for damages under the Privacy Act, and have unlocked OPM's waiver of sovereign immunity, by alleging OPM's knowing refusal to establish appropriate information security safeguards. KeyPoint is not entitled to derivative sovereign immunity because it has not shown that its alleged security faults were directed by the government, and it is alleged to have violated the Privacy Act standards incorporated into its contract with OPM. Finally, we agree with the district court that, assuming a constitutional right to informational privacy, NTEU Plaintiffs have not alleged any violation of such a right.

         II

         "[T]he irreducible constitutional minimum of standing consists of three elements." Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (internal quotation marks omitted). First, plaintiffs must demonstrate that they suffered an injury in fact that is "concrete and particularized and actual or imminent, not conjectural or hypothetical." Id. at 1548 (internal quotation marks omitted). "An allegation of future injury" passes Article III muster only if it "is 'certainly impending,' or there is a 'substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 & n.5 (2013)). Second, plaintiffs must demonstrate causation; that is, they must show that their claimed injury is "fairly traceable to the challenged conduct of the defendant." Spokeo, 136 S.Ct. at 1547. "Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs' injuries; it requires only that those injuries be 'fairly traceable' to the defendant." Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017), cert. denied, 138 S.Ct. 981 (2018). And third, plaintiffs must demonstrate that "it is likely, as opposed to merely speculative, that the[ir] injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. Laidlaw Environmental Servs. (TOC), Inc., 528 U.S. 167, 181 (2000).

         Where, as here, defendants challenge standing at the pleading stage without disputing the facts alleged in the complaint, "we accept the well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the plaintiff's favor," but we do not assume the truth of legal conclusions or accept inferences that are unsupported by the facts alleged in the complaint. Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). "We review de novo the district court's dismissal for lack of standing." Id. The question at this early juncture in the litigation is whether plaintiffs have plausibly alleged standing. Contrary to the district court's ruling, plaintiffs need not yet establish each element of standing by a preponderance of the evidence. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992) ("[E]ach element [of standing] must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.").

         A

         We begin with NTEU Plaintiffs. For standing purposes, we assume that NTEU Plaintiffs have, as they claim, a "constitutional right to informational privacy" that was violated "the moment that [cyberattackers stole] their inherently personal information * * * from OPM's deficiently secured databases." NTEU Br. 11; see also Estate of Boyland v. Department of Agric., 913 F.3d 117, 123 (D.C. Cir. 2019) ("[W]hen considering whether a plaintiff has Article III standing, a federal court must assume, arguendo, the merits of his or her legal claim.") (internal quotation marks omitted). Furthermore, given NTEU Plaintiffs' allegations regarding OPM's continued failure to adequately secure its databases, it is reasonable to infer that there remains a "substantial risk" that their personal information will be stolen from OPM again in the future. NTEU Plaintiffs' Compl. ¶ 88, J.A. 182. With respect to this claim, the loss of a constitutionally protected privacy interest itself would qualify as a concrete, particularized, and actual injury in fact. And the ongoing and substantial threat to that privacy interest would be a concrete, particularized, and imminent injury in fact. Both claimed injuries are plausibly traceable to OPM's challenged conduct, and the latter is redressable either by a declaration that the agency's failure to protect NTEU Plaintiffs' personal information is unconstitutional or by an order requiring OPM to immediately correct deficiencies in its cybersecurity programs. Cf. ACLU v. Clapper, 785 F.3d 787, 801 (2d Cir. 2015) (holding that, where plaintiffs allege a Fourth Amendment "injury [stemming] from the very collection of their telephone metadata," they "have suffered a concrete and particularized injury fairly traceable to the challenged program and redressable by a favorable ruling"). Accordingly, NTEU Plaintiffs have standing based on their claimed constitutional injury.

         B

         Arnold Plaintiffs allege no such constitutional injury, but they do claim to have suffered a variety of past and future data-breach related harms. See, e.g., Arnold Plaintiffs' Compl. ¶ 22, J.A. 44-45 (alleging that Plaintiff Jane Doe has "suffer[ed] stress resulting from concerns for her personal safety and that of her family members" since being informed by the FBI that her personal information "had been acquired by the so-called Islamic State of Iraq and al-Sham ('ISIS')"). For purposes of our standing analysis, we focus on one injury they all share: the risk of future identity theft. As we have already recognized, "identity theft * * * constitute[s] a concrete and particularized injury." Attias, 865 F.3d at 627; see also Hancock v. Urban Outfitters, Inc., 830 F.3d 511, 514 (D.C. Cir. 2016) (offering the "increased risk of fraud or identity theft" as an "example" of a "concrete consequence" for standing purposes). Yet, the district court concluded that Arnold Plaintiffs' complaint provided an insufficient basis from which to infer that, in the wake of the OPM breaches, Arnold Plaintiffs faced any meaningful risk of future identity theft, much less a "substantial" one. In re United States Office of Pers. Mgmt. Data Security Breach Litig. ("In re OPM"), 266 F.Supp.3d 1, 35 (D.D.C. 2017). Furthermore, finding that "the risk of identity theft was neither clearly impending nor substantial," the district court concluded that any expenses that Arnold Plaintiffs incurred attempting to mitigate that risk likewise failed to qualify as an Article III injury in fact. Id. at 36; see also Clapper, 568 U.S. at 416 ("[R]espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.").

         Arnold Plaintiffs argue that the district court's conclusion is incompatible with our decision in Attias v. CareFirst. In that case, we determined that the victims of a cyberattack on CareFirst, a health insurance company, "cleared the low bar to establish their standing at the pleading stage" by plausibly alleging that they faced a substantial risk of identity theft as a result of the company's negligent failure to thwart the attack. Attias, 865 F.3d at 622. Specifically, the complaint alleged that the breach exposed "all of the information wrongdoers need for appropriation of a victim's identity": personal identification information, credit card numbers, and Social Security numbers. Id. at 628 (internal quotation marks omitted). Based largely on the nature of the information compromised in the attack, we concluded that it was reasonable to infer that the cyberattackers had "both the intent and the ability to use that data for ill." Id.; see also id. at 628-629 ("Why else would hackers break into a * * * database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities.") (quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015)). Accordingly, we explained, "[n]o long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken." Id. at 629.

         Although the OPM cyberattacks differ in several respects from the breach at issue in Attias, there is no question that the OPM hackers, too, now have in their possession all the information needed to steal Arnold Plaintiffs' identities. Arnold Plaintiffs have alleged that the hackers stole Social Security numbers, birth dates, fingerprints, and addresses, among other sensitive personal information. It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft. Indeed, several Arnold Plaintiffs claim that they have already experienced various types of identity theft, including the unauthorized opening of new credit card and other financial accounts and the filing of fraudulent tax returns in their names. Moreover, unlike existing credit card numbers, which, if compromised, can be changed to prevent future fraud, Social Security numbers and addresses cannot so readily be swapped out for new ones. And, of course, our birth dates and fingerprints are with us forever. Viewing the allegations in the light most favorable to Arnold Plaintiffs, as we must, we conclude that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that Arnold Plaintiffs face a substantial - as opposed to a merely speculative or theoretical - risk of future identity theft.

         It is worth noting that several Arnold Plaintiffs also allege that unauthorized charges have appeared on their existing credit card and bank account statements since the breaches. According to OPM, because none of these Arnold Plaintiffs "specifically alleged the OPM incidents affected their existing account information," the reported incidents of fraud on existing accounts (and, presumably, the risk of future fraud on those accounts) cannot plausibly be attributed to the OPM breaches. Gov't Br. 21. But we need not travel down that road because, regardless of whether the hackers obtained all the information necessary to make unauthorized charges to existing accounts, it is undisputed that the other forms of fraud alleged - the opening of new accounts and the filing of fraudulent tax returns - may be accomplished using the information stolen during the breaches at issue.

         OPM argues that Arnold Plaintiffs' allegations of "scattered instances of widely varying fraud" are insufficient to support a plausible inference that Arnold Plaintiffs face an ongoing, substantial risk of identity theft. Gov't Br. 20. Specifically, OPM contends that despite the sensitive nature of the information stolen in the attacks, "[i]t is impossible under these circumstances to 'easily construct any kind of colorable theory' that a desire to commit fraud motivated" the OPM breaches. Id. at 21 (quoting In re OPM, 266 F.Supp.3d at 38). This is especially the case, OPM argues, because "this is not just a data breach," but rather "a data breach arising out of a particular sort of cyberattack" against the United States. Id. at 23 (quoting In re OPM, 266 F.Supp.3d at 9). According to OPM, it is illogical to assume that the same goals that typically motivate hackers of commercial databases animated the "sophisticated" actors who engineered these data breaches. Id. at 27. The district court agreed with OPM on this point. Although neither amended complaint contains any allegations regarding the cyberattackers' identity, the court noted that news articles and congressional reports had suggested that the suspected perpetrator was not a common criminal, but rather the Chinese government. Despite acknowledging that "a finding concerning the source of the breach" was "beyond the scope of [the] proceeding at this juncture," the court appears to have relied at least partially on this external information in reaching the conclusion that it was implausible that the OPM hackers intended to steal Arnold Plaintiffs' identities. In re OPM, 266 F.Supp.3d at 34.

         As an initial matter, the district court should not have relied even in part on its own surmise that the Chinese government perpetrated these attacks. Absent any factual allegations regarding the identity of the cyberattackers, the district court was not free to conduct its own extra-record research and then draw inferences from that research in OPM's and KeyPoint's favor. See Arpaio, 797 F.3d at 19 (explaining that where the defendant challenges the plaintiff's standing at the motion-to-dismiss stage, we "draw all reasonable inferences * * * in the plaintiff's favor"). Beyond that, although a cyberattack on a government system might well be motivated by a purpose other than identity theft, given the type of information stolen in the OPM breaches and Arnold Plaintiffs' allegations regarding the subsequent misuse of that information, it is just as plausible to infer that identity theft is at least one of the hackers' goals, even if those hackers are indeed affiliated with a foreign government.

         Our dissenting colleague takes a different tack, suggesting that because this case involves government databases, "espionage * * * is * * * an 'obvious alternative explanation'" for the attacks. See Dissenting Op. at 4 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 682 (2009)). We disagree as to just how obvious an explanation this is based on the facts alleged in the complaint. Furthermore, given that espionage and identity theft are not mutually exclusive, the likely existence of an espionage-related motive hardly renders implausible Arnold Plaintiffs' claim that they face a substantial future risk of identity theft and financial fraud as a result of the breaches. See, e.g., Watson Carpet & Floor Covering, Inc. v. Mohawk Indus., Inc., 648 F.3d 452, 458 (6th Cir. 2011) ("Ferreting out the most likely reason for the defendants' actions is not appropriate at the pleadings stage * * * . [T]he plausibility of [one particular] reason for the refusals to sell carpet does not render all other reasons implausible."). By contrast, in the cases cited by the dissent, the obvious alternative explanations were necessarily incompatible with the plaintiffs' versions of events. See Iqbal, 556 U.S. at 682 (rejecting claims of invidious discrimination as implausible where there existed an obvious, nondiscriminatory law enforcement justification for the challenged acts); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 567-568 (2007) (rejecting a conspiracy claim as implausible where history and market forces provided "a natural explanation" for the defendants' behavior).

         In any case, although we found in Attias that the circumstances of that breach made it at least plausible that the hackers there had "both the intent and the ability to use [the plaintiffs'] data for ill," 865 F.3d at 628, a hacker's "intent" to use breach victims' personal data for identity theft becomes markedly less important where, as here, several victims allege that they have already suffered identity theft and fraud as a result of the breaches. When considered in combination with the obvious potential for fraud presented by the information stolen during the breaches, the fact that certain Arnold Plaintiffs have already had fraudulent accounts opened and tax returns filed in their names moves the risk of future identity theft across the line from speculative to substantial, at least at this early stage in the proceedings. See id. at 625 (explaining that at the pleading stage, "plaintiffs are required only to state a plausible claim that each of the standing elements is present") (internal quotation marks omitted).

         The circumstances here differ markedly from those in the two cases OPM cites in support of its argument that Arnold Plaintiffs' risk of future identity theft is merely conjectural. In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), a laptop containing patients' unencrypted personal information, "including names, birth dates, the last four digits of social security numbers, and physical descriptors," and four boxes of medical records that contained names and Social Security numbers went missing from a Veterans Affairs medical center. Id. at 267-269. The Fourth Circuit held that the risk of future identity theft stemming from the incidents was too speculative to satisfy the injury-in-fact requirement because the plaintiffs failed to allege either (i) that the thief "intentionally targeted" the personal information contained in the laptop and boxes or (ii) that the thief subsequently used that information to commit identity theft. Id. at 274-275 ("[E]ven after extensive discovery, the * * * plaintiffs [who sued over the theft of the laptop] have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information."); id. at 275 ("Watson's complaint suffers from the same deficiency with regard to the four missing boxes of pathology reports."). Without such allegations, the Fourth Circuit explained, there was nothing to "push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent." Id. at 274.

         In the other case, Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), an unknown hacker infiltrated a payroll processing firm's database, "potentially" gaining access to employees' "personal and financial information." Id. at 40. It was "not known whether the hacker read, copied, or understood the data," id., and none of the affected parties alleged that their data had since been misused, id. at 44 ("Appellants have alleged no misuse."). Because the plaintiffs' claimed risk of future identity theft therefore rested solely on "hypothetical speculations concerning the possibility of future injury," the Third Circuit held that the risk was insufficient to support standing. Id. at 43.

         Here, in contrast to those two cases, Arnold Plaintiffs both allege that the OPM cyberattackers intentionally targeted their information and point out the subsequent misuse of that information. See Arnold Plaintiffs' Compl. ¶¶ 128, 130, J.A. 73-74 (alleging that the hackers targeted, and extracted data from, the agency's "Electronic Official Personnel Folder system" and the database used to collect background check information); see, e.g., id. ¶¶ 21-22, 24, 26, J.A. 44-48 (alleging incidents involving misuse of information). These are precisely the types of allegations missing in Beck and Reilly. See Beck, 848 F.3d at 275 ("[T]he mere theft of these items, without more, cannot confer Article III standing.") (emphasis added); Reilly, 664 F.3d at 44 ("Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse * * * . Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated.").

         Although it is true, as a general principle, that "'as * * * breaches fade further into the past,' * * * threatened injuries become more and more speculative," we are unpersuaded by the dissent's suggestion that the passage of less than two years between these particular attacks and Arnold Plaintiffs' filing of the operative complaint is enough to render the threat of future harm insubstantial. Dissenting Op. at 7 (quoting Beck, 848 F.3d at 275). The plaintiffs in Beck suffered no misuse of their data prior to filing their complaint. See supra at 19-20. And the same was true of the plaintiffs in Chambliss v. Carefirst, Inc., 189 F.Supp.3d 564 (D. Md. 2016), the case cited by the dissent and the court in Beck for the proposition that the threat of future injury diminishes over time. See id. at 570 (noting that plaintiffs had not experienced "any misuse" of their data prior to filing their complaint). Although the passage of two years in a run-of-the-mill data breach case might, absent allegations of subsequent data misuse, suggest that a claim of future injury is less than plausible, that is not the situation we face here. Conducted over several months by sophisticated and apparently quite patient cyberhackers, the attacks at issue in this case affected over twenty-one million people and involved information far more sensitive than credit card numbers. Cyberhacking on such a massive scale is a relatively new phenomenon, and we are unwilling at this stage to assume that the passage of a year or two without any clearly identifiable pattern of identity theft or financial fraud means that all those whose data was compromised are in the clear.

         Drawing all reasonable inferences in Arnold Plaintiffs' favor, we conclude that they have alleged facts sufficient to support their claim of future injury, notwithstanding the passage of time and the governmental character of the databases at issue here. Given the nature of the information stolen and the fact that several named Arnold Plaintiffs have already experienced some form of identity theft since the breaches, it is at least plausible that Arnold Plaintiffs run a substantial risk of falling victim to other such incidents in the future. See Hutton v. National Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621-622 (4th Cir. 2018) (finding a substantial risk of identity theft where the plaintiffs alleged not only that their information had been stolen by hackers, but also that it was subsequently "used in a fraudulent manner"). Because Arnold Plaintiffs adequately allege a substantial risk of future identity theft, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact. See id. at 622 ("[T]he [Supreme] Court has recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists.") (citing Clapper, 568 U.S. at 414 n.5); see also Hearing Tr. 35 (Oct. 27, 2016) (credit protection services for victims of the breaches announced in June 2015 were not "up and running until September" of that year); Arnold Plaintiffs' Compl. ¶ 28, J.A. 48-49 (Plaintiff Kelly Flynn purchased credit monitoring in July 2015).

         The district court evaluated the second element of Article III standing, causation, only as to the incidents of identity theft and fraud that Arnold Plaintiffs had already experienced. Observing that such incidents were "separated across time and geography, and they follow no discernable pattern," In re OPM, 266 F.Supp.3d at 38, the court determined that it could not reasonably infer causation because Arnold Plaintiffs had not alleged "any facts that plausibly connect the various isolated incidents of the misuse * * * to the breaches at issue here," id. at 37. The district court did not go on to consider whether Arnold Plaintiffs plausibly alleged that a risk of future identity theft was fairly traceable to OPM's and KeyPoint's cybersecurity failings, presumably because it had already rejected that risk as merely speculative. We can make relatively short work of such an inquiry here.

         Arnold Plaintiffs have alleged facts supporting a reasonable inference that their claimed data breach-related injuries are fairly traceable to OPM's failure to secure its information systems. Not only do Arnold Plaintiffs detail OPM's failure to heed repeated warnings by its own Inspector General regarding serious vulnerabilities in the agency's systems, but they also allege that as a result of that failure, hackers managed to breach key OPM systems on several different occasions.

         With respect to KeyPoint, Arnold Plaintiffs further allege that the company's failure to properly secure its login credentials "was a substantial factor in causing the Data Breaches." Arnold Plaintiffs' Compl. ¶ 228, J.A. 99. KeyPoint contends that Arnold Plaintiffs' complaint fails to trace the breaches to any actual misconduct by KeyPoint, but that argument lacks merit. Arnold Plaintiffs' complaint alleges not only that the hackers accessed OPM's systems "using stolen KeyPoint credentials," id. ¶ 127, J.A. 73, but also that the company was negligent in "failing to protect and secure its * * * credentials," id. ¶ 228, J.A. 99, by, among other things, "failing to * * * comply with industry-standard data security practices," id. ¶ 223(b), J.A. 98. It is reasonable to infer that "data security practices" would cover practices related to securing credentials. It is likewise reasonable to infer, based on the allegations contained in the complaint, that KeyPoint is at least partially to blame for the breaches due to its failure to comply with such practices.

         As previously explained, even if the breaches in question did not expose all information necessary to make fraudulent charges on victims' existing financial accounts, the personal data the hackers did manage to obtain is enough, by itself, to enable several forms of identity theft. That fact, combined with the allegations that at least some of the stolen information was actually misused after the breaches, suffices to support a reasonable inference that Arnold Plaintiffs' risk of future identity theft is traceable to the OPM cyberattacks. Neither the likelihood that some Arnold Plaintiffs experienced other types of unrelated fraud nor the speculative possibility that they might also have been the victims of other data breaches renders causation implausible here. See In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018) ("That hackers might have stolen Plaintiffs' [personal identifying information] in unrelated breaches, and that Plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches * * *, is less about standing and more about the merits of causation and damages."), cert. denied, 139 S.Ct. 1373 (2019). Nor are we troubled, as OPM suggests we should be, by certain Arnold Plaintiffs' failure to specify exactly when, in relation to the data breaches, fraudsters first misused their data. The Supreme Court has explained that "[a]t the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim." Lujan, 504 U.S. at 561 (formatting altered). Accordingly, as in Attias, at this early stage, we have "little difficulty concluding," 865 F.3d at 629, that Arnold Plaintiffs have met their "relatively modest" burden of alleging that their risk of future identity theft is fairly traceable to OPM's and KeyPoint's challenged conduct, Bennett v. Spear, 520 U.S. 154, 171 (1997).

         This brings us, then, to the final element of standing, where, as previously noted, we ask whether "it is likely, as opposed to merely speculative" that Arnold Plaintiffs' claimed injury "will be redressed by a favorable decision." Friends of the Earth, 528 U.S. at 181. Although the district court never reached this question, we think Arnold Plaintiffs have easily demonstrated that their substantial risk of future identity theft and related mitigation expenses are redressable.

         Granting that it may well be impossible at this point to eliminate the risk of future identity theft stemming from the OPM breaches, the money damages Arnold Plaintiffs seek can redress certain proven injuries related to that risk (such as reasonably-incurred credit monitoring costs). See, e.g., In re Zappos.com, 888 F.3d at 1030 ("The injury from the risk of identity theft is also redressable by relief that could be obtained through this litigation. If Plaintiffs succeed on the merits, any proven injury could be compensated through damages.") (citation omitted); Attias, 865 F.3d at 629 ("The fact that plaintiffs have reasonably spent money to protect themselves against a substantial risk creates the potential for them to be made whole by monetary damages.").

         In sum, like the Attias plaintiffs, both sets of plaintiffs here have "cleared the low bar to establish their standing at the pleading stage." 865 F.3d at 622. Arnold Plaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM's and KeyPoint's cybersecurity failings and likely redressable, at least in part, by damages, and NTEU Plaintiffs have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM's challenged conduct and redressable either by a declaration that the agency's failure to protect plaintiffs' personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program. We therefore have no need to address the other bases for standing asserted by NTEU and Arnold Plaintiffs. See, e.g., id. at 626 n.2 (explaining that when plaintiffs have standing "based on their heightened risk of future identity theft," it is unnecessary to address their other theories of injury in fact).

         Having resolved the standing issue in NTEU and Arnold Plaintiffs' favor, we turn to another potential jurisdictional stumbling block: sovereign immunity.

         III

         It is "axiomatic" that a waiver of sovereign immunity is a jurisdictional "prerequisite" for Arnold Plaintiffs' claims against OPM to get out of the starting gate. United States v. Mitchell, 463 U.S. 206, 212 (1983); accord Federal Deposit Ins. Corp. v. Meyer, 510 U.S. 471, 475 (1994). The Privacy Act, 5 U.S.C. § 552a, provides just such a waiver of sovereign immunity. That statute "safeguards the public from unwarranted collection, maintenance, use and dissemination of personal information contained in agency records." Henke v. Department of Commerce, 83 F.3d 1453, 1456 (D.C. Cir. 1996) (quoting Bartel v. Federal Aviation Admin., 725 F.2d 1403, 1407 (D.C. Cir. 1984)). As part of that obligation, the Act mandates that federal agencies "protect the privacy of individuals identified in information systems maintained by [them]." Pub. L. No. 93-579, § 2(a)(5), 88 Stat. 1896, 1896 (1974). The Privacy Act waives sovereign immunity by expressly ...
