Data breach lawsuits against Office of Personnel Management dismissedReprints
A federal judge has dismissed two consolidated lawsuits filed against defendants including the U.S. Office of Personnel Management and a government contractor in connection with the June 2015 data breach in which the personal data of more than 21 million were hacked.
Judge Amy Berman Jackson of U.S. District Court in Washington, D.C., said plaintiffs do not have standing to sue, and they had not established they were harmed by the breach, according to Tuesday’s ruling in In Re U.S. Office of Personnel management Data Security Breach Litigation.
One consolidated complaint in the multidistrict action assigned to the court was filed by 38 individuals and the Washington-based American Federation of Government Employees union, which in addition to the OPM named Loveland, Colorado-based federal contractor KeyPoint Government Solutions Inc., which performed background investigations for OPM, as a defendant.
The second complaint was filed by three individuals and the Washington-based National Treasury Employees Union against the OPM acting director.
To proceed with their case, the plaintiffs must demonstrate they have constitutional standing to sue and that the federal government has not “expressly waived its sovereign immunity,” but they have not done so, said the ruling.
On the damages issue, the ruling says plaintiffs who allege they have experienced an actual misuse of their credit card numbers or personal information “cannot tie those disparate incidents to this breach.”
“The right to bring a claim for damages under the Privacy Act is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government’s statutory violation,” said the ruling.
“The law is clear that the statute does not create cause of action for those who have been merely aggrieved by, or even actively worried about, the fact that their information has been taken,” the ruling said.
On the standing issue, the ruling said: “Plaintiffs have failed to overcome the arguments that the federal defendants are immune from suit under the Privacy Act and the Administrative Procedure Act, and that KeyPoint is shielded by government contractor immunity, so that the Court lacks subject matter jurisdiction to hear those claims.”
Moreover, said the ruling, “Plaintiffs seek damages for improper disclosure of information and for a failure to maintain safeguards under the Privacy Act, but they have not alleged that private information was ‘disclosed,’ as opposed to stolen, and they have not alleged facts to show that the claimed injuries were the results of the agency’s failure,” said the ruling, in granting the defendants’ motions to dismiss the case.
In August, a federal appeals court reinstated a putative class action lawsuit filed by health insurer CareFirst Inc. customers in connection with a 2014 data breach, holding their potential risk of injury from the breach is “substantial.”