A union-sponsored lawsuit arising from the OPM database breaches should go to trial, a federal appeals court has said in overruling a lower court.
The case involves the hacking of a government-wide personnel records database held by the Interior Department under contract to OPM and a database of background investigation records held by OPM itself. The former contained personal records and career information on more than 4 million current and former federal employees, while the latter contained personal information on more than 21 million federal, contractor and military personnel. Some federal employees were affected by both breaches, which were discovered in April 2015 and revealed publicly about a month later.
A case brought by the AFGE and NTEU unions argues that the OPM violated its duty to protect that information under the Constitution and the Privacy Act. A federal district judge however ruled that they lacked legal “standing” to bring the case, saying that no direct connection had been drawn between the breaches and the identity thefts that some victims have experienced, and that there is no constitutional right to “information privacy.”
The federal appeals court in the District of Columbia agreed regarding the constitutional claims but found that there was enough evidence of a connection between the breaches and the cases of theft the unions described to warrant a trial on the Privacy Act claims.
The suit seeks reimbursement for costs that affected persons have incurred or will incur in the future to protect themselves against possible identity theft or to respond to instances of actual theft.