(Photo: Credit: Gorodenkoff/Shutterstock.com) (Photo: Gorodenkoff/Shutterstock.com)

While the longest partial federal government shutdown in U.S. history ended Monday after 35 days, cybersecurity experts have said the federal shutdown's effects could have significant negative impact that puts national security or personal data at risk.

But, even as data breaches materialize, those affected will have little recourse to seek damages. Lawyers said litigation seeking monetary damages would be hard-fought and perhaps for naught, as the federal government has sovereign immunity, and showing harm may be difficult.

During the shutdown, those tasked with protecting government agencies' cybersecurity were understaffed, according to reports. News of failure to renew government agency websites' certificates—which ensure communication between websites and devices are encrypted and secure—grabbed headlines, with some questioning if this could lead to a higher risk of data breaches.

But Grant Kirkwood, founder of cloud-based solutions provider Unitas Global Cloud, thinks concerns over the risks may be overblown.

“[Expired security certificates are] pretty inconvenient and a little egg on the face, certainly it's pretty embarrassing and it could potentially be used to exploit websites, but they are websites,” said Kirkwood. “They are on the internet and on the domain. The much bigger risk is the stuff not public.”

Kirkwood cited crucial information the government houses behind its firewall regarding U.S. infrastructure and national security.

While it may be unlikely expired certificates on government websites will significantly increase data breaches, U.S. government agencies are no strangers to breach. Several have experienced massive hacks because of their reported lack of response to sophisticated cyberattacks.

In 2015, the U.S. Office of Personnel Management was hacked, leading to 25 million individuals' sensitive data being  breached, including their Social Security numbers, residential addresses and copies of their fingerprints.

Unsurprisingly, litigation ensued after OPM announced the massive data breach. Government worker unions National Treasury Employees Union and the American Federation of Government Employees brought two separate class actions that included allegations that OPM violated federal laws prohibiting the government from disseminating individuals personal information.

Judge Amy Berman Jackson of the U.S. District Court for the District of Columbia dismissed the suits in 2017, in part, because the federal government has sovereign immunity, and actual injury wasn't shown from the breach. In November 2018, a three-judge panel of the U.S. Court of Appeals for the D.C. Circuit heard the plaintiffs' appeal.

While the lawyers wait for an opinion from the court, lawyers contacted by Legaltech News said the plaintiffs face a difficult battle.

“It would be fair to say that data breach lawsuits against a government agency is definitely an uphill battle,” said Craig Newman, a Patterson Belknap Webb & Tyler partner and chair of its privacy data security group. “The added component of sovereign immunity makes it far more complex and challenging for the plaintiffs bar.”

“Normally what you read about most recently is the Marriott breach that was grabbing the headlines,” Newman added. “The plaintiff had to show they had standing, they suffered concrete harm or injury that has been a hotbed of contention in data breach litigation.” Newman noted courts have taken differing positions on the issue of cognizable damage from data breaches.

However the OPM plaintiffs have cited case law they say allows legal remedies for data breaches without actual harm.

“The unions that represent the employees have asserted a number of arguments and are relying on a case, the Attias v. Carefirst case, that says the plaintiffs in that case could plausibly show there is a risk of future injury because of the data breach,” said Kirkland & Ellis partner Erica Williams.

Both lawyers agreed the court of appeal's decision will be watched closely, as it may offer plaintiffs a worthwhile avenue to pursue data breach claims against the government.