On June 21, the U.S. Court of Appeals for the D.C. Circuit handed victims of a data breach at the U.S. Office of Personnel Management (OPM) a win when it reversed a district court's earlier ruling dismissing two cases suing the federal agency.

In a 2-1 decision, the court of appeals wrote that “plaintiffs face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft.” The D.C. Circuit's decision allowing plaintiffs to sue for the risk of harm after a data breach, as opposed to actual harm, underscores a deepening divide among the circuit courts. What's more, by allowing civil claims against a federal agency over a data breach to proceed, it also potentially exposes the government to more lawsuits, lawyers said.

Friday's decision was the latest development after the 2014 cyberattack on OPM. Over 21 million federal government employees' and job candidates' information, including Social Security numbers, birth dates and fingerprints, was accessed by hackers.

The D.C. Court of Appeals wrote, “'An allegation of future injury' passes Article III muster only if it is 'certainly impending,' or there is a 'substantial risk' that the harm will occur.” Plus, plaintiffs “must show that their claimed injury is 'fairly traceable to the challenged conduct of the defendant.'” The court held that the plaintiffs had sufficiently alleged both points.

To be sure, the D.C. Circuit, along with the Third, Sixth, Seventh and Ninth circuits, is already seen as a more plaintiff-friendly court for arguing damages from a data breach. Baker Botts special counsel Cynthia Cole notes that, because of that, more lawsuits are likely to be filed in its jurisdiction.

“If we have a standard lower bar for injury or harm, it raises the specter of more litigation,” she said. 

The U.S. Supreme Court declined earlier this year to decide whether actual harm or only the threat of harm is needed for Article III standing when it denied a writ of certiorari in a Zappos case. Currently, the Third, Sixth, Seventh, Ninth and D.C. circuits grant standing to sue if there is a risk of harm after a data breach, while other circuits require actual misuse of the breached data.

While the OPM decision doesn't change the nature of the split, Covington &amp; Burling partner Alexander Berengaut noted the case may “pique the [Supreme] Court's interest” because it is a high-profile case concerning the government's obligations.

Both lawyers also said the OPM decision could signal that more government agencies will be held responsible in civil court for data breaches. Cole noted that while OPM employed a third-party private company for its cybersecurity, the court still held the agency responsible for the breach.

Notably, along with finding that the plaintiffs sufficiently alleged facts to meet Article III standing, the D.C. Court of Appeals said the plaintiffs, a federal employee union and a putative class of individuals whose data was breached, had “unlocked” OPM's waiver of sovereign immunity by alleging OPM's “knowing refusal to establish appropriate information security safeguards.” The court of appeals also rejected the claim of derivative sovereign immunity raised by OPM's third-party cybersecurity vendor.

For those reasons, plaintiffs' attorneys may be watching the OPM appeal decision closely after the recent data breach announcement by FEMA and the cyberattacks on Philadelphia's court system and Baltimore.