Plaintiffs' attorneys suing over data breaches scored a big win Friday after a federal appeals court reinstated lawsuits brought on behalf of victims of data breaches that hit the U.S. Office of Personnel Management.
The U.S. Court of Appeals for the D.C. Circuit found that the plaintiffs in two consolidated cases had standing to sue in federal court under Article III of the U.S. Constitution. The ruling reversed a district judge's 2017 dismissal of both cases, one of which was a class action, against the OPM and its contractor, KeyPoint Government Solutions Inc.
The class plaintiffs “have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM's and KeyPoint's cybersecurity failings and likely redressable, at least in part, by damages,” the panel wrote. Further, the plaintiffs in the second case, who are members of the National Treasury Employees Union, “have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM's challenged conduct and redressable.”
The panel affirmed dismissal as to only the NTEU's allegations that the OPM breaches violated its members' constitutional right to privacy.
Lawyers who handle data breach class actions have closely watched the OPM cases, which was one of several to address whether victims of data breaches have sufficient injuries to sue, especially if they did not suffer fraudulent charges or other immediate costs associated with a cyberattack. In many cases, victims of data breaches allege nothing more than the risk of identity theft, but some cases have named plaintiffs who suffered fraudulent tax returns, charges to their credit cards or other costs.
Courts have split over whether those injuries are sufficient to have standing, with Friday's ruling siding for the plaintiffs.
“The court's decision represents another strong endorsement for the growing recognition by courts that plaintiffs can establish Article III standing in data breach cases based upon the substantial risk of future identity theft, and the rejection of the narrow view that standing only exists in these cases where there are 'out-of-pocket' losses,” wrote Andrew Friedman, a Washington, D.C., partner at Cohen Milstein Sellers & Toll, in an email. He is a lead plaintiffs attorney in class actions over data breaches at Home Depot and Anthem.
“The decision should further bolster data breach lawsuits where the majority of the class has not yet experienced fraud losses, yet the real risk of injury to those class members is significant,” he wrote.
The American Federation of Government Employees, along with 38 individuals, brought the class action, while the NTEU, and three government employees who had filled out background investigation forms, filed the second case.
Peter Patterson, a partner at Cooper & Kirk, for the class plaintiffs, did not respond to a request for comment.
“NTEU is disappointed that the Court disagreed with our view of the constitutional right to informational privacy,” wrote NTEU president Tony Reardon in an emailed statement. But, he added, NTEU has pursued remedies outside of court. “Working with Congress, NTEU has secured 10 years' worth of identity theft protection for affected federal workers, and we will continue to push for lifetime protections for these public servants whose personal data was compromised.”
A spokeswoman for the U.S. Justice Department declined to comment.
“We are disappointed that a divided panel of the D.C. Circuit reversed the district court's careful decision to dismiss these claims,” wrote KeyPoint attorney Jason Mendro, a Washington, D.C., partner at Gibson, Dunn & Crutcher, in a statement. “We are evaluating our next steps and are confident that these claims, ultimately, will be found to lack merit.”
The 2-1 ruling split along party lines, with Democratic appointees David Tatel and Patricia Millett making up the majority opinion, and Ronald Reagan appointee Stephen Williams writing a dissent.
The OPM breaches compromised the Social Security numbers and other personal information of 21 million federal government employees, and prospective employees, at OPM. The personal data included names, birth dates, addresses and Social Security numbers.
The class action brought claims under the federal Privacy Act, while the NTEU alleging OPM violated its members' constitutional right to privacy of information.
Before U.S. District Judge Amy Berman Jackson dismissed the cases, the D.C. Circuit reversed dismissal of a case related to a 2014 breach at health insurer CareFirst. In that 2017 decision, the panel found that the district judge had taken too narrow a view of harm to the plaintiffs in finding that the increased risk of identity theft was speculative.
Jackson, however, found the cases to be different because Attias v. CareFirst dealt with a domestic hack in which credit card or bank fraud was at issue, while OPM's breach appeared to be from a foreign state and involved Social Security numbers.
In their appeal, plaintiffs latched onto CareFirst, which the D.C. Circuit cited in finding “there is no question that the OPM hackers, too, now have in their possession all the information needed” to steal the identities of class members, who, unlike the CareFirst breach, had their Social Security numbers, birth dates and fingerprints stolen.
“It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft,” the panel wrote.
And, the panel wrote, the fact that the breach occurred two years before plaintiffs sued does not defeat standing based on whether their alleged injuries were caused by the OPM hack, as opposed to another data breach.
“Cyberhacking on such a massive scale is a relatively new phenomenon, and we are unwilling at this stage to assume that the passage of a year or two without any clearly identifiable pattern of identity theft or financial fraud means that all those whose data was compromised are in the clear,” the panel wrote.
Further, plaintiffs alleged OPM failed to heed repeated warnings about its security risks by its own Inspector General.
In a dissent limited to the standing of the class plaintiffs, Williams found the risk of identity theft was speculative given that the hack, believed to have ties to the Chinese government, involved the “handiwork of foreign spies” aimed at espionage. Further, he wrote, the plaintiffs could not prove that the OPM hack caused any of their damages two years later.
The panel also reversed the district judge's separate finding that sovereign immunity shielded the federal government and KeyPoint from the class claims under the Privacy Act, which required the OPM to secure private information.
“The complaint alleges in no uncertain terms that OPM dropped that ball because appropriate safeguards were not in place,” the panel wrote. “Despite that pervading threat, OPM effectively left the door to its records unlocked by repeatedly failing to take basic, known and available steps to secure the trove of sensitive information on its hands.”
Several of the class representatives, the panel noted, alleged costs such as legal fees, credit repair services and delays in tax refunds.
Affirming dismissal of the NTEU's constitutional claims, the panel wrote, “Not once do NTEU plaintiffs quote the very document from which they purport to derive their claimed right: the Constitution of the United States.”
Williams, in his dissent, also had no issues with the majority's holding on immunity and constitutional claims. However, he raised concerns about subjects that lawyers did not argue in the appeal, such as a “plausible argument for preemption” as to KeyPoint, a federal government contractor, and the use of pseudonyms for five of the plaintiffs.
“Although pseudonymous plaintiffs were once a rarity, there appears now to be a trend permitting adult plaintiffs to litigate incognito, with little more than pro-forma gatekeeping, if any, by the district courts—even though the practice is aberrant from the perspective of core constitutional and rule of law norms, not to mention the federal rules of procedure,” he wrote.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLitigators of the Week: After a 74-Day Trial, Shook Fends Off Claims From Artist’s Heirs Against UMB Bank
‘It's Your Funeral’: Avoiding Doing Damage to Your Client’s Case With Uncivil Behavior
Tips From—and About—the New Judges on the Northern District of California Bench
Trending Stories
- 1Litigation Leaders: Greenspoon Marder’s Beth-Ann Krimsky on What Makes Her Team ‘Prepared, Compassionate and Wicked Smart’
- 2A Look Back at High-Profile Hires in Big Law From Federal Government
- 3Grabbing Market Share From Rivals, Law Firms Ramped Up Group Lateral Hires
- 4Navigating Twitter's 'Rocky Deal Process' Helped Drive Simpson Thacher's Tech and Telecom Practice
- 5Public Notices/Calendars
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250