
Plaintiffs suing over a 2014 data breach at the U.S. Office of Personnel Management—which may have compromised information for 21.5 million persons—have asked a federal appeals court to revive their cases, citing a significant decision last year finding standing to sue over a cyberattack.

Plaintiffs filed opening briefs before the U.S. Court of Appeals for the District of Columbia Circuit on Thursday in two cases—one on behalf of a class of victims of the data breach and the other by a government employees union. They asked the panel to reverse a district judge's Sept. 19, 2017, opinion that dismissed their cases, in large part on the ground that the plaintiffs didn't have standing to sue in federal courts because they hadn't been injured. In so ruling, U.S. District Judge Amy Berman Jackson of the District of Columbia “wrongly sidestepped” the D.C. Circuit's Aug. 1, 2017, decision in Attias v. CareFirst, a data breach case that called for a broader view of standing.

“The district court's cramped view of standing is incompatible with this court's decision in Attias,” wrote Jordan Elias, a partner at San Francisco's Girard Gibbs who represents plaintiffs in the class action. “The district court's reasoning is incompatible with this court's holding in Attias that the unauthorized taking of Social Security numbers—and here, an additional vast array of exceedingly sensitive information—does create a threat of identity theft sufficient to confer Article III standing.”

In an email, Elias wrote: “This is an important matter for the millions of federal government workers whose highly personal facts were stolen. We look forward to hearing the reviewing court's views, including on whether the victims of this serious breach have standing. Under controlling law, we believe they do.”

Paras Shah, assistant counsel at the National Treasury Employees Union, which filed a separate brief, did not respond to a request for comment.

The U.S. Department of Justice, which represents the OPM, and Gibson, Dunn & Crutcher partners F. Joseph Warin and Jason Mendro, who represent contractor KeyPoint Government Solutions Inc. in one of the cases, also did not respond.

In the OPM breach, according to court papers, 21.5 million persons had their names, birth dates, addresses and Social Security numbers stolen. Lawsuits filed over the breach were coordinated into multidistrict litigation in 2015.

The American Federation of Government Employees, along with 38 individuals, brought the class action alleging violations of the federal Privacy Act and Fair Credit Reporting Act. The Treasury union, along with three individual government employees who had filled out background investigation forms, alleged in a separate suit that the breach violated its members' right to privacy of information under the Fifth Amendment.

Before Jackson ruled, the D.C. Circuit issued its Attias decision, reversing dismissal of a case brought over the 2014 cyberattack on the health insurer. It was one of the first data breach cases to address standing under the U.S. Supreme Court's holding in Spokeo v. Robins, which found that a plaintiff suing in federal court must allege an injury that is “particularized” and “concrete,” rather than speculative.

The panel found that U.S. District Judge Christopher Cooper of the District of Columbia had “given the complaint an unduly narrow reading” in finding that the plaintiffs' claims of increased risk of identity theft were speculative. The panel sided with plaintiffs in citing the U.S. Court of Appeals for the Seventh Circuit's seminal 2015 decision in Remijas v. Neiman Marcus Group, which concluded that the purpose of a hack was to make fraudulent charges or steal identities.

Both appeal briefs in the OPM case cited the Seventh Circuit ruling. They also said Attias aligned with other decisions, such as the U.S. Court of Appeals for the Third Circuit's 2017 ruling in In re: Horizon Healthcare Services Data Breach Litigation, and the U.S. Court of Appeals for the Ninth Circuit's 2010 holding in Krottner v. Starbucks, which was upheld this year in In re: Zappos.com.

In her ruling, Jackson acknowledged Attias, which made standing “a very close and difficult question in this case.” But she found the OPM case was different because, unlike Attias, there was no evidence that “credit card or bank fraud” was involved or that the stolen information would be used to commit such crimes given that the Chinese government, rather than a domestic hacker, was behind it.

In the class action, Jackson also found that immunity shielded the federal government and KeyPoint.

The Treasury union appealed within an hour of Jackson's ruling.

In the Treasury union's appeal brief, Shah wrote that the judge's “flawed injury-in-fact analysis” relied too heavily on whether financial information was at issue and that a foreign government could have been behind the cyberattack. In the class action brief, Elias wrote that plaintiffs suffered economic injuries, such as credit monitoring and other expenses to deal with identity theft, lost time and distress.

The Electronic Privacy Information Center filed a notice that it planned to file an amicus brief supporting the plaintiffs in the OPM case.

“EPIC's brief is necessary to address the privacy interests at stake in the case under review, and to inform the court about the right of individuals to keep confidential their personal information,” wrote Marc Rotenberg, EPIC's president and executive director.