D.C. Circuit Breathes New Life into OPM Data Breach Litigation
The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On June 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after the district court held that the plaintiffs lacked standing because they had failed to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of a risk of future harm were sufficient for the case to move forward.
Among other duties, OPM is largely responsible for the United States government’s security clearance processes. The breaches, which took place in 2013 and 2014, exposed information regarding approximately 20 million people who had undergone government background checks. Suits related to the breaches were ultimately consolidated in the United States District Court for the District of Columbia. The suits, brought by federal employees and labor unions against OPM and a private contractor, seek, among other relief, an injunction requiring OPM to correct all deficiencies in its IT security program and an order requiring the private contractor to offer free lifetime identity theft and fraud protection services to class members.
The district court dismissed the complaints in September 2017 after finding that neither group of plaintiffs pled sufficient facts to demonstrate injury-in-fact for purposes of Article III standing. The district court found that few plaintiffs identified any specific losses stemming from the use of their hacked data, and that ultimately even those plaintiffs failed to identify how any misuse of their data was caused by the OPM breaches.
In a decision that may invite future Supreme Court review, the D.C. Circuit reversed the district court, holding that Article III standing may be found in data breach litigation based on allegations of a substantial risk of future harm, with no allegations of actual harm, from the unauthorized disclosure of a plaintiff’s personal information. This holding echoes a prior decision from the same court, Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), which held that plaintiffs need only allege a substantial risk of future identity theft traceable to a hack to establish Article III standing at the pleading stage.
In the D.C. Circuit’s decision in the OPM case, focusing on the sensitive data exposed in the OPM hacks, the court explained:
[T]he OPM hackers . . . now have in their possession all the information needed to steal [ ] Plaintiffs’ identities. . . . It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft. . . .
Viewing the allegations in the light most favorable to [ ] Plaintiffs, as we must, we conclude that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that [ ] Plaintiffs face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft.
Different approaches to determining standing in data breach litigation across the federal circuits may lead the Supreme Court to clarify the issue. The U.S. courts of appeals are currently split. We previously reported on standing decisions in the Third, Fourth, Sixth, Seventh, and Ninth Circuits. The Supreme Court had the opportunity to enter the fray after CareFirst and, more recently, after the Ninth Circuit’s March 2018 decision in Stevens v. Zappos.com, Inc. (In re Zappos.com, Inc.), 884 F.3d 893 (9th Cir. 2018), cert. denied, 138 S. Ct. 981 (2018). In Zappos, the Ninth Circuit held that customers who brought suit after a hack of Zappos’s systems had “sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.” Zappos filed a petition for a writ of certiorari asking the Supreme Court to clarify “[w]hether individuals whose personal information is held in a database breached by hackers have Article III standing simply by virtue of the breach even without concrete injury, as the Third, Sixth, Seventh, Ninth, and D.C. Circuits have held, or whether concrete injury as a result of the breach is required for Article III standing, as the First, Second, Fourth, and Eighth Circuits have held.” Nonetheless, the Supreme Court declined to review the case and has not taken up any other case that might clarify this issue in the coming 2019 October Term.
Until the Supreme Court provides guidance in this area, litigants may have to look to where a case is filed to determine which rules of standing will apply in data breach litigation. We will continue to monitor developments in this area as they arise.