Union Argues Court Should Not Grant OPM’s Motion to Dismiss Hack Lawsuit

A federal employee union is fighting the federal government’s attempt to dismiss the group’s lawsuit seeking further remedies after a hack of data maintained by the Office of Personnel Management exposed the personal information of millions of current and former civil servants.

The National Treasury Employees Union announced its suit in July of 2015, shortly after OPM announced its personnel records had been breached and 4.2 million current and former feds were impacted. In May, OPM, through the Justice Department, filed a motion to dismiss the suit, arguing NTEU did not have grounds to make its claims. In October and again on Thursday, NTEU defended its standing in the case in the U.S. District Court for the District of Columbia.

OPM and Justice said NTEU did not show the two individuals named specifically in the case, nor its 150,000 members, were harmed by the hack in “any material way,” according to court documents. The union alleged “general suffering,” which the government argued was insufficient to merit a lawsuit. The threat of potential damage, Justice attorneys said, does not represent a “cognizable injury.” Nor does the allegation of emotional stress, they said, citing past cybersecurity-related cases and a lack of an “imminent threat to the information.”

NTEU is seeking a declaration that OPM’s conduct was unconstitutional, a mandate that OPM provide lifetime credit monitoring and identity theft protection services, and a prohibition on OPM storing NTEU members’ information in electronic form. Currently, hack victims are scheduled to receive 10 years of protection services.

OPM and Justice argued the union has failed to show at least one of its individual members has standing in his or her own right. They also said NTEU has no grounds to pursue its case on a constitutional basis. The Constitution, the government attorneys said, does not require the government to “affirmatively provide certain minimal levels of safety and security,” and the 1974 Privacy Act allays any privacy concerns with constitutional roots. NTEU’s claim of a due process violation fails to meet the previously established threshold of conduct “so egregious, so outrageous, that it may fairly be said to shock the contemporary conscience,” the government argued. 

NTEU said in its oral arguments attempting to prevent the dismissal that it both had standing and that its constitutional argument had merit. By failing to “take adequate steps to safeguard information submitted by its members,” NTEU argued, OPM violated the constitutional right to information privacy.

Nineteen other groups have brought lawsuits against OPM as a result of the breaches, all of which have been consolidated into one case also being heard by U.S. District Court for D.C. An attorney hired by the American Federation of Government Employees is heading that suit up. AFGE and the other groups are relying on the Privacy Act to make their claim, rather than the Constitution. 

Greg O’Duden, NTEU’s general counsel, said last year it is “very difficult” to prevail in court under the Privacy Act. Additionally, NTEU is filing its claim only on behalf of its 150,000 members, while the consolidated case was filed on behalf of all 22 million individuals affected by both the personnel files and background investigation breaches. AFGE et al are pursuing financial compensation as well as injunctive relief in its case.

A spokeswoman for NTEU said there is currently no timetable for when the court will issue a ruling on OPM’s motion to dismiss the lawsuit. The union is the only group to pursue its own case against the agency, with all other complainants joining the consolidated effort.