September 17, 2015 Articles

Will the Court Define "Actual Damages" in the OPM Cyber-Attack Lawsuit?

What are actual damages under the Privacy Act of 1974 in a massive data breach? AFGE's class action against OPM may provide an answer.

By Matthew A.S. Esworthy and Aaron M. Danzig

The U.S. Office of Personnel Management (OPM) recently joined the infamous ranks of class action defendants (like Target and Home Depot) when the American Federation of Government Employees (AFGE)—the federal government’s largest labor union—filed a class action lawsuit arising out of the massive June 2015 cyber attack on OPM’s systems. That breach involved about 18 million federal employees’ personal and security files. However, unlike the victims of the Target and Home Depot data breaches, the victims of a cyber attack involving the federal government have limited legal options. One of the only tested legal approaches is the Privacy Act of 1974, under 5 U.S.C. § 552a(b), and even this remedy has its limitations for recovery.

One of the biggest questions that remain unanswered by courts under the Privacy Act is what constitutes “actual damages.” This question is further complicated for the victims of the OPM cyber attack when one considers the frequency of cyber attacks on other major businesses that maintain personally identifiable information for millions and the inevitable overlap between the different groups of victims. This raises several important questions: How broadly or narrowly will courts today define “actual damages” under the Privacy Act for victims of a cyber attack or data breach when the new normal contemplates a major data breach involving the release of personally identifiable information every week? What types of damages (e.g., credit monitoring) will be accepted as “actual damages” under the act? Will a victim need to directly link his or her damages to the cyber attack under the act?

The June 2015 class action lawsuit filed by the AFGE in the U.S. District Court for the District of Columbia was brought on behalf of all the past and present federal employees whose personally identifiable information was stored in the compromised databases. To date, OPM has notified some 4 million people that their personal information was compromised. The number of victims is likely to grow in the coming months.
