By way of background, the OPM is the government agency responsible for maintaining data about federal applicants, providing “investigative products and services for over 100 Federal agencies to use as a basis for suitability and security clearance determinations as required by Executive Orders and other rules and regulations. The OPM provides over 90% of the Government’s background investigations, conducting over two million investigations a year.” See U.S. Office of Pers. Mgmt., Background Investigations. The class action lawsuit alleges in great detail that since at least 2007, “the OPM has been on notice of significant deficiencies in its cyber security protocol . . . and failed to take steps to remedy those deficiencies.” Taking the most direct and tested route, the class plaintiffs selected the Privacy Act of 1974 as the lead vehicle for redress against the OPM in this lawsuit. The class plaintiffs also filed a claim against OPM under the Administrative Procedure Act, 5 U.S.C. § 701 et seq., and a common-law negligence claim and sought declaratory judgment against an independent contractor to the OPM, KeyPoint.
One may be surprised to learn that as early as 2008, the AFGE filed a class action lawsuit against the federal government, albeit a different agency, for failing to establish appropriate safeguards to ensure the security and confidentiality of electronic personnel records. In American Federation of Government Employees v. Hawley, 543 F. Supp. 2d 44 (D.D.C. 2008), the class action plaintiffs were allegedly injured when a computer hard drive containing personnel data for some 100,000 individuals employed by the Transportation Security Administration (TSA) was “missing from a controlled area at the TSA Headquarters Office of Human Capital.” Id. at 45. The class plaintiffs brought claims under the Aviation and Transportation Security Act and the Privacy Act. Granted, Hawley did not involve a cyber attack, and it was decided over six years ago; however, the D.C. District Court’s decision will still be very instructive with respect to the Privacy Act claim in the OPM case.
The Privacy Act of 1974 requires that
[e]ach agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. . . .
Hawley, 543 F. Supp. 2d 44 (D.D.C. 2008) (quoting 5 U.S.C. § 552a(e)(10)).
As the Hawley court explained, in order to plead a Privacy Act claim, one must allege that “(a) defendants acted intentionally or willfully; (b) plaintiffs were adversely affected; and (c) plaintiffs sustained actual damages.” Id. at 51. Looking at each of the three elements, the court found that the AFGE met the threshold pleading requirements to survive the government’s motion to dismiss. Notably, the Hawley decision settled several major questions under the Privacy Act: standing, ripeness, what constitutes intentional and willful acts, and whether plaintiffs were adversely affected. Id. at 50–53. However, the district court did not delve into what constituted “actual damages.” Id. at 53.
With respect to the requirement that the government acted intentionally and willfully, the court found that the defendants’ conduct would be deemed intentional and willful if they “were warned of deficiencies in their information security but failed to establish proper safeguards.” Id. at 51 (citing In re Dep’t of Veterans Affairs Data Theft Litig., Misc. No. 06-5606 (D.D.C. Nov. 11, 2007) (Robertson, J.), ECF No. 30 at 11 (“holding that plaintiffs’ allegations were sufficient because, if proven, they would support a finding that VA’s conduct was ‘intentional and willful’”)). This gross negligence concept is crucial for a plaintiff’s success in a case involving a cyber attack where the government will claim that the loss of information was not an intentional or willful act, but was more akin to an accident.
With respect to the element requiring an “adverse effect,” the Hawley court found that the plaintiffs sufficiently alleged that they “experienced adverse effects due to Defendants’ failure to safeguard the Personnel Data and/or disclosure, including but not limited to, embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm.” Id. at 52–53. However, how much evidence will be required to link the adverse effect to the particular data breach remains unclear, as does the question of “actual damages,” and it will be a crucial question given how many data breaches the OPM class plaintiffs may have been caught up in over the past year.
In discussing actual damages, the Hawley court acknowledged the Supreme Court case of Doe v. Chao, 540 U.S. 614, 624–25 (2004), which held that a plaintiff must prove actual damages to recover under section 552a(g)(4) of the Privacy Act, but noted that the Supreme Court “left open the question of what constitutes ‘actual damages,’ noting that the courts of appeals ‘are divided as to whether actual damages are limited to pecuniary loss or can be awarded for emotional damages without any out-of-pocket loss.’” See Hawley, 543 F. Supp. 2d at 53 (quoting Doe, 540 U.S. at 627 n.12) (citing Albright v. United States, 732 F.2d 181, 186 (D.C. Cir. 1984) (“declining to consider whether non-economic injuries or damages other than out-of-pocket expenses could qualify as ‘actual damages’ under Section 552a(g)(4)”)). The TSA argued “that the Court should interpret ‘actual damages’ narrowly, as is required in construing a waiver of sovereign immunity, to mean only out of pocket expenses, not emotional damages.” Id. at 53. In Hawley, Judge Kennedy rejected the government’s narrow approach and, in support, cited Montemayor v. Federal Bureau of Prisons, 2005 WL 3274508, at *5 (D.D.C. Aug. 25, 2005) (citing cases) (“rejecting argument to narrowly interpret ‘actual damages’ to mean only pecuniary losses and following instead ‘the recent trend at the District Court level . . . to allow Privacy Act suits seeking general compensatory damages, such as pain and suffering and non-pecuniary losses, to proceed’ past the motion to dismiss stage”). However, make no mistake: the court saved the question of what constitutes actual damages for another day, and the OPM will certainly raise this issue in the present case.
Ultimately, the Hawley case did not make it to trial and was settled. If history is any indicator, the likely outcome of the OPM class action lawsuit will be a massive settlement, rather than a trial that may result in an expansive and victim-friendly definition of “actual damages” under the Privacy Act.
Keywords: criminal litigation, actual damages, American Federation of Government Employees (AFGE), U.S. Office of Personnel Management (OPM), Privacy Act of 1974, cyber attack
Mathew A.S. Esworthy is a partner at Shapiro Sher Guinot & Sandler in Baltimore, Maryland. Aaron M. Danzig is a partner at Arnall Golden Gregory LLP in Atlanta, Georgia.