In AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), the Court of Appeals for the DC Circuit held that ID theft victims represented by their Union had article III standing. The facts are rather dramatic.
As its name suggests, the U.S. Office of Personnel Management serves as the federal government’s chief human resources agency. In that capacity, OPM maintains electronic personnel files that contain, among other information, copies of federal employees’ birth certificates, military service records, and job applications identifying Social Security numbers and birth dates. The agency also oversees more than two million background checks and security clearance investigations per year. To facilitate these investigations, OPM collects a tremendous amount of sensitive personal information from current and prospective federal workers, most of which it then stores electronically in a “Central Verification System.” Consolidated Amended Complaint, In re United States Office of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-01394, ¶ 65 (D.D.C. March 14, 2016) (“Arnold Plaintiffs’ [*4] Compl.”), J.A. 61. The investigation-related information stored by OPM includes birth dates, Social Security numbers, residency details, passport information, fingerprints, and other records pertaining to employees’ criminal histories, psychological and emotional health, and finances. In recent years, OPM has relied on a private investigation and security firm, KeyPoint Government Solutions, Inc. (“KeyPoint”), to conduct the lion’s share of the agency’s background and security clearance investigation fieldwork. KeyPoint investigators have access to the information stored in OPM’s Central Verification System and can transmit data to and from the agency’s network through an electronic portal. It turns out that authorized KeyPoint investigators have not been the only third parties to access OPM’s data systems. Cyberattackers hacked into the agency’s network on several occasions between November 2013 and November 2014. Undetected for months, at least two of these breaches resulted in the theft of vast quantities of personal information. According to the complaint, after breaching OPM’s network “using stolen KeyPoint credentials” around May 2014, Arnold Plaintiffs’ Compl. ¶ 127, J.A. 73, [*5] the cyberintruders extracted almost 21.5 million background investigation records from the agency’s Central Verification System. They gained access to another OPM system near the end of 2014, stealing over four million federal employees’ personnel files. Among the types of information compromised were current and prospective employees’ Social Security numbers, birth dates, and residency details, along with approximately 5.6 million sets of fingerprints. The breaches also exposed the Social Security numbers and birth dates of the spouses and cohabitants of those who, in order to obtain a security clearance, completed a Standard Form 86. According to the complaints, since these 2014 breaches, individuals whose information was stolen have experienced incidents of financial fraud and identity theft; many others whose information has not been misused—at least, not yet—remain concerned about the ongoing risk that they, too, will become victims of financial fraud and identity theft in the future.
The Plaintiffs alleged that:
Specifically, in 2014, the agency failed to complete an Information Security Act-required Security Assessment and Authorization for eleven of the twenty-one OPM systems due for reauthorization. Because the agency was unable to ensure the functionality of security controls for the systems that lacked a valid authorization—one of which was “a general system that supported and provided the electronic platform for approximately two-thirds of all information systems operated by OPM”—the Inspector General advised the agency to shut them down. Id. ¶¶ 102-103, J.A. 69-70. Despite the Inspector General’s recommendation, OPM continued to operate the systems. The agency compounded existing security vulnerabilities by failing to encrypt sensitive data—including Social Security numbers—and failing to enforce multifactor authentication requirements. To make matters worse, when the 2014 data breaches occurred, the agency lacked a centralized network security operations center from which it could continuously and comprehensively monitor all system security controls and threats. The 2014 cyberattacks [*10] were “sophisticated, malicious, and carried out to obtain sensitive information for improper use.” Arnold Plaintiffs’ Compl. ¶¶ 128, 132, J.A. 73-74. Arnold Plaintiffs assert that as a result of these attacks, they have suffered from a variety of harms, including the improper use of their Social Security numbers, unauthorized charges to existing credit card and bank accounts, fraudulent openings of new credit card and other financial accounts, and the filing of fraudulent tax returns in their names.
The Court of Appeals found standing for the Union to pursue the claims for its members.
For standing purposes, we assume that NTEU Plaintiffs have, as they claim, a “constitutional right to informational privacy” that was violated “the moment that [cyberattackers stole] their inherently personal information * * * from OPM’s deficiently secured databases.” NTEU Br. 11; see also Estate of Boyland v. Department of Agric., 913 F.3d 117, 123 (D.C. Cir. 2019) (HN3 “[W]hen considering whether a plaintiff has Article [*18] III standing, a federal court must assume, arguendo, the merits of his or her legal claim.”) (internal quotation marks omitted). Furthermore, given NTEU Plaintiffs’ allegations regarding OPM’s continued failure to adequately secure its databases, it is reasonable to infer that there remains a “substantial risk” that their personal information will be stolen from OPM again in the future. NTEU Plaintiffs’ Compl. ¶ 88, J.A. 182. With respect to this claim, the loss of a constitutionally protected privacy interest itself would qualify as a concrete, particularized, and actual injury in fact. And the ongoing and substantial threat to that privacy interest would be a concrete, particularized, and imminent injury in fact. Both claimed injuries are plausibly traceable to OPM’s challenged conduct, and the latter is redressable either by a declaration that the agency’s failure to protect NTEU Plaintiffs’ personal information is unconstitutional or by an order requiring OPM to immediately correct deficiencies in its cybersecurity programs. Cf. ACLU v. Clapper, 785 F.3d 787, 801 (2d Cir. 2015) (holding that, where plaintiffs allege a Fourth Amendment “injury [stemming] from the very collection of their telephone metadata,” they “have suffered a concrete and [*19] particularized injury fairly traceable to the challenged program and redressable by a favorable ruling”). Accordingly, NTEU Plaintiffs have standing based on their claimed constitutional injury.
The Court of Appeals also held that the Individual Plaintiffs had standing.
Arnold Plaintiffs allege no such constitutional injury, but they do claim to have suffered a variety of past and future data-breach related harms. See, e.g., Arnold Plaintiffs’ Compl. ¶ 22, J.A. 44-45 (alleging that Plaintiff Jane Doe has “suffer[ed] stress resulting from concerns for her personal safety and that of her family members” since being informed by the FBI that her personal information “had been acquired by the so-called Islamic State of Iraq and al-Sham (‘ISIS’)”). For purposes of our standing analysis, we focus on one injury they all share: the risk of future identity theft. As we have already recognized, HN4 “identity theft * * * constitute[s] a concrete and particularized injury.” Attias, 865 F.3d at 627; see also Hancock v. Urban Outfitters, Inc., 830 F.3d 511, 514, 424 U.S. App. D.C. 251 (D.C. Cir. 2016) (offering the “increased risk of fraud or identity theft” as an “example” of a “concrete consequence” for standing purposes). Yet, the district court concluded that Arnold Plaintiffs’ complaint provided an insufficient basis from which to infer that, in the wake of the OPM breaches, Arnold Plaintiffs [*20] faced any meaningful risk of future identity theft, much less a “substantial” one. In re United States Office of Pers. Mgmt. Data Security Breach Litig. (“In re OPM”), 266 F. Supp. 3d 1, 35 (D.D.C. 2017). Furthermore, finding that “the risk of identity theft was neither clearly impending nor substantial,” the district court concluded that any expenses that Arnold Plaintiffs incurred attempting to mitigate that risk likewise failed to qualify as an Article III injury in fact. Id. at 36; see also Clapper, 568 U.S. at 416 (“[R]espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”). Arnold Plaintiffs argue that the district court’s conclusion is incompatible with our decision in Attias v. CareFirst. In that case, we determined that the victims of a cyberattack on CareFirst, a health insurance company, “cleared the low bar to establish their standing at the pleading stage” by plausibly alleging that they faced a substantial risk of identity theft as a result of the company’s negligent failure to thwart the attack. Attias, 865 F.3d at 622. Specifically, the complaint alleged that the breach exposed “all of the information wrongdoers need for appropriation of a victim’s identity”: [*21] personal identification information, credit card numbers, and Social Security numbers. Id. at 628 (internal quotation marks omitted). Based largely on the nature of the information compromised in the attack, we concluded that it was reasonable to infer that the cyberattackers had “both the intent and the ability to use that data for ill.” Id.; see also id. at 628-629 (“Why else would hackers break into a * * * database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”) (quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015)). Accordingly, we explained, “[n]o long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” Id. at 629. Although the OPM cyberattacks differ in several respects from the breach at issue in Attias, there is no question that the OPM hackers, too, now have in their possession all the information needed to steal Arnold Plaintiffs’ identities. Arnold Plaintiffs have alleged that the hackers stole Social Security numbers, birth dates, fingerprints, and addresses, among other sensitive personal information. It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft. Indeed, several Arnold Plaintiffs claim that they have already experienced various types of identity theft, including the unauthorized opening of new credit card and other financial accounts and the filing of fraudulent tax returns in their names. Moreover, unlike existing credit card numbers, which, if compromised, can be changed to prevent future fraud, Social Security numbers and addresses cannot so readily be swapped out for new ones. And, of course, our birth dates and fingerprints are with us forever. Viewing the allegations in the light most favorable to Arnold Plaintiffs, as we must, we conclude that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that Arnold Plaintiffs face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft. It is worth noting that several Arnold Plaintiffs also allege that unauthorized charges have appeared on their existing credit card and bank account statements since the breaches. According to OPM, because none of these Arnold Plaintiffs “specifically alleged the OPM incidents affected their existing account information,” the reported incidents of fraud on existing accounts (and, presumably, the risk of future fraud on those accounts) cannot plausibly be attributed to the OPM breaches. Gov’t Br. 21. But we need not travel down that road because, regardless of whether the hackers obtained all the information necessary to make unauthorized charges to existing accounts, it is undisputed that the other forms of fraud alleged—the opening of new accounts and the filing of fraudulent tax returns—may be accomplished using the information stolen during the breaches at issue.