The OPM lawsuit involved the US Office of Personnel Management, US Government contractor Peraton Risk Decision Inc., the American Federation of Government Employees and the National Treasury Employees Union, and concerned data breaches that allegedly compromised the personal information of 22 million current and former federal employees and their families, along with contractors and applicants for federal employment. OPM is a federal agency which handles a part of the federal employee recruitment process, while Peraton Risk Decision Inc. is a private contractor which carries out investigations and security checks on behalf of OPM. AFGE and NTEU, on the other hand, are unions representing federal employees and other workers of various departments and agencies of the US Government.
The OPM lawsuit concerned constitutional and statutory claims arising from two separate data breach incidents in the 2013-2015 period, which together amounted to one of the largest data breaches in the history of the United States. The major plaintiffs were AFGE and NTEU, while the defendants were OPM and its contractor, Peraton Risk Decision Inc. The lawsuit was initially dismissed but restored on appeal. In the year 2022, a settlement of $63 million was concluded.
Background of the Lawsuit
In the 2013-14 period, hackers infiltrated the electronic information systems of Peraton and stole sensitive information, including the electronic manuals of the company’s systems, security system documents and the log-in credentials of a Peraton employee. Thereafter, in the 2014-15 period, the hackers used the stolen log-in credentials to intrude into OPM’s network and install malware which effected the data breach. Stolen information included federal employees’ names, birthdates, current and former addresses, and social security numbers. Altogether, the breach compromised the personal information of nearly 22 million federal employees and their families.
OPM notified 48,000 federal employees that their information may have been compromised, in a communication issued on April 27, 2015. The agency initially claimed that the data breach had affected about 4.2 million federal employees and contractors. On June 12, 2015, OPM revised this figure to 14 million. On July 9, 2015, the agency announced that this number had increased to almost 22 million.
OPM notified each and every person whose information had been compromised in the data breach, and offered free identity protection services for up to three years.
Legal Machinations
In the year 2015, the American Federation of Government Employees filed a class action lawsuit against OPM and Peraton, alleging negligence on the part of federal officers which led to the data breach. A separate lawsuit was filed by the National Treasury Employees Union, alleging that the data breach violated the federal employees' constitutional right to informational privacy. Subsequently, multiple lawsuits were filed across the country.
The United States Judicial Panel on Multidistrict Litigation consolidated the lawsuits in the District Court for the District of Columbia. The consolidated lawsuit alleged that OPM violated the Privacy Act, the Administrative Procedure Act and the Little Tucker Act. Peraton Risk Decision Inc., on the other hand, was accused of negligence, misrepresentation and concealment, breach of contract, invasion of privacy, and violating the Fair Credit Reporting Act and other statutes related to data security and unfair trade practices.
In separate motions filed before the court, OPM and Peraton sought dismissal of the lawsuit, citing protection under sovereign immunity, the court's lack of subject matter jurisdiction, the plaintiffs' lack of standing, and the plaintiffs' failure to state a claim for relief under Rule 12(b)(6) of the Federal Rules of Civil Procedure.
On September 19, 2017, the US District Court for the District of Columbia dismissed the case. The court ruled that AFGE failed to establish standing under Article III, and did not meet the damages requirements under the Privacy Act, while NTEU failed to establish a constitutional claim.
On October 12, 2017, the plaintiffs appealed the dismissal to the United States Court of Appeals for the DC Circuit.
Settlement
In June 2022, a settlement was reached between the defendants, OPM and Peraton, and the plaintiffs led by AFGE and NTEU. A fairness hearing held in October 2022 at a federal district court formalized the settlement at $63 million. Individuals who could establish that they were victims of the data breach and had incurred out-of-pocket expenses or lost compensable time were eligible for compensation.
Under the settlement agreement, eligible individuals received a minimum of $700 and up to $10,000.