The federal government’s biggest labor union is suing the Office of Personnel Management to strengthen its cyber defenses and compensate federal employees harmed by the recent attacks on the agency’s personnel databases.
Leaders of the American Federation of Government Employees said they believe the lawsuit can compel the agency to act where numerous congressional hearings and calls for OPM Director Katherine Archuleta to resign have not.
“Sometimes it takes the court system to mandate that agencies do various things,” said AFGE President J. David Cox in a media briefing Tuesday. “This has rose to such a level that clearly we’re looking for relief and all the proper procedures to be put into place. If the only way we can get that is through the court system, then that’s the direction we have to go.”
A judge can break the government’s inertia by making specific orders and imposing deadlines, added Dan Girard, AFGE’s attorney in the case. Girard’s San Francisco firm represents plaintiffs in similar suits against Target, Home Depot, Adobe and Anthem.
The AFGE lawsuit, filed in U.S. District Court in the District of Columbia, seeks class-action status to represent all the past and present federal employees whose personally identifiable information was stored in the compromised databases. OPM has told 4 million people that their data was accessed. But the agency said the number of victims is likely to grow as the investigation into the breaches continues. Some in Congress have suggested as many as 32 million people could be impacted.
The suit alleges that OPM violated the Privacy Act of 1974 by failing to fix cybersecurity flaws that it had known about since at least 2009. It says the agency was negligent because it did not act on the warnings of its inspector general. Keeping the databases operating without interruption was more important to OPM than protecting the sensitive information those databases stored, Girard said.
“That was a choice they made. That choice is what led to the compromise of their information,” he said. “Our position is: That’s not an acceptable way to do business until these systems have been enhanced to a point at which these individuals are no longer at risk.”
The suit names Archuleta, OPM Chief Information Officer Donna Seymour and OPM contractor Keypoint Government Solutions as co-defendants. An earlier breach of Keypoint’s network gave the hackers the user credential they needed to break into OPM’s systems, Archuleta said in congressional testimony.
OPM spokesman Sam Schumach said in a statement that OPM will not comment on the pending litigation and directed all questions to the Justice Department.
“When Katherine Archuleta was sworn in as the Director of the Office of Personnel Management 19 months ago, she recognized that in order to meet the agency goals of building and managing an engaged, inclusive, and well-trained workforce, we would need a thorough assessment of our information technology at OPM. One of her first priorities was the development of a comprehensive IT strategic plan, which immediately identified security vulnerabilities in the agency’s aging legacy systems, and led to an aggressive modernization and security overhaul of our network and its systems,” Schumach said. “Government and non-government entities are under constant attack by advanced and evolving cyber adversaries. In an average month, OPM thwarts millions of intrusion attempts targeting our network. It was only because of OPM’s aggressive efforts to update its cybersecurity posture, adding numerous tools and capabilities to its network, that the recent cybersecurity incidents and vulnerabilities were identified.”
AFGE wants OPM to implement the cybersecurity recommendations of its inspector general so that, at a minimum, it complies with the Federal Information Security Management Act. It should hire cybersecurity personnel and take steps to purge information that is stored in OPM or Keypoint systems that are not adequately protected, Girard said.
The lawsuit also seeks damages for the breach victims. Because of the breach, federal employees have suffered financially and emotionally, AFGE said. Some have spent their own money on identity theft protection services beyond what OPM has offered victims. The union also has received reports from victims about falsified tax returns and attempts to open credit cards in their names. It is trying to verify these accounts, Girard said.
But there’s no doubting the anxiety the breaches have caused federal employees, said Cox. As a former government employee, he has received notice that his information was accessed. His wife and daughter-in-law received similar notices.
“I can demonstrate it to you every day of my life from a first-hand experience. Our phones are ringing off the hook,” he said. “It’s the topic of conversation from the time people get up to the time they go to bed at night, worrying about harm, trying to spend time changing numbers, getting to websites and all this.”
The lawsuit’s success hinges on whether AFGE can prove victims suffered actual damages, financial or otherwise, but there’s rarely a smoking gun in these situations, said Matt Esworthy, a Baltimore lawyer who sits on the American Bar Association Cybersecurity Legal Task Force.
“Often the bad actors — the hackers — take your information and sit on it. Or they sell it on the black market. People may or may not use it. They may use it later on, a couple of months from the date of the event, in a way you might not expect. So it’s often hard to tie the data breach to the consequences,” he said.
In addition, there have been so many data breaches in the past few years that the government may be able to convince the court that another breach was responsible for the victim’s injury, he said.
On the other hand, there’s good reason to believe OPM would settle to avoid litigating such a sensitive matter, he said. The Transportation Security Administration in 2008 chose that route after AFGE accused it of violating the Privacy Act. The agency admitted it lost an external hard drive with employment and payroll data on it.
Some members of Congress have called for President Barack Obama to fire Archuleta and Seymour. But Cox said AFGE is not pursuing their termination because OPM’s cybersecurity issues predate their terms in office. Still, he said he’d like to see Archuleta do a better job of protecting federal employees from harm.