OPM left doors open on personal and confidential data

Don’t make promises you can’t keep and don’t forget to lock the door.

If there’s anything to be learned from the ongoing litigation between the National Treasury Employees Union (NTEU) and the Office of Personnel Management, it’s the importance of confidentiality and security.

The two parties met in court for the first time Oct. 27 to present their oral arguments related to OPM’s alleged role in the 2015 cyber breach.

NTEU members have been harmed “in a real way” by the breaches, Paras Shah, NTEU assistant counsel, told Federal News Radio. When people provide their inherently personal information to the government, there’s a promise of confidentiality.

That promise of confidentiality “can’t be a hollow one,” Shah said.

“Where our members provide this information to the government on that explicit promise of confidentiality, the government must take reasonable measures to protect that information as it promised to do,” Shah said. “So in other words, they can’t simply take that information in and then in effect leave it in a room with all the doors and windows open, completely unguarded. We argue that by ignoring its own Inspector General’s reports for nearly a decade, OPM effectively left all the doors and windows open.”

At issue is the role OPM played, or didn’t play, in the theft of personal data of 22 million current and former federal employees.

From NTEU’s standpoint, OPM owes a number of things to its members, including lifetime credit monitoring, stopping the electronic storage of NTEU members’ information, and requiring OPM “to take ‘all necessary and appropriate steps’ in the future regarding its IT program.”

OPM directed a request for comment to the Justice Department. The Justice Department did not immediately respond.

Insufficient injuries

OPM filed its motion to dismiss the case June 27, based on a “lack of subject matter jurisdiction and for failure to state a claim upon which relief may be granted.”

In its motion, OPM’s counsel argues that the alleged past and future injuries to breach victims are not enough to ask for injunctive relief.

NTEU claims past injuries include an unidentified third party filing a fraudulent tax return using one victim’s name, fraudulent charges made to another victim’s existing credit card, and emotional distress that three union members say they suffered, court documents state.

“None of these alleged injuries is sufficient to establish standing for declaratory and injunctive relief because all of them have already occurred — the fraudulent tax return has already been filed, the fraudulent credit card charges have already been made (and resolved), the emotional distress has already been suffered, and plaintiffs’ information has already allegedly been stolen from OPM’s systems,” OPM argues in its motion.

OPM also points out that NTEU’s request for lifelong credit monitoring lacks standing.

“The likelihood of this future injury occurring is based on an entirely speculative sequence of events: (1) that the individual or individuals who allegedly improperly accessed the OPM information want to commit financial malfeasance detectable by data or credit monitoring with respect to one of the named plaintiffs; (2) that such an individual is capable of doing so; (3) that they identify and target the data of the named plaintiffs (out of a group of approximately 22 million); (4) that such an individual actually does so; (5) that such an act is successful; and (6) that such an act actually causes one of the named plaintiffs financial injury,” OPM says.

NTEU argues in its July 2016 opposition to OPM’s motion that the agency “[disregarded] its Inspector General’s urgent security warnings for nearly a decade.”

“Even OPM’s own Inspector General agrees that there is a very real risk that OPM’s data systems will be breached again, and NTEU in turn believes that because of that substantial risk, that OPM’s information systems will be breached, our members’ inherently personal information is at real risk of being accessed again without authorization,” Shah said.

Not the only one

NTEU’s lawsuit against OPM is one of more than 20 cases nationwide involving the agency and the data breach. The American Federation of Government Employees was the first union to file a class-action lawsuit for the current and former federal employees who were victims of the OPM data breach.

NTEU successfully argued for its suit to stand alone based on its claims and requested relief.