July 1, 2019

DC Circuit rules on Article III standing in data security breach litigation

On June 21, 2019, the United States Court of Appeals for the District of Columbia Circuit held that plaintiffs whose personal information was stolen in a large-scale hack of the Office of Personnel Management database had standing to sue even though they did not allege specific out-of-pocket losses caused by misuse of the hacked data, which for many victims included passport information, fingerprints, social security numbers, birth dates and criminal and psychological records. The court, reversing the lower court on the issue of standing, stated that the plaintiffs had satisfied the three-pronged test established by Spokeo, Inc. v. Robins, 136 S. Ct. 1540:

  1. The first of the two separate groups of plaintiffs in this consolidated litigation had claimed a constitutionally protected privacy interest, and the court determined that these plaintiffs had Article III standing because the loss of a constitutionally protected privacy interest itself would qualify as a concrete, particularized and actual injury in fact. As for the second group, the court said that they demonstrated an injury in fact that is concrete and particularized and actual or imminent by alleging a substantial risk of identity theft, following the precedent set in Attias v. CareFirst, 865 F.3d 620 (DC Cir. 2017), cert. denied, 138 S. Ct. 981 (2018); 
  2. The plaintiffs showed that their injury, among others the risk of identity theft, is fairly traceable to the conduct of OPM and KeyPoint Government Solutions, Inc., a third-party contractor that conducted background investigations for OPM, since OPM failed to heed warnings by the Inspector General regarding security vulnerabilities, leaving the door open for hackers to access the system, and, according to the allegations, KeyPoint is at least partially to blame for the breaches due to its failure to comply with data security practices; and
  3. They succeeded in demonstrating that a favorable decision in the litigation would likely redress their injury, through monetary damages or otherwise.

The court said that the plaintiffs also overcame the defendants’ claim of sovereign immunity, since, under the Privacy Act, sovereign immunity is waived if the plaintiff alleges that a federal agency intentionally or willfully violated the statute’s requirements for protecting the confidentiality of personal information.