Jump to Navigation | Jump to Content
American Bar Association

Criminal Litigation

Will the Court Define "Actual Damages" in the OPM Cyber-Attack Lawsuit?

By Matthew A.S. Esworthy and Aaron M. Danzig – September 17, 2015


The U.S. Office of Personnel Management (OPM) recently joined the infamous ranks of class action defendants (like Target and Home Depot), when the American Federation of Government Employees (AFGE)—the federal government’s largest labor union—filed a class action lawsuit arising out of the massive June 2015 cyber attack on OPM’s systems. That breach involved about 18 million federal employees’ personal and security files. However, unlike the victims of the Target and Home Depot data breaches, the victims of a cyber attack involving the federal government have limited legal options. One of the only tested legal approaches is the Privacy Act of 1974, under 5 U.S.C. § 552a(b), and even this remedy has its limitations for recovery.


One of the biggest questions that remain unanswered by courts under the Privacy Act is what constitutes “actual damages.” This question is further complicated for the victims of the OPM cyber attack when one considers the frequency of cyber attacks on other major businesses that maintain personal identifiable information for millions and the inevitable overlap between the different groups of victims. Which raises several important questions: How broadly or narrowly will courts today define “actual damages” under the Privacy Act for victims of a cyber attack or data breach when the new normal contemplates a major data breach involving the release of personal identifiable information every week? What types of damages (e.g., credit monitoring) will be accepted as “actual damages” under the act? Will a victim need to directly link his or her damages to the cyber attack under the act?


The June 2015 class action lawsuit filed by the AFGE in the U.S. District Court for the District of Columbia was brought on behalf of all the past and present federal employees whose personal identifiable information was stored in the compromised databases. To date, OPM has notified some 4 million people that their personal information was compromised. The number of victims is likely to grow in the coming months.


By way of background, the OPM is the government agency responsible for maintaining data about federal applicants, providing “investigative products and services for over 100 Federal agencies to use as a basis for suitability and security clearance determinations as required by Executive Orders and other rules and regulations. The OPM provides over 90% of the Government’s background investigations, conducting over two million investigations a year.” See U.S. Office of Pers. Mgmt., Background Investigations. The class action lawsuit alleges in great detail that since at least 2007, “the OPM has been on notice of significant deficiencies in its cyber security protocol . . . and failed to take steps to remedy those deficiencies.” Taking the most direct and tested route, the class plaintiffs selected the Privacy Act of 1974 as the lead vehicle for redress against the OPM in this lawsuit. The class plaintiffs also filed a claim against OPM under the Administrative Procedure Act, 5 U.S.C. § 701 et seq., and a common-law negligence claim and sought declaratory judgment against an independent contractor to the OPM, KeyPoint.


One may be surprised to learn that as early as 2008, the AFGE filed a class action lawsuit against the federal government, albeit a different agency, for failing to establish appropriate safeguards to ensure the security and confidentiality of electronic personnel records. In American Federation of Government Employees v. Hawley, 543 F. Supp. 2d 44 (D.D.C. 2008), the class action plaintiffs were allegedly injured when a computer hard drive containing personnel data for some100,000 individuals employed by the Transportation Security Administration (TSA) was “missing from a controlled area at the TSA Headquarters Office of Human Capital.” Id. at 45. The class plaintiffs brought claims under the Aviation and Transportation Security Act and the Privacy Act. Granted, Hawley did not involve a cyber attack and it was decided over six years ago; however, the decision of the D.C. District Court will still be very instructive with respect to the Privacy Act claim in the OPM case.


The Privacy Act of 1974 requires that


[e]ach agency that maintains a system of records shall . . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. . . .


Hawley, 543 F. Supp. 2d 44 (D.D.C. 2008) (quoting 5 U.S.C. § 552a(e)(10)).


As the Hawley court explained, in order to plead a Privacy Act claim, one must allege that “(a) defendants acted intentionally or willfully; (b) plaintiffs were adversely affected; and (c) plaintiffs sustained actual damages.” Id. at 51. Looking at each of the three elements, the court found that the AFGE met the threshold pleading requirements to survive the government’s motion to dismiss. Notably, the Hawley decision settled several major questions under the Privacy Act: standing, ripeness, what constitutes intentional and willful acts, and whether plaintiffs were adversely affected. Id. at 50–53. However, the district court did not delve into what constituted “actual damages.” Id. at 53.


With respect to the requirement that the government acted intentionally and willfully, the court found that the defendants’ conduct would be deemed intentional and willful if they “were warned of deficiencies in their information security but failed to establish proper safeguards.” Id. at 51 (citing In re Dep’t of Veterans Affairs Data Theft Litig., Misc. No. 06-5606 (D.D.C. Nov. 11, 2007) (Robertson, J.), ECF No. 30 at 11 (“holding that plaintiffs’ allegations were sufficient because, if proven, they would support a finding that VA’s conduct was ‘intentional and willful’”)). This gross negligence concept is crucial for a plaintiff’s success in a case involving a cyber attack where the government will claim that the loss of information was not an intentional or willful act, but was more akin to an accident.


With respect to the element requiring “adverse affect,” the Hawley court found that the plaintiffs sufficiently alleged that they “experienced adverse effects due to Defendants’ failure to safeguard the Personnel Data and/or disclosure, including but not limited to, embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm.” Id. at 52–53. However, the question of how much evidence will be required to link the adverse effect to the data breach remains unclear, like the question of “actual damages,” and will be a crucial question when one considers how many data breaches the class plaintiffs in the OPM case have been involved in, in the past year.


In discussing actual damages, the Hawley court acknowledged the Supreme Court case of Doe v. Chao [login required], 540 U.S. 614, 624–25 (2004), which held that a plaintiff must prove actual damages to recover under section 552a(g)(4) of the Privacy Act, but noted that the Supreme Court “left open the question of what constitutes ‘actual damages,’ noting that the courts of appeals ‘are divided as to whether actual damages are limited to pecuniary loss or can be awarded for emotional damages without any out-of-pocket loss.’” See Hawley, 543 F. Supp. 2d at 53 (quoting Doe, 540 U.S. at 627 n.12) (citing Albright [login required], 732 F.2d 181, 186 (D.C. Cir. 1984) (“declining to consider whether non-economic injuries or damages other than out-of-pocket expenses could qualify as ‘actual damages’ under Section 552a(g)(4)”)). The TSA argued “that the Court should interpret ‘actual damages’ narrowly, as is required in construing a waiver of sovereign immunity, to mean only out of pocket expenses, not emotional damages.” Id. at 53. In Hawley, Judge Kennedy rejected the government’s narrow approach and, in support, cited Montemayor v. Federal Bureau of Prisons, 2005 WL 3274508, at *5 (D.D.C. Aug. 25, 2005) [login required] (citing cases) (“rejecting argument to narrowly interpret ‘actual damages’ to mean only pecuniary losses and following instead ‘the recent trend at the District Court level . . . to allow Privacy Act suits seeking general compensatory damages, such as pain and suffering and non-pecuniary losses, to proceed’ past the motion to dismiss stage”). However, make no mistake, the court saved the question of what constitutes actual damages for another day, and the OPM in this case will certainly raise this issue.


Ultimately, the Hawley case did not make it to trial and was settled. If history is any indicator, the likely outcome of the OPM class action lawsuit will be a massive settlement, rather than a trial that may result in an expansive and victim-friendly definition of “actual damages” under the Privacy Act.


Keywords: criminal litigation, actual damages, American Federation of Government Employees (AFGE), U.S. Office of Personnel Management (OPM), Privacy Act of 1974, cyber attack


Mathew A.S. Esworthy is a partner at Shapiro Sher Guinot & Sandler in Baltimore, Maryland. Aaron M. Danzig is a partner at Arnall Golden Gregory LLP in Atlanta, Georgia.


 
Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).