Every month, it seems, there is another major cyber-attack on a U.S. corporation or government agency. The July 9, 2015, report of 21.5 million Social Security numbers stolen from the Office of Personnel Management (OPM) is the latest – but surely will not be the last. And, as night follows day, each breach spawns new litigation. 

Unlike the recent attacks on corporations like Sony Pictures and Anthem, however, OPM has an additional and powerful defense: sovereign immunity. Two recent suits filed by labor unions against OPM will put this defense to the test.

Background on sovereign immunity

Thanks to sovereign immunity (or “governmental immunity” in the case of state political subdivisions), any suit against a federal or state agency or subdivision is an uphill battle. 

The United States enjoys sovereign immunity from suits against the federal government or any of its agencies absent a waiver of immunity, which can only be granted by Congress through statute. See Christopher M. Ernst, Ernst Tort Law (Second), Baldwin’s Ohio Practice, Vol. 4, § 69.2, pp. 821-22. Any waiver of sovereign immunity must be strictly construed in favor of the United States. Id. at § 69.3, p. 822.

Foreign governments are generally immune from the jurisdiction of U.S. courts under the Federal Sovereign Immunities Act (FISA). Id. at § 69.4, p. 822.

In Ohio, governmental immunity for political subdivisions is established under Revised Code Section 2744. Qualifying subdivisions are defined in 2744.01(f). The Ohio Supreme Court has described the procedure for determining the applicability of immunity under the Code as a three-tiered analysis:

  1. First, R.C. 2744.02(A) sets forth the general rule of immunity that political subdivisions are “not liable in damages in a civil action for injury, death, or loss to person or property allegedly caused by any act or omission of the political subdivision.”
     
  2. The immunity afforded a political subdivision in R.C. 2744.02(A)(1) is not absolute, but is, by its express terms, subject to the five exceptions to immunity listed in former R.C. 2744.02(B). Thus, once immunity is established under R.C. 2744.02(A)(1), the second tier of analysis is whether any of the five exceptions to immunity in subsection (B) apply. 
     
  3. Finally, under the third tier of analysis, immunity can be reinstated if the political subdivision can successfully argue that one of the defenses contained in R.C. 2744.03 applies.

See Cater v. City of Cleveland (Ohio 1998), 83 Ohio St.3d 24, 28, 697 N.E.2d 610 (citations omitted).

Recent suits against OPM

Despite the hurdles, at least with respect to data breaches, plaintiffs are demonstrating their willingness to continue probing for vulnerabilities to sovereign and governmental immunity. 

On June 29, 2015, the American Federation of Government Employees and representative members filed a class action suit against OPM and other defendants for their failures related to securing the information of its members. The complaint includes counts for violations of the Privacy Act of 1974, violations of the Administrative Procedure Act, negligence, and declaratory judgment and seeks damages, attorney’s fees and injunctive relief.

On July 8, 2015, the National Treasury Employees Union also sued the OPM, alleging that OPM’s reckless failures to safeguard its data were violations of its 85,000 members’ constitutional right to privacy. The NTEU filed its complaint one day before the media reported that OPM’s estimate of the number of affected individuals had increased from four million to 21.5 million people. The complaint does not include a claim for damages but, instead, limits its prayer to declaratory and injunctive relief.

The implications

If one of these or future cases succeeds in breaching the sovereign immunity barrier, it could establish new pathways for individuals and businesses to sue the federal and state government for the harm caused by the government’s failure to secure their data. Absent legislative action eliminating such pathways, the current regulatory regimes operated by government agencies, which depend upon the collection and storage of massive amounts of personal and corporate data, would likely become economically infeasible to maintain in their present state.

One could speculate that heightened exposure to civil damages could prompt positive reforms in the government’s security apparatus for the personal and business data it collects. Certainly there is already a high degree of focus within government to improve data security, both from a technological and human standpoint. However, it is presently unclear whether and how such improvements to the cybersecurity problem will succeed in stemming the tide of ever more sophisticated attacks. As such, look for government agencies to attempt to shift more of the burden of data storage – and security – onto the individuals and businesses they regulate.