On August 14, 2015, a class action was filed in the United States District Court for the District of Columbia on behalf of about 21.5 million federal employees, contractors, and job applicants whose personal information was stolen in the data breach at the U.S. Office of Personnel Management (“OPM”). The complaint is the latest of at least seven class actions against OPM and its private contractor, KeyPoint Government Solutions.
The most recent suit is notable not only because it is another suit in what some congressional representatives have called the “most devastating cyber attack in our nation’s history,” but also because it is the first suit filed since the Seventh Circuit’s decision in the Neiman Marcus data breach case granting customers standing, a key hurdle in data breach suits.
In April 2015, OPM discovered that the personnel data of 4.2 million current and former federal government employees had been stolen. While investigating that incident, in early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective federal employees and contractors. The second incident affected 21.5 million individuals.
The biggest challenge for data breach plaintiffs has been standing. In 2013, the Supreme Court held in Clapper v. Amnesty International that plaintiffs challenging the government’s surveillance power under the Foreign Intelligence Surveillance Act (FISA) did not have standing based on allegations that they could be subjects of potential surveillance. The Supreme Court stated that injury must be “certainly impending” and that allegations of “possible future injury” are not sufficient. In the data breach context, Clapper has posed problems for plaintiffs who have found it difficult to establish standing based merely on the allegation that theft of their personal data makes them more likely to be targets of potential harm. Clapper states that a plaintiff cannot establish standing based on a “speculative chain of possibilities” that might never occur. Data breach defendants have used Clapper to knock out at least ten actions by data breach plaintiffs.
However, on July 20, 2015, the Seventh Circuit held that under Clapper, risk of future harm could be enough to satisfy constitutional standing requirements in certain circumstances. In particular, according to the appellate court, “customers should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” Thus, the Seventh Circuit held that standing can be established when there is a “substantial risk” of harm and plaintiffs “reasonably incur costs to mitigate or avoid that harm.” The Seventh Circuit’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action, and it is binding on federal district court judges in Illinois, Wisconsin, and Indiana.
Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to Judge Amy Jackson of the United States District Court for the District of Columbia, who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint. It will be interesting to see if the newest and the pre-existing class actions against OPM will end up being transferred to Judge Jackson and, when a court is chosen, whether or not it will follow the Seventh Circuit’s interpretation of Clapper.