In what is quickly becoming the newest trending topic in class action litigation, another class action has been filed alleging the disclosure of employee personally identifiable information due to a cyber attack.
This time, the employer is the federal government, and another target in the lawsuit is the third party vendor allegedly used by the federal government to conduct its background checks during the time of the breach.
On June 29, 2015, the American Federation of Government Employees filed suit against the U.S. Office of Personnel Management, as well as its Director and Chief Information Officer (the “OPM Defendants”) and KeyPoint Government Solutions (“KeyPoint”), on behalf of two named plaintiffs and a putative class of 18 million current and former employees and prospective employees (the “Plaintiffs”) of the federal government whose personally identifiable information was put at risk by a massive data breach suffered by OPM, which was made public early last month (AFGE, et al. v. OPM, et al., Case 1:15-cv-01015, D.D.C., June 29, 2015).
Although the claims asserted in the case are somewhat different from those we have seen in cases filed against private employers, the types of injuries for which the employees are seeking redress are not. In their Complaint, Plaintiffs are seeking to recover damages for the following alleged injuries that they claim to have already suffered or from which they are “at increased risk of suffering”:
- “out-of-pocket costs associated with the prevention, detection, and recover from identity theft or unauthorized use of financial and medical accounts,” such as putting in place credit monitoring and obtaining credit reports;
- “lost opportunity costs” associated with putting preventative measures in place, including time spent “researching how to prevent, detect, contest and recover from identity and health care/medical data misuse”;
- costs associated with the unavailability of frozen or flagged credit or assets and complete denial of credit or use of credit;
- freezing and unfreezing of credit and penalties resulting from the unavailability of frozen credit;
- diminution in the value and/or use of their personally identifiable information; and
- the continued risk to their personally identifiable information and future costs that will be expended to “prevent, detect, contest and repair the impact” of their compromised information.
It is unclear at this time what injuries the Court will deem sufficiently non-speculative to confer standing on Plaintiffs or establish a viable cause of action.
Plaintiffs are asserting claims against the OPM Defendants for violations of the Privacy Act and the Administrative Procedure Act. However, Plaintiffs are also suing KeyPoint, which, according to the Complaint, is the OPM contractor that handled the majority of the background checks for OPM at the time of the cyber attack. As is commonplace in suits of this nature, Plaintiffs assert a garden-variety negligence claim against KeyPoint. The thrust of the negligence claim, as stated in the Complaint, is that KeyPoint owed Plaintiffs a duty of care and did not take reasonable steps to maintain and protect their personally identifiable information, especially in light of the fact that the “OPM employee data was an attractive target for cyber attackers” and KeyPoint’s cyber security systems had sustained a prior breach in late 2014.
Although the Plaintiffs in the OPM litigation do not advance a separate claim based on delayed notification of the data breach — despite the fact that Plaintiffs claim OPM delayed months in disclosing the data breach to those affected — many states have laws that require certain notifications to take place within a specific timeframe in the event of a data breach. Accordingly, employers need to make sure they are aware of such laws in the states in which their employees work and are prepared to comply with them in the event of a breach. Moreover, every company should have an information security policy in place that states what actions the employer will take in the event of a data breach. A number of the state data breach notification laws provide a safe-harbor for employers who comply with the notification procedure in their own information security policies in response to a breach.
It remains to be seen if the defendants in the OPM litigation will move to dismiss all or some of Plaintiffs’ claims and whether or not they will be successful if they do. However, the filing of this complaint serves as yet another cautionary tale about the many ways in which employees and applicants can seek to impose liability on employers in the event of a data breach. Moreover, the inclusion of KeyPoint in the lawsuit is a reminder to employers that they need to vet carefully any third party vendors to whom they entrust employee or applicant personally identifiable information. Employers should review their data security measures — as well as those of their vendors — in light of the ever-evolving threat posed by hackers. Employers need to ensure that the measures they have in place will be viewed as reasonable in light of the type of personally identifiable information that they obtain from employees (e.g., medical, financial, personal, etc.) and their history of vulnerability in this area. Companies should be expending the same level of effort to protect employee information as they do to protect consumer information. Indeed, some might argue that a company’s duty of care to its employees is greater than the duty owed to consumers. A consumer has a choice in the free market about to whom he or she gives personally identifiable information; the same cannot necessarily be said of an employee whose employer requires that certain financial information be provided by the employee in order to have a paycheck deposited or that certain medical information be provided in order to process benefits.