A few weeks ago, the Department of Justice (DOJ) asked the D.C. Circuit for panel rehearing and rehearing en banc of its ruling in American Federation of Government Employees v. OPM, 928 F.3d 42 (D.C. Cir. 2019), decided last June. The District Court had dismissed the case, saying that plaintiffs – victims of the massive Office of Personnel Management (OPM) data breach from 2014 – lacked standing to sue (and that any plaintiffs with standing had failed to state a claim).

A divided panel of the D.C. Circuit reversed, holding that the case could go forward. Now DOJ wants the court to take another look, and just this week, plaintiffs filed their opposition to DOJ’s request.

The case illustrates a recurring problem in data breach litigation: how to reconcile our intuitive, common-sense understanding of the risk of harm (the risk of identity theft) with the three-part test for Article III standing laid out in Spokeo (a “concrete and particularized” injury in fact, “fairly traceable” to the defendant, that can be redressed by a win in court).

How can risk – something that has not yet led to actual harm – constitute a sufficiently “concrete” injury to support standing?

The D.C. Circuit had no problem concluding that plaintiffs’ allegations regarding causation and redressability were adequate. Plaintiffs clearly claimed that OPM (and a contractor) had not adequately secured OPM’s systems, and money damages could redress the plaintiffs’ harms. The question, in the words of the court (quoting Clapper v. Amnesty International) was whether there was a “substantial risk” that some potential future harm – identity theft – will occur.

The court parsed the question this way:

  • First, identity theft – the harm that data breach plaintiffs were worried about – would be a concrete injury if it were to occur.
  • Second, the hackers who got into OPM’s databases took all the information they needed to engage in identity theft – birthdates, social security numbers, and more.
  • Third, while the OPM hackers may have had other motives too (see below), identity theft was likely one of their goals.

As the court observed (quoting the 7th Circuit), “why else would hackers break into a … database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Given all this, the risk of identity theft was sufficiently concrete to support standing.

Basically, in the court’s view, as long as plaintiffs allege that hackers have extracted enough sensitive information to commit identity theft, then their intent to do so is presumed, which is enough to support standing.

DOJ, in its petition for rehearing, doesn’t seem to disagree with that logic in the normal data breach case. But, says DOJ, things here aren’t that simple. According to DOJ, this case is different because of the nature of the hack itself, as laid out in Judge Williams’ partial dissent.

Judge Williams noted that hacking a government database is not the same as hacking a private, commercial database. Relying on Ashcroft v. Iqbal, 556 U.S. 662 (2009), he argued that plaintiffs have to show that the facts they allege in support of standing are not reasonably subject to an alternative explanation that is inconsistent with standing.

Here, as Judge Williams saw it, the likely purpose of the OPM hackers wasn’t “small potatoes” identity theft – it was espionage against the United States. If the information had been stolen from a commercial enterprise, Judge Williams would likely have agreed with the majority that the case could proceed. But because this was a government database, likely hacked by or at the behest of a foreign power, identity theft was likely not the motive.

In Judge Williams’ view, this meant that the plaintiffs’ allegations regarding standing – at least for plaintiffs who had not already been subject to identity theft – weren’t good enough under Iqbal. The bulk of DOJ’s petition for rehearing is devoted to this point, although they also argue that the plaintiffs’ alleged monetary harms were not sufficient actual injury to support a Privacy Act claim.

There is clearly some strength to the claim that the OPM hackers were interested in espionage, not identity theft. Indeed, the relatively small number of claimed instances of identity theft, even several years after a major breach involving millions of people, does suggest that identity theft was not the hackers’ main focus.

But should that defeat standing in this case? In this regard, DOJ’s argument might prove too much. Interpreting Iqbal to require plaintiffs in a government hacking case to plead facts showing that espionage was not the motive could effectively insulate the government from any data breach claim under the Privacy Act.

When would a hack of a government database not be subject to an argument that the real purpose of the hack was espionage? And how could private plaintiffs, with no access to counterintelligence information, allege in good faith that the hack was motivated by greed alone?

The plaintiffs’ opposition gives short shrift to the DOJ’s (and Judge Williams’) notion that this is really a spying case. They emphasize that some plaintiffs have already experienced identity theft. They also argue that once sensitive data is hacked, it can be passed on from one bad actor to another, so that even if the original hack was espionage by a foreign power, the sensitive data can be reused for plain old identity theft by plain old criminals.

The essence of their argument is that what matters is that the sensitive data is now “out there,” not the motives of the original hackers.

The court may decide to deny DOJ’s request without opinion – a not uncommon resolution of requests for rehearing en banc. But given the nature of DOJ’s arguments, it will be interesting to see whether, and how, the court responds. And regardless of what the D.C. Circuit does, this case may be destined for Supreme Court review.