OPM Data Breach Lawsuit
Stueve Siegel Hanson filed one of the nation’s first class action lawsuits against the U.S. Office of Personnel Management (OPM) and government contractor KeyPoint Government Solutions Inc. relating to a 2015 breach that exposed the personal information of up to 21.5 million individuals, including their Social Security numbers, birth dates, fingerprints and addresses, among other sensitive personal information.
Following consolidation before the U.S. District Court for the District Columbia, Stueve Siegel Hanson was tasked with leading plaintiff vetting, selection, and complaint-drafting efforts in the MDL. The consolidated complaint alleges that the OPM violated the Administrative Procedure Act and Privacy Act of 1974 which requires federal agencies to establish appropriate safeguards to ensure the security and confidentiality of individuals’ records.
Defendant KeyPoint is a government contractor that was tasked with handling most of the federal background checks managed by the OPM. In December 2014, KeyPoint suffered its own cyber-security breach whereby attackers were able to access KeyPoint’s OPM credentials. The combination of KeyPoint’s data security weaknesses and the OPM’s cyber-security failures contributed to the massive scope of the OPM breach.
After the district court initially dismissed the lawsuit on Article III standing grounds in September 2017, Stueve Siegel Hanson served on the appellate team that won a full reversal before the D.C. Circuit in In re U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir. 2019).
In a published June 2019 decision, the D.C. Circuit held that the allegations support the finding that victims are at an imminent risk of harm: “There is no question that the OPM hackers ... now have in their possession all the information needed to steal [plaintiffs’] identities,” the Court held. “Plaintiffs have alleged that the hackers stole Social Security numbers, birth dates, fingerprints, and addresses, among other sensitive personal information. It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft.”
The cases have been remanded for further proceedings in the district court.