In re OPM Data Security Breach Litigation

Whether the government's failure to safeguard sensitive personal data from a breach, and the resulting disclosure of that personal data, violated individuals' constitutional right to informational privacy and caused a cognizable injury under Article III
  • EPIC to DC Circuit: Informational Privacy is a Constitutional Right » (May. 18, 2018)
    EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.
  • FTC Strengthens Penalties Against Uber for Covering Up Data Breach » (Apr. 12, 2018)
    The Federal Trade Commission has strengthened its 2017 settlement with Uber because the company hid a massive data breach and bug bounty program in 2016. Under the revised settlement, Uber must submit all of its privacy audits to the FTC, and will face civil penalties if it fails to disclose another breach. In February 2018, EPIC advised Congress that "bug bounty programs do not excuse non-compliance with data breach notification laws." The FTC's 2017 settlement with Uber was the result of EPIC's 2015 complaint to the Commission detailing Uber's numerous privacy abuses. In public comments, EPIC advised the FTC to strengthen the settlement by making all of Uber's privacy audits available to the public.
  • DC Circuit Sets Briefing Schedule in Information Privacy Case » (Mar. 26, 2018)
    The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.
  • EPIC FOIA: CFPB Raise Further Questions About Equifax Investigation » (Mar. 26, 2018)
    Through a Freedom of Information Act request, EPIC obtained records of email communications between Consumer Financial Protection Bureau staff members regarding the Equifax data breach investigation. The emails reveal that, days before the publication of an article alleging that the CFPB had halted the Equifax investigation, a Reuters reporter contacted the CFPB to confirm certain facts about the story. At that time, the CFPB did not correct the allegations in the article but instead provided the reporter a brief official statement stating that it would not comment on ongoing investigations but that the CFPB has the "desire, expertise, and know-how, in-house, to vigorously hypothetically pursue matters such as these." In the aftermath of the Reuters Equifax article, the CFPB exchanged emails about how to respond to the story and one staffer stated, "no more specific reaction than 'reports are incorrect.'" Acting Director Mick Mulvaney has since publicly confirmed that the CFPB's Equifax investigation is still ongoing.
  • EPIC to File Brief in D.C. Circuit on Right to Information Privacy » (Mar. 15, 2018)
    EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.
  • Appeals Court Revives Data Breach Suit Against Zappos » (Mar. 9, 2018)
    A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.
  • SEC Issues Guidance on Cybersecurity Disclosures » (Mar. 5, 2018)
    The Securities and Exchange Commission has released guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they sold Equifax stock prior to informing the public of the breach. EPIC has long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the House and Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
  • Rep. Lieu Introduces Two Consumer Data Protection Bills » (Mar. 1, 2018)
    Today Rep. Lieu (D-CA) introduced two bills to safeguard consumer data: the "Protecting Consumer Information Act of 2018" and the "Ending Forced Arbitration for Victims of Data Breaches Act." The first bill will expand the Federal Trade Commission's enforcement authority over credit reporting agencies, while allowing state attorneys general to also bring enforcement actions. The second bill will prohibit entities from enforcing mandatory arbitration clauses—which prohibit consumers from filing lawsuits—in data breach cases. In a press release announcing the legislation, Rep. Lieu said, "these bills forge a path forward that can both prevent future breaches and ensure victims can seek due process when they occur." Rep. Lieu's announcement came the same day that Equifax disclosed an additional 2.4 million people were impacted by last year's data breach, bringing the total to approximately 148 million people. EPIC President Marc Rotenberg recently testified before Congress to call for comprehensive privacy legislation and the creation of a federal data protection agency.
  • Supreme Court Leaves Data Breach Decision In Place » (Feb. 20, 2018)
    The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation.
  • House Draft Data Security Bill Preempts Stronger State Safeguards » (Feb. 16, 2018)
    Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the "Data Acquisition and Technology Accountability and Security Act," that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is "reasonably likely to result in identity theft, fraud, or economic loss" and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history.
  • In Congressional Testimony, EPIC to Call For Comprehensive Privacy Law, New Privacy Agency » (Feb. 12, 2018)
    EPIC President Marc Rotenberg will testify before the House Financial Services Committee this week. Rotenberg will say that "Data breaches pose enormous challenges to the security of American families, as well as our country's national security." EPIC will call for comprehensive data protection legislation and the creation of a federal data protection agency. EPIC also challenged the decision of the CFPB Director to drop the investigation into the Equifax data breach. EPIC has repeatedly urged Congress to address the data protection crisis in the United States, warning that it endangers national security and international trade. Last year EPIC testified before the Senate in the wake of the Equifax breach, emphasizing the growing risks to American consumers.
  • Following EPIC Letter, 31 Senators Demand Answers from CFPB on Equifax Investigation » (Feb. 8, 2018)
    A group of 31 Senators wrote to Acting Director Leandra English and Director Mick Mulvaney of the Consumer Financial Protection Bureau about the agency's failure to pursue the probe of the 2017 Equifax breach. The Senators wrote that "the CFPB has a clear duty to supervise consumer reporting agencies, investigate how this breach has or will harm consumers, and bring enforcement actions as necessary." Earlier this week, EPIC urged the Senate Banking Committee to investigate the CFPB. EPIC also filed a FOIA request seeking records about Mulvaney's decision to halt the CFPB's Equifax investigation.
  • EPIC Files FOIA Request About Mulvaney's Decision to Halt CFPB Equifax Investigation » (Feb. 7, 2018)
    EPIC has filed an urgent Freedom of Information Act request for records about Acting Director Mulvaney's decision to shut down the CFPB investigation of Equifax. The 2017 data breach, likely undertaken by a foreign adversary, compromised the personal data of 143 million Americans. Last year CFPB warned that US servicemembers were at particular risk as a result of the Equifax breach. EPIC is seeking communication between Mulvaney and Equifax officials, as well as records of meetings and any related memos regarding the decision to close the investigation. In a letter to the Senate Banking Committee yesterday, EPIC recommended that the Committee undertake a thorough investigation of the CFPB's recent decision regarding the investigation.
  • EPIC Urges Senate to Investigate Mulvaney’s Failure to Pursue Equifax Probe » (Feb. 6, 2018)

    According to recent reports, the Consumer Financial Protection Bureau has shut down the investigation of the 2017 Equifax data breach that exposed the personal data of 145.5 million Americans. CFPB Acting Director Mulvaney failed to seek subpoenas or obtain sworn testimony from Equifax executives. Mr. Mulvaney also ended plans to test Equifax’s security systems, and rejected offers from regulators to assist with the investigation. EPIC urged the Senate Banking Committee to investigate, stating: “If the reports are accurate, Director Mulvaney’s failure to pursue a thorough investigation of the Equifax matter verges on malfeasance.” Last fall, EPIC President Marc Rotenberg testified at a Senate hearing on the Equifax breach. EPIC described the data breach as one of the worst in U.S. history. EPIC’s Christine Bannan also proposed steps to strengthen data protection safeguards for American consumers.

  • EPIC Advises Congress on Uber Data Breach, Bug Bounties » (Feb. 5, 2018)
    EPIC submitted a statement to the Senate in advance of a hearing to examine the October 2016 Uber breach and the value of bug bounty programs. Last fall, Uber admitted that hackers stole the data of 57 million Uber customers and drivers and that the company paid the hackers $100,000 to delete the data. This has raised legal questions about Uber's failure to notify those affected by the breach and about "bug bounty" programs, where companies pay hackers that bring vulnerabilities to their attention. EPIC explained to the Senate that, "bug bounty programs do not excuse non-compliance with data breach notification laws." EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other similar transportation companies.
  • Data Breaches on the Rise » (Jan. 25, 2018)
    2017 marked the "worst year ever" for data breaches, according to a pair of reports by Thales and the Online Trust Alliance. Data breaches nearly doubled from 2016 to 2017, and 73% of all U.S. companies have now been breached. Noteworthy were the data security failures of Equifax and Uber. In testimony before the Senate Banking Committee following the Equifax breach last year, EPIC called on Congress to enact meaningful reforms, including default credit freezes and prompt data breach notification. Two years ago, EPIC launched the DataProtection2016 campaign to promote stronger privacy safeguards in the U.S.
  • Senators Warren and Warner Introduce Bill To Hold Credit Reporting Agencies Accountable » (Jan. 10, 2018)
    Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced legislation to hold credit reporting agencies accountable for data breaches. The Data Breach Prevention and Compensation Act establishes an office of cybersecurity within the FTC to give it direct supervisory authority over the credit reporting industry and imposes mandatory penalties for breaches involving consumer data at credit reporting agencies. The bill is a direct response to the Equifax data breach last year that exposed the sensitive personal information of over 145 million Americans. "Senator Warner and Senator Warren have proposed a concrete response to a serious problem facing American consumers," said EPIC President, Marc Rotenberg. EPIC testified before Congress last year following the Equifax breach, urging legislation to give consumers more control over their credit reports. Senators Warren and Brian Schatz (D-HI) also introduced a bill last year that would allow consumers to freeze and unfreeze their credit reports for free.
  • Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds » (Dec. 6, 2017)
    The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy, including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa County violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights.
  • Senator Warner Questions Uber CEO On Why It Hid Data Breach » (Nov. 28, 2017)
    Senator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies.
  • EPIC Provides U.S. Report for Privacy Experts Meeting » (Nov. 27, 2017)
    EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy to the International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes Data Protection Authorities and experts from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of automated vehicles, the pending Supreme Court case Carpenter v. United States concerning cell phone location tracking, the U.S. investigation of the Russian interference in the 2016 election, the Equifax data breach, and more. The 62nd meeting of the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.
  • Uber Hid Massive Data Breach For Over A Year And Paid Hackers » (Nov. 21, 2017)
    Uber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies.
  • Senator Leahy Introduces Legislation To Protect Consumer Privacy » (Nov. 15, 2017)
    Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Consumer Privacy Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of the Equifax breach, calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.
  • Equifax, Yahoo Testify Before Senate on Data Breaches » (Nov. 9, 2017)
    The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems recommended an "identity framework," with fingerprints and facial recognition to replace the Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in testimony before the Senate Banking Committee. Rotenberg has detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the Senate Judiciary Committee, the House Financial Services Committee, and the House Energy Committee to establish new safeguards for consumers following the Equifax data breach.
  • Senate Restores Forced Arbitration, Undermines Data Protection » (Oct. 26, 2017)
    The Senate voted 51-50 (with Vice President Pence breaking the tie) to repeal the CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of Supreme Court rulings held that courts must enforce these clauses. Equifax generated public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced legislation that would prohibit companies from denying individuals their right to go to court. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said, the "company tried to trick consumer into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach."
  • In Senate Testimony, EPIC Calls for Reform of Credit Reporting Industry » (Oct. 16, 2017)
    EPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft.
  • EPIC Urges Congress To Hold Equifax Accountable, Update Data Protection Law » (Oct. 3, 2017)
    EPIC has sent statements to Congress ahead of hearings in the House and Senate on the Equifax data breach. EPIC underscored the risk to American consumers of data breaches which are increasingly severe. EPIC urged Congress to require prompt data breach notification, data minimization, and privacy enhancing techniques. In 2011 EPIC testified in the House and Senate on data breaches in the financial services sector. EPIC President Marc Rotenberg recently outlined in the Harvard Business Review steps Congress should now take to protect American consumers.
  • Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million » (Sep. 20, 2017)
    A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm.
  • Senators Introduce Data Breach Legislation In The Wake Of Equifax Breach » (Sep. 15, 2017)
    Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure that consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S.
  • 143 Million US Consumers Suffer Massive Data Breach, Equifax at Fault » (Sep. 8, 2017)

    In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, driver's license information, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach “represents a real threat to the economic security of Americans.” For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. But last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.

  • EPIC Backs Privacy Act Protections for "Insider Threat" Database » (Jul. 5, 2017)
    EPIC has sent comments to the Department of Justice criticizing a proposed "insider threat" database. This database replaces a similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with recent government data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases.
  • EPIC to Congress: Protect Student Privacy » (May. 2, 2017)
    EPIC has sent a statement to the House Committee on Oversight for the upcoming hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.
  • D.C. Circuit Hears Arguments in Data Breach Case » (Mar. 31, 2017)
    A federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers.
  • Yahoo Responds to Senators About Data Breach » (Feb. 24, 2017)
    Yahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • Trump Order Threatens Consumer Protection, Public Safety » (Jan. 31, 2017)
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
  • White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office » (Jan. 19, 2017)
    As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attacks. The U.S. is still one of the few democratic nations in the world without a data protection agency.
  • EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jan. 18, 2017)
    EPIC has filed a "friend-of-the-court" brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly files briefs defending consumer privacy.
  • EPIC Urges TSA to Drop REAL ID Data Collection Plan » (Jan. 10, 2017)
    In comments to the TSA, EPIC urged the agency to abandon a proposed information collection plan under the REAL ID Act. REAL ID is a federal to turn the state driver's license into a national identity statement. Many states have opposed REAL ID. The TSA now plans to subject Americans, without a TSA "compliant" ID, to broad information collection requirements. EPIC, supported by a broad coalition, opposed REAL ID because it compromised privacy and enabled government surveillance. EPIC provided detailed comments to DHS later issued a report. Since adoption of REAL ID, many states have suffered data breaches of DMVs because of criminals seeking REAL ID mandated documents.
  • White House Issues Data Breach Guidance for Federal Agencies » (Jan. 4, 2017)
    The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personnel Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
  • Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach » (Dec. 15, 2016)
    Yahoo announced this week that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are among the victims. Yahoo's earlier breach drew wide-ranging concern from U.S. Senators to European privacy officials. EPIC testified in support of strong data breach notification laws in 2009 and 2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • EPIC Scrutinizes FBI "Insider Threat" Database » (Oct. 20, 2016)
    In comments to the FBI, EPIC criticized a proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. Earlier this year, EPIC filed comments with DOD and DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards.
  • Senators Seek Answers About Yahoo's Massive Data Breach » (Sep. 27, 2016)
    Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach » (Sep. 22, 2016)
    Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
  • House Report Criticizes OPM Handling of Massive Data Breach Last Year » (Sep. 7, 2016)

    In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

  • Data Protection 2016: Nationwide Hotel Data Breach » (Aug. 15, 2016)
    Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
  • EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jul. 20, 2016)
    EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy.
  • NY Attorney General Reports 40% Increase in Data Breaches » (May. 5, 2016)

    New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

  • California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable » (Feb. 18, 2016)
    A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
  • Hackers Breach US Government Database, No Recourse for Non-Americans » (Feb. 9, 2016)
    Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States.
  • Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
    In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers.
  • Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
    A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data.
  • California AG Urges Congress to Reform Data Breach Notification Bill » (May. 21, 2015)
    California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy.
  • EPIC Launches State Policy Project » (May. 5, 2015)
    EPIC has launched the EPIC State Policy Project to track legislation across the country concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.
  • House Reconsiders Data Breach Bill » (Apr. 15, 2015)
    Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. Rep. Frank Pallone and others have raised concerns. EPIC previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks.
  • Data Breach Bill Would Preempt State Law, Weaken FCC Authority » (Mar. 13, 2015)
    Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
  • Anthem Breach Shows Risks of "Big Data" » (Feb. 5, 2015)
    One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the President's Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies to limit the risks of data breaches.
  • EPIC Urges House to Safeguard Consumer Privacy » (Jan. 26, 2015)
    EPIC has sent a statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "algorithmic transparency." EPIC has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft, security breaches, and financial fraud.”
  • Data Breach Legislation Moves Forward in the Senate » (Sep. 26, 2011)
    Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
  • California Passes Updated Data Breach Legislation » (Sep. 1, 2011)
    California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
  • House Subcommittee Approves Weak Data Breach Bill » (Jul. 21, 2011)
    A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
  • In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act » (Jun. 21, 2011)
    EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector" follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation.
  • EPIC Testifies in Congress on Data Breach Legislation » (Jun. 15, 2011)
    EPIC Executive Director Marc Rotenberg testified today before the House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono-Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasised the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge. Webcast
  • Epsilon Data Breach Threatens E-mail Privacy of Millions » (Apr. 7, 2011)
    Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft.
  • Senate Holds Hearing on Data Security and Breach Notification Bill » (Sep. 24, 2010)
    The Senate Commerce Committee held a hearing on S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see EPIC: Identity Theft.
  • California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy » (Oct. 16, 2009)
    Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.
  • New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
    Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
  • EPIC Submits Comments on Health Breach Notification to the FTC » (Jun. 1, 2009)
    The Federal Trade Commission proposed a rule requiring notification when the security of medical information is compromised. EPIC recommends that all entities handling health records be subject to standard security. EPIC also recommends tightening exemptions for de-identified data, enhancing media notification of health data breaches, ensuring additional breach notification through means such as text messages and social networking sites, and verifying receipt of notifications. See also EPIC's Page on Medical Privacy.

“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has ‘by the affirmative exercise of its power’ taken the data and ‘so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s ‘affirmative duty to protect’ the data ‘arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”
A. Michael Froomkin, Government Data Breaches, 24 Berkeley Tech. L.J. 1019, 1049 (2009), as quoted in In re OPM Data Security Breach Litigation, 266 F.Supp.3d 1 (D.D.C. 2017).

Summary

In Re: U.S. Office of Personnel Management Data Security Breach Litigation, Nos. 17-5217, 17-5232, concerns constitutional and statutory claims based on data breaches that affected 22 million federal employees and family members in 2015. The Office of Personnel Management (“OPM”) disclosed that hackers had stolen troves of data on federal employees in two separate breaches. The stolen information included names, birthdates, current and former addresses, and Social Security numbers. In 2015, the American Federation of Government Employees ("AFGE") and individual government workers filed a class action lawsuit against OPM, alleging that the breach stemmed from gross negligence by federal officers and violated both federal and state laws. A separate suit was brought by the National Treasury Employees Union ("NTEU") alleging a violation of federal employees' constitutional right to informational privacy. On September 19, 2017, the U.S. District Court for the District of Columbia granted OPM’s motion to dismiss both suits. The court concluded that the NTEU plaintiffs failed to "allege a legally cognizable constitutional claim" and that only the two named plaintiffs who suffered out-of-pocket identity theft expenses could establish standing to sue under Article III. On appeal, the D.C. Circuit is evaluating the grounds for dismissal and determining both the scope of the constitutional right to informational privacy and the application of Article III standing doctrine to data breach victims.

Background

Factual Background

Defendant OPM is a federal agency that handles portions of the federal employee recruitment process. Defendant KeyPoint Government Solutions (“KeyPoint”) is a private contractor that conducts background investigations and security clearance checks for OPM. Plaintiffs are victims of alleged OPM data breaches that occurred in 2013 and 2014. Several times, hackers infiltrated OPM’s systems and stole sensitive information, including security system documents and electronic manuals about the agency’s systems and the user log-in credentials of a KeyPoint employee. The login information was subsequently used to access OPM’s network and install malware, creating “a conduit through which data could be ex-filtrated.” This breach affected nearly 22 million federal employees and family members. Hackers had stolen information including federal employees’ names, birthdates, current and former addresses, and Social Security numbers.

On April 27, 2015, OPM notified approximately 48,000 federal employees that their personal information might have been exposed in a data breach that compromised about 4.2 million federal employees and contractors. On June 12, 2015, OPM announced that the scope of the breach was broader and likely affected 14 million. On July 9, 2015, this number again increased to almost 22 million, the majority of which was information included in background checks. The agency notified each individual whose private information had been compromised and offered free identity theft protection services for up to three years, depending on the sensitivity of the information.

Procedural Background

A number of lawsuits were filed around the country after the data breaches had been announced. The United States Judicial Panel on Multidistrict Litigation consolidated the cases before the District Court of the District of Columbia. In the consolidated complaint, the AFGE plaintiffs alleged that OPM violated the Privacy Act, the Little Tucker Act, and the Administrative Procedure Act, and that KeyPoint is liable for “negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and various state statutes governing unfair and deceptive trade practices and data security.” Plaintiffs seek declaratory and injunctive relief against both OPM and KeyPoint. The NTEU plaintiffs alleged that the disclosure of their personal information by the federal government violated their constitutional right to informational privacy.

OPM and KeyPoint each filed motions to dismiss the complaint, arguing that the court lacked subject matter jurisdiction and that plaintiffs do not have standing. Furthermore, defendants argued that they are protected by sovereign immunity and plaintiffs failed to state a claim upon which relief could be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure.

The lower court focused on the question of whether the NTEU plaintiffs could assert a violation of their constitutional right to informational privacy and whether the AFGE plaintiffs had standing under Article III. As to the right to informational privacy, the lower court provided a detailed overview of the cases that have gone before the Supreme Court and the D.C. Circuit addressing the right to informational privacy. The court discussed the three Supreme Court cases that addressed the constitutional right to privacy: NASA v. Nelson, Nixon v. Adm'r of Gen. Servs., and Whalen v. Roe. In these cases, while the holding did not ultimately hinge on finding a violation of the constitutional right to informational privacy, the Court did assume the existence of such a right. For instance, in discussing Whalen, the court re-emphasized that "the government's right to collect and use private data for public purposes is 'typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures,' and 'that in some circumstances, that duty arguably has its roots in the Constitution.'" Also, the court cited Nixon in establishing that "when Government intervention is at stake, public officials, including the President, are not wholly without constitutionally protected privacy rights in matters of personal life unrelated to any acts done by them in their public capacity."

The lower court opinion also cited Professor Michael Froomkin's article on Government Data Breaches, stating:

"when the State takes a person's data and holds it in a fashion outside the person's control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has 'by the affirmative exercise of its power' taken the data and 'so restrain[ed]' it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government's 'affirmative duty to protect' the data 'arises … from the limitation which it has imposed on his freedom to act on his own behalf' to keep the data secure."

Nonetheless, the court found that, similar to other cases acknowledging the constitutional right to privacy, it would "avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so."

As to standing, the court distinguished a data breach caused by a cyberattack against the United States from other cases (including CareFirst) involving breaches of retail establishments and financial entities. The court posited that a data breach resulting from a cyberattack on the United States might not have been carried out for the purpose of facilitating identity theft.

Ultimately, the lower court granted defendants’ motion to dismiss, citing the failure of the NTEU plaintiffs to state a claim under the Constitution and the failure of the AFGE plaintiffs to meet the Article III standing requirements and the Privacy Act damages requirements.

Both sets of plaintiffs filed appeals in the D.C. Circuit. The NTEU plaintiffs' appeal was docketed on September 27, 2017, No. 17-5217. The AFGE plaintiffs' appeal was docketed on October 12, 2017, No. 17-5232.

EPIC's Interest

EPIC has a strong interest in ensuring privacy lawsuits proceed to redress the harms of privacy violations and ensure greater privacy protections thereafter. EPIC has long argued that data breach victims should not have to wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC filed comments last year with OPM recommending limits on data collection; has recommended updates to the federal Privacy Act; and has urged the Supreme Court to recognize a right to “informational privacy” and to ensure Privacy Act damages for non-economic harm.

In NASA v. Nelson, 562 U.S. 134 (2011), EPIC filed an amicus brief arguing that the right to informational privacy is well recognized and that NASA violated that right when it required contractors to submit sensitive personal data without adequate protections. The Supreme Court found that the government's invasive background checks for government contractors implicated "a privacy interest of Constitutional significance." The Court had earlier recognized in Whalen v. Roe, 429 U.S. 589 (1977), that the constitutional right to informational privacy protects "the individual interest in avoiding disclosure of personal matters," and had also considered the right in Nixon v. Administrator of General Services, 433 U.S. 425 (1977). The Court in NASA confirmed that both of these seminal cases recognized a constitutional right to informational privacy. EPIC subsequently filed amicus briefs in Sorrell v. IMS Health, Inc., 564 U.S. 552 (2011), arguing that data-mining of prescriber information implicates the constitutional right to informational privacy, and in Doe v. Luzerne County, 660 F.3d 169 (3d Cir. 2011), arguing that the Constitution protects public employees from surreptitious video surveillance while undressed as they shower at their workplace.

EPIC has also filed several briefs in cases concerning the right of individuals to seek redress for data breaches. In 2017, EPIC filed a brief in the D.C. Circuit in Attias v. CareFirst, Inc. In 2016, EPIC filed a brief in the Eighth Circuit in In re Supervalu Consumer Data Security Breach Litigation, which involved a question very similar to the one in CareFirst. EPIC also filed a brief on this issue in the Third Circuit in Storm v. Paytime, Inc. EPIC argued that consumers are facing an unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.

In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.

Legal Documents

United States Court of Appeals for the D.C. Circuit, No. 17-5232

United States District Court for the District of Columbia, No. 15-1394

News
