On June 21, 2019, the DC Circuit doubled down on its August 2017 decision in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), reviving litigation against the US Office of Personnel Management (OPM) and its vendor that was filed following a highly publicized data breach OPM suffered in 2014. In the ruling, the court concluded that a heightened risk of identity theft was enough to clear what it characterized as a “low bar” for establishing standing at the pleading stage.
In reaching this conclusion, the DC Circuit remains aligned with the Sixth, Seventh and Ninth Circuits, which have concluded that a heightened risk of identity theft alone can provide data breach litigants with standing to pursue their claims. The DC Circuit's decision, however, remains at odds with decisions issued by the Second, Third, Fourth and Eighth Circuits, all of which have found similar allegations insufficient to satisfy Article III standing requirements – deepening the circuit split on this critical issue.
The OPM data breach
The litigation arose out of a data breach suffered by the OPM, which serves as the federal government's chief human resources agency. The breach resulted in the theft of social security numbers, birth dates and residency details for 21.5 million current, former and prospective federal employees, along with 5.6 million sets of fingerprints.
As is typical of high-profile data breaches, numerous class actions were filed and ultimately consolidated by the Judicial Panel on Multidistrict Litigation before the US District Court for the District of Columbia. Unlike many data breach litigation cases, however, the plaintiffs pursued just one claim on appeal against OPM, a violation of Section 552a(e)(10) of the Privacy Act of 1974, reserving the standard common-law and statutory claims for KeyPoint Government Solutions, the OPM's third-party private investigation and security firm through which the hackers were able to gain access to the OPM records. According to the complaints, some of the individuals whose information was stolen experienced incidents of financial fraud and identity theft, while others did not. The latter category of individuals, however, alleged that they remained concerned about the ongoing risk that they could also become victims of financial fraud and identity theft in the future.
The district court found the plaintiffs' complaint provided an insufficient basis from which to infer that the plaintiffs faced any meaningful risk of future identity theft, much less a substantial one. But the DC Circuit, in a per curiam opinion, disagreed, relying heavily on the type of personal identifying information compromised in the breach: “It hardly takes a mastermind to imagine how such information could be used to commit identity theft . . . . Moreover, unlike existing credit card numbers, which, if compromised, can be changed to prevent future fraud, Social Security numbers and addresses cannot so readily be swapped for new ones. And, of course, our birth dates and fingerprints are with us forever.”
The government had argued that the motivation of the hacker (widely reported to be the Chinese government rather than an individual) made the plaintiffs’ alleged fear of future harm implausible, and the district court had concurred. The DC Circuit, however, rejected that argument. In doing so, the DC Circuit chastised the district court for conducting “its own extra-record research and then draw[ing] inference from that research in [the defendants'] favor.” The court found that while a nation-sponsored cyberattack on a government system might be motivated by a purpose other than identity theft, the two are not mutually exclusive. The court concluded that the type of information stolen combined with the alleged misuse of that information alleged by some of the named plaintiffs made it just as plausible that identity theft was one of the hacker's goals.
Based on the allegations of actual fraud, the court was also able to distinguish the OPM case before it from the Fourth Circuit’s decision in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) and the Third Circuit's decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). Neither involved allegations of intentional targeting of information or subsequent misuse of the compromised information, which according to the DC Circuit, justified those courts' decisions.
Finally, the court dismissed the defendants claims that plaintiffs' charges of causation relating to the allegations of actual fraud were insufficient, even though the complaint lacked specifics regarding the nature and timing of the alleged fraud.
In addition to concluding that the plaintiffs had standing, the DC Circuit rejected the OPM's sovereign immunity argument, finding that the plaintiffs had successfully unlocked the Privacy Act's waiver of sovereign immunity by alleging a “willful” violation of the Act’s requirements and stating a cognizable claim for damages under the Act. The DC Circuit also rejected KeyPoint's argument that it was entitled to derivative sovereign immunity, finding that the plaintiffs'allegations that KeyPoint failed to adhere to the OPM's explicit instructions and federal law standards deprived KeyPoint of such a claim.
Although the Supreme Court has repeatedly denied writs of certiorari seeking clarity on the issue of standing in data breach litigation cases, including most recently in In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018), cert. denied, 139 S.Ct. 1373 (2019), the DC Circuit's opinion demonstrates the continuing need for clarity in this area. Defendants' risk of exposure and plaintiffs' ability to seek relief following a data breach should not depend solely on the geographic location where the motion to dismiss is ultimately heard.
The decision is also significant for its conclusion that harm and damages can be inferred despite extrinsic evidence that the cyberattack was orchestrated for purposes other than identity theft. While the extent to which a court may consider matters outside the pleadings for purposes of resolving a motion to dismiss can differ across jurisdictions, the DC Circuit's opinion demonstrates its exceedingly narrow view of what a court may properly consider on a motion to dismiss. Indeed, it provides little solace to defendants who are forced to defend against a complaint in which plaintiffs have purposefully avoided including allegations of attribution, particularly when signs point to a nation state perpetrator with alternative motives.
Like several cases before it, this decision continues to demonstrate the importance of vendor management: regardless of contractual rights, data owners can and will be held responsible for the security lapses of their vendors.
Finally, the DC Circuit's decision is one of the first involving a federal government agency and shows that even the federal government and its vendors are not immune from the tidal wave of data breach cases sweeping the private sector.
Learn more about the implications of this ruling for your business by contacting the author or your usual DLA Piper lawyer.