A few weeks after the massive breach of private data from the Office of Personnel Management (OPM), some legal experts claim that federal employees affected by the breach can take action against the United States government.
The Washington Post reports that despite the notifications the OPM is sending out to current and former employees who might be affected, some of the employees feel the action doesn’t go far enough. The breach, which some people believe was perpetrated by the Chinese government, exposed the Social Security numbers, dates of birth, addresses, and other personal information of nearly four million federal employees. The OPM is providing victims with 18 months of credit monitoring and identity theft safeguards, but many worry that once those protections expire, the victims will still be vulnerable to fraud.
As a result, legal experts and even some of the victims are talking about the possibility of filing lawsuits against the agency or the federal government in general. Marc Rotenberg, the executive director of the Electronic Privacy Information Center, claims that there are laws in place that uphold a victim’s right to take the OPM to court.
“The Privacy Act of 1974 clearly placed an obligation on federal agencies to protect information they collected,” Rotenberg said. “It also created a mechanism for people to bring lawsuits against agencies that failed to safeguard information in their protection.”
However, there are a few problems with Rotenberg’s interpretation. First, the OPM took initial precautions against litigation in a letter it sent out to federal employees affected by the hack. “[N]othing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose,” the letter said. “Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law.”
Second, the Privacy Act does not include anything about cyberattacks (which makes sense given when the law was passed), making any potential lawsuit against the government problematic.
Still, Rotenberg is convinced that victims could argue in court that the government was so negligent in protecting the data of its employees that its actions were tantamount to “willful disclosure.” The agency, after all, reviewed internal documents from its Inspector General that warned it about lapses in cyber protection.
“The agency was on notice that it had a security problem and failed to rectify it,” he said.
There are already several laws on the books that protect victims against digital fraud. Any CEO or CFO who makes false certifications in their digital content, for example, is subject to penalties such as a $5 million fine or a jail sentence of up to 20 years.
For its part, the OPM is steadfast in its claim that it bears no responsibility for the cyberattack. “The intrusions into OPM’s systems were criminal acts committed by unknown adversaries for criminal purposes,” an agency spokesperson told the Washington Post. “As a result, we have done and continue to do everything possible to protect the security of OPM systems and the records contained in those systems. We will also continue to contact those who may have been affected, and to offer credit monitoring.”