A federal court in part reversed a previous ruling in two class action suits against the Office of Personnel Management as a result of its 2015 data breach which affected more than 21 million people.

The U.S. Court of Appeals for the District of Columbia Circuit decided that the American Federation of Government Employees and the National Treasury Employees Union, as well as individual named plaintiffs, could show they had suffered harm as a result of the data breach, and that OPM had waived its sovereign immunity to lawsuits under the Privacy Act.

The appeals court also ruled that KeyPoint, the contractor hired by OPM that was compromised by hackers, was not immune. But the higher court upheld the lower court decision that said NTEU failed to demonstrate people’s constitutional right to privacy had been violated as a result of personal information being stolen from OPM.

Two cases were brought before the court against OPM and KeyPoint. In one, the plaintiffs were AFGE and 38 individuals affected by the data breach and who sought damages. The other was brought by NTEU and three of its members, which sought declaratory and injunctive relief. According to Friday’s brief, both sets of plaintiffs alleged that OPM’s cybersecurity practices were woefully inadequate, which allowed hackers to access to the agency’s storage of employee information, background investigation and security clearance data that exposed individuals to heightened risk of identity theft. They also claimed that given the time which has passed since the data breach, it is possible they will suffer future harm “traceable” to the OPM data breach.


On these points the appeals court sided with the plaintiffs.

“It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft,” the decision said, adding that some plaintiffs claimed they received fraudulent tax returns in their names or that their identifies were used to open fake credit cards.

The court did acknowledge OPM had failed to heed repeated warnings by its own inspector general cyber vulnerabilities in the agency’s networks, and that KeyPoint was at least partially to blame for the data breaches due to its failure to comply with “data security practices” called for in its contract with OPM.

An AFGE spokesman said in a statement that the union’s attorneys “are still reviewing the court’s lengthy opinion, but it looks like a positive step for our members affected by the data breach.”

But in the matter of NTEU’s claim that OPM’s data storage failures violated the Constitution, Friday’s ruling upheld the district court decision. The court said neither it nor the U.S. Supreme Court had ever defined the “precise contours of” a putative right to informational privacy granted by the Constitution.

NTEU President Tony Reardon issued a statement on the ruling, saying it was disappointed with the court’s stance on their constitutional argument.

“NTEU, however, appreciates the Court’s acknowledgment of ‘the severity and scope of OPM’s data security shortcomings. NTEU has laid bare that OPM was aware of the critical weaknesses in its system and that it has done nothing meaningful to strengthen its safeguards,” Reardon said. “Working with Congress, NTEU has secured 10 years’ worth of identity theft protection for affected federal workers, and we will continue to push for lifetime protections for these public servants whose personal data was compromised. We also expect OPM to take every precaution available to protect the information it holds so no other federal employees are ever faced with an uncertain future because their personal information has been stolen.”