The country’s largest federal workers union has filed a class action lawsuit against the government agency at the center of the recent hack that exposed millions of people’s sensitive information.

The American Federation of Government Employees (AFGE) on Monday became the first to sue the Office of Personnel Management (OPM) in the wake of the massive data breach that has shaken the government.

ADVERTISEMENT

A breach at the agency, revealed in early June, compromised the personnel files on 4.2 million current and former federal employee. A second, more devastating, intrusion was acknowledged a week later. That breach laid bare the security clearance background investigations on upwards of 18 million people.

Government officials have called China the “leading suspect” in the attack. Experts believe it’s part of a Chinese digital espionage scheme to collect a comprehensive database on U.S. government workers.

The AFGE suit specifically demands a jury trial against OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour.

Both officials have come under heavy scrutiny for their responses to several inspector general reports that identified serious security vulnerabilities in the OPM networks. Many have called for their firing.

Archuleta and Seymour have been chided for not agreeing with an inspector general recommendation that 11 of the agency’s 47 computer networks be shut down because they lacked the proper security credentials. Archuleta defended the decision, arguing such a move would have caused a lapse in employee paychecks and benefits.

The AFGE lawsuit is likely not the only that will be filed against OPM over the breach. Private-sector companies felled by hackers, such as Target and Home Depot, are usually hit with a rash of suits after major data breaches.

But suing the government is much tougher.

The government often enjoys “sovereign immunity,” meaning it cannot face civil suits or prosecution over most subjects, several people said. Essentially, you cannot sue the government unless it says you can.

The law does allow exemptions for people to sue federal employees for negligence, however. There are also '70s-era laws requiring the government to protect information it collects. The decades-old statutes do not specifically address data breaches, though.

The OPM seemed to try and get out in front of the situation in its notification letter sent to victims of the breach.

“Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose,” it read.