Data Privacy Exposure Hits the Public Sector: Lessons from the OPM Data Breach Class Action, Whistleblower Actions, and the GAO Cybersecurity Report
Data privacy litigation and enforcement actions continue to roil the private sector, most recently with the Federal Trade Commission’s (FTC) announcement of a $425 million settlement with Equifax in the wake of the Equifax data breach. Less discussed is the fact that data privacy and security risk remains very real in the public sector as well. As we recently reported, the 2019 Verizon Data Breach Investigations Report found that 16% of confirmed data breaches were in the public sector. Three recent developments highlight the breadth and scope of the threat, reflecting that federal agencies and government contractors remain vulnerable to cyberattacks and may be subject to liability for cybersecurity failures.
The OPM Data Breach Action
The District of Columbia Circuit’s June 21st panel decision in In re Office of Personnel Management Data Security Breach Litigation held that a federal agency and its private contractor were not entitled to sovereign immunity and derivative sovereign immunity, respectively, for class action claims in the wake of a data breach in which hackers allegedly used stolen contractor credentials to steal almost 21.5 million background investigation records and over 4 million federal employees’ personnel files. Specifically, the panel opinion found that the Privacy Act, 5 U.S.C. § 552a, “safeguards the public from unwarranted collection, maintenance, use, and dissemination of personal information collected in agency records” and thus “waives sovereign immunity by expressly authorizing a cause of action for damages against federal agencies that violated its rules….” Reversing the lower court, the DC Circuit panel noted that the history of agency data breaches and failure to comply with critical information security standards showed that OPM’s conduct was “willful” or “intentional,” as required to waive sovereign immunity. In addition, the panel found that plaintiffs – who alleged that they suffered credit monitoring costs, fraudulent charges, and false tax returns in the wake of the breach – had plausibly alleged actual damages as a result of the breach. Moreover, a majority of the panel found that plaintiffs alleged standing based on the increased “risk of future identity theft” as a result of the breach, consistent with the DC Circuit’s prior holding in Attias v. CareFirst; thus, it reversed the lower court and remanded for further proceedings on plaintiffs’ Privacy Act claims. By contrast, the remaining panel judge dissented in part, finding that the mere fear of identity theft in the wake of a data breach is not enough for standing where – as here – the motive of the breach appeared to be cyber-espionage, not identity theft.
Finally, the panel affirmed the lower court’s refusal to recognize claims based on a broader constitutional right to privacy that is allegedly violated when a third party steals information voluntarily submitted to a government agency.
Whistleblower Actions
Recent False Claims Act developments emphasize that government contractors may face whistleblower liability for cybersecurity failures even in the absence of any evidence of unauthorized access to their systems. For example, on August 1, New York’s Attorney General announced a $6 million multistate settlement with a government contractor in the wake of a former employee’s whistleblower action alleging that the contractor failed to disclose flaws in its security surveillance systems sold to the federal government and various states. The ensuing multistate investigation “uncovered no evidence that a hack or any unauthorized access of security surveillance systems ever took place.” Moreover, on May 8, a DC federal district court denied defendant government contractors’ motion to dismiss certain whistleblower claims under 31 U.S.C. § 3729(a)(1)(A)-(B) alleging that the contractors entered into contracts with the federal government despite knowing they did not meet the minimum cybersecurity standards required to be awarded contracts with the Department of Defense or NASA.
The GAO Report
On July 26th, the Government Accountability Office (“GAO”) released its report titled: “Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges” relaying to Congress the findings of its February 2018 through July 2019 audit of the cybersecurity readiness of 23 federal agencies. That report emphasizes that federal agencies have considerable work to do to guard against cyberattacks going forward. Specifically, the report found that 11 agencies had not developed an agency-wide cybersecurity risk management strategy, and another 5 agencies had only partially developed strategies that did not address all elements of the NIST framework. Only 6 of the 23 agencies had fully established cybersecurity policies and procedures; the GAO found gaps in the policies and procedures at the remaining 17 agencies. Just 12 of the 23 agencies had developed a process for conducting an agency-wide cybersecurity risk assessment. Eight of 23 agencies had no approach to coordinating between cybersecurity and enterprise risk management.
The above developments emphasize the importance of cybersecurity in the public sector. First, the OPM decision suggests that government entities and their private contractors cannot necessarily rely on sovereign immunity to shield them from liability for cyber breaches. OPM and its contractor have requested and received an extension until September 4, 2019 to file a motion for rehearing or rehearing en banc of the DC Circuit’s panel opinion – including its holding on sovereign immunity. One issue to watch is the standing question – whether plaintiffs who merely fear identity theft in the wake of a breach fail to satisfy the injury-in-fact threshold for standing to sue under Article III of the U.S. Constitution. As we previously reported, the federal circuit courts of appeals are split on this issue, and the Supreme Court has repeatedly denied petitions for writ of certiorari to resolve the question. The OPM opinion is unique in its focus on standing in the context of cyber-espionage breaches – which, according to the 2019 Verizon Data Breach Investigations Report, accounted for an estimated 25% of 2018 breaches overall and 42% of breaches in the public sector. Hence, any reconsideration of the majority’s view that cyber-espionage and identity theft are not mutually exclusive goals, in favor of the dissenting panelist’s narrower view, could have wide-ranging implications for both public and private sector entities’ exposure in data breach litigation. Second, recent developments in whistleblower actions reflect that government contractors may face exposure for cybersecurity deficiencies even in the absence of a data breach. Finally, the GAO Report – noting various deficiencies in the cybersecurity readiness of federal government agencies – implies that cybersecurity exposure in the public sector is likely to remain a significant issue going forward.