AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.) - 442 U.S. App. D.C. 42, 928 F.3d 42 (2019)

Rule:

The irreducible constitutional minimum of standing consists of three elements. First, plaintiffs must demonstrate that they suffered an injury in fact that is concrete and particularized and actual or imminent, not conjectural or hypothetical. An allegation of future injury passes U.S. Const. art. III, § 2, cl. 1, muster only if it is certainly impending, or there is a substantial risk that the harm will occur. Second, plaintiffs must demonstrate causation; that is, they must show that their claimed injury is fairly traceable to the challenged conduct of the defendant. Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs' injuries; it requires only that those injuries be fairly traceable to the defendant. And third, plaintiffs must demonstrate that it is likely, as opposed to merely speculative, that their injury will be redressed by a favorable decision.

Facts:

In 2014, cyberattackers breached multiple U.S. Office of Personnel Management ("OPM") databases and allegedly stole the sensitive personal information—including birth dates, Social Security numbers, addresses, and even fingerprint records—of a staggering number of past, present, and prospective government workers. Due to the breach, several complaints were filed which were consolidated into two complaints: one filed by the National Treasury Employees Union (“NTEU”) and three of its members, and another filed by the American Federation of Government Employees on behalf of several individual plaintiffs and a putative class of others similarly affected by the breaches. Both sets of plaintiffs alleged that OPM's cybersecurity practices were woefully inadequate, enabling the hackers to gain access to the agency's treasure trove of employee information, which in turn exposed plaintiffs to a heightened risk of identity theft and a host of other injuries. The district court dismissed both complaints for lack of Article III standing. The district court also held that the complaint filed by the American Federation of Government Employees failed to plausibly allege a Privacy Act claim and that NTEU Plaintiffs' complaint failed to state a constitutional claim. The plaintiffs appealed. 

Issue:

1. Did the plaintiffs lack Article III standing to institute the complaints? 
2. Did both complaints fail to state a claim?  

Answer:

1) No. 2) No.

Conclusion:

The court reversed the district court’s judgment in part and affirmed in part. The court first held that the union members alleged facts sufficient to satisfy U.S. Const. art. III, § 2, cl. 1, standing where the claimed loss of a constitutionally protected privacy interest and the ongoing and substantial threat to that privacy interest were concrete, particularized, and actual injuries, the claimed injuries were plausibly traceable to OPM's challenged conduct, and the ongoing and substantial threat was redressable by requiring OPM to immediately correct deficiencies in its cybersecurity programs. The court also held that the American Federation of Government Employees sufficiently alleged standing where the incidents of identity theft that had already occurred supported an inference that they faced a substantial risk of future identity theft. Anent the second issue, the court held the American Federation of Government Employees have stated a claim for damages under the Privacy Act, and have unlocked OPM's waiver of sovereign immunity, by alleging OPM's knowing refusal to establish appropriate information security safeguards. However, the court agreed with the district court in holding that the NTEU Plaintiffs' complaint have not alleged any violation of a constitutional right to informational privacy.