Victims of the massive data breach at the Office of Personnel Management (OPM) have no legal recourse, according to a DC federal court ruling this week.
The decision cuts down a class action lawsuit filed on behalf of some of the 21 million Americans who had their names, addresses, and social security numbers exposed in a cyber intrusion against OPM in 2015, allegedly by Chinese hackers.
Those affected were primarily current, former, and prospective government employees. Interest groups and labor organizations, on their behalf, are seeking damages from OPM and federal IT contractor KeyPoint Government Solutions, which managed the agency’s breached systems.
District Judge Amy Berman Jackson temporarily halted the suit on Tuesday, finding that the victims of the breach have no legal standing.
“There is no authority for the proposition that the Constitution gives rise to an affirmative duty–separate and apart from the statutory requirements enacted by Congress–to protect the information in any particular manner from the criminal acts of third parties,” Judge Jackson said in her ruling.
“No court has expressly recognized a right to data security arising under the Constitution,” she added.
Jackson said that she wanted “to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general.” She also told plaintiffs that they needed to prove the OPM breach caused “actual economic harm.”
“The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken,” Judge Jackson stated.
The court further found that KeyPoint didn’t violate any provisions of its contract or engage in illegal behavior and, thus, couldn’t be held liable due to government contractor immunity provisions.
Plaintiff groups like the National Treasury Employees Union (NTEU) and the American Federation of Government Employees (AFGE) reacted to the ruling, and promised to swiftly move to overturn it.
“We immediately appealed the district court’s decision to the US Court of Appeals for the D.C. Circuit,” said NTEU President Tony Reardon in a statement, according to Courthouse News.
The AFGE said it was “disappointed” with the judge’s “unduly narrow view of the rights of data breach victims.”
“OPM failed to keep our most private and sensitive information from getting into the hands of Chinese hackers,” the labor group said in a statement.