<b><i>Online Extra:</b></i> DOJ Wants Massive Government Data Breach Suits Consolidated

By Amanda Bronstad
October 01, 2015

It was the worst data breach in the history of the U.S. government, and now the Justice Department says the ensuing lawsuits filed in six different jurisdictions belong in a single court in Washington, D.C.

On Oct. 1, the U.S. Judicial Panel on Multidistrict Litigation in New York was set to hear arguments on a motion filed in July by DOJ trial lawyers who want to coordinate what are now eight lawsuits pertaining to the massive data breach last summer at the U.S. Office of Personnel Management.

The first breach, announced on June 4, compromised the personnel files of more than 4 million current and former federal employees. A second hack compromised the personal information of more than 21 million people who applied for security clearances, including'judges'and judicial staff.

This month, the OPM awarded a $133 million contract to provide identity theft protection for those affected by the hacks.

A Justice Department spokeswoman declined to comment about the lawsuits.

Most of the lawsuits are class actions filed on behalf of current, former and prospective federal government employees, contractors and family members who, citing the reports of OPM's Office of the Inspector General, claim that the agency has been negligent since 2007 in failing to prevent cybersecurity hacks. They assert claims under the Privacy Act of 1974, which prohibits the disclosure of records maintained by government agencies, and the Administrative Procedure Act, which controls the way in which U.S. administrative agencies regulate. They seek damages for identify theft and costs tied to credit monitoring and frozen accounts.

One class action was brought by the American Federation of Government Employees, AFL-CIO, which represents about 650,000 government employees. Another labor union, the National Treasury Employees Union, which represents 150,000 federal workers, brought an individual case against former OPM director Katherine Archuleta, who'resignedon July 10 following several contentious hearings on Capitol Hill. NTEU is opposing consolidation with the other OPM cases.

'We have a single claim, a constitutional claim, based on the constitutional right to informational privacy, which is an amorphous right that is firmly established,' said Paras Shah, assistant general counsel at NTEU. 'The primary thing we want to have happen is for OPM to adequately secure its IT databases.'

The cases were brought in federal courts in the District of Columbia, Colorado, Kansas, Georgia, Idaho and California. Plaintiffs lawyers in the class actions have supported consolidation in the District of Columbia or Colorado, where another defendant, KeyPoint Government Solutions, the contractor that handled many of the background checks, is based in Loveland. Jason Mendro, a partner in the Washington office of Gibson, Dunn & Crutcher, who represents KeyPoint, did not respond to a request for comment.

One case was brought by Teresa McGarry, an administrative law judge in the Social Security Administration's Office of Disability Adjudication and Review in Jacksonville, Florida, who has had two background checks done. She also named the U.S. Department of Homeland Security, which was tasked with overseeing a program to detect cyberattacks of federal government databases.

The cases also name OPM Acting Director Beth Cobert; U.S. Ambassador to Australia John Berry, who was OPM director from 2009 to 2013; OPM Chief Information Officer Donna Seymour; and U.S. Court of Federal Claims Judge Elaine Kaplan, former OPM general counsel who served as the agency's acting director in the months before Archuleta came on board in 2013.

The MDL panel typically rules on consolidation motions a few weeks after its hearings.

Amanda Bronstad, The National Law Journal

'