D.C. Circuit Court Reverses Dismissal Of Data Breach Privacy Claims, Finding That Plaintiffs Had Standing And Alleged Actual Damages

08.13.19

(Article from Insurance Law Alert, July/August 2019)

The Circuit Court of Appeals for the District of Columbia reversed in part and affirmed in part a district court’s dismissal of claims arising out of a cyberattack, finding that certain plaintiffs had standing and that the complaint sufficiently alleged actual damages.  In re: U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 2019 WL 2552955 (D.C. Cir. June 21, 2019).

A cyberattack on the database of the U.S. Office of Personnel Management (“OPM”) affected the personal information of more than 21 million government employees. The compromised information included social security numbers, names and addresses and, in some cases, fingerprint records. Numerous lawsuits were brought against OPM and its security firm, which were ultimately consolidated into two complaints alleging willful failure to implement appropriate safeguards to ensure the security of plaintiffs’ private information. One action—the Arnold action—was brought by a putative class of breach victims seeking monetary damages based on alleged violations of the Privacy Act of 1974 and various other statutory and common law claims. The second action was brought by the National Treasury Employees Union (“NTEU”), a putative class seeking declaratory and injunctive relief based on alleged violation of a “constitutional right to informational privacy.”

The district court dismissed both complaints based on lack of standing.  The court reasoned that allegations of a heightened risk of identity theft were insufficient to allege a substantial risk of future injury, and that even for plaintiffs that had alleged actual past injury, the complaint failed to allege that the misuse of their information was caused by the OPM cyberattack.  The district court also held that the Arnold plaintiffs failed to plead actual damages.  Finally, the district court concluded that NTEU plaintiffs failed to state a constitutional claim. 

The D.C. Court of Appeals reversed in part and affirmed in part.  The court ruled that both putative classes alleged facts sufficient to satisfy Article III standing, finding both complaints alleged a substantial risk of future identity theft given the highly sensitive nature of the compromised information. The court further held that the Arnold plaintiffs stated a claim for damages under the Privacy Act, concluding that in addition to unlawful charges on plaintiffs’ accounts, plaintiffs incurred “actual damages” in the form of costs incurred for credit monitoring, legal fees and delayed tax refunds.  The court affirmed the dismissal of the NTEU action, stating: “assuming (without deciding) the existence of a constitutional right to informational privacy, it affords relief only for intentional disclosures or their functional equivalent—which NTEU Plaintiffs do not allege.”

Notably, the Eighth Circuit recently affirmed a dismissal of data breach privacy claims based on lack of standing, finding that plaintiffs had failed to allege a prospective injury because the likelihood of future identity theft was “purely speculative.”  See June 2019 Alert.