Union Lawsuit Demonstrates Link Between Security Clearance Backlog and OPM Data Breaches
Last week the Court of Appeals for the D.C. Circuit reversed a lower court decision in two class action lawsuits against the Office of Personnel Management (OPM) for the 2015 data breach that affects more than 21 million people. The court decided that the American Federation of Government Employees (AFGE) and the National Treasury Employees Union (NTEU) ā along with any individually named plaintiffs ā could show that they had suffered harm as a result of the data breach.
The court also ruled that OPM waived its sovereign immunity to lawsuits under the Privacy Act, and reversed the decision of the lower court, which had thrown out the case.
What this ruling means for the future of OPM
OPM will now have to defend itself in court as a result of this ruling. More importantly, AFGE and NTEU may be able to collect damages as the Court of Appeals noted that those impacted by the breach could be left vulnerable to future identity theft.
The court summarized its ruling:
āPlaintiffs have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPMās and KeyPointās cybersecurity failings and likely redressable, at least in part, by damages, and NTEU Plaintiffs have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPMās challenged conduct and redressable either by a declaration that the agencyās failure to protect plaintiffsā personal information is unconstitutional or by an order requiring OPM to correct deficiencies in its cybersecurity program.ā
An AFGE spokesperson called the ruling a āpositive step for our members affected by the data breach.ā
the OPM Data Breach and Clearance Backlog Go Hand-in-Hand
This isnāt the end of the matter however, as OPM and KeyPoint will have to defend their respective actions in court. Yet, the breach has been seen as something that should have been avoidable.
āThe first thing to remember is that we got into this mess because the background check process was so backlogged,ā explained Dan Meyer, managing partner for the D.C. offices of Tully Rinckey PLLC.
āWeāre now in the third decade of the federal government not understanding how to do background investigations,ā Meyer told ClearanceJobs.
The move to having OPM handle the investigations and away from its stated mission of ārecruiting, retaining and honoring a world-class force to serve the American peopleā has been called out by many as a disaster waiting to happen. As a result, the Department of Defense, as well the intelligence agencies, are now taking back their investigations.
āWeāre back to a system that didnāt really work before and resulted in a backlog,ā added Meyer.
Clearance backlog: Lifelong Problem With No Solution
Some plaintiffs have said that as a result of the breach, theyāve received fraudulent tax returns and had their identities used to open fake credit cards. Given that the amount of information that was compromised, this could be much more than just bad credit.
āThose affected are going to need monitoring for life,ā warned Meyer. āAnd this isnāt just credit monitoring.ā
For federal employees whose identity is compromised, it could result in a loss of clearance ā an irony as OPMās role was to aid in the clearance process.
āThis could include a situation where an employeeās credential review is held up, and they could be suspended from a job,ā noted Meyer. āThe worst part of it is that those employees will have to go out and defend themselves, and prove they were part of the OPM mismanagement of their personal information.ā
This could be a six month process, but Meyer told ClearanceJobs that one case he worked on lasted for years.
āPeople havenāt gotten a hold of how serious this problem is, and we havenāt thought through the outstanding liability,ā he added. āThe most important takeaway is this: employees should acquire hard copies of documents that clearly state that they were a victim of the OPM mismanagement in case of any identity theft.ā
Ā
Gloss