
DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy


Data Privacy Exposure Hits the Public Sector: Lessons from the OPM Data Breach Class Action, Whistleblower Actions, and the GAO Cybersecurity Report


Data privacy litigation and enforcement actions continue to roil the private sector, most recently with the FTC’s announcement of a $425 million settlement with Equifax in the wake of the Equifax data breach. Less discussed is the fact that data privacy and security remains a real threat in the public sector. As we recently reported, the 2019 Verizon Data Breach Investigations Report found that 16% of confirmed data breaches were in the public sector. Three recent developments highlight the breadth and scope of the threat, reflecting that federal agencies and government contractors remain vulnerable to cyberattacks and may be subject to liability for cybersecurity failures.

The OPM Data Breach Action

The District of Columbia Circuit’s June 21st panel decision in In re Office of Personnel Management Data Security Breach Litigation held that a federal agency and its private contractor were not entitled to sovereign immunity and derivative sovereign immunity, respectively, for class action claims in the wake of a data breach in which hackers allegedly used stolen contractor credentials to steal almost 21.5 million background investigation records and over 4 million federal employees’ personnel files. Specifically, the panel opinion found that the Privacy Act, 5 U.S.C. § 552a, “safeguards the public from unwarranted collection, maintenance, use, and dissemination of personal information collected in agency records” and thus “waives sovereign immunity by expressly authorizing a cause of action for damages against federal agencies that violated its rules….” Reversing the lower court, the DC Circuit panel noted that the history of agency data breaches and failure to comply with critical information security standards showed that OPM’s conduct was “willful” or “intentional,” as required to waive sovereign immunity. In addition, the panel found that plaintiffs – who alleged that they suffered credit monitoring costs, fraudulent charges, and false tax returns in the wake of the breach – had plausibly alleged actual damages as a result of the breach. Moreover, a majority of the panel found that plaintiffs alleged standing based on the increased “risk of future identity theft” as a result of the breach, consistent with the DC Circuit’s prior holding in Attias v. CareFirst; thus, it reversed the lower court and remanded for further proceedings on plaintiffs’ Privacy Act claims. By contrast, the remaining panel judge dissented in part, finding that the mere fear of identity theft in the wake of a data breach is not enough for standing where – as here – the motive of the breach appeared to be cyber-espionage, not identity theft.
Finally, the panel affirmed the lower court’s refusal to recognize claims based on a broader constitutional right to privacy that is allegedly violated when a third party steals information voluntarily submitted to a government agency.

Whistleblower Actions

Recent False Claims Act developments emphasize that government contractors may face whistleblower liability for cybersecurity failures even in the absence of any evidence of unauthorized access to their systems. For example, on August 1, New York’s Attorney General announced a $6 million multistate settlement with a government contractor in the wake of a former employee’s whistleblower action alleging that the contractor failed to disclose flaws in the security surveillance systems it sold to the federal government and various states. The ensuing multistate investigation “uncovered no evidence that a hack or any unauthorized access of security surveillance systems ever took place.” Moreover, on May 8, a California federal district court denied defendant government contractors’ motion to dismiss certain whistleblower claims under 31 U.S.C. § 3729(a)(1)(A)-(B) alleging that the contractors entered into contracts with the federal government despite knowing they did not meet the minimum cybersecurity standards required to be awarded contracts with the Department of Defense or NASA.

The GAO Report

On July 26th, the Government Accountability Office (“GAO”) released its report titled: “Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges” relaying to Congress the findings of its February 2018 through July 2019 audit of the cybersecurity readiness of 23 federal agencies. That report emphasizes that federal agencies have considerable work to do to guard against cyberattacks going forward. Specifically, the report found that 11 agencies had not developed an agency-wide cybersecurity risk management strategy, and another 5 agencies had only partially developed strategies that did not address all elements of the NIST framework. Only 6 of the 23 agencies had fully established cybersecurity policies and procedures; the GAO found gaps in the policies and procedures at the remaining 17 agencies. Just 12 of the 23 agencies had developed a process for conducting an agency-wide cybersecurity risk assessment. Eight of 23 agencies had no approach to coordinating between cybersecurity and enterprise risk management.

Takeaways

The above developments emphasize the importance of cybersecurity in the public sector. First, the OPM decision suggests that government entities and their private contractors cannot necessarily rely on sovereign immunity to shield them from liability for cyber breaches. OPM and its contractor have requested and received an extension until September 4, 2019 to file a motion for rehearing or rehearing en banc of the DC Circuit’s panel opinion – including its holding on sovereign immunity. One issue to watch is the standing question – whether plaintiffs who merely fear identity theft in the wake of a breach fail to satisfy the injury-in-fact threshold for standing to sue under Article III of the U.S. Constitution. As we previously reported, the federal circuit courts of appeals are split on this issue, and the Supreme Court has repeatedly denied petitions for writ of certiorari to resolve the question. The OPM opinion is unique in its focus on standing in the context of cyber-espionage breaches – which, according to the 2019 Verizon Data Breach Investigations Report, accounted for an estimated 25% of 2018 breaches overall and 42% of breaches in the public sector. Hence, any reconsideration of the majority’s view that cyber-espionage and identity theft are not mutually exclusive goals, in favor of the dissenting panelist’s narrower view, could have wide-ranging implications for both public and private sector entities’ exposure in data breach litigation. Second, recent developments in whistleblower actions reflect that government contractors may face exposure for cybersecurity deficiencies even in the absence of a data breach. Finally, the GAO Report – noting various deficiencies in the cybersecurity readiness of federal government agencies – implies that cybersecurity exposure in the public sector is likely to remain a significant issue going forward.

August 13, 2019
Written by: Discerning Data Editorial Board
Category: Privacy
Tags: Data Breach, data privacy, GAO, whistleblower liability


©2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
