U.S. Office of Pers. Mgmt. Data SEC. Breach Litig. v. Office of Pers. Mgmt.
U.S. Court of Appeals6/21/2019
AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.001 - $0.003 per brief
Full Opinion
United States Court of Appeals
FOR THE DISTRICT OF COLUMBIA CIRCUIT
Argued November 2, 2018 Decided June 21, 2019
No. 17-5217
IN RE: U.S. OFFICE OF PERSONNEL MANAGEMENT DATA
SECURITY BREACH LITIGATION,
AMERICAN FEDERATION OF GOVERNMENT EMPLOYEES,
AFL-CIO, ET AL.,
APPELLEES
NATIONAL TREASURY EMPLOYEES UNION, ET AL.,
APPELLANTS
v.
OFFICE OF PERSONNEL MANAGEMENT, ET AL.,
APPELLEES
Consolidated with 17-5232
Appeals from the United States District Court
for the District of Columbia
(No. 1:15-mc-01394)
Peter A. Patterson argued the cause for Arnold Plaintiffs-
Appellants in No. 17-5232. With him on the briefs were David
H. Thompson, Daniel C. Girard, Jordan Elias, Tina Wolfson,
Gary E. Mason, and Richard B. Rosenthal.
2
Paras N. Shah argued the cause for appellants National
Treasury Employees Union, et al. in No. 17-5217. With him
on the briefs were Gregory O=Duden, Larry J. Adkins, and
Allison C. Giles.
Marc Rotenberg and Alan Butler were on the brief for
amici curiae Electronic Privacy Information Center (EPIC) and
Forty-Four Legal Scholars and Technical Experts in support of
appellants.
Sonia M. Carson, Attorney, U.S. Department of Justice,
argued the cause for federal appellees. With her on the brief
was Mark B. Stern.
Jason J. Mendro argued the cause for appellee KeyPoint
Government Solutions, Inc. With him on the brief were F.
Joseph Warin, Matthew S. Rozen, and Jeremy M. Christiansen.
Alan Charles Raul, Kwaku A. Akowuah, Daniel J. Hay,
and Steven P. Lehotsky were on the brief for amicus curiae The
Chamber of Commerce of the United States of America in
support of appellees.
Before: TATEL and MILLETT, Circuit Judges, and
WILLIAMS, Senior Circuit Judge.
Opinion for the Court filed PER CURIAM.
Opinion concurring in part and dissenting in part filed by
Senior Circuit Judge WILLIAMS.
PER CURIAM: In 2014, cyberattackers breached multiple
U.S. Office of Personnel Management (âOPMâ) databases and
allegedly stole the sensitive personal informationâincluding
3
birth dates, Social Security numbers, addresses, and even
fingerprint recordsâof a staggering number of past, present,
and prospective government workers. All told, the data
breaches affected more than twenty-one million people.
Unsurprisingly, given the scale of the attacks and the sensitive
nature of the information stolen, news of the breaches
generated not only widespread alarm, but also several lawsuits.
These suits were ultimately consolidated into two complaints:
one filed by the National Treasury Employees Union and three
of its members, and another filed by the American Federation
of Government Employees on behalf of several individual
plaintiffs and a putative class of others similarly affected by the
breaches. Both sets of plaintiffs alleged that OPMâs
cybersecurity practices were woefully inadequate, enabling the
hackers to gain access to the agencyâs treasure trove of
employee information, which in turn exposed plaintiffs to a
heightened risk of identity theft and a host of other injuries.
The district court dismissed both complaints for lack of Article
III standing and failure to state a claim. For the reasons set
forth below, we reverse in part and affirm in part.
I
As its name suggests, the U.S. Office of Personnel
Management serves as the federal governmentâs chief human
resources agency. In that capacity, OPM maintains electronic
personnel files that contain, among other information, copies
of federal employeesâ birth certificates, military service
records, and job applications identifying Social Security
numbers and birth dates.
The agency also oversees more than two million
background checks and security clearance investigations per
year. To facilitate these investigations, OPM collects a
tremendous amount of sensitive personal information from
current and prospective federal workers, most of which it then
4
stores electronically in a âCentral Verification System.â
Consolidated Amended Complaint, In re United States Office
of Pers. Mgmt. Data Security Breach Litig., No. 1:15-mc-
01394, ¶ 65 (D.D.C. March 14, 2016) (âArnold Plaintiffsâ
Compl.â), J.A. 61. The investigation-related information
stored by OPM includes birth dates, Social Security numbers,
residency details, passport information, fingerprints, and other
records pertaining to employeesâ criminal histories,
psychological and emotional health, and finances. In recent
years, OPM has relied on a private investigation and security
firm, KeyPoint Government Solutions, Inc. (âKeyPointâ), to
conduct the lionâs share of the agencyâs background and
security clearance investigation fieldwork. KeyPoint
investigators have access to the information stored in OPMâs
Central Verification System and can transmit data to and from
the agencyâs network through an electronic portal.
It turns out that authorized KeyPoint investigators have not
been the only third parties to access OPMâs data systems.
Cyberattackers hacked into the agencyâs network on several
occasions between November 2013 and November 2014.
Undetected for months, at least two of these breaches resulted
in the theft of vast quantities of personal information.
According to the complaint, after breaching OPMâs network
âusing stolen KeyPoint credentialsâ around May 2014, Arnold
Plaintiffsâ Compl. ¶ 127, J.A. 73, the cyberintruders extracted
almost 21.5 million background investigation records from the
agencyâs Central Verification System. They gained access to
another OPM system near the end of 2014, stealing over four
million federal employeesâ personnel files. Among the types
of information compromised were current and prospective
employeesâ Social Security numbers, birth dates, and residency
details, along with approximately 5.6 million sets of
fingerprints. The breaches also exposed the Social Security
numbers and birth dates of the spouses and cohabitants of those
5
who, in order to obtain a security clearance, completed a
Standard Form 86. According to the complaints, since these
2014 breaches, individuals whose information was stolen have
experienced incidents of financial fraud and identity theft;
many others whose information has not been misusedâat
least, not yetâremain concerned about the ongoing risk that
they, too, will become victims of financial fraud and identity
theft in the future.
After announcing the breaches in the summer of 2015,
OPM initially offered individuals whose information had been
compromised fraud monitoring and identity theft protection
services and insurance at no cost for either eighteen months or
three years, depending on whether their Social Security
numbers had been exposed. But OPMâs offer failed to address
the concerns of all such parties, and the agency soon found
itself named as a defendant in breach-related lawsuits across
the country. The Judicial Panel on Multidistrict Litigation
transferred these actions to the U.S. District Court for the
District of Columbia for coordinated pretrial proceedings. The
suits were ultimately consolidated into two complaints: one
brought by the American Federation of Government
Employees on behalf of thirty-eight individuals affected by the
breaches and a putative class of similarly situated breach
victims (âArnold Plaintiffsâ) and another for declaratory and
injunctive relief brought by the National Treasury Employees
Union (âNTEUâ) and three of its members (âNTEU
Plaintiffsâ). Below we summarize the relevant allegations and
claims contained in each complaint, accepting all factual
allegations âas trueâ and drawing âreasonable
inferences * * * in the plaintiffsâ favor.â Philipp v. Federal
Republic of Germany, 894 F.3d 406, 409 (D.C. Cir. 2018)
(internal quotation marks omitted).
6
Arnold Plaintiffs allege that KeyPointâs âinformation
security defenses did not conform to recognized industry
standardsâ and that the company unreasonably failed to protect
the security credentials that the hackers used to unlawfully
access one of OPMâs systems in mid-2014. Arnold Plaintiffsâ
Compl. ¶ 222, J.A. 98. Specifically, they assert that âKeyPoint
knew or should have known that its information security
defenses did not reasonably or effectively protect Plaintiffsâ
and Class membersâ [personal information] and the credentials
used to access it on KeyPointâs and OPMâs systems.â Id. As
for OPM, Arnold Plaintiffs allege that the agency had long
been on notice that its systems were prime targets for
cyberattackers. OPM experienced data breaches related to
cyberattacks in 2009 and 2012, and it is no secret that its
network is regularly subject to a strikingly large number of
hacking attempts. Despite this, say Arnold Plaintiffs, OPM
repeatedly failed to comply with the Federal Information
Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq.
(repealed 2014), and its replacement, the Federal Information
Security Modernization Act of 2014, 44 U.S.C. §§ 3551 et seq.
(collectively, âInformation Security Actâ), which require
agencies to âdevelop, implement, and maintain a security
program that assesses information security risks and provides
adequate security for the operations and assets of programs and
software systems under agency and contractor control.â
Arnold Plaintiffsâ Compl. ¶ 83, J.A. 65.
As early as 2007, Information Security Act compliance
audits conducted by OPMâs Office of the Inspector General
regularly identified major information security deficiencies
that left the agencyâs network vulnerable to attack. Such
problems included âseverely outdatedâ security policies and
procedures, understaffed and undertrained cybersecurity
personnel, and a lack of a centralized information security
management structure. Arnold Plaintiffsâ Compl. ¶¶ 92â95,
7
J.A. 67â68. As a result, in every year from 2007 through 2013,
the Inspector General identified âserious concerns
that * * * pose an immediate risk to the security of assets or
operationsââtermed âmaterial weaknessesââin the agencyâs
information security governance program. Id. ¶¶ 87â88, J.A.
66; see also id. ¶¶ 90â97, J.A. 66â68 (listing those
weaknesses). Although in 2014 the Inspector General, acting
on the basis of âimminently planned improvements,â id. ¶ 98,
J.A. 68, reclassified OPMâs security governance program as a
âsignificant deficiencyâ (an improvement over the more
serious âmaterial weaknessâ), other serious issues resurfaced at
that time. Specifically, in 2014, the agency failed to complete
an Information Security Act-required Security Assessment and
Authorization for eleven of the twenty-one OPM systems due
for reauthorization. Because the agency was unable to ensure
the functionality of security controls for the systems that lacked
a valid authorizationâone of which was âa general system that
supported and provided the electronic platform for
approximately two-thirds of all information systems operated
by OPMââthe Inspector General advised the agency to shut
them down. Id. ¶¶ 102â103, J.A. 69â70. Despite the Inspector
Generalâs recommendation, OPM continued to operate the
systems. The agency compounded existing security
vulnerabilities by failing to encrypt sensitive dataâincluding
Social Security numbersâand failing to enforce multifactor
authentication requirements. To make matters worse, when the
2014 data breaches occurred, the agency lacked a centralized
network security operations center from which it could
continuously and comprehensively monitor all system security
controls and threats.
The 2014 cyberattacks were âsophisticated, malicious, and
carried out to obtain sensitive information for improper use.â
Arnold Plaintiffsâ Compl. ¶¶ 128, 132, J.A. 73â74. Arnold
Plaintiffs assert that as a result of these attacks, they have
8
suffered from a variety of harms, including the improper use of
their Social Security numbers, unauthorized charges to existing
credit card and bank accounts, fraudulent openings of new
credit card and other financial accounts, and the filing of
fraudulent tax returns in their names. At least three named
Arnold Plaintiffs purchased credit monitoring services after
falling victim to such fraud; others have spent time and money
attempting to unwind fraudulent transactions made in their
names. And some Arnold Plaintiffs who have yet to experience
a fraud incident purchased credit monitoring services and spent
extra time monitoring their accounts to mitigate the âincreased
riskâ of identity theft caused by the breaches. Id. ¶ 163, J.A.
81â83.
Arnold Plaintiffs assert several claims against OPM, but
they press only one on appeal: that the agency âwillfully
failedâ to establish appropriate safeguards to ensure the
security and confidentiality of their private information, in
violation of Section 552a(e)(10) of the Privacy Act of 1974.
Arnold Plaintiffsâ Compl. ¶ 182, J.A. 89; see also 5 U.S.C.
§ 552a(e)(10) (requiring the agency to âestablish appropriate
administrative, technical, and physical safeguards to insure the
security and confidentiality of records and to protect against
any anticipated threats or hazards to their security or integrity
which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom
information is maintainedâ). They also bring a variety of
common-law and statutory claims against KeyPoint, alleging
that the companyâs âactions and inactions constitute[d]
negligence, negligent misrepresentation and concealment,
invasion of privacy, breach of contract, and violations of the
Fair Credit Reporting Act and state statutes.â Arnold
Plaintiffsâ Compl. ¶ 9, J.A. 38. Arnold Plaintiffs seek damages
from OPM under the Privacy Act; from KeyPoint, they request
money damages and an order requiring the company to extend
9
free lifetime identity theft and fraud protection services to all
putative class members, among other things.
The other complaint, filed by the National Treasury
Employees Union, seeks declaratory and injunctive relief
against the Acting Director of OPM in her official capacity
based on essentially the same set of facts. NTEU Plaintiffs
assert that when they provided OPM with the sensitive personal
information ultimately exposed in the breaches, they did so
upon the agencyâs assurance that it âwould be safeguardedâ
and kept confidential. Amended Complaint for Declaratory
and Injunctive Relief, In re United States Office of Pers. Mgmt.
Data Security Breach Litig., No. 1:15-mc-01394, ¶ 75 (D.D.C.
June 3, 2016) (âNTEU Plaintiffsâ Compl.â), J.A. 179. They
allege that OPMâs âreckless failure to safeguard [NTEU
Plaintiffsâ] personal information,â which ultimately âresulted
in [its] unauthorized disclosureâ during the 2014 attacks, id. at
3, J.A. 155, amounted to a violation of what they describe as
their âconstitutional right to informational privacy,â id. ¶ 98,
J.A. 186.
NTEU Plaintiffs further allege that, despite the fallout
from the 2014 breaches, OPM has yet to make the
cybersecurity improvements necessary to protect their personal
information from future attacks. According to the complaint,
the agencyâs Inspector General warned at the end of 2015 that
OPM was ill-equipped to protect itself from another attack,
given âthe overall lack of compliance that seems to permeate
the agencyâs IT security program.â NTEU Plaintiffsâ Compl.
¶ 88, J.A. 182 (quoting United States Office of Pers. Mgmt.,
Office of the Inspector General, Office of Audits, Final Audit
Report: Federal Information Security Modernization Act Audit
FY 2015, at 5 (Nov. 10, 2015)). NTEU Plaintiffs seek a
declaration that OPMâs failure to protect their information
violated their putative constitutional right to informational
10
privacy and an order requiring the agency to provide them with
free lifetime credit monitoring and identity theft protection.
They also request an injunction requiring OPM âto take
immediately all necessary and appropriate steps to correct
deficiencies in [its] IT security program so that NTEU
membersâ personal information will be protected from
unauthorized disclosureâ in the future. Id. at 35, J.A. 187.
OPM and KeyPoint moved to dismiss Arnold Plaintiffsâ
complaint, arguing that they lacked Article III standing, that
their claims were barred by sovereign immunity, and that they
failed to state valid claims under the state and federal statutes
and common-law theories invoked. OPM moved to dismiss
NTEU Plaintiffsâ complaint for lack of standing and failure to
state a claim upon which relief could be grantedâthat is,
failure to allege a cognizable constitutional violation. The
district court granted both motions to dismiss on the ground
that neither Arnold Plaintiffs nor NTEU Plaintiffs pled
sufficient facts to demonstrate Article III standing. Rejecting
plaintiffsâ argument that they faced a heightened risk of
identity theft due to the breaches, the court held that the facts
alleged failed to plausibly support the conclusion that this risk
of future injury was either substantial or clearly impending.
The district court ultimately concluded that only those
plaintiffs who specifically identified out-of-pocket losses
stemming from the actual misuse of their data had suffered an
injury in fact sufficient for standing purposes. But even those
plaintiffs lacked standing, the district court concluded, because
they failed to allege facts demonstrating that the misuse of their
information was traceable to the OPM breaches in particular.
The district court went on to explain that it also lacked
subject matter jurisdiction over Arnold Plaintiffsâ claims for
the additional reasons that (i) they failed to plead the actual
damages necessary to bring them within the Privacy Actâs
11
waiver of sovereign immunity; and (ii) as a government
contractor, KeyPoint enjoyed derivative sovereign immunity
from suit. Finally, the court concluded that Arnold Plaintiffs
failed to plausibly allege a Privacy Act claim and that NTEU
Plaintiffsâ complaint failed to state a constitutional claim. Both
sets of plaintiffs have appealed.
We reverse in part and affirm in part the district courtâs
judgment. We hold that both sets of plaintiffs have alleged
facts sufficient to satisfy Article III standing requirements.
Arnold Plaintiffs have stated a claim for damages under the
Privacy Act, and have unlocked OPMâs waiver of sovereign
immunity, by alleging OPMâs knowing refusal to establish
appropriate information security safeguards. KeyPoint is not
entitled to derivative sovereign immunity because it has not
shown that its alleged security faults were directed by the
government, and it is alleged to have violated the Privacy Act
standards incorporated into its contract with OPM. Finally, we
agree with the district court that, assuming a constitutional right
to informational privacy, NTEU Plaintiffs have not alleged any
violation of such a right.
II
â[T]he irreducible constitutional minimum of standing
consists of three elements.â Spokeo, Inc. v. Robins, 136 S. Ct.
1540, 1547 (2016) (internal quotation marks omitted). First,
plaintiffs must demonstrate that they suffered an injury in fact
that is âconcrete and particularized and actual or imminent, not
conjectural or hypothetical.â Id. at 1548 (internal quotation
marks omitted). âAn allegation of future injuryâ passes Article
III muster only if it âis âcertainly impending,â or there is a
âsubstantial riskâ that the harm will occur.â Susan B. Anthony
List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Clapper v.
Amnesty Intâl USA, 568 U.S. 398, 414 & n.5 (2013)). Second,
plaintiffs must demonstrate causation; that is, they must show
12
that their claimed injury is âfairly traceable to the challenged
conduct of the defendant.â Spokeo, 136 S. Ct. at 1547. âArticle
III standing does not require that the defendant be the most
immediate cause, or even a proximate cause, of the plaintiffsâ
injuries; it requires only that those injuries be âfairly traceableâ
to the defendant.â Attias v. Carefirst, Inc., 865 F.3d 620, 629
(D.C. Cir. 2017), cert. denied, 138 S. Ct. 981 (2018). And
third, plaintiffs must demonstrate that âit is likely, as opposed
to merely speculative, that the[ir] injury will be redressed by a
favorable decision.â Friends of the Earth, Inc. v. Laidlaw
Environmental Servs. (TOC), Inc., 528 U.S. 167, 181 (2000).
Where, as here, defendants challenge standing at the
pleading stage without disputing the facts alleged in the
complaint, âwe accept the well-pleaded factual allegations as
true and draw all reasonable inferences from those allegations
in the plaintiffâs favor,â but we do not assume the truth of legal
conclusions or accept inferences that are unsupported by the
facts alleged in the complaint. Arpaio v. Obama, 797 F.3d 11,
19 (D.C. Cir. 2015). âWe review de novo the district courtâs
dismissal for lack of standing.â Id. The question at this early
juncture in the litigation is whether plaintiffs have plausibly
alleged standing. Contrary to the district courtâs ruling,
plaintiffs need not yet establish each element of standing by a
preponderance of the evidence. See Lujan v. Defenders of
Wildlife, 504 U.S. 555, 561 (1992) (â[E]ach element [of
standing] must be supported in the same way as any other
matter on which the plaintiff bears the burden of proof, i.e.,
with the manner and degree of evidence required at the
successive stages of the litigation.â).
A
We begin with NTEU Plaintiffs. For standing purposes,
we assume that NTEU Plaintiffs have, as they claim, a
âconstitutional right to informational privacyâ that was
13
violated âthe moment that [cyberattackers stole] their
inherently personal information * * * from OPMâs deficiently
secured databases.â NTEU Br. 11; see also Estate of Boyland
v. Department of Agric., 913 F.3d 117, 123 (D.C. Cir. 2019)
(â[W]hen considering whether a plaintiff has Article III
standing, a federal court must assume, arguendo, the merits of
his or her legal claim.â) (internal quotation marks omitted).
Furthermore, given NTEU Plaintiffsâ allegations regarding
OPMâs continued failure to adequately secure its databases, it
is reasonable to infer that there remains a âsubstantial riskâ that
their personal information will be stolen from OPM again in
the future. NTEU Plaintiffsâ Compl. ¶ 88, J.A. 182. With
respect to this claim, the loss of a constitutionally protected
privacy interest itself would qualify as a concrete,
particularized, and actual injury in fact. And the ongoing and
substantial threat to that privacy interest would be a concrete,
particularized, and imminent injury in fact. Both claimed
injuries are plausibly traceable to OPMâs challenged conduct,
and the latter is redressable either by a declaration that the
agencyâs failure to protect NTEU Plaintiffsâ personal
information is unconstitutional or by an order requiring OPM
to immediately correct deficiencies in its cybersecurity
programs. Cf. ACLU v. Clapper, 785 F.3d 787, 801 (2d Cir.
2015) (holding that, where plaintiffs allege a Fourth
Amendment âinjury [stemming] from the very collection of
their telephone metadata,â they âhave suffered a concrete and
particularized injury fairly traceable to the challenged program
and redressable by a favorable rulingâ). Accordingly, NTEU
Plaintiffs have standing based on their claimed constitutional
injury.
B
Arnold Plaintiffs allege no such constitutional injury, but
they do claim to have suffered a variety of past and future data-
breach related harms. See, e.g., Arnold Plaintiffsâ Compl. ¶ 22,
14
J.A. 44â45 (alleging that Plaintiff Jane Doe has âsuffer[ed]
stress resulting from concerns for her personal safety and that
of her family membersâ since being informed by the FBI that
her personal information âhad been acquired by the so-called
Islamic State of Iraq and al-Sham (âISISâ)â). For purposes of
our standing analysis, we focus on one injury they all share:
the risk of future identity theft. As we have already recognized,
âidentity theft * * * constitute[s] a concrete and particularized
injury.â Attias, 865 F.3d at 627; see also Hancock v. Urban
Outfitters, Inc., 830 F.3d 511, 514 (D.C. Cir. 2016) (offering
the âincreased risk of fraud or identity theftâ as an âexampleâ
of a âconcrete consequenceâ for standing purposes). Yet, the
district court concluded that Arnold Plaintiffsâ complaint
provided an insufficient basis from which to infer that, in the
wake of the OPM breaches, Arnold Plaintiffs faced any
meaningful risk of future identity theft, much less a
âsubstantialâ one. In re United States Office of Pers. Mgmt.
Data Security Breach Litig. (âIn re OPMâ), 266 F. Supp. 3d 1,
35 (D.D.C. 2017). Furthermore, finding that âthe risk of
identity theft was neither clearly impending nor substantial,â
the district court concluded that any expenses that Arnold
Plaintiffs incurred attempting to mitigate that risk likewise
failed to qualify as an Article III injury in fact. Id. at 36; see
also Clapper, 568 U.S. at 416 (â[R]espondents cannot
manufacture standing merely by inflicting harm on themselves
based on their fears of hypothetical future harm that is not
certainly impending.â).
Arnold Plaintiffs argue that the district courtâs conclusion
is incompatible with our decision in Attias v. CareFirst. In that
case, we determined that the victims of a cyberattack on
CareFirst, a health insurance company, âcleared the low bar to
establish their standing at the pleading stageâ by plausibly
alleging that they faced a substantial risk of identity theft as a
result of the companyâs negligent failure to thwart the attack.
15
Attias, 865 F.3d at 622. Specifically, the complaint alleged that
the breach exposed âall of the information wrongdoers need for
appropriation of a victimâs identityâ: personal identification
information, credit card numbers, and Social Security numbers.
Id. at 628 (internal quotation marks omitted). Based largely on
the nature of the information compromised in the attack, we
concluded that it was reasonable to infer that the cyberattackers
had âboth the intent and the ability to use that data for ill.â Id.;
see also id. at 628â629 (âWhy else would hackers break into
a * * * database and steal consumersâ private information?
Presumably, the purpose of the hack is, sooner or later, to make
fraudulent charges or assume those consumersâ identities.â)
(quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693
(7th Cir. 2015)). Accordingly, we explained, â[n]o long
sequence of uncertain contingencies involving multiple
independent actors has to occur before the plaintiffs in this case
will suffer any harm; a substantial risk of harm exists already,
simply by virtue of the hack and the nature of the data that the
plaintiffs allege was taken.â Id. at 629.
Although the OPM cyberattacks differ in several respects
from the breach at issue in Attias, there is no question that the
OPM hackers, too, now have in their possession all the
information needed to steal Arnold Plaintiffsâ identities.
Arnold Plaintiffs have alleged that the hackers stole Social
Security numbers, birth dates, fingerprints, and addresses,
among other sensitive personal information. It hardly takes a
criminal mastermind to imagine how such information could
be used to commit identity theft. Indeed, several Arnold
Plaintiffs claim that they have already experienced various
types of identity theft, including the unauthorized opening of
new credit card and other financial accounts and the filing of
fraudulent tax returns in their names. Moreover, unlike
existing credit card numbers, which, if compromised, can be
changed to prevent future fraud, Social Security numbers and
16
addresses cannot so readily be swapped out for new ones. And,
of course, our birth dates and fingerprints are with us forever.
Viewing the allegations in the light most favorable to Arnold
Plaintiffs, as we must, we conclude that not only do the
incidents of identity theft that have already occurred illustrate
the nefarious uses to which the stolen information may be put,
but they also support the inference that Arnold Plaintiffs face a
substantialâas opposed to a merely speculative or
theoreticalârisk of future identity theft.
It is worth noting that several Arnold Plaintiffs also allege
that unauthorized charges have appeared on their existing
credit card and bank account statements since the breaches.
According to OPM, because none of these Arnold Plaintiffs
âspecifically alleged the OPM incidents affected their existing
account information,â the reported incidents of fraud on
existing accounts (and, presumably, the risk of future fraud on
those accounts) cannot plausibly be attributed to the OPM
breaches. Govât Br. 21. But we need not travel down that road
because, regardless of whether the hackers obtained all the
information necessary to make unauthorized charges to
existing accounts, it is undisputed that the other forms of fraud
allegedâthe opening of new accounts and the filing of
fraudulent tax returnsâmay be accomplished using the
information stolen during the breaches at issue.
OPM argues that Arnold Plaintiffsâ allegations of
âscattered instances of widely varying fraudâ are insufficient
to support a plausible inference that Arnold Plaintiffs face an
ongoing, substantial risk of identity theft. Govât Br. 20.
Specifically, OPM contends that despite the sensitive nature of
the information stolen in the attacks, â[i]t is impossible under
these circumstances to âeasily construct any kind of colorable
theoryâ that a desire to commit fraud motivatedâ the OPM
breaches. Id. at 21 (quoting In re OPM, 266 F. Supp. 3d at 38).
17
This is especially the case, OPM argues, because âthis is not
just a data breach,â but rather âa data breach arising out of a
particular sort of cyberattackâ against the United States. Id. at
23 (quoting In re OPM, 266 F. Supp. 3d at 9). According to
OPM, it is illogical to assume that the same goals that typically
motivate hackers of commercial databases animated the
âsophisticatedâ actors who engineered these data breaches. Id.
at 27. The district court agreed with OPM on this point.
Although neither amended complaint contains any allegations
regarding the cyberattackersâ identity, the court noted that
news articles and congressional reports had suggested that the
suspected perpetrator was not a common criminal, but rather
the Chinese government. Despite acknowledging that âa
finding concerning the source of the breachâ was âbeyond the
scope of [the] proceeding at this juncture,â the court appears to
have relied at least partially on this external information in
reaching the conclusion that it was implausible that the OPM
hackers intended to steal Arnold Plaintiffsâ identities. In re
OPM, 266 F. Supp. 3d at 34.
As an initial matter, the district court should not have
relied even in part on its own surmise that the Chinese
government perpetrated these attacks. Absent any factual
allegations regarding the identity of the cyberattackers, the
district court was not free to conduct its own extra-record
research and then draw inferences from that research in OPMâs
and KeyPointâs favor. See Arpaio, 797 F.3d at 19 (explaining
that where the defendant challenges the plaintiffâs standing at
the motion-to-dismiss stage, we âdraw all reasonable
inferences * * * in the plaintiffâs favorâ). Beyond that,
although a cyberattack on a government system might well be
motivated by a purpose other than identity theft, given the type
of information stolen in the OPM breaches and Arnold
Plaintiffsâ allegations regarding the subsequent misuse of that
information, it is just as plausible to infer that identity theft is
18
at least one of the hackersâ goals, even if those hackers are
indeed affiliated with a foreign government.
Our dissenting colleague takes a different tack, suggesting
that because this case involves government databases,
âespionage * * * is * * * an âobvious alternative explanationââ
for the attacks. See Dissenting Op. at 4 (quoting Ashcroft v.
Iqbal, 556 U.S. 662, 682 (2009)). We disagree as to just how
obvious an explanation this is based on the facts alleged in the
complaint. Furthermore, given that espionage and identity
theft are not mutually exclusive, the likely existence of an
espionage-related motive hardly renders implausible Arnold
Plaintiffsâ claim that they face a substantial future risk of
identity theft and financial fraud as a result of the breaches.
See, e.g., Watson Carpet & Floor Covering, Inc. v. Mohawk
Indus., Inc., 648 F.3d 452, 458 (6th Cir. 2011) (âFerreting out
the most likely reason for the defendantsâ actions is not
appropriate at the pleadings stage * * * . [T]he plausibility of
[one particular] reason for the refusals to sell carpet does not
render all other reasons implausible.â). By contrast, in the
cases cited by the dissent, the obvious alternative explanations
were necessarily incompatible with the plaintiffsâ versions of
events. See Iqbal, 556 U.S. at 682 (rejecting claims of
invidious discrimination as implausible where there existed an
obvious, nondiscriminatory law enforcement justification for
the challenged acts); Bell Atl. Corp. v. Twombly, 550 U.S. 544,
567â568 (2007) (rejecting a conspiracy claim as implausible
where history and market forces provided âa natural
explanationâ for the defendantsâ behavior).
In any case, although we found in Attias that the
circumstances of that breach made it at least plausible that the
hackers there had âboth the intent and the ability to use [the
plaintiffsâ] data for ill,â 865 F.3d at 628, a hackerâs âintentâ to
use breach victimsâ personal data for identity theft becomes
19
markedly less important where, as here, several victims allege
that they have already suffered identity theft and fraud as a
result of the breaches. When considered in combination with
the obvious potential for fraud presented by the information
stolen during the breaches, the fact that certain Arnold
Plaintiffs have already had fraudulent accounts opened and tax
returns filed in their names moves the risk of future identity
theft across the line from speculative to substantial, at least at
this early stage in the proceedings. See id. at 625 (explaining
that at the pleading stage, âplaintiffs are required only to state
a plausible claim that each of the standing elements is presentâ)
(internal quotation marks omitted).
The circumstances here differ markedly from those in the
two cases OPM cites in support of its argument that Arnold
Plaintiffsâ risk of future identity theft is merely conjectural. In
Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), a laptop
containing patientsâ unencrypted personal information,
âincluding names, birth dates, the last four digits of social
security numbers, and physical descriptors,â and four boxes of
medical records that contained names and Social Security
numbers went missing from a Veterans Affairs medical center.
Id. at 267â269. The Fourth Circuit held that the risk of future
identity theft stemming from the incidents was too speculative
to satisfy the injury-in-fact requirement because the plaintiffs
failed to allege either (i) that the thief âintentionally targetedâ
the personal information contained in the laptop and boxes or
(ii) that the thief subsequently used that information to commit
identity theft. Id. at 274â275 (â[E]ven after extensive
discovery, the * * * plaintiffs [who sued over the theft of the
laptop] have uncovered no evidence that the information
contained on the stolen laptop has been accessed or misused or
that they have suffered identity theft, nor, for that matter, that
the thief stole the laptop with the intent to steal their private
information.â); id. at 275 (âWatsonâs complaint suffers from
20
the same deficiency with regard to the four missing boxes of
pathology reports.â). Without such allegations, the Fourth
Circuit explained, there was nothing to âpush the threatened
injury of future identity theft beyond the speculative to the
sufficiently imminent.â Id. at 274.
In the other case, Reilly v. Ceridian Corp., 664 F.3d 38 (3d
Cir. 2011), an unknown hacker infiltrated a payroll processing
firmâs database, âpotentiallyâ gaining access to employeesâ
âpersonal and financial information.â Id. at 40. It was ânot
known whether the hacker read, copied, or understood the
data,â id., and none of the affected parties alleged that their data
had since been misused, id. at 44 (âAppellants have alleged no
misuse.â). Because the plaintiffsâ claimed risk of future
identity theft therefore rested solely on âhypothetical
speculations concerning the possibility of future injury,â the
Third Circuit held that the risk was insufficient to support
standing. Id. at 43.
Here, in contrast to those two cases, Arnold Plaintiffs both
allege that the OPM cyberattackers intentionally targeted their
information and point out the subsequent misuse of that
information. See Arnold Plaintiffsâ Compl. ¶¶ 128, 130, J.A.
73â74 (alleging that the hackers targetedâand extracted data
fromâthe agencyâs âElectronic Official Personnel Folder
systemâ and the database used to collect background check
information); see, e.g., id. ¶¶ 21â22, 24, 26, J.A. 44â48
(alleging incidents involving misuse of information). These
are precisely the types of allegations missing in Beck and
Reilly. See Beck, 848 F.3d at 275 (â[T]he mere theft of these
items, without more, cannot confer Article III standing.â)
(emphasis added); Reilly, 664 F.3d at 44 (âHere, there is no
evidence that the intrusion was intentional or malicious.
Appellants have alleged no misuse * * * . Indeed, no
21
identifiable taking occurred; all that is known is that a firewall
was penetrated.â).
Although it is true, as a general principle, that
ââas * * * breaches fade further into the past,â * * * threatened
injuries become more and more speculative,â we are
unpersuaded by the dissentâs suggestion that the passage of less
than two years between these particular attacks and Arnold
Plaintiffsâ filing of the operative complaint is enough to render
the threat of future harm insubstantial. Dissenting Op. at 7
(quoting Beck, 848 F.3d at 275). The plaintiffs in Beck suffered
no misuse of their data prior to filing their complaint. See supra
at 19â20. And the same was true of the plaintiffs in Chambliss
v. Carefirst, Inc., 189 F. Supp. 3d 564 (D. Md. 2016), the case
cited by the dissent and the court in Beck for the proposition
that the threat of future injury diminishes over time. See id. at
570 (noting that plaintiffs had not experienced âany misuseâ of
their data prior to filing their complaint). Although the passage
of two years in a run-of-the-mill data breach case might, absent
allegations of subsequent data misuse, suggest that a claim of
future injury is less than plausible, that is not the situation we
face here. Conducted over several months by sophisticated and
apparently quite patient cyberhackers, the attacks at issue in
this case affected over twenty-one million people and involved
information far more sensitive than credit card numbers.
Cyberhacking on such a massive scale is a relatively new
phenomenon, and we are unwilling at this stage to assume that
the passage of a year or two without any clearly identifiable
pattern of identity theft or financial fraud means that all those
whose data was compromised are in the clear.
Drawing all reasonable inferences in Arnold Plaintiffsâ
favor, we conclude that they have alleged facts sufficient to
support their claim of future injury, notwithstanding the
passage of time and the governmental character of the
22
databases at issue here. Given the nature of the information
stolen and the fact that several named Arnold Plaintiffs have
already experienced some form of identity theft since the
breaches, it is at least plausible that Arnold Plaintiffs run a
substantial risk of falling victim to other such incidents in the
future. See Hutton v. National Bd. of Examiners in Optometry,
Inc., 892 F.3d 613, 621â622 (4th Cir. 2018) (finding a
substantial risk of identity theft where the plaintiffs alleged not
only that their information had been stolen by hackers, but also
that it was subsequently âused in a fraudulent mannerâ).
Because Arnold Plaintiffs adequately allege a substantial risk
of future identity theft, any expenses they have reasonably
incurred to mitigate that risk likewise qualify as injury in fact.
See id. at 622 (â[T]he [Supreme] Court has recognized standing
to sue on the basis of costs incurred to mitigate or avoid harm
when a substantial risk of harm actually exists.â) (citing
Clapper, 568 U.S. at 414 n.5); see also Hearing Tr. 35 (Oct. 27,
2016) (credit protection services for victims of the breaches
announced in June 2015 were not âup and running until
Septemberâ of that year); Arnold Plaintiffsâ Compl. ¶ 28, J.A.
48â49 (Plaintiff Kelly Flynn purchased credit monitoring in
July 2015).
The district court evaluated the second element of Article
III standing, causation, only as to the incidents of identity theft
and fraud that Arnold Plaintiffs had already experienced.
Observing that such incidents were âseparated across time and
geography, and they follow no discernable pattern,â In re
OPM, 266 F. Supp. 3d at 38, the court determined that it could
not reasonably infer causation because Arnold Plaintiffs had
not alleged âany facts that plausibly connect the various
isolated incidents of the misuse * * * to the breaches at issue
here,â id. at 37. The district court did not go on to consider
whether Arnold Plaintiffs plausibly alleged that a risk of future
identity theft was fairly traceable to OPMâs and KeyPointâs
23
cybersecurity failings, presumably because it had already
rejected that risk as merely speculative. We can make
relatively short work of such an inquiry here.
Arnold Plaintiffs have alleged facts supporting a
reasonable inference that their claimed data breach-related
injuries are fairly traceable to OPMâs failure to secure its
information systems. Not only do Arnold Plaintiffs detail
OPMâs failure to heed repeated warnings by its own Inspector
General regarding serious vulnerabilities in the agencyâs
systems, but they also allege that as a result of that failure,
hackers managed to breach key OPM systems on several
different occasions.
With respect to KeyPoint, Arnold Plaintiffs further allege
that the companyâs failure to properly secure its login
credentials âwas a substantial factor in causing the Data
Breaches.â Arnold Plaintiffsâ Compl. ¶ 228, J.A. 99. KeyPoint
contends that Arnold Plaintiffsâ complaint fails to trace the
breaches to any actual misconduct by KeyPoint, but that
argument lacks merit. Arnold Plaintiffsâ complaint alleges not
only that the hackers accessed OPMâs systems âusing stolen
KeyPoint credentials,â id. ¶ 127, J.A. 73, but also that the
company was negligent in âfailing to protect and secure
its * * * credentials,â id. ¶ 228, J.A. 99, by, among other
things, âfailing to * * * comply with industry-standard data
security practices,â id. ¶ 223(b), J.A. 98. It is reasonable to
infer that âdata security practicesâ would cover practices
related to securing credentials. It is likewise reasonable to
infer, based on the allegations contained in the complaint, that
KeyPoint is at least partially to blame for the breaches due to
its failure to comply with such practices.
As previously explained, even if the breaches in question
did not expose all information necessary to make fraudulent
24
charges on victimsâ existing financial accounts, the personal
data the hackers did manage to obtain is enough, by itself, to
enable several forms of identity theft. That fact, combined with
the allegations that at least some of the stolen information was
actually misused after the breaches, suffices to support a
reasonable inference that Arnold Plaintiffsâ risk of future
identity theft is traceable to the OPM cyberattacks. Neither the
likelihood that some Arnold Plaintiffs experienced other types
of unrelated fraud nor the speculative possibility that they
might also have been the victims of other data breaches renders
causation implausible here. See In re Zappos.com, Inc., 888
F.3d 1020, 1029 (9th Cir. 2018) (âThat hackers might have
stolen Plaintiffsâ [personal identifying information] in
unrelated breaches, and that Plaintiffs might suffer identity
theft or fraud caused by the data stolen in those other
breaches * * * , is less about standing and more about the
merits of causation and damages.â), cert. denied, 139 S. Ct.
1373 (2019). Nor are we troubled, as OPM suggests we should
be, by certain Arnold Plaintiffsâ failure to specify exactly
when, in relation to the data breaches, fraudsters first misused
their data. The Supreme Court has explained that â[a]t the
pleading stage, general factual allegations of injury resulting
from the defendantâs conduct may suffice, for on a motion to
dismiss we presume that general allegations embrace those
specific facts that are necessary to support the claim.â Lujan,
504 U.S. at 561 (formatting altered). Accordingly, as in Attias,
at this early stage, we have âlittle difficulty concluding,â 865
F.3d at 629, that Arnold Plaintiffs have met their ârelatively
modestâ burden of alleging that their risk of future identity theft
is fairly traceable to OPMâs and KeyPointâs challenged
conduct, Bennett v. Spear, 520 U.S. 154, 171 (1997).
This brings us, then, to the final element of standing,
where, as previously noted, we ask whether âit is likely, as
opposed to merely speculativeâ that Arnold Plaintiffsâ claimed
25
injury âwill be redressed by a favorable decision.â Friends of
the Earth, 528 U.S. at 181. Although the district court never
reached this question, we think Arnold Plaintiffs have easily
demonstrated that their substantial risk of future identity theft
and related mitigation expenses are redressable.
Granting that it may well be impossible at this point to
eliminate the risk of future identity theft stemming from the
OPM breaches, the money damages Arnold Plaintiffs seek can
redress certain proven injuries related to that risk (such as
reasonably-incurred credit monitoring costs). See, e.g., In re
Zappos.com, 888 F.3d at 1030 (âThe injury from the risk of
identity theft is also redressable by relief that could be obtained
through this litigation. If Plaintiffs succeed on the merits, any
proven injury could be compensated through damages.â)
(citation omitted); Attias, 865 F.3d at 629 (âThe fact that
plaintiffs have reasonably spent money to protect themselves
against a substantial risk creates the potential for them to be
made whole by monetary damages.â).
In sum, like the Attias plaintiffs, both sets of plaintiffs here
have âcleared the low bar to establish their standing at the
pleading stage.â 865 F.3d at 622. Arnold Plaintiffs have
plausibly alleged a substantial risk of future identity theft that
is fairly traceable to OPMâs and KeyPointâs cybersecurity
failings and likely redressable, at least in part, by damages, and
NTEU Plaintiffs have plausibly alleged actual and imminent
constitutional injuries that are likewise traceable to OPMâs
challenged conduct and redressable either by a declaration that
the agencyâs failure to protect plaintiffsâ personal information
is unconstitutional or by an order requiring OPM to correct
deficiencies in its cybersecurity program. We therefore have
no need to address the other bases for standing asserted by
NTEU and Arnold Plaintiffs. See, e.g., id. at 626 n.2
(explaining that when plaintiffs have standing âbased on their
26
heightened risk of future identity theft,â it is unnecessary to
address their other theories of injury in fact).
Having resolved the standing issue in NTEU and Arnold
Plaintiffsâ favor, we turn to another potential jurisdictional
stumbling block: sovereign immunity.
III
It is âaxiomaticâ that a waiver of sovereign immunity is a
jurisdictional âprerequisiteâ for Arnold Plaintiffsâ claims
against OPM to get out of the starting gate. United States v.
Mitchell, 463 U.S. 206, 212 (1983); accord Federal Deposit
Ins. Corp. v. Meyer, 510 U.S. 471, 475 (1994). The Privacy
Act, 5 U.S.C. § 552a, provides just such a waiver of sovereign
immunity. That statute âsafeguards the public from
unwarranted collection, maintenance, use and dissemination of
personal information contained in agency records.â Henke v.
Department of Commerce, 83 F.3d 1453, 1456 (D.C. Cir. 1996)
(quoting Bartel v. Federal Aviation Admin., 725 F.2d 1403,
1407 (D.C. Cir. 1984)). As part of that obligation, the Act
mandates that federal agencies âprotect the privacy of
individuals identified in information systems maintained by
[them].â Pub. L. No. 93-579, § 2(a)(5), 88 Stat. 1896, 1896
(1974). The Privacy Act waives sovereign immunity by
expressly authorizing a cause of action for damages against
federal agencies that violate its rules protecting the
confidentiality of private information in agency records. See
Tomasello v. Rubin, 167 F.3d 612, 617â618 (D.C. Cir. 1999).
The district court nonetheless ruled that OPMâs sovereign
immunity remained intact, reasoning that Arnold Plaintiffs
failed to allege the type of harms covered by the Privacy Act.
Reviewing the district courtâs dismissal of the Privacy Act
claim de novo, Skinner v. Department of Justice, 584 F.3d
27
1093, 1096 (D.C. Cir. 2009), we reverse. OPMâs allegedly
willful failure to protect Arnold Plaintiffsâ sensitive personal
information against the theft that occurred falls squarely within
the Privacy Actâs ambit.
To unlock the Privacy Actâs waiver of sovereign immunity
and state a cognizable claim for damages, a plaintiff must
allege that (i) the agency âintentional[ly] or willful[ly]â
violated the Actâs requirements for protecting the
confidentiality of personal records and information; and (ii) she
sustained âactual damagesâ (iii) âas a result ofâ that violation.
5 U.S.C. § 552a(g)(4); see Chichakli v. Tillerson, 882 F.3d 229,
233 (D.C. Cir. 2018). At this threshold stage of the litigation,
Arnold Plaintiffs have plausibly alleged each of those
elements.
A
To start, Arnold Plaintiffs have straightforwardly alleged
a âwillfulâ violation of the Privacy Actâs requirements. 5
U.S.C. § 552a(g)(4). OPM was necessarily aware that the
Privacy Act requires it to âestablish appropriate administrative,
technical, and physical safeguardsâ that âinsure the security
and confidentiality of records,â and to âprotect against any
anticipated threats or hazards to their security or integrity
which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom
information is maintained.â 5 U.S.C. § 552a(e)(10).
The complaint alleges in no uncertain terms that OPM
dropped that ball because appropriate safeguards were not in
place. See, e.g., Arnold Plaintiffsâ Compl. ¶ 134, J.A. 74
(âOPMâs decisions not to comply with [Information Security
Act] requirements for critical security safeguards enabled
hackers to access and loot OPMâs systems for nearly a year
28
without being detected.â); id. ¶ 178, J.A. 87 (âDespite known
and persistent threats from cyberattacks, OPM allowed
multiple âmaterial weaknessesâ in its information security
systems to continue unabated. As a result, Plaintiffsâ and Class
membersâ [government investigation information] under
OPMâs control was exposed, stolen, and misused.â).
Of course, violating the Privacy Act is not by itself
enough. The agencyâs transgression must have been
âintentional or willful.â 5 U.S.C. § 552a(g)(4). Under the
Privacy Act, willfulness means more than âgross negligence.â
Maydak v. United States, 630 F.3d 166, 179 (D.C. Cir. 2010);
see also Coleman v. United States, 912 F.3d 824, 836â837 (5th
Cir. 2019) (âat least gross negligenceâ); Beaven v. Department
of Justice, 622 F.3d 540, 549 (6th Cir. 2010) (âsomething
greater than gross negligenceâ); Hogan v. England, 159 F.
Appâx 534, 537 (4th Cir. 2005) (âsomewhat greater than gross
negligenceâ) (formatting altered); Johnston v. Horne, 875 F.2d
1415, 1422 (9th Cir. 1989) (âconduct amounting to more than
gross negligenceâ), overruled on other grounds, Irwin v.
Department of Veterans Affairs, 498 U.S. 89 (1990).
Allegations that the agencyâs conduct was âdisjointedâ or
âconfused,â or that errors were âinadvertent[]â will not suffice.
Maydak, 630 F.3d at 180 (internal quotation marks omitted).
Instead, a complaint must plausibly allege that the
agencyâs security failures were âin flagrant disregard of [their]
rights under the Act,â were left in place âwithout grounds for
believing them to be lawful,â or were âso patently egregious
and unlawful that anyone undertaking the conduct should have
known it unlawful.â Maydak, 630 F.3d at 179; accord 120
Cong. Rec. 40406 (1974) (âAnalysis of House and Senate
Compromise Amendments to the Federal Privacy Actâ) (âOn a
continuum between negligence and the very high standard of
willful, arbitrary, or capricious conduct, this standard is viewed
29
as only somewhat greater than gross negligence.â); see also
Beaven, 622 F.3d at 549 (requiring defendants to have
âcommitt[ed] the act without grounds for believing it to be
lawful, or flagrantly disregard[ed] othersâ rights under the
Privacy Actâ) (formatting altered); Andrews v. Veterans
Admin., 838 F.2d 418, 425 (10th Cir. 1988) (agency âaction
[must be] so patently egregious and unlawful that anyone
undertaking the conduct should have known it unlawful, or
conduct committed without grounds for believing it to be
lawful or [an] action flagrantly disregarding othersâ rights
under the Actâ) (formatting altered). 1
Arnold Plaintiffsâ complaint clears that hurdle by plausibly
and with specificity alleging that OPM was willfully indifferent
to the risk that acutely sensitive private information was at
substantial risk of being hacked. According to the complaint,
at the time of the breach, OPM had long known that its
electronic record-keeping systems were prime targets for
hackers. The agency suffered serious data breaches from
hackers in 2009 (millions of usersâ personal information stolen)
and 2012 (OPM access credentials stolen and posted online),
and is subject to at least ten million unauthorized electronic
1
Cf. McLaughlin v. Richland Shoe Co., 486 U.S. 128, 132â133
(1988) (âwillfulâ under the Fair Labor Standards Act includes
âreckless[]â violations); Trans World Airlines, Inc. v. Thurston, 469
U.S. 111, 126 (1985) (willfulness in the Age Discrimination in
Employment Act includes âreckless disregard for the matter of
whether [the defendantâs] conduct was prohibited byâ the Act);
United States v. Murdock, 290 U.S. 389, 395 (1933) (âwillfulâ
violation of the Revenue Acts of 1926 and 1928 is âmarked by
careless disregard [for] whether or not one has the right so to actâ);
Dayton Tire v. Secretary of Labor, 671 F.3d 1249, 1254 (D.C. Cir.
2012) (willful violation of the Occupational Safety and Health Act is
âan act done voluntarily with either an intentional disregard of, or
plain indifference to, the Actâs requirementsâ).
30
intrusion attempts every month. Arnold Plaintiffsâ Compl.
¶¶ 78â79, J.A. 64.
Despite that pervading threat, OPM effectively left the
door to its records unlocked by repeatedly failing to take basic,
known, and available steps to secure the trove of sensitive
information in its hands. Information Security Act audits by
OPMâs Inspector General repeatedly warned OPM about
material deficiencies in its information security systems.
Among the identified flaws were
âą severely outdated security policies and procedures;
âą permitting employees to leave open, or to not
terminate, remote access;
âą understaffed and undertrained cybersecurity
personnel;
âą failure to implement or enforce multi-factor
identification in any of its major information
systems;
âą declining to patch or install security updates for its
systems promptly;
âą lacking a mature vulnerability scanning program to
find and track the status of security weaknesses in
its systems;
âą failure to maintain a centralized information
security management structure that would
continuously monitor security events and controls;
âą lacking the ability to detect unauthorized devices
connected to its network; and
âą failure to engage in appropriate oversight of its
contractor-operated systems.
So forewarned, OPM chose to leave those critical
information security deficiencies (and more) in place. On top
of that, in the year that the hacks occurred, OPM (allegedly)
31
also left undone mandated security assessments and
authorizations for half of its electronic record-keeping systems.
44 U.S.C. § 3554(b); id. § 3544(b) (repealed 2014); Arnold
Plaintiffsâ Compl. ¶¶ 101â102, J.A. 69 (no information
security assessments conducted for eleven of the twenty-one
systems). The risk created by these lapses was so serious that
the Inspector General took the unprecedented step of advising
OPM to shut down all the systems lacking valid authorizations
until adequate security measures could be put in place. OPM
declined, choosing instead to continue operating these systems.
The complaintâs plausible allegations that OPM decided to
continue operating in the face of those repeated and forceful
warnings, without implementing even the basic steps needed to
minimize the risk of a significant data breach, is precisely the
type of willful failure to establish appropriate safeguards that
makes out a claim under the Privacy Act. See American Fedân
of Govât Employees v. Hawley, 543 F. Supp. 2d 44, 52 (D.D.C.
2008) (Department of Homeland Securityâs failure to establish
appropriate safeguards to prevent losing a computer hard drive
was âintentional and willfulâ given the Inspector Generalâs
repeated warnings of ârecurring, systemic, and fundamental
deficienciesâ in the agencyâs information security); In re
Department of Veterans Affairs (VA) Data Theft Litig., No. 06â
0506 (JR), 2007 WL 7621261, at *4â5 (D.D.C. Nov. 16, 2007)
(Department of Veterans Affairsâ failure to establish
appropriate safeguards to protect against theft of laptop and
hard drive was âintentional and willfulâ in light of the
Government Accountability Officeâs repeated warnings of
âdeficienciesâ in the agencyâs âinformation securityâ).
B
Arnold Plaintiffsâ lawsuit is not in the clear yet. The
complaint must also allege facts showing that they suffered
32
âactual damagesâ as âa result ofâ OPMâs Privacy Act violation.
5 U.S.C. § 552a(g)(4). The complaint rises to that task as well.
1
âActual damagesâ within the meaning of the Privacy Act
are limited to proven pecuniary or economic harm. Federal
Aviation Admin. v. Cooper, 566 U.S. 284, 298â299 (2012).
The district court concluded that only two Arnold Plaintiffs had
properly alleged that they suffered âactual damagesâ: Jane
Doe, who incurred legal fees when she retained a law firm to
close fraudulent accounts opened in her name, and Charlene
Oliver, whose electricity account had been fraudulently
accessed and saddled with unauthorized charges.
While those harms certainly qualify as actual damages, the
complaint contains still more relevant allegations of injury.
First, nine of the named Arnold Plaintiffs purchased credit
protection and/or credit repair services after learning of the
breach. Paul Daly, for example, purchased credit monitoring
services after a fraudulent 2014 tax return was filed in his
name. And Teresa J. McGarry subscribed to a monthly credit
and identity protection service to prevent identity theft. Those
reasonably incurred out-of-pocket expenses are the
paradigmatic example of âactual damagesâ resulting from the
violation of privacy protections. See Cooper, 566 U.S. at 298. 2
OPM counters that those individual purchases were
unnecessary because Congress provided credit monitoring
2
Congress authorized the expenditure of hundreds of millions
of taxpayer dollars to purchase ten yearsâ worth of fraud and credit
monitoring services to protect victims of the data breach. See
Consolidated Appropriations Act, Pub. L. No. 115-31, § 633(a), 131
Stat. 135, 376 (2017).
33
services for potentially affected individuals. Congress, though,
did not offer credit repair services. Anyhow, the argument
wrongly assumes facts in OPMâs favor at the complaint stage,
such as that the services offered were equal or superior to those
obtained privately, or that they took effect in a timely manner
and for a sufficient period of time. See Agnew v. District of
Columbia, 920 F.3d 49, 53 (D.C. Cir. 2019) (on a motion to
dismiss âwe assume the truth of all plaintiffsâ plausibly pleaded
allegations, and draw all reasonable inferences in their favorâ).
Notably, at least one named plaintiff purchased credit
monitoring services before OPMâs offered services were âup
and running.â Compare Hearing Tr. 35, with Arnold Plaintiffsâ
Compl. ¶ 28, J.A 48â49.
Second, seven of the named Arnold Plaintiffs had accounts
opened and purchases made in their names. For example, Kelly
Flynn and her husband had several new credit card accounts
fraudulently opened in their names. They also discovered that
two separate loans totaling $6,400 had been taken out in their
names without their permission and were now delinquent.
Those financial losses qualify as âactual damages.â See
Cooper, 566 U.S. at 298â299.
The district court deemed those damages insufficient
because Arnold Plaintiffs did not further allege that their costs
went unreimbursed. That was error. At this stage of the
litigation, all facts and reasonable inferences must be drawn in
favor of Arnold Plaintiffs, and the complaint provides no basis
for disregarding the claimed financial losses based on OPMâs
speculation that Arnold Plaintiffs were indemnified. See
Hancock v. Urban Outfitters, Inc., 830 F.3d 511, 513â514
(D.C. Cir. 2016).
Anyhow, âan injured person may usually recover in full
from a wrongdoer regardless of anything he may get from a
34
collateral source unconnected with the wrongdoer.â Kassman
v. American Univ., 546 F.2d 1029, 1034 (D.C. Cir. 1976) (per
curiam) (formatting altered); accord Restatement (Second) of
Torts § 920A(2). That rule prevents the victimâs benefits from
becoming the tortfeasorâs windfall. See Hudson v. Lazarus,
217 F.2d 344, 346 (D.C. Cir. 1954). So too here.
OPM also objects that only some forms of reimbursement
qualify for the collateral source rule. Govât Br. 45. Again,
OPM gets the cart before the horse, because the complaint
contains no allegations about recompense at all, let alone what
their sources were. OPMâs argument also offers an overly
cramped vision of the collateral source rule. See Hudson, 217
F.2d at 346 (without limiting the collateral source ruleâs
application, observing that it applies to âgift[s] or the product
of a contract of employment or of insuranceâ); Restatement
(Second) of Torts § 920A cmt. c (offering a non-exclusive list
of âtypes of benefitsâ to which the collateral source rule
applies); see also, e.g., Temme v. Bemis Co., 762 F.3d 544, 549
(7th Cir. 2014) (per curiam) (applying the collateral source rule
to attorneysâ fees payments).
Third, Plaintiffs Kelly Flynn and six others had false tax
returns filed using their information and have experienced
delays in receiving federal and state tax refunds. The delay in
those Plaintiffsâ receipt of their refunds, and the forgone time
value of that money, is an actual, tangible pecuniary injury.
OPM argues âno harm, no foulâ because the Internal
Revenue Service must pay taxpayers interest due for delayed
refunds. See 26 U.S.C. § 6611. That misses the mark. To start,
interest on tax overpayments is itself taxable income, id.
§ 61(a)(4); Megibow v. Commissioner, 102 T.C.M. (CCH) 232
(2011), while interest incurred in taking out loans to cover the
delayed refunds is not deductible, 26 U.S.C. § 163(h)(1). That
35
makes the IRSâs payment scheme inherently under
compensatory. On top of that, the IRS pays interest only on
delayed federal refunds, not state tax refunds. Arnold
Plaintiffsâ Compl. ¶ 28, J.A. 49 (alleging delay in state tax
refund); see generally 26 U.S.C. § 6611(a) (âInterest shall be
allowed and paid upon any overpayment in respect of any
internal revenue tax.â) (emphasis added).
Lastly, one Plaintiff, Lillian Gonzalez-Colon, spent more
than 100 hours to resolve the fraudulent tax return filing and to
close a fraudulently opened account. Those efforts ârequired
her to take time off work[]â to address the consequences of the
OPM breach. Arnold Plaintiffsâ Compl. ¶ 31, J.A. 50â51; see
Beaven, 622 F.3d at 557â559 (concluding that plaintiffs could
claim damages for âlost timeâ spent âdealing with the
disclosureâ of their Bureau of Prison personnel files).
OPM urges us to hold Gonzalez-Colon to Federal Rule of
Civil Procedure 9(g)âs requirement that âspecial damagesâ be
âspecifically stated.â Fed. R. Civ. P. 9(g). We have not yet
addressed whether Rule 9(g)âs heightened pleading standard
applies to Privacy Act claims, and we have no occasion to do
so here. Gonzalez-Colonâs specific allegations about the time
lost from work addressing the fraudulent tax return and
Verizon Wireless account suffice either way. See 5A Charles
A. Wright & Arthur R. Miller, Federal Practice & Procedure
§ 1311 (4th ed. 2019) (â[A]llegations of special damage will be
deemed sufficient for the purpose of Rule 9(g) if they are
definite enough to notify the opposing party and the court of
the nature of the damages and enable the preparation of a
responsive pleading.â).
For all of those reasons, Arnold Plaintiffs have adequately
alleged actual damages within the meaning of the Privacy Act.
36
2
The complaint also explains how Arnold Plaintiffsâ actual
damages were the âresult ofâ OPMâs Privacy Act violations. 5
U.S.C. § 552a(g)(4)(A).
To meet the Privacy Actâs causation requirement, Arnold
Plaintiffs must plausibly allege that the OPM hack was the
âproximate causeâ of their damages. Dickson v. Office of Pers.
Mgmt., 828 F.2d 32, 37 (D.C. Cir. 1987). That is, OPMâs
conduct must have been a âsubstantial factorâ in the sequence
of events leading to Arnold Plaintiffsâ injuries, and those
injuries must have been âreasonably foreseeable or anticipated
as a natural consequenceâ of OPMâs conduct. Owens v.
Republic of Sudan, 864 F.3d 751, 794 (D.C. Cir. 2017). To be
the proximate cause is not necessarily to be the sole cause. See
Hecht v. Pro-Football, Inc., 570 F.2d 982, 996 (D.C. Cir.
1977). OPM was the proximate cause of the harm befalling
Arnold Plaintiffs so long as its conduct created a foreseeable
risk of harm through the hackersâ intervention. See Staub v.
Proctor Hosp., 562 U.S. 411, 420 (2011); Restatement
(Second) of Torts § 442A.
The complaint alleges facts demonstrating proximate
cause. Arnold Plaintiffs contend that OPMâs failure to
establish appropriate information security safeguards opened
the door to the hackers, giving them ready access to a
storehouse of personally identifiable and sensitive financial
information. In particular, the complaint explains that OPMâs
failure to adopt basic protective measures âforeseeably
heightened the risk of a successful intrusion into OPMâs
systems.â Arnold Plaintiffsâ Compl. ¶ 134, J.A. 74. And its
decisions to disregard the Inspector Generalâs repeated
warnings and ânot to comply with [Information Security Act]
requirements for critical security safeguards enabled hackers to
37
access and loot OPMâs systems for nearly a year without being
detected.â Id.; see id. ¶¶ 105â113, J.A. 70â71.
The proof is in the pudding: Numerous Arnold Plaintiffs
suffered forms of identity theft accomplishable only with the
type of information that OPM stored and the hackers accessed.
That directly links the hack to the theft of the victimsâ private
information, the pecuniary harms suffered, and the ongoing
increased susceptibility to identity theft or financial injury. See
Arnold Plaintiffsâ Compl. ¶¶ 14, 17, 21â22, 24â26, 28â29, 31â
32, 34, 39â41, 45, 49, J.A. 40â59; Attias v. CareFirst, Inc., 865
F.3d 620, 629 (D.C. Cir. 2017) (plaintiffs plausibly alleged risk
of identity theft for Article III standing purposes based on the
nature of the stolen data), cert. denied, 138 S. Ct. 981 (2018). 3
To argue, as OPM does, that the presumed occurrence of other
data breaches defeats a causal connection as a matter of law at
this early stage again wrongly construes inferences drawn from
generic assertions about the general risk of data breaches in the
governmentâs favor. The law would embody quite a âperverse
3
See also Resnick v. AvMed, Inc., 693 F.3d 1317, 1327 (11th
Cir. 2012) (plaintiffs plausibly alleged that data breach proximately
caused their identity theft for purposes of Florida law by âalleg[ing]
that the sensitive information on the stolen laptop was the same
sensitive information used to steal Plaintiffsâ identityâ); Stollenwerk
v. TriâWest Health Care All., 254 F. Appâx 664, 667 (9th Cir. 2007)
(plaintiff established that data breach proximately caused identity
theft for purposes of Arizona law where plaintiff provided his
personal information to defendant, the identity fraud incidents began
six weeks after defendantâs systems were compromised, and plaintiff
had not previously suffered from identity theft); In re Community
Health Sys., Inc., No. 15-CV-222-KOB, 2016 WL 4732630, at *25
(N.D. Ala. Sept. 12, 2016) (plaintiff plausibly alleged causal link
between data breach and identity theft by âalleg[ing] misuse
occurring subsequent to the breach that would be consistent with the
type of data stolenâ).
38
incentiveâ were it to hold at this threshold stage of litigation
that, âso long as enough data breaches take place,â agencies
âwill never be found liable.â In re Equifax, Inc., Customer
Data Security Breach Litig., 362 F. Supp. 3d 1295, 1318 (N.D.
Ga. 2019) (formatting altered); accord In re Anthem, Inc. Data
Breach Litig., 162 F. Supp. 3d 953, 988 (N.D. Cal. 2016).
In any event, OPM makes no claim that these particular
plaintiffs have been subjected to hacks of equivalent breadth
and depth, sweeping in such acutely sensitive personal
information as Social Security numbers, fingerprints, and birth
certificates.
In sum, Arnold Plaintiffs have adequately alleged (i) that
OPM willfully chose not to establish basic and necessary
information security safeguards in violation of Section
552a(e)(10) of the Privacy Act, and (ii) that those actions
proximately caused (iii) actual damages in multiple, specific
ways. Because the complaint, at this threshold stage, states a
viable Privacy Act claim, OPMâs sovereign immunity has been
waived.
IV
In addition to their Privacy Act claim against OPM,
Arnold Plaintiffs assert statutory and common law claims
against OPMâs contractor, KeyPoint Government Solutions.
Arnold Plaintiffsâ Compl. ¶¶ 208â275, J.A. 94â110 (alleging
negligence, negligent misrepresentation and concealment,
invasion of privacy, violation of the Fair Credit Reporting Act,
15 U.S.C. § 1681, violation of âState Statutes Prohibiting
Unfair and Deceptive Trade Practices,â violation of âState Data
Breach Acts,â and breach of contract).
39
OPM tasked KeyPoint with performing background and
security clearance investigations and inputting the sensitive
information it collected into OPMâs electronic recordkeeping
system. The hackers allegedly were able to obtain KeyPoint
credentials and then used them to gain access to OPMâs
network. See Arnold Plaintiffsâ Compl. ¶ 106, J.A. 70.
The district court held that, as OPMâs contractor, KeyPoint
enjoyed âderivative sovereign immunityâ from those claims.
We review the applicability of derivative sovereign immunity
de novo, see Cunningham v. General Dynamics Info. Tech.,
Inc., 888 F.3d 640, 645 (4th Cir. 2018), cert. denied, 139 S. Ct.
417 (2018), and find no basis for its application in this case.
OPMâs contract obligated KeyPoint to meet the same standards
for protecting personal information that the Privacy Act
imposes directly on OPM. Because the improper conduct
alleged would have violated the Privacy Act if committed by
OPM itself and because KeyPointâs challenged misconduct
was not directed by OPM, there is no sovereign immunity for
KeyPoint to derive. 4
As a private company, KeyPoint ordinarily would not
enjoy immunity against the statutory and tort claims asserted
by Arnold Plaintiffs. But government contractors may
sometimes âobtain certain immunity in connection with work
which they do pursuant to their contractual undertakings with
the United States.â Campbell-Ewald Co. v. Gomez, 136 S. Ct.
663, 672 (2016) (internal quotation marks omitted) (quoting
Brady v. Roosevelt S.S. Co., 317 U.S. 575, 583 (1943)).
4
Neither OPM nor the Justice Department in its brief in this
case has endorsed KeyPointâs claim of derivative sovereign
immunity.
40
Derivative sovereign immunity, though, is less
âembraciveâ than the immunity a sovereign enjoys. Campbell-
Ewald, 136 S. Ct. at 672. It applies only when a contractor
takes actions that are âauthorized and directed by the
Government of the United States,â and âperformed pursuant to
the Act of Congressâ authorizing the agencyâs activity. Id. at
673. In that way, derivative sovereign immunity ensures that
ââthere is no liability on the part of the contractorâ who simply
performed as the Government directed.â Id. (quoting Yearsley
v. W.A. Ross Constr. Co., 309 U.S. 18, 21 (1940)); id. at 673
n.7 (âCritical in Yearsley was not the involvement of public
works, but the contractorâs performance in compliance with all
federal directions.â). Said another way, a government
contractor that âviolates both federal law and the governmentâs
explicit instructionsâ loses the shield of derivative immunity
and is subject to suit by those adversely affected by the
contractorâs violations. Id. at 672.
Like the plaintiff in Campbell-Ewald, Arnold Plaintiffs
have plausibly alleged that KeyPointâs failure to secure its
credentials ran afoul of both OPMâs explicit instructions and
federal law standards, rendering derivative sovereign immunity
unavailable.
At the outset, KeyPointâs failure to place in the record its
contract with OPM makes it particularly difficult for it to
establish, on a motion to dismiss, that its alleged security lapses
were âauthorized and directedâ by OPM, Campbell-Ewald, 136
S. Ct. at 673 (quoting Yearsley, 309 U.S at 20). See generally
Banneker Ventures, LLC v. Graham, 798 F.3d 1119, 1133
(D.C. Cir. 2015).
In fact, Privacy Act regulations require OPM, when
contracting âfor the operation * * * of a system of records to
accomplish an agency function,â to âcause the requirementsâ
41
of the Privacy Act to be âapplied to such system.â 5 U.S.C.
§ 552a(m)(1); see 48 C.F.R. §§ 24.102(a), 24.104, 52.224-2.
KeyPoint does not deny that. So KeyPoint was obligated by
contract and regulation to, among other things, establish
âappropriate safeguards to insure the security and
confidentiality of records.â 5 U.S.C. § 552a(e)(10); see Arnold
Plaintiffsâ Compl. ¶ 123, J.A. 72â73.
The complaint expressly asserts that KeyPoint failed to
fulfill those obligations, which led to the break-in. KeyPoint
allegedly violated its regulatory and contractual obligations,
among other things, to (i) âsecure its systems for gathering and
storingâ government investigation information despite
âknowing of [its] vulnerabilities;â (ii) âcomply with industry-
standard data security practices;â (iii) âperform requisite due
diligence and supervision in expanding its workforce;â (iv)
âencrypt [government investigation information] at collection,
at rest, and in transit;â (v) âemploy adequate network
segmentation and layering;â (vi) âensure continuous system
and event monitoring and recording;â and (vii) âotherwise
implement security policies and practices sufficient to protect
* * * [government investigation information] from
unauthorized disclosure.â Arnold Plaintiffsâ Compl. ¶ 223,
J.A. 98. Notably, it was KeyPointâs alleged failure to secure
and protect its employeesâ log-in credentials that allowed the
hackers to access OPMâs system in May 2014, and it was from
there that the hackers ultimately stole 21.5 million background
investigation records.
Unsurprisingly, KeyPoint does not argue that OPM
âauthorized and directedâ it to design its system with the
security flaws that Arnold Plaintiffs identify. Campbell-
Ewald, 136 S. Ct. at 673. So KeyPoint cannot wrap itself in
derivative immunity garb on the ground that it âsimply
performed as the Government directed.â Id.
42
The district court felt differently, concluding that
derivative immunity applied because the Privacy Act is wholly
inapplicable to KeyPoint. It is true that the Privacy Act itself
does not apply directly to government contractors like
KeyPoint. See Abdelfattah v. Department of Homeland
Security, 787 F.3d 524, 533 n.4 (D.C. Cir. 2015) (â[T]he
Privacy Act creates a cause of action against only federal
government agencies and not private corporations or individual
officials.â).
But that is beside the point. To claim immunity, KeyPoint
had to establish âcompliance with all federal directionsâ
pertaining to its relevant conduct, including the regulatory and
contractual obligation to meet the Privacy Actâs standards in its
contract operations. Campbell-Ewald, 136 S. Ct. at 673 n.7.
So what matters for derivative sovereign immunity
purposes is KeyPointâs (i) inability to point to a contractual
provision or other OPM direction authorizing or directing the
very gaps in security protections over which Arnold Plaintiffs
are suing, and (ii) its regulatory duty to ensure informational
security equivalent to that demanded by the Privacy Act. 48
C.F.R. §§ 24.102(a), 24.104, 52.224-2. Add to that the absence
of sovereign immunity protections for OPM from the Privacy
Act claims in this case, and the sovereign immunity well from
which KeyPoint seeks to draw has run dry.
The district court also pointed to Section 552a(m)(1) of the
Privacy Act, which provides that the contractor and its
employees âshall be considered employees of the agency[,]â
and to a regulation providing that âthe system of records
operated under the contract is deemed to be maintained by the
agency.â In re OPM, 266 F. Supp. 3d at 48â49 (quoting 48
43
C.F.R. § 24.102(c)). Neither supports the application of
derivative sovereign immunity here.
Even under the district courtâs reading, Section
552a(m)(1) hurts rather than helps KeyPoint. OPMâs and its
employeesâ own immunity has been waived. So treating
KeyPoint employees like OPM employees gets KeyPoint
nowhere. It cannot derive an immunity that OPM itself does
not have. See Campbell-Ewald, 136 S. Ct. at 666 (asking
whether âthe sovereignâs immunity from suit shield[s] the
[contractor] * * * as wellâ) (emphasis added); see also
Contango Operators, Inc. v. United States, 965 F. Supp. 2d
791, 814 (S.D. Tex. 2013) (because â[n]o sovereign immunity
has been established,â the court âtherefore concludes that there
is no governmental immunity from which an immunity may be
derived for the benefit ofâ the contractor), affâd sub nom.
Contango Operators, Inc. v. Weeks Marine, Inc., 613 F. Appâx
281 (5th Cir. 2015); cf. McMahon v. Presidential Airways, Inc.,
502 F.3d 1331, 1345 (11th Cir. 2007) (reasoning that if a
federal officer cannot claim complete derivative immunity,
then neither can a mere common law agent, because otherwise
âa prison guard employed by the government would have only
qualified immunity, while a private contractor who works in
the prison but is no more than a common law agent would have
absolute immunityâ).
After all, the driving purpose of derivative sovereign
immunity âis to prevent the contractor from being held liable
when the government is actually at fault but is otherwise
immune from liability.â In re World Trade Center Disaster
Site Litig., 456 F. Supp. 2d 520, 560 (S.D.N.Y. 2006) (internal
quotation marks omitted), affâd, 521 F.3d 169 (2d Cir. 2008);
cf. Filarsky v. Delia, 566 U.S. 377, 390â391 (2012) (if
qualified immunity is withheld from private individuals âacting
on behalf of the government,â âgovernment employees will
44
often be protected from suit by some form of immunity, [while]
those working alongside them could be left holding the bagâ
facing full liability for actions taken in conjunction with
government employees who enjoy immunity for the same
activityâ).
In any event, the district court overread the statute. When
the Privacy Act speaks of contractors as âemployeesâ of the
agency, it does so for the purpose of extending criminal
liability to contractors and their employees if they violate
certain Privacy Act requirements. 5 U.S.C. § 552a(i), (m)(1).
Congressâs decision to subject federal contractors to the same
Privacy Act criminal prohibitions as their agency employers
hardly augurs in favor of according those same contractors
more protection from civil liability than the agency itself.
As for the district courtâs reliance on 48 C.F.R.
§ 24.102(c), that regulation says nothing about contractorsâ
responsibility for complying with their contractual and
regulatory obligations. The rule simply holds the contracting
agency responsible for âthe system of records operated under
the contract.â 48 C.F.R. § 24.102(c), (d). Which makes sense.
Otherwise, the government would be able to contract itself out
of the Privacy Act obligations that Congress imposed.
Beyond that, KeyPointâs argument frequently mixes
apples and oranges, citing preemption cases in an effort to
substantiate its claim to derivative immunity. KeyPoint Br.
24â26. That tactic will not work. Those preemption cases do
not turn on the applicability of derivative sovereign immunity.
And KeyPoint has not raised a preemption argument in this
court, so any argument to that effect is forfeited for purposes of
this appeal. See Al-Tamimi v. Adelson, 916 F.3d 1, 6 (D.C. Cir.
2019) (âA party forfeits an argument by failing to raise it in his
opening brief.â).
45
In sum, derivative sovereign immunity has its limits.
KeyPoint exceeded those limits, and for that reason cannot don
the cloak of derivative sovereign immunity.
V
Finally, we turn to NTEU Plaintiffsâ constitutional claim.
In that claim, NTEU Plaintiffs do not allege that OPM
intentionally disclosed the records at issue or performed the
functional equivalent of such a disclosure. See, e.g., NTEU
Plaintiffsâ Compl. ¶ 97, J.A. 186 (alleging âreckless
indifferenceâ). Instead, NTEU Plaintiffs challenge OPMâs
internal record-management and storage practices and policies
as unconstitutionally trenching on their asserted constitutional
right to privacy. See, e.g., id. at 3, J.A. 155 (âAlthough on
notice of serious flaws in its data system security, OPM failed
to adequately secure personal information in its possessionâa
failure that was reckless under the circumstances.â). They
appear to rely on two closely related threads of constitutional
doctrine, one couched in terms of privacy and relying mainly
on dicta from Whalen v. Roe, 429 U.S. 589 (1977), the other
phrased more directly in terms of substantive due process and
relying mainly on cases providing relief for persons harmed
through government neglect of their personal safety. We
address them in that order.
A
As NTEU Plaintiffs see it, the Constitution creates a âzone
of privacyâ that protects an individualâs âinterest in avoiding
disclosure of personal matters.â NTEU Br. 36 (quoting
Whalen, 429 U.S. at 598â599). This putative right to
âinformational privacy,â they contend, is violated not only
where government agents intentionally disclose an individualâs
46
personal information, but where, as alleged here, the agents
âreckless[ly]â fail to prevent a third party from stealing it.
NTEU Plaintiffsâ Compl. 3, J.A. 155; see also Oral Arg. Tr.
44:23â45:5.
Even assuming âwithout deciding[] that the Constitution
protectsâ some âsortâ of privacy âinterest in avoiding
disclosure of personal matters,â NASA v. Nelson, 562 U.S. 134,
138 (2011) (quoting Whalen, 429 U.S. at 599â600), NTEU
Plaintiffs have failed to state a legally cognizable claim. There
is no authority for their contention that the Constitution
imposes on the government an affirmative dutyâuntethered to
specific constitutional provisions such as the First Amendment,
see, e.g., Americans for Prosperity Found. v. Becerra, 903 F.3d
1000, 1019 (9th Cir. 2018)âto âsafeguard personal
informationâ from the criminal acts of third parties, NTEU
Plaintiffsâ Compl. ¶ 97, J.A. 186.
The asserted duty to âadequately secureâ government
computer networks finds no support in the Constitution or our
history. NTEU Plaintiffsâ Compl. 3, J.A. 155. Not once do
NTEU Plaintiffs quote the very document from which they
purport to derive their claimed right: the Constitution of the
United States. Nor, for that matter, do they invoke this
âNationâs history and tradition,â Aka v. United States Tax
Court, 854 F.3d 30, 34 (D.C. Cir. 2017) (quoting Washington
v. Glucksberg, 521 U.S. 702, 720â721 (1997))âan integral
part of the formula for identifying unenumerated rights.
NTEU Plaintiffs instead ground their claim in a single line
of Supreme Court dictum from more than 40 years ago that
describes â[t]he cases sometimes characterized as protecting
âprivacyââ as involving, among other interests, a vague
âindividual interest in avoiding disclosure of personal matters.â
NTEU Br. 36 (quoting Whalen, 429 U.S. at 599). But neither
47
we nor the Supreme Court has ever held that this interest is a
constitutional right. American Fedân of Govât Employees v.
Department of Hous. & Urban Dev., 118 F.3d 786, 791 (D.C.
Cir. 1997) (âThe Supreme Court has addressed the issue in
recurring dicta without, we believe, resolving it.â). Both courts
have, so far, steadfastly rejected all informational privacy
claims purporting to rest on the Constitution, while simply
âassum[ing]ââbut never âdecidingââthat the Constitution
protects a âright of the sort mentioned in Whalen.â NASA, 562
U.S. at 138; see Nixon v. Administrator of Gen. Servs., 433 U.S.
425, 457â458 (1977); Whalen, 429 U.S. at 605; American
Fedân of Govât Employees, 118 F.3d at 791. Indeed, neither
this court nor the Supreme Court has ever elaborated on the
rationale forâor even defined the âprecise contours ofââthe
putative right to informational privacy. American Fedân of
Govât Employees, 118 F.3d at 793; see also, e.g., NASA, 562
U.S. at 147â148. Rather, we have underlined its âambiguity.â
National Fedân of Fed. Employees v. Greenberg, 983 F.2d 286,
293 (D.C. Cir. 1993); cf. Siegert v. Gilley, 500 U.S. 226, 233â
234 (1991) (holding that even malicious government
defamation does not trigger constitutional protection) (citing
Paul v. Davis, 424 U.S. 693 (1976)).
Other circuits, to be sure, have embraced a form of the
putative right. See, e.g., In re Crawford, 194 F.3d 954, 958
(9th Cir. 1999); see also NASA, 562 U.S. at 146 n.9 (collecting
cases). But see Doe v. Wigginton, 21 F.3d 733, 740 (6th Cir.
1994). But NTEU Plaintiffs have identified no case in which
the government has been held to have violated the alleged right
without having âaffirmatively provid[ed] the protected
information to those unauthorized to view it.â NTEU Br. 47
(emphasis added). Neither have we. Absent any plausible
mooring in the Constitutionâs text or the Nationâs history and
tradition, we join the district court in declining to recognize the
proposed constitutional right to informational privacy that
48
would be violated not only when information is intentionally
disclosed (or the functional equivalent), but also âwhen a third
party steals it.â In re OPM, 266 F. Supp. 3d at 46.
Troubled as we are by NTEU Plaintiffsâ allegations
regarding the severity and scope of OPMâs data security
shortcomings, we are nonetheless reluctant to constitutionalize
an information security code for the governmentâs âinternal
operations.â NASA, 562 U.S. at 151 (citing Engquist v. Oregon
Depât of Agric., 553 U.S. 591, 598â599 (2008)). OPM
âcollect[ed] and store[d]â the information at issue here not as
sovereign, but as employerâin âits role as the federal civil
serviceâs personnel manager.â NTEU Plaintiffsâ Compl. ¶ 10,
J.A. 159. In this capacityâââas proprietorâ and manager of
[the governmentâs] âinternal operation,ââ NASA, 562 U.S. at
148 (quoting Cafeteria & Rest. Workers Union v. McElroy, 367
U.S. 886, 896 (1961))âOPM was âdealing âwith citizen
employees,ââ and thus had a âmuch freer handâ than it would
have had if it had brought âits sovereign power to bear on
citizens at large,â id. (emphasis added) (quoting Engquist, 553
U.S. at 598). That âfreer handâ exists for good reason.
Whereas the âConstitution requires that a President chosen by
the entire Nation oversee the execution of the laws,â albeit by
a âvast and varied federal bureaucracy,â Free Enter. Fund v.
Public Co. Accounting Oversight Bd., 561 U.S. 477, 499
(2010), constitutionally micromanaging employment records
management systems, reaching down to the details of âhow
[best] to protectâ the âinformation systemsâ holding employee
data, NTEU Br. 48, would shift a material part of that oversight
function to the judiciary, which generally lacks established
standards or guideposts for making such administrative
judgmentsâat least in the absence of congressional direction.
Cf. Bishop v. Wood, 426 U.S. 341, 349â350 (1976).
49
Another reason counsels hesitation. Establishing judicial
supervision over the security of the governmentâs employee
data would âshort-circuitâ the response that Congress has
already launched. District Attorneyâs Office for Third Judicial
Dist. v. Osborne, 557 U.S. 52, 73 (2009) (citing Glucksberg,
521 U.S. at 720). As the Supreme Court observed in NASA,
Congress has in the Privacy Act adopted significant
âprotections against disclosureâ of personal information that
ââevidence a proper concernâ for individual privacy.â 562 U.S.
at 156 (quoting Whalen, 429 U.S. at 605). Here, as there, the
Act limits the governmentâs ability to maintain records âabout
an individual,â 5 U.S.C. § 552a(e)(1), and âimposes criminal
liability for willful violations of its nondisclosure obligations,â
562 U.S. at 156 (citing 5 U.S.C. § 552a(i)(1)). NTEU
Plaintiffs, of course, allege that OPM has âfail[ed] to satisfyâ
these obligations, NTEU Plaintiffsâ Compl. ¶ 97, J.A. 186, and
argue that their âinherently personal information remains at
substantial risk of additional breaches becauseâ of OPMâs
failures, Oral Arg. Tr. 49:17â19. But if NTEU Plaintiffs are
right (as we must assume in the current posture of the case),
then they may invoke the remedial provisions found by
Congress to best balance privacy and competing interests. See
5 U.S.C. § 552a(g)(1)(D), (g)(4); cf. supra Part III.A (reversing
dismissal of Arnold Plaintiffsâ Privacy Act claims).
Establishing a freestanding constitutional right to
informational privacy that creates a duty to safeguard personal
information from unauthorized access by third parties would
force us to develop a labyrinth of technical rules. See Osborne,
557 U.S. at 73â74. For example, does the Constitution require
data âencrypt[ion]â? NTEU Br. 6 (citing NTEU Plaintiffsâ
Compl. ¶¶ 51â52, J.A. 172â173). If so, must all data be
encrypted in transit, as well as at rest? Cf. Arnold Plaintiffsâ
Compl. ¶¶ 136, 223, J.A. 75, 98. What of the encryption key:
Is 256 bits necessaryâor would 128 bits scrape by,
50
constitutionally speaking? See Orin S. Kerr & Bruce Schneier,
Encryption Workarounds, 106 Geo. L.J. 989, 993 (2018)
(illustrating the difference). How about âpersonal identity
verification (PIV) credentialsââare they constitutionally
mandated? NTEU Plaintiffsâ Compl. ¶ 47, J.A. 171 (internal
quotation marks omitted). And most significant: What âtoolsâ
should âfederal courts * * * use to answerâ these questions?
Osborne, 557 U.S. at 74. NTEU Plaintiffs do not say; more
important, neither does the Constitution.
We therefore hold that, assuming (without deciding) the
existence of a constitutional right to informational privacy, see,
e.g., NASA, 562 U.S. at 138; American Fedân of Govât
Employees, 118 F.3d at 791, it affords relief only for intentional
disclosures or their functional equivalentâwhich NTEU
Plaintiffs do not allege.
B
NTEU Plaintiffs also seek to ground their claim in the Due
Process Clause of the Fifth Amendment, contending
specifically that, in some instances, âreckless or deliberate
indifferenceâ (as opposed to intentional misconduct) âmay
âshock the conscience sufficiently to violate due process.ââ
NTEU Reply Br. 13 (quoting Smith v. District of Columbia,
413 F.3d 86, 93 (D.C. Cir. 2005)); see also NTEU Br. 47â48;
Oral Arg. Tr. 74:3â9. True enough. See, e.g., United States v.
Salerno, 481 U.S. 739, 746 (1987) (citing Rochin v. California,
342 U.S. 165, 172 (1952)).
But the conscienceâs susceptibility to shock varies
radically with whether the government has previously taken an
âaffirmative act of restraining the individualâs freedom to act
on his own behalfâthrough incarceration, institutionalization,
or similar restraint of personal liberty.â DeShaney v.
Winnebago Cnty. Depât of Soc. Servs., 489 U.S. 189, 200
51
(1989). Thus, a prisoner who has âalready been deprived of
[his] liberty,â for example, has a plausible claim to affirmative
governmental protection. Collins v. City of Harker Heights,
503 U.S. 115, 127 (1992); see also Smith, 413 F.3d at 94â95
(same for âjuvenile delinquent held âagainst his willââ). Absent
such a restraint, however, the governmentâs âfailure to protect
an individual from private [acts], even in the face of known
danger, [generally] âdoes not constitute a violation of the Due
Process Clause.ââ Butera v. District of Columbia, 235 F.3d
637, 647 (D.C. Cir. 2001) (quoting DeShaney, 489 U.S. at 197).
âThe state must protect those it throws into snake pits, but the
state need not guarantee that volunteer snake charmers will not
be bitten.â Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986)
(explaining that although a state has a constitutional duty to
protect prisoners in its custody, it has no such obligation toward
prison guards who have voluntarily accepted employment with
the state).
Here, NTEU Plaintiffsâ claims fall on the wrong side of
this line; they assert an affirmative government duty to
safeguard personal information that current and prospective
employees voluntarily submitted to the government.
This lack of compulsion makes all the difference. In
Collins, for example, the Supreme Court rejected the claimâ
made by the widow of a city sanitation worker killed in the
performance of his dutiesâthat the Due Process Clause
required the government to âprovide its employees with certain
minimal levels of safety and security.â 503 U.S. at 127. A
government employee, the Court reasoned, could not maintain
âthat the [government] deprived [him] of his libertyââand thus
incurred a âcontinuing obligationâ to protect that liberty by
guaranteeing him a minimum level of safety and securityâ
âwhen it made, and he voluntarily accepted, an offer of
employment.â Id. at 128. That is precisely why, applying the
52
principle in cases posing the distinction most directly, we have
rejected claims by prison guards. See Fraternal Order of
Police Depât of Corrs. Labor Comm. v. Williams, 375 F.3d
1141, 1147 (D.C. Cir. 2004); Washington v. District of
Columbia, 802 F.2d 1478, 1482 (D.C. Cir. 1986).
Similar logic applies here. Like the sanitation worker in
Collinsâand the prison guards in Williams and Washingtonâ
NTEU Plaintiffs âvoluntarilyâ sought and âacceptedâ an âoffer
of [government] employment.â Collins, 503 U.S. at 128. In
doing so, they voluntarily submitted personal information âas
part of a background investigation.â NTEU Plaintiffsâ Compl.
¶ 60, J.A. 176. In no sense, then, did the government compel
NTEU Plaintiffs to seek government employment; it therefore
bore no constitutional duty under the Due Process Clause to
protect them from the risks associated with applying for such
positions. With no triggering deprivation of liberty or property
to speak of, there arose no constitutional governmental duty to
âprovide [NTEU Plaintiffs] with certain minimal levels of
safety and security,â Collins, 503 U.S. at 127âphysical or
digital.
VI
In sum, we reverse in part and affirm in part. We hold that
(i) NTEU and Arnold Plaintiffs have adequately alleged Article
III standing; (ii) Arnold Plaintiffs have stated a claim under the
Privacy Act, which waives OPMâs sovereign immunity; (iii)
KeyPoint is not protected by derivative sovereign immunity;
and (iv) NTEU Plaintiffs have failed to state a claim that flaws
in OPMâs information-storage measures violated the
Constitution. We remand for further proceedings consistent
with this opinion.
So ordered.
WILLIAMS, Senior Circuit Judge, concurring in part and
dissenting in part:
Why did âsophisticatedâ cyberintruders spend several
months systematically and covertly extracting 21.5 million
highly sensitive background investigation records for federal
government employees from the Office of Personnel
Management? Arnold Plaintiffsâ Compl. ¶ 128, J.A. 73.
Plaintiffsâ answer is identity theft. Might the hackers have
been members of a criminal syndicate looking to sell the
information to identity thieves on the dark web to bilk victims
such as Mr. Travis Arnold out of âapproximately $125â? Id.
¶ 13, J.A. 40. Yes, theoretically. But as a basis for standing
for most Arnold Plaintiffs the garden-variety identity theft
theory lacks the necessary plausibility in light of an obvious
alternative explanation: The breach âd[oes] not plausibly
suggestâ identity theft as the motive (and hence a source of
future harm) because it is âmore likely explainedâ as the
handiwork of foreign spies looking to harvest information
about millions of federal workers for espionage or kindred
purposes having nothing to do with identity theft. Ashcroft v.
Iqbal, 556 U.S. 662, 680 (2009); see Br. of Chamber of
Commerce of U.S. as Amicus Curiae in Support of Appellees
6 (âNation-states frequently target personally identifying
information . . . in order to spy on certain individuals.â
(brackets omitted)).
My colleagues do not deny the possibility. See Maj. op.
17 (â[A] cyberattack on a government system might well be
motivated by a purpose other than identity theft . . . .â). Yet, in
assessing standing, they conclude that âallâ 21.5 million
Arnold Plaintiffs have âplausibly alleged a substantial riskâ
that they will, due to this particular data breach, suffer âfuture
identity theft.â Id. at 14, 25.
Respectfully, I disagree. Because Arnold Plaintiffs have
failed to allege facts that would tend to negate the âobvious
2
alternative explanationâ for the breach (i.e., espionage), they
have not, in my view, ânudged [their] claims . . . across the line
from conceivable to plausible.â Iqbal, 556 U.S. at 680, 682
(quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 567,
570 (2007)). I would therefore affirm the dismissal of Arnold
Plaintiffsâ claims for lack of standingâwith one exception,
discussed below. As a result, I join the courtâs opinion in full
except with respect to any portions that are inconsistent with
this dissent, including but not limited to Parts II.B (holding that
Arnold Plaintiffs stated a plausible claim to standing) and
III.B.2 (holding that Arnold Plaintiffs stated a plausible claim
that their injuries were the âresult ofâ the breach).
* * *
Two aspects of the standing analysis are important here.
First, standing âdepends on the facts as they exist[ed] when the
complaint [was] filed.â Lujan v. Defenders of Wildlife, 504
U.S. 555, 569 n.4 (1992) (emphasis removed) (quoting
Newman-Green, Inc. v. Alfonzo-Larrain, 490 U.S. 826, 830
(1989)). We therefore look, not to the apparent risk of future
identity theft in, say, May 2014âthe date of the first major
breach, see Arnold Plaintiffsâ Compl. ¶ 127, J.A. 73âbut to
the risk apparent in March 2016, when Arnold Plaintiffs filed
their operative complaint.
Second, standing âmust be supported in the same way as
any other matter on which the plaintiff bears the burden of
proof, i.e., with the manner and degree of evidence required at
the successive stages of the litigation.â Susan B. Anthony List
v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Lujan, 504 U.S.
at 561). Thus, âat the motion to dismiss stage,â Arnold
Plaintiffsâ standing allegations must satisfy the pleading
requirements of Twombly and Iqbalâthat is, the complaint
must state ââa plausible claimâ that each element of standing is
3
satisfied.â Hancock v. Urban Outfitters, Inc., 830 F.3d 511,
513 (D.C. Cir. 2016) (quoting Iqbal, 556 U.S. at 678â79). This
standard âasks for more than a sheer possibility,â Iqbal, 556
U.S. at 678, that Arnold Plaintiffs faced a âsubstantial riskâ that
future injury would occur, Susan B. Anthony List, 573 U.S. at
158 (quoting Clapper v. Amnesty Intâl USA, 568 U.S. 398, 414
n.5 (2013)). Facts âthat are âmerely consistent withââ a
substantial risk of future identity theft fall ââshort of the line
between possibility and plausibility of âentitlement to relief.ââ
Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557).
Under these standards, most Arnold Plaintiffs lack
standing. This is not your typical case, where hackers break
into a commercial entityâs servers and steal consumer
information. In those cases, it is generally fair to inferâas this
court has inferredâthat the hackers plan to, âsooner or later,â
âmake fraudulent charges or assume [the victimsâ] identities.â
Attias v. Carefirst, Inc., 865 F.3d 620, 628â29 (D.C. Cir. 2017)
(quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693
(7th Cir. 2015)). âWhy else would hackers break into a . . .
database and steal consumersâ private information?â Id. at 628
(alteration in original) (quoting Remijas, 794 F.3d 693). In
such cases thereâs no obvious alternative explanation.
But here there is. In this case, hackers infiltrated a
government system and stole sensitive âgovernment
investigation information,â Arnold Plaintiffsâ Compl. ¶ 1, J.A.
36, about government employees shortly after a cyberattack on
the same agency had âcompromised critical security
documents,â id. ¶ 3, J.A. 37. It is thus fair to infer, as the
majority quite rightly recognizes, that the hackers âmight well
[have been] motivated by a purpose other than identity theft,â
Maj. op. 17, such as obtaining secret information from the
persons in the files by extortion or surveillance, enlisting them
as agents, obtaining leverage over American businesses, or
4
otherwise jeopardizing U.S. national security, see Br. of
Chamber of Commerce of U.S. as Amicus Curiae in Support of
Appellees 6; cf. Arnold Plaintiffsâ Compl. ¶ 1, J.A. 36
(explaining that exposed and stolen information includes
âprivate facts collected in federal background and security
clearance investigationsâ); see also id. ¶ 129, J.A. 73â74
(specifying that the theft covered âmany million questionnaire
forms containing highly sensitive personal, family, financial,
medical, and associational informationâ). This espionage
motive is, as Iqbal and Twombly put it, an âobvious alternative
explanationââan explanation that Arnold Plaintiffs, to survive
a motion to dismiss, must deflect. Iqbal, 556 U.S. at 682
(quoting Twombly, 550 U.S. at 567).
This they fail to do. Just as âparallel conductâ in Twombly
âdoes not suggest conspiracyâ in antitrust cases because it is
consistent with âindependent actionâ in competitive markets,
Twombly, 550 U.S. at 556â57; and just as detention of
âthousands of Arab Muslim menâ in Iqbal does not suggest
discrimination because (given the identity of the September
11th attackers) it is consistent with legitimate law enforcement
activity, Iqbal, 556 U.S. at 681â82, so too a âcyberattack on a
government systemâ does not suggest identity theft (of the type
alleged by plaintiffs) because it is consistent with an obvious
alternative explanationâforeign espionage, Maj. op. 17; see
also Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017)
(finding no standing based on a ârisk of future identity theftâ
where there is no evidence that the thief stole the laptop âwith
the intent to steal [plaintiffsâ] private informationâ).
What of dual motives, asks the majority? Couldnât the
hackers have been interested in espionage and identity theft?
Maj. op. 18. Yes, thatâs conceivable. But does the
conceivability actually render plaintiffsâ theory plausible? I
donât think so. The majority invokes a syllogism: Because
5
âespionage and identity theft are not mutually exclusive,â it
follows that ascribing an âespionage-related motiveâ doesnât
ârender[] implausibleâ an allegation of âfuture risk of identity
theft and financial fraudâ caused by the data breach. Id. But it
does exactly that. To begin with, even if the alternative
explanations in Iqbal and Twombly happened to be mutually
exclusive with plaintiffsâ theories, the Court has never
suggested that mutual exclusivity is a prerequisite to one
plausible explanationâs rendering some other explanation
implausible. This case shows why such a prerequisite would
be overkill. Just because two states of affairs can co-occur
doesnât make their co-occurrence plausibleâthe legal standard
plaintiffs must clearânor does an otherwise implausible
theory get bootstrapped into a plausible one merely because itâs
conceivable that it could co-occur with an obvious alternative
explanation.
So while a foreign government might theoretically have
enlisted âsophisticatedâ hackers to execute a âmassiveâ
cyberattack on the U.S. government over the course of âseveral
monthsâ to steal highly âsensitiveâ information, Maj. op. at 21,
both to (i) compromise U.S. national security and (ii) commit
fraud by (for example) purchases through an unauthorized Best
Buy account (Arnold Plaintiffsâ Compl. ¶ 39, J.A. 54), this
dual-motive hypothesis seems fanciful for at least two reasons.
First, the goal of identity theft is financial gain. The notion that
a foreign state pursuing a complex, risky, and possibly
expensive cyberespionage scheme would have as even one of
its goals the extraction of small-potatoes sums from individuals
by, e.g., filing fraudulent returns with the United States IRS or
creating a âMy Social Securityâ account, see id. ¶ 14, J.A. 40â
41, falls far short of plausibility. Second, and more important,
a foreign power seeking leverage over the United States would
be most unlikely to permit its agents to use or sell the data for
identity theft purposes, as doing so would risk sabotaging the
6
espionage goal. If data gleaned from the hack is slated for
counterintelligence use, identity theft would undercut this aim
by alerting victims and causing them to alter their data. Since
the expected value of successful counterintelligence likely far
exceeds that of identity theft, an espionage explanation
affirmatively suggests that identity theft will not co-occur. And
that is precisely what the record suggests. There is, as
discussed below, a striking dearth of allegations as to any
pattern of unusual or higher-than-ordinary identity theft or
fraud among Arnold Plaintiffs. What readily comes to mind is
an obvious alternative explanationâhacking focused entirely
on pursuit of espionage and kindred threats to national security.
Thus the Sixth Circuitâs cautionâthat â[f]erreting out the
most likely reason for the defendantsâ actions is not appropriate
at the pleadings stage,â Watson Carpet & Floor Covering, Inc.
v. Mohawk Industries, Inc., 648 F.3d 452, 458 (6th Cir.
2011)âis inapt here. The court states in the immediately
preceding sentence: âOften, defendantsâ conduct has several
plausible explanations.â Id. (emphasis added). Sorting out
which among them is âmost likelyâ is, indeed, out of bounds at
the pleadings stage. Yet the whole thrust of my argument is
that we havenât got âseveral plausible explanations.â We have
one alleged theoryâidentity theftâthat, I argue, is not
plausible in view of an obvious alternative explanation of far
greater probability. Though itâs unimpeachable logic to say
that â[t]he plausibility of [one particular] reason for the refusals
to sell carpet does not render all other reasons implausible,â id.,
the pointâmade in context of a discussion of âseveral
plausible explanationsââis not at play here, and marshaling it
only begs the question whether identity theft is, in fact, a
plausible explanation.
More is needed to ânudge[]â Arnold Plaintiffsâ identity
theft claims âacross the line from conceivable to plausible.â
7
Iqbal, 556 U.S. at 680 (quoting Twombly, 550 U.S. at 570).
That is especially true here given the passage of time. As the
initial breach occurred nearly two years before Arnold
Plaintiffs filed their operative complaint, one would expect to
seeâif plaintiffs were right about the hackersâ motivesâsome
allegation linking Arnold Plaintiffs as a whole to the breachâ
such as indications that persons in the OPM databases suffered
a relatively high rate of identity thefts, or a pattern of similar
thefts. But there are no such allegations. And ââas the breaches
fade further into the past,â the Plaintiffsâ threatened injuries
become more and more speculative.â Beck, 848 F.3d at 275
(quoting Chambliss v. Carefirst, Inc., 189 F. Supp. 3d 564, 570
(D. Md. 2016)).
The majority generally agrees, conceding that the âpassage
of two years in a run-of-the-mill data breach might, absent
allegation of subsequent data misuse, suggest that a claim of
future injury is less than plausible.â Maj. op. 21. Yet my
colleagues think such an inference is not fair game here, where
the breach occurred on âa massive scaleâ reflecting âa
relatively new phenomenon.â Id. Large-scale hacking is no
doubt a recent phenomenon. But I can think of no attributes of
such phenomena or their possible novelty that would invalidate
a common sense expectation that future identity-theft-type
injuries will become less plausible as time drags on without
result. Whatever else may be true, if identity theft is an
operative motive, time remains of the essence, given that much
personal dataâcredit card numbers, bank account information,
addressesâcan go stale with time. If anything, the special
features of this case make the passage of time exceptionally
forceful in undermining plaintiffsâ theory. The extraordinary
volume of people affected and the exceptional sensitivity and
range of the information captured should make it relatively
easy to discern a âpattern of identity theft or financial fraudâ
among the pool of 21.5 million potential victims (and
8
litigants)âif there is one. Id. And yet, as the majority agrees,
we have no âclearly identifiable pattern of identity theft or
financial fraudâ in the Complaint. Id.
To be sure, âcertain Arnold Plaintiffs have already had
fraudulent accounts opened and tax returns filed in their
names.â Maj. op. 19. But that is hardly probative. âIn a society
where around 3.3% of the population will experience some
form of identity theftâ in a given year, it is ânot surprisingâ that
a few plaintiffs in a putative class of 21.5 million would âhave
experienced some form of credit or bank-account fraud.â In re
U.S. Office of Personnel Mgmt. Data Sec. Breach Litig., 266 F.
Supp. 3d 1, 38 (D.D.C. 2017) (quoting In re Science
Applications Intâl Corp. Backup Tape Data Theft Litig., 45 F.
Supp. 3d 14, 32 (D.D.C. 2014)). A handful of Arnold
Plaintiffs, for instance, almost certainly experienced a home
invasion since the data breach. But that doesnât imply a
âsubstantial riskâ that these hackers have plans to break into
the homes of garden-variety government employees.
In sum, Arnold Plaintiffs have alleged no factsâ
disproportionate incidence of identity theft, a distinctive
pattern of fraud, or anything else of that sort among the putative
classâthat can credibly nudge their theory into the realm of
plausibility in the face of an obvious alternative explanation.
So they cannot âallâ meet the threshold requirement for
standing under the pleading standards of Iqbal and Twombly.
Maj. op. 14.
I grant, of course, that in the immediate aftermath of the
cyber-intrusion, some putative class members might
reasonably have been unwilling to assume that the attack was
motivated by a purpose other than identity theft. Thus,
individuals at that early time, before the paucity of identity
theft data emerged, might have âreasonably spent money to
9
protect themselvesâ from identity theft and thus have a
plausible claim to standing to recover their expenses. Attias,
865 F.3d at 629. But that says nothing about whether, when
plaintiffs filed their operative complaint two years later, all
21.5 million putative class members could still âreasonablyâ
fear âa substantial riskâ of identity theft. Id. at 629. They have
shown no such thing.
* * *
For the subset of Arnold Plaintiffs who, as I see it, have
standing, I turn to the issue of sovereign immunity. Arnold
Plaintiffs file a battery of state law claims against a contractor
that OPM engaged to perform background checks of
prospective federal employees. That contractor, KeyPoint
Government Solutions, Inc., maintains that, as a government
contractor, it is entitled to sovereign immunity. The court,
however, disagrees, see Maj. op. Part IVâand I join that part
of the opinion in full.
I write separately to address an important distinction
between contractor immunity, which KeyPoint asserts, and
federal preemption, which KeyPoint fails to raise, and about
which the court therefore expresses no views. See, e.g.,
KeyPointâs Br. 25 (distinguishing between preemption and
immunity); Oral Arg. Tr. 31:3â21 (same); see also
Cunningham v. Gen. Dynamics Info. Tech., Inc., 888 F.3d 640,
646 n.4 (4th Cir. 2018) (same); In re KBR, Inc., Burn Pit Litig.,
744 F.3d 326, 342 n.6 (4th Cir. 2014) (same). Contractor
immunity, it seems to me, immunizes only those acts that
agents of the government are expressly directed by the
government to performâsuch as building a particular dike as
âdirected by the Government of the United States.â See, e.g.,
Yearsley v. W.A. Ross Construction Co., 309 U.S. 18, 20
(1940). Preemption, in contrast, is broader, knocking aside
10
state tort law to the extent that it impermissibly interferes with
a contractorâs ability to perform its federal obligations.
As the Supreme Court explained in Boyle v. United
Technologies Corp., there are âa few areas, involving âuniquely
federal interests,ââ that âare so committed by the Constitution
and laws of the United States to federal control that state law is
pre-empted and replaced, where necessary, by federal law.â
487 U.S. 500, 504 (1988) (quoting Texas Industries, Inc. v.
Radcliff Materials, Inc., 451 U.S. 630, 640 (1981)). The âcivil
liabilities arising out of the performance of federal procurement
contractsâ is one of them. Id. at 505â06. That is because âthe
Federal Governmentâs interest in the procurement of
equipment is implicated byâ state tort suits, even where, as
here, âthe dispute is one between private parties.â Id. at 506.
Specifically, the âimposition of liability on Government
contractors will directly affect the terms of Government
contracts: either the contractor will decline to manufacture the
design specified by the Government, or it will raise its price.
Either way, the interests of the United States will be directly
affected.â Id. at 507.
To protect these interests, state law may be âdisplace[d].â
Id. at 507. This will occur only where âa âsignificant conflictâ
exists between an identifiable âfederal policy or interest and the
[operation] of state law,ââ id. (alteration in original) (quoting
Wallis v. Pan Am. Petroleum Corp., 384 U.S. 63, 68 (1966)),
âor the application of state law would âfrustrate specific
objectivesâ of federal legislation,â id. (quoting United States v.
Kimbell Foods, Inc., 440 U.S. 715, 728 (1979)). âIn some
cases, for example where the federal interest requires a uniform
rule, the entire body of state law applicable to the area conflicts
and is replaced by federal rules.â Id. at 508 (citing Clearfield
Trust Co. v. United States, 318 U.S. 363, 366â67 (1943)). âIn
others, the conflict is more narrow, and only particular
11
elements of state law are superseded.â Id. (citing United States
v. Little Lake Misere Land Co., 412 U.S. 580, 595 (1973)).
Here, there is a plausible argument for preemption. This
case involves a fundamental federal issueâthe hiring, vetting,
and protecting of federal employees, and the balancing of the
costs of keeping the relevant data secure against the costs of
error or neglect in providing that security. And Congress, it
seems, has already created a detailed statutory scheme in the
form of the Privacy Act to address these (and other) issues.
See, e.g., 5 U.S.C. § 552a(e)(10) (requiring âappropriate . . .
technical . . . safeguardsâ). Under that scheme, the agency
must, by contract, âcause the requirements of [the Privacy Act]
to be appliedâ to the contractorâs âsystem of records,â see 5
U.S.C. § 552a(m)(1)âand if the agency fails to do so, then it
faces potential liability, see id. § 552a(g)(1)(D); see also 48
C.F.R. § 24.102(d) (âAgencies, which within the limits of their
authorities, fail to require that systems of records on individuals
operated on their behalf under contracts be operated in
conformance with the Act may be civilly liable to individuals
injured as a consequence of any subsequent failure to maintain
records in conformance with the Act.â). Allowing 50 states to
pile on and impose liability on contractors, with the financial
consequences falling back on federal agencies in contract
negotiations as the Boyle Court foresaw, might be found to
upset the balance intended by Congress.
KeyPoint, however, has not argued for preemptionâonly
for sovereign immunity. So, while it may press these
arguments at future stages of litigation, we need not resolve the
issue now.
* * *
12
This brings me to a final issueâthe propriety of five
plaintiffs proceeding under pseudonyms. Although some of
our sister circuits take the view that a court of appeals has no
jurisdiction over plaintiffs who âfail[] to request permission
from the district court before proceeding anonymously,â
W.N.J. v. Yocom, 257 F.3d 1171, 1172 (10th Cir. 2001); accord,
e.g., United States ex rel. Little v. Triumph Gear Systems, Inc.,
870 F.3d 1242, 1249â50 (10th Cir. 2017); Citizens for a Strong
Ohio v. Marsh, 123 F. Appâx 630, 636â37 (6th Cir. 2005);
Natâl Commodity & Barter Assân v. Gibbs, 886 F.2d 1240,
1245 (10th Cir. 1989) (per curiam), that doctrine, if adopted by
us (which it has not been), would not change our handling of
this appealâs meritsâgiven the presence of other, non-
pseudonymous plaintiffs. Moreover, the five anonymous
plaintiffs in this case, see Arnold Plaintiffsâ Compl. ¶¶ 22â26,
J.A. 44â48, offer reasons that seem highly likely to prove
worthy of district court permissionâonce they request it. But
because pseudonymous filing impinges on values key to fair
adjudication and a free society, it is hard to see how the district
court on remand can avoid the issue once it has been noticed.
Although pseudonymous plaintiffs were once a rarity,
there appears now to be a trend permitting adult plaintiffs to
litigate incognito, with little more than pro-forma gatekeeping,
if any, by the district courtsâeven though the practice is
aberrant from the perspective of core constitutional and rule of
law norms, not to mention the federal rules of procedure.
Under the âcustomary and constitutionally-embedded
presumption of opennessâ that inheres in the nature of an
Anglo-American trial, those who invoke the stateâs coercive
apparatus must do so openly, i.e., under âtheir real names.â
United States v. Microsoft Corp., 56 F.3d 1448, 1464 (D.C. Cir.
1995) (citations omitted); accord, e.g., Doe v. Blue Cross &
Blue Shield United, 112 F.3d 869, 872 (7th Cir. 1997) (Posner,
13
J.) (âThe people have a right to know who is using their
courts.â). For good reason. Public openness may âcause all
trial participants to perform their duties more conscientiously,â
âinduce unknown witnesses to come forward with relevant
testimony,â Gannett Co. v. DePasquale, 443 U.S. 368, 383
(1979), and generally foster âan appearance of fairness, thereby
heightening respect for the judicial process,â Globe Newspaper
Co. v. Superior Court for Norfolk Cnty., 457 U.S. 596, 606
(1982), cf. Richmond Newspapers, Inc. v. Virginia, 448 U.S.
555, 569â73 (1980) (explaining importance of openness in
criminal trial context). Of course, itâs less important that
respect for the judicial process be âheighten[ed]â than that it be
deserved, which is less likely if plaintiffs can routinely act
anonymously. In short, public scrutiny is essential to âthe
integrity of judicial proceedings.â Metlife, Inc. v. Fin. Stability
Oversight Council, 865 F.3d 661, 665 (D.C. Cir. 2017)
(quoting United States v. Hubbard, 650 F.2d 293, 315 (D.C.
Cir. 1980)).
Indeed, it is a matter of â[b]asic fairness.â Microsoft, 56
F.3d at 1463 (quoting Southern Methodist Univ. Assân of
Women Law Students v. Wynne & Jaffe, 599 F.2d 707, 713 (5th
Cir. 1979)). A case brought anonymously can let a winning
plaintiff inflict âdisgraceâ on a defendant and can let a losing
plaintiff launch defamatory charges âwithout shame or
liability,â Doe v. Smith, 429 F.3d 706, 710 (7th Cir. 2005); see
also Wynne, 599 F.2d at 713; even in situations less drastic than
Doe v. Smith, allowance of anonymity creates a structural
asymmetry that can tilt the scales unfairly. If defendants get
named, plaintiffs should too.
The principle of openness is far from an âarcane relic of
ancient English law.â Hubbard, 650 F.2d at 315 n.79 (citation
omitted). Rule 10(a) of the civil rules says straightforwardly
that the âtitle of [a] complaint must name all the parties.â Fed.
14
R. Civ. P. 10(a) (emphases added). Perhaps ânameâ might be
taken to mean something like âreal or fictitious name.â Cf.
Carol M. Rice, Meet John Doe: It Is Time for Federal Civil
Procedure to Recognize John Doe Parties, 57 U. Pitt. L. Rev.
883, 914â15 (1996) (denying that Rule 10(a) bars anonymous
filings). This reading is questionable, not least because it
appears to prove too muchâit would mean that plaintiffs may
proceed anonymously as of right, obviating a need for judicial
approval or balancing, as discussed below. And Rule 10(a)
contains no exception âfor good cause,â which features in
many other contexts. See, e.g., Fed. R. Civ. P. 5(d)(3)(A),
6(c)(1)(C), 16(b)(4), 31(a)(5), 43(a); see also Triumph Gear,
870 F.3d at 1249 (stating that the federal rules âmake no
provision for suits by persons using fictitious names or for
anonymous plaintiffsâ (quoting Commodity & Barter Assân,
886 F.2d at 1245)); cf. McKeever v. Barr, 920 F.3d 842, 845
(D.C. Cir. 2019) (holding that when a rule of criminal
procedure says âmust,â and provides no âresidual exception,â
as the rules do elsewhere, the district court has no inherent
power to create its own âexceptionsâ).
Following our sister circuits, weâve said in dictum thatâ
even though anonymous filing is âan extraordinary break with
precedent,â Microsoft, 56 F.3d at 1464âa district court has
discretion to âgrant the ârare dispensationâ of anonymity
against the world,â id. (quoting James v. Jacobson, 6 F.3d 233,
238 (4th Cir. 1993)); cf. Doe v. Frank, 951 F.2d 320, 323 (11th
Cir. 1992) (âIt is the exceptional case in which a plaintiff may
proceed under a fictitious name.â). But, we explained, this
ârare dispensationâ can be granted only after the district court
has conducted an inquiry into whether the circumstances justify
an âextraordinary breakâ with the normal method of
proceedingâopenlyâin federal court. Microsoft, 56 F.3d at
1464.
15
Anonymity for ârareâ or âextraordinaryâ cases doesnât
appear to be an apt description of current practice. Cf., e.g.,
Coe v. Cnty. of Cook, 162 F.3d 491, 498 (7th Cir. 1998)
(Posner, J.) (criticizing the âoveruse of pseudonyms in federal
litigationâ). Consider that in the twenty-five-year period
between 1945 and 1969, only a single district court decisionâ
anywhere in the countryâfeatured a âJohn Doeâ-like plaintiff
as the lead or sole plaintiff (along with a single Supreme Court
case reviewing a state court decision and three appellate rulings
in administrative appeals). Adam A. Milani, Doe v. Roe: An
Argument for Defendant Anonymity When a Pseudonymous
Plaintiffs Alleges a Stigmatizing Intentional Tort, 41 Wayne L.
Rev. 1659, 1660 (1995); see also Joan Steinman, Public Trial,
Pseudonymous Parties, 37 Hastings L.J. 1, 1 n.2 (1985). And
in the fifty years since that time, we have never âexpressly
condoned [the] practice.â Qualls v. Rumsfeld, 228 F.R.D. 8, 9
(D.D.C. 2005). Yet there are now âtwo different but analogous
tests . . . applied in this circuitâ to rule on anonymity requests,
John Doe Co. v. Consumer Fin. Prot. Bureau, 321 F.R.D. 31,
33 (D.D.C. 2017)âa six-factor test drawn from United States
v. Hubbard, 650 F.2d 293, 317â21 (D.C. Cir. 1980), and a five-
factor test elaborated in National Association of Waterfront
Employers v. Chao, 587 F. Supp. 2d 90, 99 (D.D.C. 2008). Just
last year, in this district alone, at least six published district
court decisions featured âJohn Doeâ as the lead or sole
plaintiff. 1 That is to say nothing of the twenty or so other
orders that permitted Doe and the like to (anonymously) level
1
See Doe 2 v. Trump, 315 F. Supp. 3d 474 (D.D.C. 2018), revâd
on other grounds sub nom. Doe 2 v. Shanahan, 755 F. Appâx 19
(D.C. Cir. 2019); Doe 1 v. Buratai, 318 F. Supp. 3d 218 (D.D.C.
2018); Doe v. George Washington Univ., 305 F. Supp. 3d 126
(D.D.C. 2018); Doe 1 v. FCC, 302 F. Supp. 3d 160 (D.D.C. 2018);
Doe v. Mattis, 288 F. Supp. 3d 195 (D.D.C. 2018); Does 1â144 v.
Chiquita Brands Intâl, Inc., 285 F. Supp. 3d 228 (D.D.C. 2018).
16
accusations against others; many of those orders were sealed 2
or lacked any reasoning at all (thereby omitting the âinquiryâ
required by Microsoft). 3 But cf., e.g., EEOC v. Natâl
Childrenâs Center, Inc., 98 F.3d 1406, 1410 (D.C. Cir. 1996)
(â[I]t is imperative that a district court articulate its reasons for
electing to seal or not to seal a record.â).
Proceedings in this case appear to have gone yet further
down the slope of anonymity. Here, five âDoesâ not only filed
anonymously; they evidently never even bothered to ask the
district court for permission to do so. The âdocket sheet does
not reflect any motion or proceeding dealing with whetherâ
John Does IâIII or Jane Does IâII âcould proceed under
pseudonyms.â Marsh, 123 F. Appâx at 636â37. In their
amended Complaint the anonymous plaintiffs simply
announce, in present participle form, that (for example) John
Doe II âis usingâ a pseudonym âbecause of his personal safety
concerns,â as if such a cursory and conclusory statement
suffices as belated justification in lieu of a courtâs permission.
Arnold Plaintiffsâ Compl. ¶ 25, J.A. 46. That simply cannot
2
See Zelda v. Sessions, No. 1:18-cv-1966 (D.D.C. Aug. 22,
2018), ECF No. 2; Voe v. Mattis, No. 1:18-cv-1251 (D.D.C. June 6,
2018), ECF Nos. 8â9; Kurd v. Repub. of Turkey, No. 1:18-cv-1117
(D.D.C. May 11, 2018), ECF No. 4; Doe A-1 v. Democratic Peopleâs
Repub. of Korea, No. 1:18-cv252 (D.D.C. Feb. 1, 2018), ECF No. 3.
3
See Garcia Ramirez v. ICE, No. 1:18-cv-508 (D.D.C. Aug, 30,
2018) (minute order); Dora v. Sessions, No. 1:18-cv-1938 (D.D.C.
Aug. 17, 2018), ECF No. 2; Usoyan v. Repub. of Turkey, No. 1:18-
cv-1141 (D.D.C. May 15, 2018), ECF No. 5; Damus v. Nielsen, No.
1:18-cv-578 (D.D.C. Mar. 15, 2018), ECF No. 2; Doe v. Kettler
Mgmt., Inc., No. 1:18-cv-585 (D.D.C. Mar. 15, 2018), ECF No. 3;
Doe v. George Washington Univ., No. 1:18-cv-553 (D.D.C. Mar. 8,
2018), ECF No. 2; Doe v. Kipp DC Supporting Corp., No. 1:18-cv-
260 (D.D.C. Feb. 2, 2018), ECF No. 2; Doe v. Syrian Arab Repub.,
No. 1:18-cv-66 (D.D.C. Jan. 11, 2018), ECF No. 2.
17
square with the federal rules or our longstanding commitment
to openness, much less the rule referred to earlier of treating
failure to request permission as fatal to jurisdiction over such
parties.
On remand, then, the district court should consider the
substantive and procedural questions relating to the Doesâ
status in the lawsuit.