[Excerpt] The scope of information believed to have been compromised by a series of cyber-intrusions at the Office of Personnel Management (OPM) continues to grow. OPM recently announced that further investigation of the initial breach affecting 4.2 million current and former federal employees has led officials to conclude that sensitive information on 21.5 million individuals had been stolen from separate OPM databases used in connection with background investigations. In addition to the potential effects on domestic and foreign policy that may result from these breaches, which are discussed here, two recently filed lawsuits raise questions regarding what redress, if any, is due to affected individuals beyond the free credit monitoring that has been offered by OPM.
The two suits, filed separately by the American Federation of Government Employees (AFGE) and the National Treasury Employees Union (NTEU), allege a number of legal theories under which the plaintiffs believe recovery may be available, including claims citing the Privacy Act, the Federal Information Security Management Act (FISMA), common law negligence, and the Due Process Clause of the Constitution. While procedural obstacles to such suits, such as whether the plaintiffs have suffered a sufficiently concrete injury to have a right to sue, are important and may end up being dispositive, this post focuses instead on the extent to which selected sources of statutory, common, and constitutional law may provide a judicially enforceable remedy for current and former federal employees whose personal information may have been exposed during the breach of a federal information technology system.