On Friday, Labaton Sucharow filed a class action on behalf of about 21.5 million (!) federal employees, contractors and job applicants whose personal information was exposed in an epic breach of security at the U.S. Office of Personnel Management, which screens applicants for federal government jobs and conducts security clearance on employees and contractors. Labaton’s complaint is at least the seventh class action against OPM and its private contractor, KeyPoint Government Solutions, including two suits by government employee unions and one with a federal administrative law judge as the lead plaintiff.
Although there is some variation in the alleged causes of action, the suits mostly assert violations of the Privacy Act and the Administrative Procedures Act, as well as negligence against KeyPoint. Late last month, the Justice Department asked the Judicial Panel on Multidistrict Litigation to consolidate the cases and transfer all of them to U.S. District JudgeAmy Jackson of Washington, D.C., who is already presiding over the American Federation of Government Employees’ class action against OPM and KeyPoint.
The JPML said Friday that it would hear oral arguments on Oct. 1 on the government’s motion. Briefs are due before Sept. 14.
It certainly seems likely that the JPML will consolidate the suits, but where they end up transferring them could make a big difference in how this case turns out. The threshold question in data breach suits, as I’ve written many times, is constitutional standing: Can plaintiffs whose personal information has been stolen allege an actual or “certainly impending” threat of injury? That is the standard the U.S. Supreme Court set out in its 2013 decision in Clapper v. Amnesty International, and data breach defendants have since used the Clapper definition to knock out at least 10 class actions by plaintiffs who claimed – like the plaintiffs in the OPM suits – that they have been injured by the increased risk their personal information will be misused.
One of the cases that foundered under Clapper was In re Science Applications International Corp (SAIC) Backup Tape Data Theft Litigation, an MDL consolidated for pretrial proceedings in federal district court in the District of Columbia. The case involved the theft of SAIC data tapes containing personal information, including Social Security numbers, on about 4.7 million members of the U.S. military and their families. U.S. District Judge James Boasberg of Washington concluded in May 2014 that under the Supreme Court’s ruling in Clapper, plaintiffs do not meet constitutional standing requirements when their only alleged injury is the loss of their data and the risk it will be misused.
He did hold plaintiffs had standing when they could plausibly allege their personal information was stolen and misused – one plaintiff, for instance, asserted he had received letters from a credit card company thanking him for a loan application he said he never filed – but Judge Boasberg’s dismissal opinion gutted the case. Plaintiffs ended up voluntarily dismissing what remained.
Plaintiffs’ lawyers have gotten savvier about pleading data breach cases after the initial wave of Clapper dismissals, framing complaints around class members who can show that their information has been misused or that their bank accounts or credit ratings have been impacted by the data theft. But cases redrawn to satisfy standing requirements present cramped damages theories, as we’ve seen in the Target and Sony data breach cases, if the only plaintiffs who can recover are those whose injury is more concrete than the mere loss of personal data and risk that it will be exploited. You can see why the Justice Department wants the OPM case litigated in a district skeptical of standing based on the risk of data misuse.
In one jurisdiction, however, all 21.5 million alleged victims of the OPM data breach may have standing. Last month, a three-judge panel of the 7th Circuit ruled in a data breach case against Neiman Marcus that plaintiffs have standing if they can show they incurred reasonable costs or spent considerable time to mitigate a “substantial risk” of harm. Under the 7th Circuit’s decision, just about anyone whose data has been stolen by hackers can sue because their information may be misappropriated.
Neiman Marcus’ lawyers at Sidley Austin filed a petition for rehearing earlier this month, but unless and until the 7th Circuit grants its motion, the panel’s ruling is the only post-Clapper federal appellate decision on standing in a data breach class action. It’s binding on trial judges in Illinois, Wisconsin and Indiana.
So far, none of the OPM class actions have been filed in those states. Two were brought in Washington, D.C., which, as the Justice Department pointed out in its request for consolidation in that court, is the district of universal venue for the Privacy Act claim at the heart of the OPM suits. Two other plaintiffs filed in California. Others sued in Idaho, Colorado and Kansas. It’s going to be very interesting to see which court plaintiffs ask the JPML to send the OPM litigation to.