The Office of Personnel Management (OPM) is facing yet another class-action lawsuit over the hack that compromised the personal data of millions of federal workers.
The Labaton Sucharow law firm filed suit against the government on Friday, claiming the OPM failed to comply with the Privacy Act of 1974, which requires federal agencies to establish the appropriate safeguards to protect confidential records.
It filed the case on behalf of the 21.5 million current, former and prospective federal employees whose data was compromised.
According to the case summary, the OPM had been on notice of “significant deficiencies in its cyber security protocol” since 2007, but failed to correct the weaknesses laid out in various Office of the Inspector General reports — thus violating the Privacy Act.
This is the seventh suit filed against the OPM and its contractor, KeyPoint Government Solutions, since the hack was revealed. Some of these cases, including complaints filed by two major federal workers' unions, have been consolidated and transferred to a single district judge in Washington, D.C.
The consolidated cases are built primarily on the same alleged violation of the Privacy Act, as well as alleged negligence on the part of KeyPoint.
Suing the government isn’t a slam-dunk, however.
Some experts have suggested that plaintiffs in data breach cases may struggle to establish legal standing. In other words, if the data hasn’t shown up on the dark Web yet — which the OPM data appears not to have — victims of a data breach may have trouble demonstrating they’ve actually been harmed.
In addition, the government often enjoys “sovereign immunity,” meaning it cannot face civil suits or prosecution over most subjects, experts say. The agency has already laid the groundwork to distance itself from liability in its notification letter.
“Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose,” the letter read.