In a statement issued on Wednesday, September 20th, the U.S. Securities and Exchange Commission (SEC) revealed that it was investigating a 2016 data breach of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database. The SEC does not believe that personally identifiable information was exposed, but the investigation is still ongoing and raises questions regarding government agencies’ obligations to protect sensitive information, and the potential litigation challenges facing individuals who are impacted by hacks of government agencies.
Federal agencies are obligated to protect personal information they collect under the Federal Information Security Management Act (FISMA) of 2006, the Privacy Act of 1974, and policies and guidance from the Office of Management and Budget on the implementation of these Acts. FISMA requires federal agencies to use measures that are “commensurate with the risk and magnitude of the harm” that could result from a breach, and the Privacy Act of 1974 requires agencies to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” However, it appears that a lack of compliance with these laws and policies has left federal agencies vulnerable to cyberattacks.
In general, remedies for victims of these cyberattacks may be limited because the federal government is protected by sovereign immunity and may not be sued unless it has waived its immunity or consented to suit. FISMA does not contain a private right of action, so the government has not waived its sovereign immunity under that statute; however, the government has waived its sovereign immunity under other relevant statutes, such as the Administrative Procedure Act, which can provide a potential avenue for bringing suit. On the other hand, there is a private right of action under the Privacy Act, but this waiver of sovereign immunity applies only if a plaintiff can show that (1) the agency disclosed the information improperly, willfully and intentionally, and (2) the disclosure caused actual damages.
In 2015, U.S. taxpayers brought a class action suit against the IRS after a data breach, claiming the agency had violated the Privacy Act by acting negligently in failing to adequately protect the taxpayers’ personal information. The U.S. District Court for the District of Columbia dismissed the claim, indicating that Congress had explicitly waived the agency’s sovereign immunity only in situations where the agency had willfully disclosed personal information.
The U.S. District Court for the District of Columbia also dismissed another class action, involving a 2015 breach at the Office of Public Management (OPM) that affected 21.5 million people, because the plaintiffs failed to establish that the government had waived its sovereign immunity, a protection which also applied to the government contractor KeyPoint. The court also found that the agency’s negligent acts did not qualify as “intentional or willful,” and added that the information had been stolen, not disclosed.
Even if plaintiffs can overcome a sovereign immunity defense, they would still have to prove that they have Article III standing. Under the Supreme Court’s Spokeo decision, “Article III standing requires a concrete injury even in the context of a statutory violation.” Although courts have varied in their interpretation of Spokeo and in their determination of what is required to satisfy the concreteness requirement, it is clear that plaintiffs must allege more than “a bare procedural violation.” For example, a recent D.C. district court decision found that standing required showing actual economic losses. The court held that out-of-pocket expenses related to actual identity theft could satisfy this standard, but fees paid to purchase credit monitoring and time spent attempting to rectify fraudulent transactions did not.
In short, while federal agencies have a duty to safeguard personal information, this duty has thus far appeared to be largely unenforceable in practice. In a recent article on the SEC hack, Avi Gesser raises the question of whether the day will come when individuals and companies simply refuse to provide their most sensitive information to government agencies without first receiving some reasonable assurance that their information will be protected by these agencies.