Two U.S. federal employee unions just went full Judge Judy on the Office of Personnel Management (OPM).
Massive data breaches in 2015 exposed the files of 21.5 million individuals. Nextgov explains how the employees responded:
The American Federation of Government Employees and the National Treasury Employees Union are seeking lifetime credit monitoring and identity theft protection for affected individuals, and NTEU also sought to change the way OPM stores and protects personnel data.
NTEU said its clients had a constitutional right to informational privacy and the government violated that right. AFGE is seeking a remedy under the 1974 Privacy Act, including monetary damages from KeyPoint.
And the U.S. Court of Appeals agreed with them.
The judges reversed the decision of the lower court, concluding that the charges against the government were reasonable.
The appeals court said it was concerned only with whether the plaintiffs could plausibly allege standing. In terms of potential damages, the court said it was focusing on "the risk of future identity theft."
OPM has said hackers stole Social Security numbers, birth dates, fingerprints and addresses, among other sensitive personal information.
"It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft," the court wrote in its majority opinion.
Suing over breaches: a developing area in case law
This court decision doesn't automatically mean that all employees can sue their companies for data breaches, though.
The decision only applies to federal employees, and more cases would need to come up to increase the qualifications for standing.
But the decision certainly opens up an interesting discussion about suing your company for accidentally exposing personal data to hackers.
Cases have popped up in the private sector before, but have consistently been settled out of court.
This happened when Alexandria Stobbe sued Rockhurst University for giving her W-2 to hackers. And when Sony employees sued the entertainment company after their personal information was stolen and posted online.
And while settling cases out of court can ultimately give employees their reparations, it doesn't create legal standards that future victims can rely on.
But this recent decision might just be opening that door.
Watch out, this can go the other way!
But suing is a two-way street. Sometimes companies will sue employees who caused breaches.
Patricia Reilly was a Peebles Media Group employee who fell for a Business Email Compromise (BEC) scam. SecureWorld covered her story:
They sent a series of believable emails to her, posing as her out of office boss who needed help transferring funds to a specific account. Reilly transferred the equivalent of more than $250,000 before her boss discovered that the company was being scammed.
Now, the company is suing the former employee for the wire transfers which could not be stopped, a total of about $138,000.
The scam cost the company money and Reilly her job. And the company is trying to sue her for negligence.
All we can hope for now is this: with more security awareness and cyber literacy, we can reduce the risk of exposing data and suing over it.
