Another federal union group has filed suit over the hack of Office of Personnel Management systems, demanding lifetime credit monitoring for federal employees and requiring the agency to improve its cybersecurity posture before asking for any more employee information.
The National Treasury Employees Union filed the suit Wednesday claiming that the agency's failure to protect employee information violated workers' constitutional rights.
"Federal employees must give the government a great deal of very intimate and personal information about themselves," said NTEU National President Colleen Kelley. "Federal employees are entrusting this information to OPM with the expectation that the information … will all be kept confidential and safe. OPM makes this promise on its official background investigation forms."
The union says OPM failed to keep this promise when hackers breached its systems, exposing employment information and background investigations on millions of current, former and potential federal employees.
OPM Data Breach: What You Need to Know
OPM Director Katherine Archuleta is named as the sole defendant in the case.
The American Federation of Government Employees filed a similar suit in late June, stating that the breach was a direct result of inaction by Archuleta and CIO Donna Seymour, who are both named as defendants in that suit.
The NTEU suit also differs from others in its legal approach.
While other suits — like the one filed by AFGE — are based on alleged violations of the Privacy Act, the NTEU suit makes the case that OPM's failure to secure personal information violated employee's constitutional right to privacy.
Editorial: AFGE lawsuit over OPM hack? Not a shocker
NTEU lawyers noted the Privacy Act requires plaintiffs to meet a higher standard, such as proving damages occurred and that the violation was willful and intentional.
"Our approach isn't really focused on recouping damages," said NTEU general counsel Greg O'Duden. "We are looking for a court injunction that will cure the source of the problem; that will ensure that OPM gets its act together and institutes appropriate security measures."
The NTEU lawsuit asks the court to require OPM to take four specific actions:
- Declare that OPM's failure to improve
cybersecurity was an unconstitutional act; - Order OPM to pay for lifetime credit-monitoring services and identity-theft protection for NTEU members;
- Order OPM to take all the necessary steps to heighten its IT security program and protect NTEU members' data from falling into the hands of hackers in the future; and
- Prevent OPM from collecting personal information from NTEU members electronically or requiring them to submit such data in an electronic form until the court is satisfied with the agency's cybersecurity upgrades.
NTEU is also asking the court to extend credit and liability protections to all current and former federal employees, not just those OPM identifies as potentially affected.
More: Feds worried insurance doesn't cover OPM breach
As it stands, the suit would only apply to NTEU's 85,000 members,
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.