Office of Personnel Management Sued Over Huge Security Hack

Jennifer Melendez and Owen H. Laird, Esq.

On June 29, 2015, the American Federation of Government Employees (AFGE) filed a class-action lawsuit against the Office of Personnel Management (OPM) related to a security breach that released confidential information of millions of current and former federal employees. The AFGE is a federal employee union that represents more than 670,000 federal and D.C. government employees. AFGE alleges that OPM violated the Privacy Act of 1974 (the “Privacy Act” or the “Act”) by negligently refusing to follow proposals to secure sensitive employee information. AFGE further alleges that OPM officials had been aware of security weaknesses since 2007 yet failed to fix them. This massive data breach compromised personnel files on 4.2 million current and former federal employees, and exposed intimate background investigations of up to 18 million people.

OPM functions as the federal government’s human resources department; it is responsible for conducting background investigations related to security clearances for federal employees, as well as managing the pension benefits and regulating the health and insurance programs for retired employees and their families. Many employees who apply for a security clearance must submit a 127-page form that requests highly sensitive and specific information about each applicant’s life, including the names of family members, financial history, past residences, and the names of neighbors, coworkers and close friends. The breach released these forms.

OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour allegedly neglected to follow inspector general recommendations when they were told that eleven of their forty-seven computer networks should be shut down because they lacked the proper security qualifications. “Although they were forewarned about the potential catastrophe that government employees faced, OPM’s data security got worse rather than better,” officials said. This jeopardized the security of classified federal employee information, ultimately resulting in a security breach. A cybersecurity expert hired by AFGE says log-in credentials were stolen and are on sale on the internet.

This incident is a prime example of an employer’s failure to secure employee information. Federal and state laws exist to provide a baseline of protection against invasion of privacy by a private party or even by an employer. The Privacy Act establishes fair practices that govern the collection, maintenance, use and circulation of personal information about individuals that is maintained in a system of records by federal agencies. The Act also prohibits the disclosure of any records. By failing to comply with inspector general recommendations to secure their networks and the files of millions of federal employees, OPM may have violated the Privacy Act.