The Trump administration has asked a federal court to reconsider a ruling that opened the door for potential payments to millions of federal employees and others due to the cybertheft of their personal information.
The Justice Department request, filed last week, involves what it calls “massive litigation” stemming from hacks of two government databases that were revealed in June 2015 but had occurred months earlier.
One breach involved records on about 21.5 million federal, military and contractor personnel and others who had undergone background checks since about 2000, commonly to gain or renew security clearances. The other involved personnel records of about 4.2 million current and former federal employees. Overlap between the two brought the total affected to about 22.1 million.
The American Federation of Government Employees is seeking a monetary award to victims under the Privacy Act, which provides for awards of at least $1,000 per individual if the government willfully fails to protect information on them that it holds.
The suit was combined with one in which the National Treasury Employees Union is seeking lifetime free credit protection for victims and a court order requiring the Office of Personnel Management to shore up its cyberdefenses.
A district judge initially dismissed the case, saying the complaint failed to show that problems some victims later experienced — such as fraudulent tax refund claims, credit card accounts and purchases made in their names — were caused by the breaches.
A panel of the federal Court of Appeals for the District of Columbia Circuit, however, told the lower court to consider the case, saying that OPM had failed to protect the data despite “repeated and forceful warnings” that the databases were vulnerable and a prime target for hackers. It further found that the unions had shown that the types of problems the complaint described can occur only after such a theft of personal information.
However, the Justice Department said the decision ignored evidence that the hacks were motivated by espionage.
“When the circumstances of a cyberattack suggest the attackers have a motive other than identity theft or fraud, the mere occurrence of the attack cannot support standing for all individuals whose data may have been compromised,” it argued.
The unions did not show “any coherent pattern of fraud or identity theft caused by the OPM attacks. Instead, the allegations identify sporadic and isolated episodes” that were not necessarily related to those attacks, it said in asking for…