Q: Can an individual sue OPM for letting her personnel information get hacked?
A: Yes. A suit could be brought alleging a violation of the Privacy Act of 1974 by OPM for failing to protect information contained in a system of records. Specifically, an agency is prohibited from disclosing “any record which is contained in a system of records by any means of communication to a person. . . except pursuant to written request by, or with the written consent of, the individual to whom the record pertains,” subject to exceptions which are not applicable in this case. See, 5 U.S.C. § 552a(b). A “system of records” means “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to that individual.” 5 U.S.C. § 552a(a)(5). Generally speaking, the personnel records hacked (such as an individual’s Official Personnel Folder) fall into the category of records contained in a system of records. See, The Guide to Personnel Recordkeeping, p. 1-4 (June 1, 2011).
Section (e)(10) of the Act requires agencies to:
Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
5 U.S.C. § 552a(e)(10).
Pursuant to OMB Circular A-130, “Agencies will:
(a) Ensure that information is protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information;
(b) Limit the collection of information which identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions.” The Circular further tasks agencies with incorporating security into their information systems and plans. OMB Circular A-130.
Thus, the Privacy Act and its interpreting directives place a duty on OPM to safeguard the information it has collected and maintains in a system of records.
The Privacy Act (5 U.S.C. § 552a(g)) provides civil remedies for injured parties, including actual damages, attorney fees, and litigation costs. Two hurdles should be kept in mind. First, damages under § 552a(g)(4) are available only where the court finds that the agency acted in a manner that was “intentional or willful”; mere negligence in safeguarding records is not enough. Second, you will need to be able to demonstrate actual damages (the statute sets a floor of $1,000 once actual damages are shown), and proving a concrete, quantifiable injury from the breach may be the most difficult part of bringing any case.
In addition, AFGE has filed a class action against OPM, which you could join if you meet the criteria for the class. Below is the link to the lawsuit:
American Federation of Government Employees, AFL-CIO, Robert Crawford, and Adam Dale On Behalf Of Themselves And All Others Similarly Situated, Plaintiffs, Vs. United States Office of Personnel Management