NTEU Sues OPM Over Cyberattacks

Press Release July 8, 2015

Washington, D.C.—The National Treasury Employees Union (NTEU) sued the Office of Personnel Management (OPM) today over the recent cyberattacks, alleging that the agency violated NTEU members’ constitutional rights by failing to protect their private information.

The lawsuit, which was filed in the U.S. District Court for the Northern District of California, accuses OPM of violating the privacy rights of union members whose personnel records may have been compromised by the data breaches disclosed on June 4 and June 12.

“Federal employees entrust highly personal information to OPM with the expectation that it will be kept confidential and safe from unauthorized access. OPM’s failure to do so violated our members’ constitutional right to informational privacy,” said NTEU National President Colleen M. Kelley. “We believe that a lawsuit is the best way to force OPM to take immediate steps to safeguard personnel data, prevent such attacks in the future and help our members protect themselves against the fallout.”

NTEU’s lawsuit asks the court to:

• Declare that OPM’s failure to improve cybersecurity was an unconstitutional act;

• Order OPM to pay for lifetime credit-monitoring services and identity-theft protection for NTEU members;

• Order OPM to take all the necessary steps to heighten its IT security program and protect NTEU members’ data from falling into the hands of hackers in the future; and

• Prevent OPM from collecting personal information from NTEU members electronically or requiring them to submit such data in an electronic form until the court is satisfied with the agency’s cybersecurity upgrades.

NTEU members are among the millions of current, former and retired federal employees who were potentially affected by the recent cyberattacks. Data that may have been accessed includes financial records and highly private information about things like medical conditions and personal relationships that employees must provide in order to work for the federal government.

President Kelley said OPM’s response to the breaches has also been disappointing. The agency has been tight-lipped about precisely how many people may have been affected, what databases were hacked into and to what extent.

“It is outrageous that OPM was told years ago that its cybersecurity protections were woefully inadequate but did little about it. On top of it, OPM has done little to dispel the anxiety that NTEU members are experiencing,” Kelley said.

This litigation is the latest example of NTEU’s extensive, multi-front effort to advocate for employees who were harmed by this breach.

Since the cyberattacks were disclosed, NTEU has met with and written to OPM and sent letters and testimony to Congress and the White House.

Given the delay in notifying employees about the second breach, the union has asked OPM to offer free credit-monitoring and identity-theft protection services to all federal employees. OPM has offered those protections only to 4 million people—the number of affected individuals disclosed on June 4—for 18 months.

OPM has not responded to NTEU’s requests to provide the credit and ID-theft protection to the original 4 million people beyond 18 months and to include coverage for family members whose data also may have been exposed.

Meanwhile, many NTEU members have reported problems with the enrollment process set up by CSID, a private firm hired by OPM to provide the credit-monitoring and ID-theft protections. They report being unable to reach operators on the toll-free phone line and say that the CSID web site frequently crashes or freezes up and rejects assigned personal identification numbers and passwords. Some others say that notification letters were mailed to wrong or old addresses.

NTEU, the nation’s largest independent federal union, represents 150,000 employees in 31 agencies and departments.

Link to NTEU’s lawsuit: http://www.nteu.org/documents/opmbreachlawsuit.pdf
