OPM Data Breach Settles for $63 Million

May 9, 2022 – Current, former and prospective government workers who can show economic harm stemming from the notorious 2015 cyberattack on the U.S. Office of Personnel Management would split $63 million under terms of a proposed settlement filed in D.C. federal court.

The proposed deal, submitted late Friday, would set aside awards of between $700 and $10,000 to breach victims who can show that they spent money or time responding to identity theft incidents, freezing or unfreezing credit reports, or acquiring credit monitoring or identity theft protection as a result of the cyberattack.

The July 2015 incident compromised the financial data, mental health records, Social Security numbers and other personal data of anyone who underwent a background check at OPM since 2000, according to the agency. In total, the breach affected around 21.5 million people, making it among the largest thefts of personal data from the U.S. government in history.

If approved, the settlement would put an end to multidistrict litigation that has become a key test of how courts view the issue of whether the threat of future data misuse is enough to allow data breach litigation to move forward.

A D.C. federal judge had dismissed the litigation in September 2017, ruling that the theft of data alone was not enough to establish standing. But the D.C. Circuit Court revived a narrowed version of the claims in June 2019, finding that the heightened risk of identity theft was enough to clear what it called a “low bar” for moving cases forward at the pleading stage.

The settlement payments included in Friday’s proposal are “generous in light of the serious risks that continued prosecution would entail,” plaintiffs’ counsel wrote.

Among the most difficult aspects of taking the case to trial would be the government’s “likely assertion” that OPM’s data security practices and protocols, which the breach victims said were negligent, were a confidential state secret, the attorneys said. The plaintiffs would also have to obtain class certification while overcoming the limits of the federal Privacy Act, which does not apply to cases in which the damages are merely hypothetical, they added.

“This case, arising from cyber intrusions into federal databases, has always involved unique risks and challenges, and the settlement provides class members with all or more than they reasonably could expect from the litigation,” plaintiffs’ counsel wrote.

The proposed deal calls for the federal government to pay $60 million into the settlement fund, while its security contractor Peraton Risk Decision Inc. — known as KeyPoint Government Solutions Inc. at the time of the 2015 breach — would chip in $3 million.

Attorneys for the data breach victims will apply separately for attorney fees, which the government will pay on its own and which will not reduce the settlement fund, Friday’s proposal says. Any unclaimed funds will be sent to the U.S. Treasury.

The consensus among cybersecurity experts is that the OPM attack was carried out by sophisticated nation-state actors, likely from China. U.S. officials have stopped short of directly blaming the Chinese government for the attack, but in 2017 they indicted a Chinese national on charges of conspiracy and computer hacking, accusing him of using a rare form of malware that was also used against OPM.

Representatives for the parties did not immediately respond Monday to requests for comment.

The employees are represented by Daniel C. Girard, Jordan Elias and Simon S. Grille of Girard Sharp LLP, Peter A. Patterson and David H. Thompson of Cooper & Kirk PLLC, Tina Wolfson of Ahdoot & Wolfson PC, Gary E. Mason of Mason LLP, and Richard B. Rosenthal.

The case is In re: Office of Personnel Management Data Security Breach Litigation, Case number 1:15-mc-01394, in the U.S. District Court for the District of Columbia.