The Volokh Conspiracy
Mostly law professors | Sometimes contrarian | Often libertarian | Always independent
Court Declines to Block Federal Government's New "Government-Wide Email System"
The employees who claimed adoption of the system violated the E-Government Act of 2002 lacked standing to bring the challenge, a federal judge concluded.
From yesterday's decision by Judge Randolph Moss (D.D.C.) in Doe v. Office of Personnel Mgmt.:
In late January 2025, the Office of Personnel Management ("OPM") began to test "'a new capability allowing it to send important communications to ALL civilian federal employees from a single email address,'" and OPM subsequently began using this new system to send messages "to most if not all individuals with Government email addresses." That new system uses the email address HR@opm.gov and is known as the "Government-Wide Email System" or "GWES." This putative class action challenges the process by which OPM implemented this new system.
Plaintiffs are two federal executive branch employees and five other individuals who have ".gov" email addresses but are not executive branch employees. They contend that in the rush to adopt this new system, OPM at first entirely failed to comply with Section 208 of the E-Government Act of 2002, which requires the preparation of a Privacy Impact Assessment ("PIA") before "initiating a new collection of [certain] information … using information technology," and, then, when confronted with that omission, immediately threw together an inaccurate, insufficient, and unconsidered PIA in the hope of mooting the case. According to Plaintiffs, OPM's failure to prepare a meaningful Privacy Impact Assessment has left vast amounts of private information, including the government email addresses of millions of individuals (which reveal their names and, at least in some cases, their employers) at risk of disclosure in the event that the GWES is hacked.
OPM, for its part, contends that it was not required to prepare a PIA because, on OPM's reading, Section 208 does not apply to the collection of information about government employees, as opposed to about members of the public. And, even if that contention is wrong—either because it has misread the statute or because OPM inadvertently collected email addresses from individuals who do not work for the federal government but nonetheless use .gov or .mil email addresses—OPM, in any event, has now prepared a PIA. That is all that is required, on OPM's telling, and the Court lacks the authority to examine the "substance and accuracy" of the PIA that the agency prepared….
Pending before the Court is Plaintiffs' motion for a temporary restraining order ("TRO"), which asks the Court to enjoin OPM "from continuing to operate the Government-Wide Email System or any computer system connected to it prior to the completion and public release of a required legally sufficient Privacy Impact Assessment." But Plaintiffs have failed to carry their burden of demonstrating (1) that they likely have standing to bring this action, and (2) that they are likely to suffer irreparable injury in the absence of emergency relief….
The court held that plaintiffs lacked standing to challenge the government's actions:
[OPM argues Plaintiffs] have failed to identify an "injury in fact" that is "concrete and particularized" and "actual or imminent, not conjectural or hypothetical." It bears emphasis, moreover, that a plaintiff cannot establish standing by merely asserting that the government has failed to follow a required procedure (say, for example, failing to conduct a PIA), since "bare procedural violation[s], divorced from any concrete harm" do not "satisfy the injury-in-fact requirement of Article III." Spokeo, Inc. v. Robins (2016).
As the Supreme Court has explained, not every statutory violation results in the type of concrete injury-in-fact sufficient to support Article III standing. TransUnion LLC v. Ramirez (2021). Rather, "Article III standing requires a concrete injury even in the context of a statutory violation." The question, then, is "[w]hat makes a harm concrete for purposes of Article III?" To answer that question in a case like this one, which does not involve an alleged constitutional violation, Plaintiffs must "identif[y] a close historical or common-law analogue for their asserted injur[ies]." In TransUnion, for example, a credit reporting agency had erroneously placed Office of Foreign Assets Control or "OFAC" alerts in the plaintiffs' credit reports, "labeling them as potential terrorists." The Supreme Court assumed that the credit reporting agency "violated its obligations under the Fair Credit Reporting Act" to maintain accurate information about consumers. But the Court held that plaintiffs whose information had not been communicated to third parties lacked standing to bring that claim. The Court explained that an uncommunicated erroneous OFAC alert was not a "concrete injury" because "there is no historical or common-law analog" to this type of harm. Instead, "the plaintiffs' harm [wa]s roughly the same, legally speaking, as if someone wrote a defamatory letter and then stored it in her desk drawer." Thus, "the mere existence" of an incorrect OFAC alert in a consumer's credit file—even if a violation of federal law—was "insufficient to confer Article III standing."
Here, neither of the injuries that Plaintiffs have identified at this stage of proceeding are sufficient to confer Article III standing. Plaintiffs' first alleged injury—the mere fact that their .gov email addresses are being stored on an allegedly unsecured system—cannot survive TransUnion. Even assuming that Plaintiffs' .gov email addresses are being held on an unsecured system, that alleged injury is no more concrete or actual than the alleged injury of those members of the TransUnion class who complained about uncommunicated erroneous OFAC alerts. Moreover, rather than identify any common-law analogues, as TransUnion requires, Plaintiffs instead resort to a policy argument unmoored to Article III. They contend that, if standing is unavailable here, the only way that any court could ever enjoin any agency from operating an insecure system to prevent it from being hacked would be if it had already been hacked, at which point an injunction would be pointless.
But it is not the job of the federal courts to police the security of the information systems in the executive branch, just as it is not the job of the federal courts to police the internal notations on consumers' credit reports.
{Plaintiffs also conjure a hypothetical, asking the Court to
imagine a scenario in which an agency posted a list of its employees' social security numbers on its website and then argued that no court could make it take the list down until someone's identity was stolen.
But that hypothetical hurts Plaintiffs' argument more than it helps. This case is very different from a case in which the loss of sensitive personal information is a near certainty. Just as TransUnion drew a distinction between those individuals whose erroneous credit reports were shared with third parties and those whose erroneous reports were not, so too is a case where personally identifying information has been published different from one where the harm is a yet-unrealized risk of disclosure.}
Plaintiffs' second theory of standing, which posits that the OPM computers that are connected to the GWES are vulnerable to hacking, fares no better. Although an actual hacking incident or an imminent hack might suffice, Article III requires more than a possibility of future harm—a "theory of future injury" must be "certainly impending" and non-speculative. Clapper v. Amnesty Intern. USA (2013) (internal quotation marks omitted). Here, at least on the present record, Plaintiffs have failed to carry their burden of demonstrating that their .gov email addresses (which reveal their names and, possibly, their places of employment) are at imminent risk of exposure outside the United States government—much less that this risk is a result of OPM's failure to conduct an adequate PIA. Rather, their arguments "rel[y] on a highly attenuated chain of possibilities."
Plaintiffs premise much of their argument on an earlier hack of OPM databases containing sensitive information about millions of government employees, which occurred almost a decade ago. But past is not always prologue, particularly when it comes to Article III. Where, as here, a plaintiff seeks prospective, injunctive relief, the plaintiff must demonstrate that she is "likely to suffer future injury from the" alleged unlawful conduct, and a past violation will not suffice absent reason to believe it will occur again in the future. Here, that means that Plaintiffs must do more than point to a decade-old failure to protect sensitive data; they must show that OPM computer systems that are connected to the GWES are at imminent risk of cyberattack and that this risk would be mitigated were the agency required to conduct a new and improved PIA.
As evidence that a hack is supposedly imminent, Plaintiffs point to a podcast on which an anonymous "systems security expert" discusses potential vulnerabilities related to the GWES. {According to a blurb accompanying the podcast, Plaintiffs' counsel was the person who introduced the podcast host to the "system security expert" who the host interviewed. Plaintiffs' counsel has indicated that this expert is prepared to testify in this matter. Subject to the governing rules, Plaintiffs are welcome to proffer whatever evidence they deem appropriate at a later stage of the proceeding. For present purposes, however, the Court can consider only the evidence that is before it.}
Although that podcast raises questions about the process by which the GWES servers were set up, it does not provide any specific information that would permit the Court to conclude that the servers housing .gov email addresses collected for purposes of the GWES are at imminent risk due to likely cyberattack. To the contrary, the anonymous expert mostly addresses a past vulnerability that has since been rectified. He explains that, when the GWES was first set up, hundreds of "host names" that "appeared" to be linked to "internal" OPM systems (which included systems with names that indicated they were "admin portals" or "security portals") were made "accessible from the internet." But those "host names" were later "redacted" and are no longer visible on the public domain. The fact that those systems were more visible than they should have been for some period of time after the GWES was set up does not support Plaintiffs' assertion that a hack is likely or imminent.
Although the anonymous expert also stated that the GWES servers were possibly set up in ways that were not "within the standard that you would consider an internal system to be held to," he also indicated that the system was protected in other ways, such as by using "a web application firewall from Akamai" that "provide[s] some degree of protection." The evidence provided by the podcast is, therefore, mixed at best. More is required to satisfy Article III, and more is required to demonstrate, as Plaintiffs must do to obtain emergency injunctive relief, that they are likely to succeed in establishing standing to sue. The information that Plaintiffs have offered does not satisfy Plaintiffs' burden of showing that they face a concrete and impending risk that their .gov email addresses will be misappropriated in the absence of emergency injunctive relief—or that their proposed relief would redress that risk. This is not to say that Plaintiffs will not be able to establish standing at a later stage of the proceeding. But they have failed to carry their burden for purposes of obtaining a TRO.
The Court, accordingly, concludes that Plaintiffs' motion for a TRO fails because they have not shown that they likely have standing to sue….
The court also added, in discussing the separate TRO requirement of "irreparable injury":
In assessing irreparable injury, moreover, the Court must also consider the nature of the potential injury. That matters because this is not a case in which Plaintiffs seek to protect highly sensitive personal information, like tax records or sensitive medical files. Instead, they seek to protect their work email addresses. The Court does not doubt that government employees, at times, have a privacy interest in their work email addresses, which identify their names and oftentimes where they work. In some cases, revealing that information could result in harassment or unwanted attention. But, here, the seven named Plaintiffs have failed to offer any evidence that, even if a massive hack were to occur due to OPM's failure to prepare an adequate PIA, the disclosure of their .gov email addresses—along with millions of other .gov email addresses—would likely subject them to personal harassment, much less that it would cause them a harm that is "certain" and "great."
{At oral argument, Plaintiffs' counsel indicated that one of the Plaintiffs works for the Federal Emergency Management Agency ("FEMA"), and he argued that associating her with FEMA could invite harassment. But that argument, raised by counsel and without any evidentiary support, is insufficient to justify the issuance of a TRO. And, in any event, the argument fails to address the more fundamental problem with Plaintiffs' theory of irreparable injury; they have failed to offer evidence sufficient to permit the Court to find that the risk of a breach is "certain"—or even likely to occur in the next 14 days [the length of time the TRO would last -EV].}
Were this a case brought under the Freedom of Information Act ("FOIA"), the Court might conclude that the agency is entitled to withhold the email addresses on the ground that disclosure "would constitute a clearly unwarranted invasion of personal privacy." But this is not a FOIA case, and the requirement for issuance of a TRO is far more demanding.
The Court, accordingly, concludes that Plaintiffs have failed to carry their burden of demonstrating that they are likely to incur some irreparable injury if the Court does not enjoin OPM from operating the GWES without first preparing a more robust and accurate PIA….
Elizabeth J. Shapiro and Olivia Grace Horton (Justice Department) represent the government.