No Injunction in Electronic Privacy Information Center v. U.S. Office of Personnel Management

Today's opinion is here. I'm on the run, and can't add more right now, but I thought I'd pass it along.

UPDATE: Just got back, and thought I'd post this excerpt:

Plaintiffs allege that, since February 20, 2025, USDS [DOGE] personnel have obtained unprecedented access to information systems across numerous federal agencies, including Treasury and OPM. In this regard, Treasury operates the Bureau of Fiscal Service ("BFS"), which manages "a federal payment system that distributes nearly 90% of all federal payments, including Social Security benefits, tax refunds, and vendor payments." The BFS payment systems contain the sensitive personal data, such as full Social Security numbers, of "tens of millions of individuals." OPM manages the Enterprise Human Resources Integration ("EHRI") system, which is "responsible for maintaining the integrity of the electronic Official Personnel Folder (eOPF), which protects information rights, benefits, and entitlements of federal employees." The EHRI contains "Social Security numbers, dates of birth, salaries, home addresses, and job descriptions of all civil government workers, along with any disciplinary actions they have faced." Plaintiffs further assert that the BFS and EHRI systems and the information contained therein are typically protected by information security protocols mandated by the Federal Information Security Act of 2014 ("FISMA"), privacy protections established by the Privacy Act of 1974 (the "Privacy Act"), and supervision by trained personnel.

Plaintiffs allege that, at the direction of the DOGE Defendants, the Government Defendants have abandoned these safeguards by providing the DOGE Defendants with unlawful access to sensitive and protected data in the BFS and EHRI systems and allowing the data to be used for prohibited purposes. On January 27, 2025, after being confirmed as Secretary of the Treasury, Defendant Scott Bessent granted USDS personnel access to the BFS payment systems, allegedly giving USDS personnel the ability to "stop payments from the federal government."

As a consequence of granting this access, Plaintiffs assert that Secretary Bessent and the Treasury Department disclosed personal information contained in those systems to individuals not authorized by law to access them. After USDS personnel received access to the BFS systems, the official USDS/DOGE account on Twitter/X tweeted that it was "stopping improper payments." Similarly, Elon Musk, "an individual who is either Acting USDS Administrator or otherwise exercising substantial authority within USDS," stated on his personal Twitter/X account that "[t]he @DOGE team is rapidly shutting down these illegal payments." Plaintiffs further allege that, upon information and belief, USDS and Treasury personnel are unlawfully exfiltrating identifying information from the BFS payment systems and redisclosing the information to individuals not employed at Treasury, and that USDS is moving to "stop approved payments to federal contractors, charities that provide social services, and other federal departments."

On January 20, 2025, Plaintiffs allege that Musk and USDS personnel entered OPM's headquarters and took control of the computer systems. According to Plaintiffs, at least six USDS agents were given "broad access to all personnel systems, including the EHRI system," giving them the ability to access databases that "store medical histories, personally identifiable information, workplace evaluations, and other private data.

Plaintiffs further allege that, on information and belief, the USDS personnel who have access to Treasury and OPM systems "lack training in applicable security safeguards for personal information, do not have relevant Treasury or OPM experience, may not have necessary security clearances, and may not be federal employees." As such, Plaintiffs contend that the Government Defendants' grant of systems access to the DOGE Defendants constitutes unlawful disclosure of personal data—including social security numbers and tax information—belonging to tens of millions of people stored in the BFS systems and the unlawful disclosure of personal data belonging to millions of federal employees stored in the EHRI system….

As an "alternative" theory of complaint, Plaintiff Doe 1 alleges that, as a career civil servant, OPM retains her personal information on EHRI, including her Social Security number, home address, and disciplinary record. Plaintiffs also allege that Doe 1 and many of EPIC's members have filed federal tax returns electronically within the last six years. As a result, the BFS systems contain extensive financial information about them, including statutorily protected return information. Plaintiffs therefore assert that their "sensitive, confidential, and personally identifiable information has been unlawfully accessed and endangered by DOGE." Plaintiffs further assert "[b]eyond the immediate harm of disclosure, Plaintiffs face substantially elevated risk of: data errors which could interfere with their paychecks or other employment benefits, purposeful withholding of payments to which they are legally entitled, and identity theft."

The Court notes that Defendants dispute the claim that USDS personnel have obtained access to these information systems. Instead, Defendants assert that

In response to lawful Executive Orders issued by President Trump, Treasury and OPM have assembled teams of the agencies' own employees, including detailees, to oversee implementation of the new Administration's policies to root out waste, fraud, and abuse across the federal government. Although these teams liaise with USDS—a component of the Executive Office of the President—it is the agencies' employees, and only those employees, who have access to the data systems containing the personal information upon which Plaintiffs premise their claims.

Defendants therefore contend that Plaintiffs' claims of unlawful access to the information systems by USDS personnel cannot be correct….

In their Motion, Plaintiffs argue that "[t]he longer Defendants are permitted unauthorized access to these sensitive systems, the more likely it is that they will access or further disclose Plaintiffs' individual data, and the longer Plaintiffs' data remains at a heightened risk of exposure or exfiltration by hostile actors." Plaintiffs further allege that Defendants "can easily and immediately misuse [personal identifying information] in violation of law by arbitrarily stopping payments through access to the BFS system, as they have publicly claimed to do," or by "bring[ing] adverse employment actions on the basis of information in the OPM system." Finally, Plaintiffs allege that there is a substantial risk of Plaintiffs suffering future identity theft because OPM's network is regularly subject to hacking attempts, and that these attempts are more likely to be successful as a result of Defendants' actions. The Court is unpersuaded.

Plaintiffs' fears of future harm are much too speculative and would require the Court to make several leaps in reasoning in order to warrant injunctive relief. For instance, Plaintiffs have not provided concrete evidence that Defendants are actively misusing or even attempting to misuse their sensitive data. The hypothetical scenarios that Defendants will withhold payments or bring adverse employment actions based on Plaintiffs' sensitive data are unsupported by the record before this Court. And to accept Plaintiffs' argument based on the exfiltration of their information by hostile actors, the Court would have to conclude that Defendants' conduct is causing an increased likelihood of hacking, that any resulting breach would target the specific systems containing Plaintiffs' information, that Plaintiffs' information would be specifically targeted, and that such a breach would lead to identity theft or other tangible harm, economic or otherwise.

This speculative chain of events is insufficient to establish irreparable harm, as Plaintiffs' claims are based on a series of possibilities, any one of which may never materialize. See Beck, 848 F.3d at 275 (referring to the plaintiffs' fear of identity theft as an "attenuated chain of possibilities" where the court had to "assume that the thief targeted the stolen items for the personal information they contained" and then assume that the thieves would "select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities"). "As the Supreme Court noted in Winter, the possibility of irreparable harm does not constitute a 'clear showing' that the plaintiff is entitled to relief."

Given the extraordinary nature of the remedy and the speculative, attenuated nature of the potential harm that Plaintiffs face, the Court cannot issue injunctive relief based on the current record before it….