In Re: U.S. Office of Personnel Management Data Security Breach Litigation
REPLY to opposition to motion re MOTION to Dismiss the Consolidated Amended Complaint
D.D.C.
August 3, 2016

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

IN RE: U.S. OFFICE OF PERSONNEL MANAGEMENT DATA SECURITY BREACH LITIGATION

This Document Relates To: ALL CASES

Misc. Action No. 15-1394 (ABJ)
MDL Docket No. 2664

REPLY MEMORANDUM IN SUPPORT OF FEDERAL DEFENDANT’S MOTION TO DISMISS THE CONSOLIDATED AMENDED COMPLAINT

Case 1:15-mc-01394-ABJ Document 87 Filed 08/03/16 Page 1 of 42

TABLE OF CONTENTS

PRELIMINARY STATEMENT
ARGUMENT
I. THIS CASE SHOULD BE DISMISSED FOR LACK OF SUBJECT MATTER JURISDICTION BECAUSE PLAINTIFFS LACK CONSTITUTIONAL STANDING.
   A. Plaintiffs Lack Standing To Pursue Money Damages For Alleged Past Harms.
      1. Plaintiffs’ Alleged Past Harms Are Not Cognizable Injuries In Fact
      2. Plaintiffs’ Alleged Past Harms Are Not Fairly Traceable To The OPM Cybersecurity Incidents
   B. Plaintiffs Lack Standing To Pursue Declaratory And Injunctive Relief For Alleged Future Harms.
II. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE PRIVACY ACT
   A. Plaintiffs Fail To Specifically Plead Actual Damages.
      1. Actual Damages Must Be Pled With Specificity Under Rule 9(g).
      2. Fraudulent Financial Activity.
      3. Fraudulent Tax Returns
      4. Time Spent
      5. Credit Monitoring And Credit Repair Services
   B. Plaintiffs Fail To Plead Sufficient Facts Showing OPM Intentionally And Willfully Violated The Privacy Act.
      1. Plaintiffs Fail To Allege Sufficient Facts Showing That OPM Intentionally And Willfully Violated The Disclosure Provision Of The Privacy Act
      2. Plaintiffs Fail To Allege Sufficient Facts Showing That OPM Intentionally And Willfully Violated The Safeguards Provision of the Privacy Act
III. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE LITTLE TUCKER ACT
   A. Plaintiffs Fail To Plausibly Allege The Elements Of A Contract With The United States.
   B. The Consumer Data Breach Cases Cited By Plaintiffs Are Inapposite.
IV. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE ADMINISTRATIVE PROCEDURE ACT
   A. Plaintiffs’ APA Claims Are Precluded Because They Impermissibly Seek To Expand The Relief Available Under The Privacy Act
   B. OPM’s Compliance With FISMA Is Committed To Agency Discretion By Law And Thus Not Subject To Judicial Review Under The APA.
   C. Plaintiffs Have Confirmed That They Seek The Type Of Broad Programmatic Relief That Is Not Available Under The APA.
V. THE COURT LACKS THE INHERENT AUTHORITY TO AWARD THE EQUITABLE REMEDIES REQUESTED IN THIS CASE.
CONCLUSION

PRELIMINARY STATEMENT

In 2015, the Office of Personnel Management (“OPM”) was the target of a malicious and sophisticated third-party cyber intrusion which resulted in the theft of certain personally identifiable information (“PII”) from federal personnel files. Plaintiffs are 38 current, former, and prospective government employees or contractors whose PII was allegedly compromised in these cyber intrusions. Plaintiffs allege that they, like many other Americans who never worked for the federal government, have experienced various instances of identity theft over the past year and might experience similar instances in the future. But mere allegations of identity theft, untethered to this particular cyber intrusion, cannot establish the requisite harm necessary to obtain money damages or injunctive relief in federal court.
Article III of the Constitution limits judicial review to concrete and particularized injuries that are fairly traceable to the defendant’s conduct and likely to be redressed by the requested relief. Plaintiffs’ allegations fail to satisfy these requirements. Additionally, to state a legal claim against the United States, that claim must fall within a specific waiver of sovereign immunity. These principles, applied here, require dismissal of this case.

Plaintiffs lack standing under Article III to seek money damages because they have not pled facts plausibly showing that they have suffered injuries-in-fact, or that their alleged past injuries—which are quite disparate and range from unauthorized charges on certain Plaintiffs’ credit cards to the filing of fraudulent tax returns in certain Plaintiffs’ names—are fairly traceable to the particular cybersecurity incidents at issue here. Plaintiffs also fail to establish standing to seek injunctive relief. Plaintiffs ask the Court to enter a sweeping and unprecedented injunction that would require OPM, among other things, to implement an extensive data security plan and to provide credit monitoring services to Plaintiffs for their entire lives. But Plaintiffs fail to explain how they will be imminently injured unless the Court grants their requested injunction.

Furthermore, even if a particular Plaintiff could establish standing, all claims alleged against OPM should be dismissed for failure to state a claim. Plaintiffs’ Privacy Act claims fail, most fundamentally, because not a single Plaintiff plausibly alleges that he or she has personally sustained monetary loss as a result of a Privacy Act violation. Plaintiffs’ pleading failure is striking because they alone have the information necessary to plead their own personal monetary losses. Plaintiffs’ breach-of-contract claims fare no better.
A routine, single-sentence disclosure statement in the Standard Form (SF) 86 cannot create a binding contract between a prospective employee and the government with respect to data security obligations. Finally, Plaintiffs’ claims for injunctive relief under the Administrative Procedure Act (“APA”) fall short because the Privacy Act’s remedial scheme precludes Plaintiffs’ requested injunctive relief under the APA; a federal agency’s compliance with the Federal Information Security Modernization Act is committed to the discretion of multiple agencies by law (most notably the Office of Management and Budget); and Plaintiffs do not identify any discrete agency action that is reviewable under the APA.

ARGUMENT

I. THIS CASE SHOULD BE DISMISSED FOR LACK OF SUBJECT MATTER JURISDICTION BECAUSE PLAINTIFFS LACK CONSTITUTIONAL STANDING.

A. Plaintiffs Lack Standing To Pursue Money Damages For Alleged Past Harms.

1. Plaintiffs’ alleged past harms are not cognizable injuries in fact.

In its opening memorandum,[1] OPM explained that four of the six categories of past harms alleged in the Consolidated Amended Complaint fail to establish injury in fact under Article III. See OPM Mem. Supp. Mot. Dismiss CAC (“OPM Mem.”) 16-33 (ECF No. 72). In summary: (1) Plaintiffs’ allegations of past fraudulent financial activity are not actual and concrete injuries because Plaintiffs do not allege that the fraud caused personal financial loss; (2) Plaintiffs’ allegations that they face an increased risk of future harm fail to establish a “certainly impending” injury under Article III; (3) the time and money spent to protect against the future risk of harm fails to establish injury in fact because the future harm being mitigated against is not itself imminent; and (4) the various forms of emotional distress alleged are insufficient because no Plaintiff alleges that his or her information will be imminently misused as a result of the cybersecurity incidents, let alone misused in the particular manner that is allegedly causing a particular form of stress. With respect to the other two categories of alleged injury—the filing of fraudulent tax returns and the misuse of a Social Security number (and the time spent addressing these alleged incidents)—OPM does not dispute, for purposes of this motion, that these allegations could qualify as an Article III injury. However, these two categories of injury still fail to establish standing because they lack a causal connection to the OPM cybersecurity incidents. See OPM Mem. 24-26. Indeed, all categories of alleged injury in the CAC fail to establish the causation prong of Article III standing.[2]

[1] Plaintiffs criticize OPM for citing a limited number of official government documents in its motion to dismiss. See Pls.’ Mem. Opp’n to Def.’s Mot. Dismiss CAC (“Pls.’ Mem.”) 6 n.1 (ECF No. 82). Such criticism is unfounded. First, OPM cited three documents that were directly referenced in the Consolidated Amended Complaint (“CAC”): two OPM announcements, OPM Mem. 7, 8, 22; CAC ¶¶ 138, 140, and the SF-86 form, OPM Mem. 23 n.14, 48; CAC ¶¶ 66-70. It is well established that “where the complaint incorporates documents by reference, those documents ‘become a part of the incorporating document just as if it were set out in full.’” Kelley v. FBI, 67 F. Supp. 3d 240, 259 n.9 (D.D.C. 2014) (quoting United States v. Sci. Applications Int’l Corp., 502 F. Supp. 2d 75, 78 (D.D.C. 2007)). Second, OPM referred to several documents in the context of its argument that Plaintiffs lack Article III standing, and accordingly, this Court lacks jurisdiction. See OPM Mem. 7-8, 33 (OPM online fact sheet); id. at 21 (Bureau of Justice Statistics report); id. at 24 (IRS Inspector General Report); id. at 25, 26 (GAO reports). “[T]he district court may consider materials outside the pleadings in deciding whether to grant a motion to dismiss for lack of jurisdiction.” Jerome Stevens Pharms., Inc. v. F.D.A., 402 F.3d 1249, 1253 (D.C. Cir. 2005). Finally, OPM cited a White House fact sheet in the context of its APA arguments. See OPM Mem. 66 n.37. When deciding a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), “[j]udicial notice may be taken of public records and government documents available from reliable sources.” Detroit Int’l Bridge Co. v. Gov’t of Canada, 133 F. Supp. 3d 70, 85 (D.D.C. 2014); see also Fed. R. Evid. 201(c) (court may take judicial notice on request or on its own).

[2] OPM emphasizes that whether a particular category of injury satisfies the requirements of Article III is separate and distinct from whether an alleged injury meets the more stringent actual damage requirements of the Privacy Act. Thus, even if an alleged injury were deemed sufficient for standing purposes, it nonetheless would fail to establish actual damages under the Privacy Act. See infra Section II.A; OPM Mem. 37-42.

Plaintiffs argue in their opposition that certain of their alleged injuries—namely, the increased risk of identity theft and the time and money spent to protect against that future risk—are supported by a handful of data breach cases involving commercial entities, including retailers, restaurants, and insurance companies. See Pls.’ Mem. 13-19 (citing Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015); Lewert v. P.F. Chang's China Bistro, Inc., No. 14-3700, 2016 WL 1459226 (7th Cir. Apr. 14, 2016); In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014); In re Anthem, Inc. Data Breach Litig., MDL No. 2617, 2016 WL 3029783 (N.D. Cal. May 27, 2016)). But these cases are non-binding, in the clear minority of federal court decisions, and factually distinguishable. Unlike this case, those decisions concerned the targeted theft of payment card information and factual allegations of widespread misuse of that same information. This case, in contrast, involves the theft of federal personnel records and allegations of disparate misuse not plausibly connected to the data that was stolen. This case, accordingly, is more akin to In re Science Applications Int’l Corp. Backup Tape Data Theft Litig. (“SAIC”), 45 F. Supp. 3d 14 (D.D.C. 2014), where it was unclear whether a third-party identity thief would target a particular Plaintiff’s information in a particular way in the future. See id. at 25–26.

2. Plaintiffs’ Alleged Past Harms Are Not Fairly Traceable To The OPM Cybersecurity Incidents

To properly establish causation for standing purposes, a plaintiff must demonstrate an “injury that fairly can be traced to the challenged action of the defendant, and not injury that results from the independent action of some third party not before the court.” Grocery Mfrs. Ass’n v. EPA, 693 F.3d 169, 176 (D.C. Cir. 2012) (citing Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 41 (1976)); see also Humane Soc’y of the U.S. v. Vilsack, 797 F.3d 4, 8 (D.C. Cir. 2015) (explaining that plaintiff must plausibly plead causation for standing purposes at pleading stage).
Plaintiffs’ theory of standing for pursuing money damages is based on two overarching, alleged facts: (1) that third-party cyber intruders stole Plaintiffs’ personal information from OPM’s systems, and (2) that Plaintiffs, like millions of other Americans, have been the victims or targets of various forms of identity theft, such as incurring false charges on their credit cards. See Pls.’ Mem. 23. But Plaintiffs provide no plausible basis to infer that these events are related. And without providing facts to support an inference of a causal relationship, their theory of standing collapses.

In the data breach context, courts have repeatedly held that to satisfy the causation prong of standing, a plaintiff must, at a minimum, offer facts showing that the information allegedly stolen by third parties from the Defendant was the same type of information that was used to cause Plaintiffs’ alleged injuries, or otherwise explain how that information was used to commit malevolent acts that caused them injury. See, e.g., SAIC, 45 F. Supp. 3d at 31-32 (rejecting claims that plaintiffs were injured through unauthorized charges made to existing credit cards or debit cards or unauthorized withdrawals from existing bank accounts where plaintiffs failed to allege that “credit-card, debit-card, or bank-account information” was stolen and otherwise failed to proffer a “plausible explanation for how the thief would have acquired their banking information”); see also Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1086 (E.D. Cal. 2015), appeal docketed, No. 15-17285 (9th Cir. Nov. 19, 2015); Chambliss v. Carefirst, Inc., No. 15-cv-2288, 2016 WL 3055299, at *5 (D. Md. May 27, 2016), appeal docketed, No. 16-1737 (4th Cir. July 5, 2016).
This means that Plaintiffs cannot, for example, claim that they are the victims of credit card fraud without ever putting forth a plausible theory for what type of information allegedly included on the SF-86 could have been used by the third-party thief to commit the purported fraud. To allow them to do otherwise would be to vitiate the causation requirement. Here, Plaintiffs plead no facts that would support a causal relationship between the information compromised in the OPM cybersecurity incidents and the financial fraud Plaintiffs allegedly have suffered. Plaintiffs claim that fraudulent transactions were made on their credit cards, debit cards, or financial accounts after the cybersecurity incidents. But Plaintiffs do not allege in the CAC, nor do they argue in their opposition, that the credit card number, debit card number, or other particular financial account number that was allegedly misused was ever provided to OPM or compromised in the cybersecurity incidents. See Consolidated Am. Compl. (“CAC”) ¶¶ 13-50; Pls.’ Mem. 22-28. While the SF 86 asks certain questions about an applicant’s financial history, Plaintiffs offer no explanation for how this information—which ranges from gambling debts, unpaid loans or taxes, bankruptcies, judgments, liens, debts more than 120 days delinquent, and foreign financial interests—could be used to commit fraud on an active credit card or debit card. See Standard Form 86 (Revised December 2010), Questionnaire for National Security Positions, Section 26, U.S. Office of Personnel Management, https://www.opm.gov/forms/pdf_fill/sf86.pdf (last visited August 3, 2016).
Plaintiffs, accordingly, have failed to meet their burden of establishing a “plausible” causal connection between their alleged injury and OPM’s conduct, see Humane Soc’y of the U.S., 797 F.3d at 8, much less of presenting “substantial evidence of a causal relationship” between the third-party thieves and OPM that “leave[s] little doubt as to causation,” Long Term Care Pharmacy All. v. Leavitt, 530 F. Supp. 2d 173, 181 (D.D.C. 2008). See also Nw. Airlines, Inc. v. F.A.A., 795 F.2d 196, 203 (D.C. Cir. 1986) (“[W]here, as here, there is nothing but the bare intuition of a causal nexus, and that nexus is of the sort that has consistently been recognized by the Supreme Court as inadequate to establish standing, the simple assertion that causation exists will not do.” (emphasis added)).

The Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), on which Plaintiffs primarily rely, does not support their causation theory. In Neiman Marcus, hackers targeted and stole the credit card numbers of department store customers, and shortly after the breach, the company learned that over 9,000 cards affected by the breach were used fraudulently. Id. at 690. In clear contrast to Neiman Marcus, this case does not involve the targeted theft of payment card information, nor allegations of rampant fraudulent charges on the very same card numbers that were stolen during the breach. Neiman Marcus demonstrates that, for plaintiffs to establish standing in data breach litigation, they must show a tight and plausible link between the information stolen and a widespread pattern of harm. Because such a link is lacking here, Neiman Marcus provides no support to Plaintiffs.

B. Plaintiffs Lack Standing To Pursue Declaratory And Injunctive Relief For Alleged Future Harms.
To establish standing for future injunctive or declaratory relief, past injuries alone are insufficient; instead, a plaintiff must demonstrate that there is a real and immediate threat that the alleged injury will be repeated in the absence of the requested injunctive relief being granted. City of Los Angeles v. Lyons, 461 U.S. 95, 105 (1983); see also Dearth v. Holder, 641 F.3d 499, 501 (D.C. Cir. 2011). In this Circuit, “[a] plaintiff must show a substantial probability of injury to establish imminent injury.” Sierra Club v. Jewell, 764 F.3d 1, 7 (D.C. Cir. 2014) (citation omitted). This requirement creates “a significantly more rigorous burden to establish standing” than that on parties seeking redress for past injuries. Swanson Grp. Mfg. LLC v. Jewell, 790 F.3d 235, 240 (D.C. Cir. 2015) (citation omitted). Satisfying that rigorous burden in a data breach case is difficult. In this case, at a minimum, Plaintiffs would have to show that: (1) a third-party wrongdoer in possession of a particular named Plaintiff’s personal information obtained that information as a result of the OPM cybersecurity incidents; (2) the wrongdoer imminently will identify and target the information of a particular named Plaintiff (out of a group of approximately 22 million); (3) the wrongdoer has the ability and desire to commit an act of malfeasance that would injure a particular named Plaintiff; (4) such an act will be taken in the immediate future and will be successful; and (5) the act will result in injury to a particular named Plaintiff.3 Courts have regularly held that this sort of attenuated causal chain is insufficient to establish standing. See SAIC, 45 F. Supp. 3d at 26; Fernandez, 127 F. Supp. 3d at 1088; In re Zappos.com, Inc., 108 F. Supp. 3d 949, 954–55 (D. Nev. 2015); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 657 (S.D. Ohio 2014).
The particular injunctive relief sought by Plaintiffs, however, requires them to show even more. As Plaintiffs admit, see Pls.’ Mem. 30-31, because they seek an injunction requiring OPM to formulate, adopt, and implement a compliant data security plan, CAC 75, Prayer for Relief ¶ F, Plaintiffs must demonstrate a substantial risk that they will be injured as a result of another extraordinary cyberattack on OPM’s data systems if those remedial measures are not taken.4 Even accepting, for purposes of this motion, Plaintiffs’ allegations that there are certain inadequacies in OPM’s data systems, Plaintiffs still fail to allege facts establishing that another cyberattack is imminent, that the attack will be successful in exfiltrating data, and that the attack is likely to result in injury to the named Plaintiffs. Indeed, OPM is not aware of any case (and Plaintiffs have cited no such case) where a plaintiff has successfully argued that he or she had standing to seek an injunction directed at a federal agency’s information security program on the theory that the program is allegedly inadequate, that a third-party cyberattacker might exploit that inadequacy at some point in the future, and that this cyberattack might result in injury to a particular plaintiff at some point in the future. Such speculation is simply insufficient to establish standing to seek injunctive relief.5

Footnote 3: Although Plaintiffs request injunctive relief on behalf of a broad class of current, former, and prospective government employees and contractors, to establish standing the named Plaintiffs themselves must show a probability that they will suffer a future injury that would be remedied by their proposed injunctive relief. Sierra Club, 764 F.3d at 6–7.

II. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE PRIVACY ACT.

A. Plaintiffs Fail To Specifically Plead Actual Damages.
Footnote 4: Plaintiffs also seek lifetime identity theft and fraud protection services (including credit-monitoring services) for all current, former, and prospective federal government employees and contractors whose personal information was allegedly compromised as a result of the data breaches. CAC 75, Prayer for Relief ¶ E. This sort of relief, which Plaintiffs characterize as injunctive in nature, would still require Plaintiffs to demonstrate a substantial probability that they would suffer an imminent future injury—which, as explained, they have not done.

Footnote 5: As Section I.B explains above, and as OPM explained in its opening memorandum, because no individual Plaintiff can establish standing for injunctive relief, AFGE cannot establish that “its members would otherwise have standing to sue in their own right.” Nat’l Ass’n of Home Builders v. E.P.A., 667 F.3d 6, 12 (D.C. Cir. 2011) (citation omitted). Therefore, AFGE’s claim for declaratory and injunctive relief (which is the only relief it seeks in this case, CAC ¶ 12) should be dismissed for lack of standing as well.

To state a claim for money damages under either the disclosure or safeguards provision of the Privacy Act, a plaintiff must allege “actual damages sustained by the individual as a result of” the alleged violation of the Act. 5 U.S.C. § 552a(g)(4)(A). In their opposition, Plaintiffs clarify that they are alleging four putative categories of actual damages (i.e. monetary losses): (1) fraudulent financial activity on certain accounts, namely fraudulent charges made to existing credit or debit cards or the fraudulent opening of new accounts; (2) fraudulent tax returns filed in certain Plaintiffs’ names; (3) time spent addressing the alleged fraudulent financial activity and fraudulent tax returns; and (4) credit monitoring and credit repair services that certain Plaintiffs purchased or will purchase in the aftermath of the cybersecurity incidents.6 None of these allegations, however, is sufficient to establish actual damages proximately caused by a Privacy Act violation.

1. Actual Damages Must Be Pled With Specificity Under Rule 9(g).

As an initial matter, the Supreme Court’s decision in FAA v. Cooper, 132 S. Ct. 1441 (2012), strongly supports the conclusion that actual damages under the Privacy Act must be pled with specificity under Federal Rule of Civil Procedure 9(g). See OPM Mem. 38-39 & n.26. In their opposition, Plaintiffs correctly observe that Cooper did not explicitly hold that Rule 9(g) applies to pleading actual damages under the Privacy Act. Pls.’ Mem. 33-34. But Plaintiffs ignore the fact that the Court’s reasoning—and in particular its conclusion that “actual damages” in the Privacy Act are a type of “special damages,” which must be “specially pleaded and proved”—directly supports the conclusion that Rule 9(g) applies. See Cooper, 132 S. Ct. at 1451-52. If actual damages are a type of special damages, as Cooper explicitly indicates, then the plain language of Rule 9(g) requires that these damages must be “specifically stated.” See Fed. R. Civ. P. 9(g) (“If an item of special damage is claimed it must be specifically stated.”). Plaintiffs also erroneously argue that they have satisfied Rule 9(g)’s heightened pleading standard because it “requires only that the complaint adequately notify both defendants and the Court as to the nature of the claimed damages.” Pls.’ Mem.
34 (citing Halperin v. Kissinger, 542 F. Supp. 829, 832 (D.D.C. 1982)). But the D.C. Circuit has rejected the proposition that “pleading special damages has been relegated to mere notice pleading.” Browning v. Clinton, 292 F.3d 235, 246 (D.C. Cir. 2002). Instead, the Circuit has explained that Rule 9(g) requires a plaintiff to set forth “the precise nature of the losses as well as the way in which the special damages resulted from the [defendant’s allegedly illegal act].” Id. (citation omitted). Plaintiffs fail to meet this standard, and thus all their Privacy Act claims should be dismissed for failure to state a claim.7

Footnote 6: Plaintiffs do not argue that the other harms alleged in the CAC would satisfy the element of actual damages in the Privacy Act. See Pls.’ Mem. 5 (summarizing alleged economic harms); id. at 33-34.

2. Fraudulent Financial Activity

Fifteen plaintiffs allege that fraudulent financial activity has occurred in their individual accounts after the cybersecurity incidents. See OPM Mem. 12 & n.6, 19. These allegations fail to establish actual damages because Plaintiffs never claim that any of the alleged fraud caused a particular Plaintiff actual monetary loss. Although Plaintiffs allege that unauthorized charges have been made on their credit or debit cards, and that they have spent time contacting their financial institution about reversing the charges, not a single Plaintiff alleges in the CAC or argues in the opposition that their financial institution has required him or her to pay for a fraudulent charge. CAC ¶¶ 13-50; Pls.’ Mem. 7-13; OPM Mem. 39-40.8 Plaintiffs instead argue that considering whether a financial institution has required them to pay for a particular fraudulent charge is procedurally improper on a motion to dismiss under Rule 12(b)(6). See Pls.’ Mem. 10-11. But Plaintiffs misapprehend their pleading burden.
Footnote 7: In the event the Court were to conclude that Rule 9(g) does not apply to pleading actual damages under the Privacy Act, Plaintiffs’ allegations of actual damages still do not satisfy the general pleading standards of Rule 8, because they fail to plead facts plausibly showing that they have sustained actual monetary loss as a result of a Privacy Act violation.

Footnote 8: In addition, even if charges incurred only by the financial institution could constitute personal monetary loss (and they cannot), Plaintiffs fail to plead facts showing that the alleged financial fraud, which is quite disparate and varies significantly from one Plaintiff to the next, was proximately caused by a single data breach, let alone the OPM cybersecurity incidents. OPM Mem. 40-41.

Whether under Rule 9(g) or Rule 8, Plaintiffs must plead facts showing that they have sustained actual damages under the Privacy Act. While it is true that the Court “must construe the Complaint in the plaintiff’s favor,” it “need not accept inferences drawn by the plaintiff[ ] if such inferences are unsupported by the facts set out in the complaint.” Sykes v. Dudas, 573 F. Supp. 2d 191, 198-99 (D.D.C. 2008) (citing Kowal v. MCI Commc’ns Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994)). Here, Plaintiffs cannot meet their burden of pleading personal monetary loss under the Privacy Act by merely alleging that they discovered fraudulent charges on their accounts and asked their financial institutions to reverse the charges. To the contrary, these allegations suggest that Plaintiffs’ financial institution investigated the fraud, reversed the charges, and covered any economic loss that may have occurred. Plaintiffs’ argument that they need not plead facts regarding whether their financial institution paid for a particular fraudulent charge also misapprehends the substantive requirements of the Privacy Act.
The Privacy Act waives sovereign immunity for “actual damages sustained by the individual” as the result of an alleged violation of the Act. 5 U.S.C. § 552a(g)(4)(A) (emphasis added). The plain language of the Act, therefore, requires a factual showing that the individual plaintiff has personally sustained monetary loss, not that monetary loss is possible at some future point, and certainly not that the loss has been sustained by a third-party financial institution. Moreover, even if the phrase “sustained by the individual” in 5 U.S.C. § 552a(g)(4) were somehow ambiguous—and it is not—“[a]ny ambiguities in the statutory language are to be construed in favor of immunity, so that the Government’s consent to be sued is never enlarged beyond what a fair reading of the text requires.” Cooper, 132 S. Ct. at 1448 (citation omitted).

3. Fraudulent Tax Returns

Seven Plaintiffs allege that an unidentified individual filed a fraudulent tax return in their name. OPM Mem. 12 n.7. Plaintiffs clarify in their opposition that they do not contend that the IRS has denied a tax refund due to the filing of a fraudulent return. Instead, Plaintiffs argue that “tax returns were fraudulently filed using Plaintiffs’ identities, causing them to incur costs and forgo possession of tax refund payments for months or years until the completion of the relevant tax authorities’ investigations.” Pls.’ Mem. 5. But the CAC does not contain any facts showing what “costs” Plaintiffs have allegedly incurred as a result of a fraudulent tax return. See CAC ¶¶ 14, 21, 24, 26, 28, 31, 32. Nor do Plaintiffs allege how the delay in receiving a tax return has resulted in personal monetary loss. See id.
For instance, Plaintiffs do not allege that they are entitled to interest from the IRS on a particular tax refund due to the IRS’s processing delay (commonly referred to as “overpayment interest”), or that the IRS declined to pay such interest. See Internal Revenue Manual, Part 20, Penalty & Interest (Mar. 5, 2015), https://www.irs.gov/irm/part20/irm_20-002-004r.html (explaining procedure for obtaining overpayment interest on tax refund). And Plaintiffs certainly do not provide any calculations regarding the amount of overpayment interest that the IRS allegedly owes a particular plaintiff and that Plaintiffs are now asking OPM to pay for. All of this information—regarding Plaintiffs’ own tax refunds—is in Plaintiffs’ possession, and Plaintiffs need no discovery at all from OPM or KeyPoint to allege how a delayed tax refund has resulted in personal monetary loss. Plaintiffs nonetheless have failed to plead these facts, and thus have failed to show that they have sustained personal monetary loss as a result of a delayed tax return.9

Footnote 9: Plaintiffs’ allegations of fraudulent tax returns also lack a causal connection to the OPM cybersecurity incidents, and thus Plaintiffs have failed to allege facts showing that the fraudulent returns were proximately caused by a Privacy Act violation. See OPM Mem. 40-41. Plaintiffs do not allege what information was necessary to file a particular return, let alone facts showing that a particular fraudulent tax return was filed using information that was stolen during the OPM cybersecurity incidents.

4. Time Spent

Almost all of the thirty-eight individual Plaintiffs allege that they have expended time as the result of the cybersecurity incidents. OPM Mem. 12-13 & nn.6-11. Plaintiffs do not argue in their opposition that the expenditure of time itself constitutes actual damage under the Privacy Act. See Pls.’ Mem. 33-37.
Instead, Plaintiffs confine their discussion of “lost-time” injuries to the Article III context. See id. at 8-10. Nonetheless, to the extent Plaintiffs seek to recover money damages for the time they have spent in the aftermath of the cybersecurity incidents, such allegations do not constitute actual damages under the Privacy Act. For a plaintiff to recover “lost time” damages under the Privacy Act, a plaintiff must specifically plead facts showing that the time expended resulted in pecuniary or monetary loss. See, e.g., Speaker v. U.S. Dep’t of Health and Human Servs. Ctrs. for Disease Control & Prevention, 623 F.3d 1371, 1383 (11th Cir. 2010) (holding that an allegation of “loss of prospective clients as an attorney” satisfied the “actual damages” requirement); Makowski v. United States, 27 F. Supp. 3d 901, 914 (N.D. Ill. 2014) (concluding that allegations of lost wages and lost prospective employment opportunities satisfies “actual damages” requirement). Here, Plaintiffs allege only that they have expended various amounts of time addressing what they allege to be the consequences of the cybersecurity incidents. Plaintiffs do not allege, however, that this expenditure of time has caused any type of personal financial loss—whether through lost wages, lost employment opportunities, or some other type of financial harm. Plaintiffs’ lost-time allegations, accordingly, fail to allege actual damages under the Privacy Act.

5. Credit Monitoring and Credit Repair Services

Plaintiffs argue that they have sustained actual damages because they have incurred in the past or will incur in the future “out-of-pocket remediation costs.” Pls.’ Mem. 34-36. But neither remediation theory—whether based on past expenses or on possible future expenses—constitutes actual damages sustained by an individual as a result of a Privacy Act violation.
Plaintiffs Jane Doe and Charlene Oliver cannot establish actual damages by alleging that they have paid for credit repair services to address past fraudulent incidents. See Pls.’ Mem. 35. Jane Doe alleges that she “paid approximately $198 to a credit repair law firm” to assist her with closing fraudulent accounts and removing them from her credit report, and that she “expended approximately $50 to obtain copies of her credit report” after fraudulent charges prevented her from obtaining access to her credit report. CAC ¶ 22. Similarly, Plaintiff Charlene Oliver alleges that she pays “$100 per month” to a “credit repair law firm” to assist her with addressing past fraudulent incidents regarding her electricity account. CAC ¶ 41. Assuming for purposes of this motion that Ms. Doe and Ms. Oliver spent their own money on these services, these allegations are still deficient because no facts indicate that the underlying fraud, which prompted the expenditures, was caused by the cybersecurity incidents. See OPM Mem. 21-23, 40-41. As such, the money they spent addressing this past fraud is not an actual damage proximately caused by a Privacy Act violation. Plaintiffs also cannot establish actual damages by alleging that they face the risk of identity theft that could necessitate the purchase of additional credit monitoring services or other remediation costs at an undetermined point in the future. All Plaintiffs appear to be pursuing this forward-looking, perpetual damage theory. See CAC 75, Prayer for Relief ¶ E (seeking as relief “lifetime identity theft and fraud protection services, including credit monitoring and identity theft insurance”). For at least two reasons, Plaintiffs’ allegations of future monitoring or remediation costs are not sufficient to state a money damages claim under the Privacy Act. 
First, the Privacy Act does not waive sovereign immunity for future monetary expenditures that a Plaintiff may decide to make on the basis of a future risk of identity theft. By its terms, the Privacy Act only allows for the recovery of “actual damages sustained by the individual.” 5 U.S.C. § 552a(g)(4)(A) (emphasis added). Thus, the Privacy Act only waives sovereign immunity for past monetary harms and not monetary expenditures that a plaintiff might decide to make in the future. Second, even if future monitoring services and future remediation costs could constitute out-of-pocket loss already sustained by an individual, Plaintiffs have failed to plead facts showing that these future costs are proximately caused by a past Privacy Act violation. As OPM explained in the context of Article III standing, Plaintiffs fail to plead facts showing that they face an imminent risk of harm, and thus any future measures they might take in response to that future harm do not constitute actual harms. See OPM Mem. 41-42. In addition, Plaintiffs cannot establish a causal link between the necessity of future expenditures and the cybersecurity incidents at OPM. The federal government has already provided a comprehensive suite of protective services to everyone affected by the OPM incidents, and Congress has extended those benefits for at least a decade (an extension Plaintiffs do not acknowledge or address in their opposition). See Consolidated Appropriations Act of 2016, Pub. L. No. 114-113, § 632, 129 Stat. 2242, 2470-71 (2015). As such, the potential need to purchase additional protective services will not arise until at least 2025.
Plaintiffs may decide to spend money in 2025 on credit monitoring services, or they might not, but they cannot plausibly claim here that those hypothetical costs are caused by the cybersecurity incidents announced in April 2015.10

Footnote 10: Plaintiffs also contend that the federal government’s decision to provide credit monitoring services shows that “Plaintiffs’ decision to incur similar costs can scarcely be deemed unreasonable.” See Pls.’ Mem. 36. But the fact that credit monitoring services were provided as a general prophylactic measure to individuals impacted by the cybersecurity incidents does not mean a particular individual faces a “certainly impending” risk of cognizable injury, which is necessary to establish standing under Article III. See SAIC, 45 F. Supp. 3d 14, 26 (D.D.C. 2014). Nor does the provision of credit monitoring services constitute a concession that any future identity theft would be causally related to this cybersecurity incident.

Plaintiffs suggest, see Pls.’ Mem. 35, that their expansive conception of actual damages—which would require the United States to pay for credit monitoring and other protective services throughout their lifetimes—is supported by Beaven v. U.S. Dep’t of Justice, No. 03-cv-84-JBC, 2007 WL 1032301, at *14 (E.D. Ky. Mar. 30, 2007), aff’d in part, rev’d in part and remanded, 622 F.3d 540 (6th Cir. 2010). They are mistaken. As an initial matter, the government respectfully submits that Beaven was wrongfully decided in many respects, and thus this non-binding case should not be followed here. In addition, Beaven pre-dates the Supreme Court’s decision in Cooper, and thus does not reflect the current state of law with respect to interpreting the Privacy Act’s actual damages requirement.
Finally, Beaven is distinguishable on its facts because it did not concern the situation here, where the United States has already provided the very protective services that Plaintiffs seek, and will continue to do so for at least a decade.11

B. Plaintiffs Fail To Plead Sufficient Facts Showing OPM Intentionally and Willfully Violated The Privacy Act.

1. Plaintiffs Fail To Allege Sufficient Facts Showing That OPM Intentionally And Willfully Violated The Disclosure Provision Of The Privacy Act.

Plaintiffs allege that their records were stolen by third-party cyber intruders in a “sophisticated” and “malicious” attack on OPM’s information systems. See CAC ¶¶ 114-37. Because an illegal act by a third-party wrongdoer, over whom OPM had no control, simply cannot constitute an intentional or willful disclosure by OPM to another person or to another agency, Plaintiffs’ disclosure claim under 5 U.S.C. § 552a(b) should be dismissed. See In re Dep’t of Veterans Affairs (VA) Data Theft Litig., No. 06-0506, 2007 WL 7621261, at *6 (D.D.C. Nov. 16, 2007).

Footnote 11: Plaintiffs also suggest, in the context of Article III standing, that they should be able to sue OPM for the cost of future credit monitoring services under the Privacy Act because of the possibility that a particular Plaintiff might have paid for the services before learning of the federal government’s remedial offer, or because a particular Plaintiff might desire to purchase services that provide greater protection than the services offered by the federal government. But this argument is meritless. No individual Plaintiff alleges in the CAC that they purchased a particular service at a particular cost before receiving the federal government’s offer, and no Plaintiff alleges that he or she purchased monitoring services that provide greater protection than those already offered by the government free of charge.
Plaintiffs argue that their disclosure theory, like their actual damages theory, is supported by Beaven v. U.S. Dep’t of Justice, 622 F.3d 540 (6th Cir. 2010). As noted, Beaven was wrongly decided in many respects—including with respect to its interpretation of intentional or willful conduct under 5 U.S.C. § 552a(g)(4)—and is not controlling precedent in this case. In addition, Beaven is distinguishable on its facts. As relevant here, Beaven involved a Bureau of Prisons (“BOP”) employee who caused an affirmative disclosure of certain personal information to a particular inmate, by leaving the information in an improperly marked folder on a desk in an area accessible by prison inmates. Id. at 545-46. In determining whether the BOP employee acted in an intentional or willful fashion under 5 U.S.C. § 552a(g)(4), the court held that it could consider the employee’s “entire course of conduct” leading to the disclosure of information. Id. at 551. Unlike Beaven, this case does not concern a particular agency employee’s affirmative act of disclosing information to another particular individual or group of individuals. Instead, Plaintiffs allege that their records were stolen by third-party cyber intruders in a “sophisticated” and “malicious” attack on OPM’s information systems. Beaven is accordingly inapplicable here.

Plaintiffs also cite Tolbert-Smith v. Chu, 714 F. Supp. 2d 37, 43 (D.D.C. 2010), as supporting their contention that OPM intentionally and willfully disclosed their records to a particular person. But in Tolbert-Smith, the plaintiff alleged that agency employees placed specific records relating to her disability on a server accessible to other employees and members of the public, and did so to retaliate against the plaintiff for filing an administrative complaint. Id. at 43. That case—concerning retaliatory disclosures of particular records—has no relevance here.

2. Plaintiffs Fail To Allege Sufficient Facts Showing That OPM Intentionally and Willfully Violated the Safeguards Provision of the Privacy Act.

Plaintiffs’ assertion that OPM acted intentionally and willfully in failing to safeguard their personal information is based on their allegation that OPM negligently declined to implement data security directives issued by the OPM Office of Inspector General (“IG”)—which Plaintiffs incorrectly describe as “mandatory, not discretionary.” Pls.’ Mem. 39. As the IG reports cited by Plaintiffs make clear, however, the IG reports do not contain mandatory directives, but instead contain discretionary recommendations that require the agency to weigh the costs and benefits and technical feasibility of implementation. See, e.g., OPM OIG, Final Audit Report: Federal Information Security Management Act Audit FY 2015 (Nov. 10, 2015) at 8, https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy-2015-final-audit-report-4a-ci-00-15-011.pdf. The IG reports, therefore, reflect the collaborative process through which the agency continuously identifies potential weaknesses and conducts a risk assessment to determine what actions should be taken to strengthen its security protocols.

This collaborative process is consistent with the statutory directives of the Federal Information Security Modernization Act (“FISMA”). That statute provides agencies wide latitude to adopt “security protections” that are “commensurate with the risk and magnitude of the harm” that could result from an unauthorized system breach. 44 U.S.C. § 3554(a)(1)(A). It also expressly instructs that the agency’s security program must be based on “risk assessments” and must consider how to “cost-effectively reduce information security risks to an acceptable level.” Id. § 3554(b)(2) (emphasis added).
This flexible approach recognizes that agencies need to weigh the effectiveness, operational impact, and technical feasibility of implementing tools in complex IT environments that contain a mix of legacy and modern systems, and must do so in light of budget constraints and constantly evolving threats. Case 1:15-mc-01394-ABJ Document 87 Filed 08/03/16 Page 28 of 42 - 20 - When it enacted the Privacy Act, Congress similarly recognized that agencies would be required to conduct difficult risk assessments in order to comply with the requirements of that statute. As explained by the Senate Committee responsible for that statute: The Committee recognizes the variety of technical security needs of the many different agency systems and files containing personal information as well as the cost and range of possible technological methods of meeting those needs. The Committee, therefore, has not required in this subsection or in this Act a general set of specific technical standards for security of systems. Rather, the agency is merely required to establish those administrative and technical safeguards which it determines appropriate and finds technologically feasible for the adequate protection of the confidentiality of the particular information it keeps against purloining, unauthorized access, and political pressures to yield the information improperly to persons with no formal need for it. S. Rep. No. 93-1183 (1974), reprinted in LEGISLATIVE HISTORY OF THE PRIVACY ACT OF 1974 S. 3418 (PUBLIC LAW 93-579). Consistent with this legislative history, the Privacy Act does not impose any rigid security requirements but relies on agencies to continuously weigh the costs and benefits of implementing particular data security measures. The Privacy Act requires intentional and willful misconduct, and Plaintiffs’ allegations do not create a plausible inference that OPM acted in such a manner. III. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE LITTLE TUCKER ACT. A. 
Plaintiffs Fail To Plausibly Allege The Elements Of A Contract With The United States.

Plaintiffs’ opposition makes clear that their breach-of-contract claim rests on a single sentence in the Standard Form (SF) 85, SF 85P, and SF 86 (collectively, the “Questionnaires”). Pls.’ Mem. 106. Specifically, Plaintiffs point to the following sentence in SF 86: “The information you provide is for the purpose of investigating you for a national security position, and the information will be protected from unauthorized disclosure.” Pls.’ Mem. 106. The inclusion of this sentence in the Questionnaires, however, cannot transform a disclosure statement, informing Plaintiffs that their information will be treated in accordance with federal law, into a binding contractual promise imposing specific and enforceable obligations on the government.

Plaintiffs’ reading of the Questionnaires is wrong and contrary to a key tenet of contract interpretation: that a contract must be read in context and not as a series of unrelated and isolated provisions. See Shell Oil Co. v. United States, 751 F.3d 1282, 1293 (Fed. Cir. 2014); Barela v. Shinseki, 584 F.3d 1379, 1383 (Fed. Cir. 2009). The disclosure statement on which Plaintiffs rely to create a contractual obligation, titled “Disclosure of Information,” is replete with references to the Privacy Act and makes clear on its face that its purpose is to inform the applicant that his or her information will be treated in accordance with the Privacy Act. This type of notification statement, commonly found on government forms, does not create contractual obligation. See OPM Mem. 49-50. Indeed, the single sentence that Plaintiffs claim creates an independent contractual obligation merely notifies applicants that their information will be protected from “unauthorized disclosure,” a term of art used in the Privacy Act. Id. at 49.
Additionally, Plaintiffs’ argument—that the Questionnaires create a contractual requirement for OPM to protect their data above and beyond the requirements of the Privacy Act—fails because Plaintiffs do not plausibly allege any of the requisite elements of a contract with the United States. See Harbert/Lummus Agrifuels Projects v. United States, 142 F.3d 1429, 1434 (Fed. Cir. 1998). First, there is no mutual intent to contract. The Questionnaires are standard government forms filled out as a prerequisite for government employment and are not subject to negotiation. Courts have routinely found that the government’s invitation to fill out a standard form as a prerequisite for employment is not an offer to contract. See, e.g., Chattler v. United States, 632 F.3d 1324 (Fed. Cir. 2011); XP Vehicles, Inc. v. United States, 121 Fed. Cl. 770, 785 (2015) (citing Girling Health Sys., Inc. v. United States, 22 Cl. Ct. 66, 71–72 (1990)). Second, Plaintiffs do not plead facts showing a bargained-for exchange, i.e., consideration. The Questionnaires specifically refer to the Privacy Act as the law governing disclosure and do not impose any other specific contractual obligation. OPM therefore undertook no obligation “beyond that encountered by the agency in the discharge of its every day responsibilities,” and thus the Questionnaires’ reference to confidentiality cannot constitute “consideration sufficient to support a return promise.” Floyd v. United States, 26 Cl. Ct. 889, 890, 891 (1992), aff'd, 996 F.2d 1237 (Fed. Cir. 1993).

Finally, even if the Questionnaires purported to make commitments beyond the Privacy Act, they would be void for lack of actual authority. “Only government officials who possess a Contracting Officer’s warrant are authorized to bind the United States to a contract.” Stout Road Assocs., Inc. v. United States, 80 Fed. Cl. 754, 756 (2008) (citing 48 C.F.R. § 1.602-1).
Here, Plaintiffs have alleged that they entered into a binding contract with OPM and that “agents and representatives of OPM had actual authority to act on behalf of OPM and to bind the United States.” CAC ¶ 191. But they never allege that any named Plaintiff had any particular dealing with anyone—such as a government contracting officer, see 48 C.F.R. § 1.602-1—who had authority to bind the United States.

B. The Consumer Data Breach Cases Cited by Plaintiffs Are Inapposite.

In their opposition, Plaintiffs cite several consumer data breach cases where a breach of contract claim survived a defendant’s motion to dismiss under the theory that an implied contract was created through the exchange of, and payment for, consumer goods. Pls.’ Mem. 105. These cases are by no means a comprehensive view of the law in this area, as many courts have held the opposite, including this Court.12 In any event, these cases are all inapposite to the present case, which does not involve the purchase of consumer goods, but rather involves prospective and current government employees filling out a standard government form as a condition of employment.

12 See SAIC, 45 F. Supp. 3d at 30 (“To the extent that [p]laintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing.”); In re Zappos.com, Inc., No. 3:12cv325, 2013 WL 4830497, at *3 (D. Nev. Sept. 9, 2013); Carlsen v. GameStop, Inc., 112 F. Supp. 3d 855, 862-63 (D. Minn. 2015); Fernandez, 127 F. Supp. 3d at 1089, appealed, No. 15-2453 (8th Cir. argued Mar. 15, 2016).

IV. PLAINTIFFS FAIL TO MEET THE REQUIREMENTS OF THE ADMINISTRATIVE PROCEDURE ACT.

A. Plaintiffs’ APA Claims Are Precluded Because They Impermissibly Seek to Expand The Relief Available Under The Privacy Act.
Plaintiffs impermissibly seek to expand the relief available under the Privacy Act by asserting APA claims arising from the same alleged agency conduct that they challenge under the Privacy Act. The APA provides for judicial review of agency action only where “there is no other adequate remedy in a court.” 5 U.S.C. § 704. The Supreme Court has held that this provision prohibits a plaintiff from seeking “additional judicial remedies [under the APA] in situations where the Congress has provided special and adequate review procedures.” Bowen v. Massachusetts, 487 U.S. 879, 903 (1988). Courts have regularly held that the Privacy Act provides such an adequate review procedure and dismissed APA claims predicated on alleged Privacy Act violations. See OPM Mem. 55-56 (collecting cases). This Court should do the same here, because Plaintiffs’ Privacy Act and APA claims both seek redress for OPM’s alleged failure to safeguard their personal information. While Plaintiffs concede that courts regularly dismiss APA claims predicated on alleged Privacy Act violations, they incorrectly contend that their APA claims should be treated differently and survive because they seek distinct forms of relief under the Privacy Act (monetary damages) and the APA (injunctive relief). See Pls.’ Mem. 47. This argument is contrary to binding precedent holding that a remedy is not inadequate simply because it does not offer relief identical to relief available under the APA, so long as it provides relief of the same genre. See Garcia v. Vilsack, 563 F.3d 519, 522 (D.C. Cir. 2009). Congress enacted the Privacy Act in order to regulate the collection, maintenance, use, and dissemination of personal information by federal agencies. See Privacy Act of 1974, Pub. L. No. 93-579, § 2(a)(5), 88 Stat. 1896 (codified at 5 U.S.C. § 552a). 
To achieve that purpose, among other things, the Privacy Act provides a remedial scheme to address the treatment of personal information by federal agencies—allowing plaintiffs to obtain monetary relief for particular violations and forms of injunctive relief for other violations. See Kelley v. FBI, 67 F. Supp. 3d 240, 252–53 (D.D.C. 2014). The fact that Plaintiffs have sought additional injunctive relief does not entitle them to bypass the more specific statutory scheme of the Privacy Act in favor of the more general scheme of the APA.

Plaintiffs seek two types of additional injunctive relief. First, Plaintiffs seek an injunction requiring OPM to formulate, adopt, and implement what they deem a compliant data security plan. CAC 75, Prayer for Relief ¶ F. Although Plaintiffs assert that they are entitled to seek this broad injunctive relief under the APA because such relief is not available under the Privacy Act, that logic would permit Plaintiffs to expand the relief available to them whenever they were dissatisfied with the remedial limitations of a governing statute. The Privacy Act, as noted, already provides a remedial scheme to address an agency’s alleged failure to safeguard personal information. Plaintiffs may not use the APA to make an end-run around the limitations of that remedial scheme. See Cell Assocs., Inc., v. Nat’l Institutes of Health, 579 F.2d 1155, 1161–62 (9th Cir. 1978) (holding that equitable remedies for Privacy Act violations are limited to those specifically identified in that statute); Edison v. Dep’t of the Army, 672 F.2d 840, 846–47 (11th Cir. 1982) (same). “When Congress has dealt in particularity with a claim and has intended a specified remedy—including its exceptions—to be exclusive, that is the end of the matter; the APA does not undo the judgment.” Match-E-Be-Nash-She-Wish Band of Pottawatomi Indians v. Patchak, 132 S. Ct. 2199, 2205 (2012) (citation omitted).
Second, Plaintiffs seek lifetime identity theft and fraud protection services for all current, former, and prospective federal government employees and contractors whose personal information was allegedly compromised as a result of the cybersecurity incidents. CAC 75, Prayer for Relief ¶ E. Plaintiffs have described this relief in injunctive, rather than monetary, terms. But this request plainly seeks compensation for injuries that resulted from Defendant’s alleged failure to safeguard Plaintiffs’ information. Because this injunctive relief is of the “same genre” as that sought by Plaintiff under the APA, Garcia, 563 F.3d at 522 (citation omitted), it does not provide a basis for their APA claims to proceed.

The few cases that Plaintiffs rely upon to support their alleged entitlement to broad injunctive relief under the APA do not undermine these well-established principles. Plaintiffs rely heavily on Radack v. U.S. Dep’t of Justice, 402 F. Supp. 2d 99 (D.D.C. 2005)—the only decision in this district where a court held that the Privacy Act did not provide an adequate remedy precluding an APA claim arising from the same alleged grievance. This holding has not been followed by other courts and is contrary to other decisions in this district, many of which postdate Radack. See OPM Mem. 55-56 (collecting cases). The other cases cited by Plaintiffs either do not address whether the asserted APA claims were precluded by the Privacy Act, Doe v. Stephens, 851 F.2d 1457, 1465-66 (D.C. Cir. 1988), or address that issue only tangentially in dicta and without providing any detailed reasoning, Doe v. Chao, 540 U.S. 614, 619 n.1 (2004); Haase v. Sessions, 893 F.2d 370, 374 n.6 (D.C. Cir. 1990).
None of these decisions, in other words, constitutes binding or persuasive authority regarding whether a plaintiff may seek redress under the APA for alleged grievances that are subject to the Privacy Act’s remedial scheme.

Congress has provided a detailed remedial scheme addressing when an agency may be held liable for failing to adequately safeguard personal information and the forms of relief that are available to remedy that conduct. Plaintiffs should not be permitted to augment the monetary remedies and more limited injunctive remedies available under the Privacy Act with the broader injunctive relief available under the APA.

B. OPM’s Compliance With FISMA Is Committed to Agency Discretion By Law And Thus Not Subject To Judicial Review Under The APA.

Plaintiffs’ APA claim also should be dismissed because the agency actions at issue—the implementation of and compliance with FISMA and its associated regulations—is “committed to agency discretion by law” under 5 U.S.C. § 701(a)(2) and thus not subject to judicial review. See OPM Mem. 56-63.

Plaintiffs argue that an agency’s compliance with FISMA is not committed to agency discretion by law because the statute imposes mandatory duties on various federal agencies and agency officials, including OPM and its employees, with respect to information security. See Pls.’ Mem. 50-55. Plaintiffs contend that “FISMA is not a statute that permits OPM to take whatever action it deems to be in the interest[s] of justice or in furtherance of data security” and instead “requires OPM to take definite steps to comply with specific standards to protect the records in its care.” Pls.’ Mem. 51 (emphasis in original).

Plaintiffs are correct in observing—as OPM itself observed in its opening motion—that FISMA and its implementing regulations often use mandatory language in describing an agency’s information-security responsibilities. See Pls.’ Mem. 50-55; OPM Mem.
59-60. But select instances of mandatory language do not show that Congress intended for an agency’s FISMA compliance to be subject to judicial review. As the D.C. Circuit has explained, the use of mandatory language cannot be considered in isolation; instead, courts must consider the language and structure of the statute as a whole to determine whether Congress intended for the agency action at issue to be judicially reviewable. Sierra Club v. Jackson, 648 F.3d 848, 855 (D.C. Cir. 2011) (citing Sec’y of Labor v. Twentymile Coal Co., 456 F.3d 151, 156 (D.C. Cir. 2006)).

Here, the language and structure of FISMA indicate that Congress did not intend to subject an agency’s FISMA compliance to judicial review. FISMA assigns exclusive responsibility for overseeing the management and security of information systems of civilian agencies to the Director of the Office of Management and Budget (“OMB”). See 44 U.S.C. § 3553(a); OPM Mem. 59-60. FISMA also requires the Secretary of Homeland Security to assist the OMB Director with overseeing agency information security policies and practices. See 44 U.S.C. § 3553(b). Congress, moreover, specifically considered the possibility that an agency might not comply with certain provisions of FISMA, and established accountability mechanisms for the Director of OMB to use to ensure compliance. See 44 U.S.C. § 3553(a)(5); 40 U.S.C. § 11303(b)(5)(A). For instance, Congress has authorized the OMB Director to “take any action that the Director considers appropriate, including an action involving the budgetary process or appropriations management process.” 40 U.S.C. § 11303(b)(5)(A). Additionally, the Director must review each agency’s security programs at least annually and approve or disapprove them. 44 U.S.C. § 3553(a)(5).
Finally, the Director must report to Congress annually on the “effectiveness of information security policies and practices during the preceding year.” Id. § 3553(c).

Plaintiffs make no attempt to address these critical FISMA provisions, see Pls.’ Mem. 50-51, all of which indicate that Congress did not intend for federal courts to review a federal agency’s information security program under FISMA. Instead, Congress created a multilayered statutory scheme whereby the Director of OMB, in consultation with the Director of Homeland Security, is responsible for overseeing compliance, initiating enforcement and accountability actions as necessary, and reporting annually to Congress on the effectiveness of an agency’s information security program. “Notably absent from FISMA is a role for the judicial branch.” Cobell v. Kempthorne, 455 F.3d 301, 314 (D.C. Cir. 2006).

Plaintiffs’ citation to Homeland Security Presidential Directive 12 (“HSPD 12”), OMB Memorandum M-11-11, NIST Publication 201-2, and OMB Circular A-130 further confirms that the Director of OMB, in consultation with the Director of Homeland Security, has the exclusive responsibility for overseeing and enforcing an agency’s FISMA compliance, not the federal courts. Pls.’ Mem. 51-54. Indeed, HSPD 12 itself explicitly states that it is not enforceable in federal court against a federal agency or its officials. See HSPD 12, ¶ 7, https://www.dhs.gov/homeland-security-presidential-directive-12 (“This directive is intended only to improve the internal management of the executive branch of the Federal Government, and it is not intended to, and does not, create any right or benefit enforceable at law or in equity by any party against the United States, its departments, agencies, entities, officers, employees or agents, or any other person.”). And OMB Memorandum M-11-11 and NIST Publication 201-2 explain and implement HSPD 12.
Because HSPD-12 is not enforceable in federal court, neither are these derivative materials. Finally, OMB Circular A-130, which provides policy guidance to the heads of agencies regarding information security, indicates that the OMB Director retains the discretion to utilize various measures “as the Director deems necessary” to ensure that an agency complies with the Circular’s requirements. Nothing in the Circular indicates that it is judicially enforceable. See https://www.whitehouse.gov/sites/default/files/omb/assets/omb/circulars/a130/a130trans4.pdf (Paragraph 10(a)).

In sum, FISMA itself, along with the materials Plaintiffs rely on in their opposition, indicates that a federal agency’s implementation of FISMA is committed to agency discretion by law and not subject to judicial review under the APA.13

13 Plaintiffs err by citing Cody v. Cox, 509 F.3d 606 (D.C. Cir. 2007) and Dickson v. Secretary of Defense, 68 F.3d 1396 (D.C. Cir. 1995), which they contend, without elaboration, “construed and enforced agency compliance with standards far less concrete than the above data security standards.” Pls.’ Mem. 53. Most fundamentally, these cases are inapposite because they do not address statutes where Congress expressly vested multiple agencies with the responsibility for overseeing and implementing a particular program across the entire Executive branch.

C. Plaintiffs Have Confirmed That They Seek The Type Of Broad Programmatic Relief That Is Not Available Under The APA.

In addition to being committed to agency discretion, the operation of a data security system is not the type of discrete agency action that is subject to judicial review under the APA. As explained, see OPM Mem. 64–66, courts are not permitted to enter general orders compelling compliance with broad statutory mandates because such judicial oversight over federal agency conduct is not permitted under the APA.
Plaintiffs seek this type of an order here, CAC 75, Prayer for Relief ¶ F, and thus their APA claim should be dismissed.

As an initial matter, the cases cited by Plaintiffs do not address the issue of whether they have challenged discrete agency action. Instead, all three of the cases cited by Plaintiffs—Sierra Club v. Thomas, 828 F.2d 783 (D.C. Cir. 1987); Public Citizen Health Research Grp. v. Commissioner, Food & Drug Admin., 740 F.2d 21 (D.C. Cir. 1984); Cobell v. Norton, 240 F.3d 1081 (D.C. Cir. 2001)—address whether agency inaction can constitute “final” agency action reviewable under the APA. The cases do not address whether the agency action allegedly withheld was sufficiently discrete to be judicially reviewable, which is the basis for OPM’s motion to dismiss. While discreteness and finality are both required before a court can review agency action under the APA, they are distinct requirements and thus the cases cited by Plaintiffs do not support their assertion that they have challenged discrete agency action (or inaction) reviewable by the Court.

Plaintiffs’ factual allegations also fail to satisfy this discreteness requirement because they have not identified the particular agency actions that OPM was allegedly required by law to take. This failure warrants dismissal of Plaintiffs’ APA claims, even at the motion to dismiss phase. As explained by another court in this district:

A sure sign that a complaint fails the “final agency action” requirement is when “it is not at all clear what agency action plaintiff purports to challenge.” A plaintiff must direct its attack against some particular ‘agency action’ that causes it harm,” because if a court does not limit its review to “discrete” agency actions, it risks embarking on the kind of wholesale, programmatic review of general agency conduct for which courts are ill-suited, and for which they lack authority.

Friends of The Earth, Bluewater Network Div. v. U.S. Dep’t of Interior, 478 F. Supp.
2d 11, 25 (D.D.C. 2007) (citations omitted); see also Indep. Petrol. Ass’n of Am. v. Babbitt, 235 F.3d 588, 595 (D.C. Cir. 2001).

Plaintiffs’ request that this Court issue an injunction requiring OPM “to formulate, adopt, and implement a data security plan” that is compliant with federal law is precisely the type of programmatic review for which courts are ill-suited. CAC 75, Prayer for Relief ¶ F. Plaintiffs’ APA claim, therefore, should be dismissed.

The impermissibility of Plaintiffs’ APA claim is confirmed by their assertion that this Court should appoint “a special master to monitor OPM’s discharge of its mandatory statutory duties.” See Pls.’ Mem. 57. The appointment of a special master with “specialized expertise in data security” to monitor “OPM’s efforts to carry out its duties under FISMA,” see id., is precisely the type of judicial action that is not permitted under the APA because it would require the Court (or a special master working under its supervision) to substitute its own expert judgment for that of the agency.14 Indeed, none of the cases cited by Plaintiffs in support of their assertion that the Court should appoint a special master involved an APA challenge seeking judicial monitoring of a federal agency’s general implementation of a statutory mandate.

Finally, Plaintiffs assert, in passing, that they have satisfied the APA’s discreteness requirement because they have alleged that “OPM operated multiple information systems without valid authorizations” and “failed to implement multi-factor authentication for systems access,” Pls.’ Mem. 56. But these allegations are insufficient to transform their broad programmatic challenge into a challenge seeking to compel discrete agency action. It is true that Plaintiffs have alleged that OPM’s data security system was inadequate for a variety of reasons.
But Plaintiffs do not limit their challenge to any set of discrete agency actions that OPM allegedly took or is required to take. Instead, they cite these alleged failures in support of their argument that OPM’s data security system is generally inadequate and their broader request that this Court issue a broad injunction directing OPM to bring its data security systems into compliance with the law. This is not permitted under the APA.

14 Because the authority of a special master is no greater than that of the court, the appointment of a special master cannot expand the scope of judicial review of agency action under the APA. See Webster Eisenlohr, Inc. v. Kalodner, 145 F.2d 316, 319 (3d Cir. 1944) (“The master operates as an arm of the court. Surely he has no wider scope of activity than the court itself. If the court is limited in its judicial duties, to deciding the issues presented in the litigation before it, the master’s function can go no further than to aid in the court’s discharge of its duties.”).

V. THE COURT LACKS THE INHERENT AUTHORITY TO AWARD THE EQUITABLE REMEDIES REQUESTED IN THIS CASE.

Plaintiffs lastly argue that, even if their requested injunctive relief is unavailable under the APA, the Court may nonetheless order it pursuant to its inherent authority. Pls.’ Mem. 58-60. Plaintiffs are wrong.

First, while it is true that the D.C. Circuit has held that the APA’s “waiver of sovereign immunity applies to any suit whether under the APA or not,” Trudeau v. FTC, 456 F.3d 178, 186 (D.C. Cir. 2006) (citing Chamber of Commerce v. Reich, 74 F.3d 1322, 1328 (D.C. Cir. 1996)), the Circuit still requires a plaintiff to state a valid cause of action for injunctive relief. See id. at 187-188 (explaining that a cause of action is distinct from a waiver of sovereign immunity).
Here, the only cause of action for injunctive relief that Plaintiffs identify in the CAC is the APA, and Plaintiffs lack standing to pursue this claim and have failed to state a valid APA claim.

Second, a federal court cannot invoke its inherent authority to circumvent the limits of a particular statute or rule. See, e.g., Bank of Nova Scotia v. United States, 487 U.S. 250, 254 (1988) (“[I]t is well established that even a sensible and efficient use of the supervisory power . . . is invalid if it conflicts with constitutional or statutory provisions.”); United States v. Williams, 504 U.S. 36, 55 (1992); Carlisle v. United States, 517 U.S. 416, 426 (1996). Here, the APA provides a limited waiver of sovereign immunity for injunctive relief against the United States if certain requirements are met. Plaintiffs have failed to meet those requirements and thus injunctive relief is not available. Plaintiffs cannot circumvent those limits by invoking the Court’s inherent equitable authority.

CONCLUSION

For all the reasons stated above, and those articulated in OPM’s opening memorandum, OPM’s Motion to Dismiss the Consolidated Amended Complaint should be granted, and this action should be dismissed.

Respectfully submitted,

BENJAMIN C. MIZER
Principal Deputy Assistant Attorney General

ELIZABETH J. SHAPIRO
Deputy Director, Federal Programs Branch

/s/ Matthew A. Josephson
MATTHEW A. JOSEPHSON
ANDREW E. CARMICHAEL
KIERAN G. GOSTIN
JOSEPH BORSON
Trial Attorneys
U.S.
Department of Justice
Civil Division, Federal Programs Branch
20 Massachusetts Avenue, NW, Room 7304
Washington, DC 20530
Tel: (202) 514-9237
Email: Matthew.A.Josephson@usdoj.gov

Dated: August 3, 2016

Counsel for Federal Defendant OPM

CERTIFICATE OF SERVICE

I hereby certify that on August 3, 2016, I filed the above motion with the Court’s CM/ECF system, which will send notice of such filing to all parties.

/s/ Matthew A. Josephson
Matthew A. Josephson