Share this @internewscast.com
Tesla and SpaceX CEO Elon Musk, on the left, and Republican presidential nominee former President Donald Trump, participate in a campaign event at the Butler Farm Show on Saturday, October 5, 2024, in Butler, Pennsylvania. (AP Photo/Alex Brandon).
On Thursday, a Manhattan federal court emphatically denied the Trump administration’s attempt to dismiss a lawsuit accusing the Department of Government Efficiency (DOGE) of being accountable for a significant data breach at the Office of Personnel Management (OPM).
In the case at hand, the American Federation of Government Employees (AFGE), other labor unions, and several former federal employees claim the OPM allowed “unrestricted, wholesale access to OPM systems and records to DOGE” and its representatives, which violated not only the federal Privacy Act but also the Administrative Procedure Act (APA).
On March 14, DOGE, its head Elon Musk, OPM, its embattled head Charles Ezell, and others filed a motion to dismiss the case.
In a 56-page opinion and order, U.S. District Judge Denise Cote, a Bill Clinton appointee, handed down a partial victory — dismissing some of the claims while allowing the lawsuit to proceed on others.
But even that partial victory for the government is effectively hollow.
“The defendants’ March 14, 2025 motion to dismiss under Rule 12(b)(6) is granted as to the complaint’s First and Second Claims, except insofar as they are a predicate to the complaint’s other claims,” the opinion and order concludes. “The defendants’ motion to dismiss under Rule 12(b)(1) is denied. The defendants’ motion to dismiss claims Three, Four, and Five under Rule 12(b)(6) is denied.”
In other words, while two stand-alone Privacy Act claims were technically dismissed, the court allowed the factual and legal arguments contained in those claims to move forward. Indeed, those facts and arguments form the basis of the remaining three claims.
And the judge highly credits the plaintiffs’ take on both.
“To begin with, the complaint plausibly pleads that the DOGE agents demanded immediate access to OPM records, were given that access, including ‘administrative’ control, and entered six OPM systems,” the judge writes. “It asserts as well, on information and belief, that the DOGE agents continue ‘to possess and use’ the plaintiffs’ confidential information.”
The opinion and order goes on like this, at length:
[The lawsuit] explains that OPM civil servants have been blocked from accessing [human resources] and other OPM systems, and that the DOGE team was given “read and write permissions” and “had moved sofa beds into the agency’s headquarters to continue their work around the clock.” Clearly, the complaint alleges more than a passive grant of access; it plausibly pleads that the DOGE agents actually exploited their access to review, possess, and use OPM records.
The judge was forced to remove the overarching claims from the case, however, because they requested a form of relief — an injunction — that the Privacy Act explicitly “does not allow courts to grant,” as the motion to dismiss pointed out in a corresponding legal memo.
On the other hand, Cote found, the APA does allow for the kind of injunctive relief the plaintiffs have requested.
“The defendants’ Kafkaesque argument to the contrary would deprive the plaintiffs of any recourse under the law,” the order reads.
In fact, the judge harshly rubbished the Trump administration’s primary argument that the plaintiffs lack standing to sue.
“The defendants do not identify any cases that support their crimped view of the law,” Cote continues. “Several courts have rejected it and found standing to exist when an unauthorized third party was granted access to a plaintiff’s legally protected data, due to the resulting harm’s resemblance to intrusion upon seclusion.”
Modern jurisprudence on Article III standing is widely understood by legal scholars as “conservative standing doctrine.” This judicial theory was created in two cases from the 1920s by conservative judges who sought to restrain the use and limits of constitutional redress. In other words, standing doctrine was created in order to limit citizens from suing the government over perceived violations of their rights.
While procedural in nature, as opposed to relying on underlying arguments in a dispute, standing arguments are fact-intensive.
Here, the judge found the facts alleged in the lawsuit “suffice to establish the plaintiffs’ standing to bring each of their claims.”
“The complaint describes harms that the plaintiffs fear they may suffer from the disclosure of OPM records to the DOGE agents,” the court observes. “These include an increased vulnerability of their personal data to cyberattacks, hacking, and identity theft. Disclosure of their identifying information could be detrimental to their health, safety, and financial security. The complaint also points to the possibility of retaliatory firing by the Trump administration. The complaint explains that an OPM data breach disclosed in 2015 affected over 22 million people and led to identity theft and fraud.”
As for the law, the judge found the lawsuit “adequately alleges that the individual plaintiffs and members of the plaintiff unions have experienced a concrete injury in fact that is analogous to the tort of intrusion on seclusion.”
The judge then applies the law to the facts, at length:
The complaint alleges concrete harms analogous to intrusion upon seclusion. The records at issue contain information about the deeply private affairs of the plaintiffs. The records include, for example, social security numbers, health history, financial disclosures, and information about family members. The complaint pleads that for some plaintiffs, disclosure of the simple fact that they are included in the records could compromise their highly sensitive government roles. The individual plaintiffs had every reason to expect that their OPM records would be carefully guarded and kept private and secure. That is in fact what the Privacy Act requires. The plaintiffs allege, however, that these records were disclosed to DOGE agents in a rushed and insecure manner that departed substantially from OPM’s normal practices. The complaint alleges that the DOGE agents were not vetted, were not required to obtain security clearances, and were not trained about OPM security protocols and duties before the records were disclosed to them. DOGE agents were even granted “administrative” access, enabling them to alter OPM records and obscure their own access to those records. As alleged, this intrusion upon the individual plaintiffs’ private affairs and confidential information was a substantial invasion of their privacy and would be highly offensive to a reasonable person.
“The complaint plausibly alleges that actions by OPM were not representative of its ordinary day-to-day operations but were, in sharp contrast to its normal procedures, illegal, rushed, and dangerous,” the order continues.
Love true crime? Sign up for our newsletter, The Law&Crime Docket, to get the latest real-life crime stories delivered right to your inbox.
The judge also weighed in on a non-statutory claim — an allegation that DOGE’s and OPM’s actions were ultra vires, or beyond their power.
Here, the judge was withering in her estimation.
“The complaint alleges a massive disclosure of the OPM records of tens of millions of Americans to unvetted and untrained individuals who had no legal right to access those records, in wholesale disregard of the Privacy Act,” Cote concludes. “It pleads that this intrusion was directed and controlled by the DOGE Defendants, including individuals in [the U.S. DOGE Service]. The DOGE Defendants have no statutory authority with respect to OPM records, such that these alleged actions were ‘blatantly lawless.’ The complaint adequately pleads that the DOGE Defendants ‘plainly and openly crossed a congressionally drawn line in the sand.””
