Government agencies and militaries are among the most sought-after targets for data breaches. Whether the draw is the challenge of compromising presumably well-secured systems or the notoriety that follows a successful intrusion, governments and militaries face constant cyber threats. The United States government and military are no exception: attacks against government and military entities occur every day.
The latest U.S. military data breach affects sailors in the U.S. Navy, according to an article on NavyTimes.com. A personal computer belonging to a Navy contractor, Hewlett Packard Enterprises, and used to support reenlistment and career data was compromised in the security breach. Personal data belonging to more than 130,000 sailors was exposed in the hack. The Navy has requested that Hewlett Packard Enterprises provide credit monitoring services for the affected individuals.
The U.S. Office of Personnel Management (OPM) is the governmental entity through which nearly all federal government employees must be processed. In 2015 it was hacked. The OPM stores copious amounts of personal information about federal employees, both current and former, as well as personal information for federal contractors.
In the summer of 2015, OPM announced that it had been the target of a data security breach. OPM reported that the personal information of more than 21 million current and former government employees and contractors had been exposed. Names, birth dates, places of birth, addresses, Social Security numbers, and other personal information were exposed in the OPM breach.
A House Committee Report on Oversight and Government Reform entitled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation” detailed the results of Congress’s investigation into the OPM breach. The report found that OPM’s security systems were severely inadequate and that years of warnings about security deficiencies went unaddressed.
Government data breaches raise distinct legal questions that differ from breaches in the private sector. The legal framework governing federal agency cybersecurity obligations, the rights of affected government employees and contractors, and the liability limitations that apply to federal entities all shape how these breaches are handled.
Federal agencies are subject to the Federal Information Security Modernization Act (FISMA), 44 U.S.C. §§ 3551–3558, which requires each federal agency to develop, document, and implement an agency-wide information security program to protect the information and information systems that support the operations and assets of the agency. FISMA requires agencies to conduct periodic risk assessments, implement security controls consistent with National Institute of Standards and Technology (NIST) guidelines, perform security testing and evaluation, and report annually to the Office of Management and Budget (OMB) and to Congress on the effectiveness of their information security programs.
The OPM breach exposed the failure of FISMA’s implementation framework. OPM had received repeated warnings from the Government Accountability Office and the OPM Inspector General about the inadequacy of its cybersecurity measures in the years before the 2015 breach. The House committee report found that OPM had failed to implement basic security controls, had tolerated known vulnerabilities for years, and had not maintained adequate visibility into what systems it was operating or what data those systems contained. The breach was, in the committee’s assessment, entirely preventable.
Federal employees and contractors whose personal information was exposed in the OPM breach faced an immediate legal obstacle: sovereign immunity. The United States government is generally immune from suit absent a specific waiver of that immunity. The Federal Tort Claims Act (FTCA), 28 U.S.C. §§ 1346(b), 2671–2680, waives sovereign immunity for certain tort claims, but the FTCA contains exceptions that frequently apply in data breach cases. The discretionary function exception, 28 U.S.C. § 2680(a), immunizes the government from claims based on the exercise of a discretionary function or duty, even if the discretion was abused. Courts have disagreed about whether a federal agency’s decision about how to implement cybersecurity measures falls within the discretionary function exception.
Class action lawsuits filed by OPM breach victims seeking damages for the exposure of their personal information were consolidated in federal court. In 2017, the U.S. District Court for the District of Columbia dismissed the consolidated cases, finding that the plaintiffs had not sufficiently alleged that the government’s cybersecurity failures fell outside the discretionary function exception and that the plaintiffs had not demonstrated standing to sue based on the increased risk of future harm from the exposed data. The case illustrated the significant legal barriers that government employees face in seeking compensation for data breaches caused by federal agency negligence.
The Navy’s breach involving Hewlett Packard Enterprises illustrates a distinct legal pathway: claims against government contractors who fail to adequately protect government data. Government contractors who handle sensitive personal information are generally not protected by the federal government’s sovereign immunity. They can be sued under state tort law and, depending on the contractual terms, may face breach of contract claims as well.
Federal contracts for information technology services typically include cybersecurity requirements derived from NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” A contractor that fails to implement the required controls and whose failure contributes to a breach faces exposure under both contract law and, potentially, the False Claims Act, 31 U.S.C. §§ 3729–3733, if the contractor certified compliance with cybersecurity requirements it did not actually meet. False Claims Act violations carry treble damages plus penalties of up to $27,894 per false claim as of current inflation adjustments.
In the aftermath of the OPM breach, Congress authorized OPM to provide identity theft monitoring services to affected individuals. The OPM Cybersecurity Post-Employment Agency Transition (CPEAT) program provided affected individuals with identity theft insurance and monitoring for a period of years following the breach. These remediation programs provide important short-term relief but do not compensate affected individuals for the long-term risks associated with permanent data exposure — background investigation data, once exposed, cannot be recalled or rendered harmless by credit monitoring.
Affected federal employees and military personnel who suffered concrete financial harm resulting from the breach — such as fraudulent credit accounts, tax fraud, or other identity theft consequences — should consult with an attorney to explore whether viable claims exist against the responsible parties, including any private contractors involved in the breach.
Both the OPM and Navy breaches demonstrate a consistent pattern: government data is often most vulnerable not at the government agency itself, but through the private contractors and vendors who have authorized access to government systems. Contractors who handle sensitive government data bear significant cybersecurity obligations, and when they fail to meet those obligations, they face substantial legal exposure independent of the government’s own sovereign immunity protections.
Any business operating as a federal contractor that handles sensitive personal information should treat cybersecurity compliance as a contractual requirement with direct legal and financial consequences, not merely a technical recommendation. The legal and reputational costs of a government data breach involving contractor negligence can be severe.
If your organization handles government data or has been affected by a government data breach, the data breach attorneys at Revision Legal can advise on legal obligations, contractor cybersecurity requirements, and the options available to affected individuals. Contact us today.