Transition

OPM calls to dismiss email server lawsuit, issues missing privacy assessment

The federal HR agency claims it didn’t need to produce a privacy impact assessment for its mass email system because the system at hand doesn’t deal with public information — but it provided one anyway.

By Billy Mitchell

February 5, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

The Theodore Roosevelt Federal Building headquarters of the U.S. Office of Personnel Management is seen on February 03, 2025 in Washington, DC. Elon Musk, tech billionaire and head of the Department of Government Efficiency (DOGE), and his aids have been given access to federal employee personal data and have allegedly locked out career civil servants from the OPM computer systems. (Photo by Kevin Dietsch/Getty Images)

The Office of Personnel Management has asked a federal judge to dismiss a lawsuit filed last week that alleges the HR agency bypassed federal law to stand up a new server to send mass emails to the federal workforce.

As part of its motion for dismissal, OPM submitted to the court a privacy impact assessment, which details how the system it is using to send email blasts to all federal employees regarding the Trump administration’s reduction in force efforts collects, hosts and disseminates information to federal employees.

The initial class action lawsuit — filed by a pair of pseudonymous federal employees Jan. 27 — accuses OPM, working with Elon Musk and his Department of Government Efficiency team, of setting up an unauthorized, commercial server to conduct the email blasts without providing a privacy impact assessment for it, as required by the 2002 E-Government Act. The lawsuit claims OPM used the server to send several test emails to workers across the government as well as the administration’s now infamous “Fork in the Road” email, in which it offered deferred resignations to slash the federal workforce, and several FAQ follow-ups.

In the motion to dismiss, Trump administration lawyers representing OPM argue that the plaintiffs’ allegations are unsubstantiated and that they misinterpreted the law. The defense claims that the E-Government Act requires privacy impact assessments only for systems that deal with public information, whereas OPM’s system deals with information limited to federal employees.

However, the initial test email from OPM was received by at least some people who aren’t executive branch employees. Multiple employees at the Library of Congress — which is a legislative branch agency and thus outside the direct scope of the Trump administration’s workforce actions — told FedScoop they received a test email from the OPM system. The Library of Congress did not respond to FedScoop’s questions on how much of its workforce received the email and if employees received any of the other messages.

Despite the claim that it isn’t required to do so, OPM has now, after the lawsuit was filed, issued a privacy impact assessment for the system, which it has submitted to the court and now publicly posted to its website. The OPM website also lists privacy assessments for several other systems that deal with information of only federal employees, such as the Enterprise Human Resources Integration Data Warehouse, which houses federal workforce management information.

In the assessment, the agency describes the mass email system — which it calls the Government-Wide Email System — as a platform “to enable widespread and simultaneous communication with federal government employees.”

“The GWES maintains only the names and government email addresses of federal government employees, as well as voluntary responses to mass emails,” the assessment explains.

Whereas the lawsuit contends that a new unauthorized commercial server was integrated into OPM’s IT infrastructure to send those email blasts, the PIA says: “The GWES system operates entirely on government computers and in Microsoft mailboxes. OPM uses this system to communicate with federal employees, a capacity which is within its statutory authority.”

Reports have questioned OPM’s ability to send email blasts to millions of federal employees with the IT infrastructure and services in place before the Trump administration took office without adding new systems or services. There are also reports that the Musk-led DOGE has locked employees out of OPM’s systems, limiting oversight of their operations.

Moreover, on questions of the system’s perceived insecurity posed in the lawsuit, OPM says that it mitigates security risks by limiting access to information in the GWES to “a handful of individuals within OPM, overseen by the Chief Information Officer.”

That CIO is Greg Hogan, who took over the role almost immediately after President Donald Trump’s inauguration. Melvin Brown II was serving in the CIO role but was removed after holding the position for about a week, following former CIO Guy Cavallo’s retirement from federal service. Little is known about Hogan in the federal IT space, and OPM did not provide additional information about his background upon his appointment to the role.

Parties in the case were scheduled to meet Wednesday for a status conference, but according to the docket, the plaintiffs’ counsel failed to appear because he “apparently assumed that the status conference would take place by Zoom,” according to the minutes.

The court has moved to now meet Thursday to address the plaintiffs’ motion for a temporary restraining order, filed Tuesday, to stop OPM’s operation of the mass email system.

This story was updated with additional information about non-executive branch employees in the Library of Congress receiving a test email from OPM’s mass email system.