Federal employees re-up lawsuit against OPM’s use of mass email server

The pair of federal employees suing the Office of Personnel Management for allegedly using an unauthorized server to send mass email blasts to the entire federal government renewed their case Friday, adding five additional plaintiffs to their party and claiming the system in question is holding the information of people outside the federal executive branch, among other things.

The amended complaint comes after U.S. District Court of D.C. Judge Randolph D. Moss last Thursday denied the pseudonymous plaintiffs and their legal counsel Kel McClanahan’s motion for a temporary restraining order that would’ve ordered OPM to stop the operation of the server while the lawsuit was active.

In their original complaint, the two federal workers accused OPM of sidestepping federal law by setting up an unauthorized, insecure server to send mass emails — including messages about the Trump administration’s deferred resignation program — to the entire federal workforce without conducting a privacy impact assessment, as required by law. 

After the lawsuit was filed, OPM issued a privacy impact assessment for its Government-Wide Email System (GWES), which it submitted to the court and publicly posted to its website, and called to dismiss the case. Despite issuing the assessment, OPM argued that it did not need to produce one because the system contained only the information of federal employees, which it said places it outside the scope of the law that requires PIAs.

But the “Jane Does” who brought the lawsuit disagree — people outside the scope of the federal government received the email and thus have reason to believe their information is being stored on OPM’s server, they argue.

Now, in the amended complaint, in addition to the two original federal employee plaintiffs — Jane Doe 1 and Jane Doe 2 — five more are listed pseudonymously, each with a broad description of their employment outside the federal executive branch. It’s that latter point that’s key; the latest complaint hinges on allegations that people outside the executive branch received the administration’s various email blasts from OPM, which the agency claims in its privacy assessment is not the case.

The newly listed plaintiffs are characterized in the lawsuit with roles associated with “a National Resources Conservation District,” a State of California program that partners with the federal government, the AmeriCorps-funded “Conservation Legacy Individual Placement” program, a State Department contractor and the Library of Congress. 

With the purported evidence that the email blasts reached non-executive branch employees and the system supporting them contains their sensitive personal information, the new complaint alleges that “OPM has not conducted a legally sufficient PIA for the GWES or any system which collects or maintains PII obtained from its use” as required by the E-Government Act of 2002, which governs the process.

It also claims that the agency acted in an “intentional and/or willful” manner to produce a privacy assessment that was not “legally sufficient … for the purpose of misleading this Court and arguing that the case is moot.”

On top of that, the plaintiffs allege that the two OPM representatives who signed the privacy assessment — Greg Hogan, a software engineer who is connected to driverless software startup Comma.ai and was named the agency’s CIO in January, and Riccardo Biasini, an engineer at Musk’s Boring Co. who was named a senior advisor to the OPM director — are special government employees and therefore not full-time federal employees. 

The lawsuit argues the review of the PIA by these alleged special government employees is not legally sufficient. OPM’s chief privacy officer has traditionally been the official to sign off on privacy impact assessments. 

A spokesperson for OPM did not answer FedScoop’s direct question on whether Hogan and Biasini are special government employees.

As in the initial complaint, the latest version asks the court to order an injunction prohibiting OPM’s use of the system and any further collection of information by it until a valid privacy assessment is conducted and published per the American Privacy Act and the E-Government Act of 2002. It also calls on OPM to delete any information it has collected prior to a valid PIA being produced and issued publicly.

Furthermore, the lawsuit alleges that OPM acted in an “intentional and/or willful” manner to produce a privacy assessment that was not “legally sufficient,” adding that “the publication of this purported PIA was done for pretextual reasons for the purpose of misleading this Court and arguing that the case is moot.”

OPM has been given until the end of Tuesday to file its response. According to the docket, the plaintiffs will then have a final opportunity to reply to the defense’s response before the parties meet for an in-person motion hearing Friday.