At Last, DOGE And Musk Are Finally Named In A Lawsuit, Albeit “Officially”
Given that there does not seem to have been a single thing Trump has done since entering office that has been legal, nor has his lackey Musk (or is it Trump that's the lackey...?), there is not a single thing that doesn't require litigation to challenge and enjoin. But we're starting to see the floodgates open as more and more aggrieved plaintiffs are able to get their lawsuits into court.
They are all worth watching. But the ones of particular relevance here are those that involve DOGE's lawless incursions into the nation's most sensitive computer systems. Each incursion that Musk and his minions have made into each computer system has caused, or portends to cause, any number of harms to any number of people. With these lawsuits the people are fighting back to try to at least stop, if not also remediate, all this harm. For instance, we've already written about how several states sued over DOGE's incursion into the Treasury department's systems (which was just one of the lawsuits brought over that incursion). Then this week came this lawsuit over the incursion of OPM's systems.
This lawsuit is especially notable for a few reasons. OPM is the Office of Personnel Management, or basically HR for federal workers, and its computer systems contain an incredible amount of sensitive information about millions of federal employees and contractors, past and present. From the complaint:
Defendant OPM maintains, under strict disclosure and accounting protocols prescribed by the Privacy Act of 1974, 5 U.S.C. 552a (the Privacy Act"), the highly sensitive personal and employment information of tens of millions of current and former federal employees, contractors, and job applicants. Those records include: identifying information like name, birthdate, home address and phone number, and social security number; demographic information like race/ethnicity, national origin, and disability; education and training information; employment information like work experience, union activities, salaries, performance, and demotions; personal health records and information regarding life insurance and health benefits; financial information like death-benefit designations and savings programs; classified-information nondisclosure agreements; and information concerning family members and other third parties referenced in background checks and health records. OPM also maintains information on employees in highly sensitive roles for whom even acknowledging their government employment may be problematic.
Letting all that information fall into the hands of people not lawfully permitted to it is a huge problem, and itself, as the lawsuit alleges, unlawful under the Privacy Act of 1974.
The crux of the matter, as we have been discussing, is that no one in DOGE is lawfully permitted to have access to it, and in many cases never could be.
Concerns about unauthorized parties seeking access to OPM data are exacerbated by the facts that DOGE agents have not received security clearance through a normal process, and that at least one of those agents has previously been fired from private employment in connection with disclosure of his employer's secrets (which means he would not have passed a normal security-clearance vetting).
And none of this is legal.
The Privacy Act strictly protects personal information from improper disclosure and misuse, including by barring disclosure to other agencies within the federal government and individuals who lack a lawful and legitimate need for it. OPM Defendants are not permitted to give access to that information to other persons or agencies unless granting that access fits within one of the Privacy Act's enumerated exceptions.
So one of the interesting and important things about this lawsuit is that it is calling foul on the sharing of the data with DOGE. But another aspect that is interesting and important is how.
This lawsuit names two sets of defendants. The first is the OPM department itself, as well as its acting director Charles Ezell, which are the OPM Defendants." But the second is the U.S. DOGE Service f/k/a Digital Service (USDS"), the unidentified Acting Director of USDS, the U.S. DOGE Service Temporary Organization a/k/a the Department of Government Efficiency" (DOGE"), and Elon Musk, in his capacity as director of the USDTSO," which are the DOGE Defendants." (In the description of the parties the complaint refers to him as the apparent" director, and one thing that stands to be salient in this case is that the fact that we aren't sure who is doing what, and under what authority, which is a big reason why everything that has happened is likely illegal.)
The lawsuit also brought five claims. The first two are against both sets of defendants for violations of the Privacy Act. In general they describe the various ways that OPM Defendants giving access to the DOGE Defendants, and the latter taking it, violated it. The third cause of action explains how it also violates the Administrative Procedure Act (ACA) as a vehicle for violating the Privacy Act. Then the fourth cause of action is just against the OPM Defendants for violating the ACA because it was arbitrary and capricious" to let DOGE have the access it did.
OPM Defendants failed to engage in reasoned decision-making when they implemented a system under which DOGE Defendants could access OPM's records for purposes other than those authorized by the Privacy Act. In particular, OPM Defendants failed to consider their legal obligations under federal law, the harm that their actions would cause to the objectives that those statutes sought to achieve, or the harm caused to Plaintiffs and their members.
But it is the fifth cause of action, for ultra vires" acts, against just the DOGE Defendants, that is the most intriguing. The term ultra vires" means beyond one's authority," and this claim calls out how no authority allowed DOGE to do what it has done to breach these systems.
DOGE is purely a creation of executive order; no statute directed or contemplated its existence. [Its] limited functions are to advise and assist the President; it is not empowered to perform any other functions. [It] has no authority in law to direct operations or decisions at government agencies. In directing and controlling the use and administration of Defendant OPM's systems, as alleged above, DOGE Defendants have breached secure government systems and caused the unlawful disclosure of the personal data of tens of millions of Americans. [But] DOGE Defendants may not take actions that are not authorized by law. [Yet no] law or other authority authorizes or permits DOGE Defendants to access or administer OPM systems.
And that by so breaching them DOGE has unlawfully caused harm.
Through such conduct, DOGE Defendants have engaged and continue to engage in ultra vires actions that violate federal laws and injure Plaintiffs and their members by violating their constitutional rights, exposing their private information, and increasing the risk of further disclosure of their information.
What is significant is that so far most, if not all, of the other lawsuits have focused on the President and agency head's own inability to grant the access to DOGE that it did. And this lawsuit does too. But what this lawsuit also does is point out how DOGE taking it was its own wrongful act for which it can be liable as well.
So far it seems like this lawsuit may be the first attempt to impose any sort of accountability on Musk or anyone connected with DOGE directly for their rampage through America's computer systems. And although it only-so far, at least-names them in their alleged official" capacity (to the extent that any exists), and it's not a CFAA claim-so far, at least-and it is limited to the incursion on just OPM's computer systems-so far, at least-it does directly call foul on the whole DOGE enterprise, seemingly for the first time, but presumably not the last.