Two federal employees have filed a lawsuit against the Office of Personnel Management (OPM), claiming the agency’s new email distribution system poses serious security and privacy risks. The plaintiffs, who remain anonymous, argue OPM has violated the E-Government Act of 2002 by implementing this communications system without conducting the required Privacy Impact Assessment (PIA).
The lawsuit, filed on January 27, 2025, alleges OPM created and tested the system aimed at delivering mass communications to federal employees without properly assessing how personal information would be managed and safeguarded. According to The Hill, the plaintiffs state, "OPM has not conducted a PIA for this unknown email server or any system which collects or maintains Personally Identifiable Information (PII)." The claim highlights concerns stemming from the agency’s history of data breaches, including the infamous 2015 incident where personal data from 22 million federal employees was compromised.
According to the complaint, the new system utilizes an on-premise server to facilitate email blasts across the federal workforce. On January 23, OPM initiated tests of its new mass communications capability, prompting employees to confirm receipt of emails by replying 'yes.' Many federal employees were startled to receive communications through OPM, as historically, direct correspondence typically came from authorized channels within their respective agencies.
Kel McClanahan, executive director of National Security Counselors, filed the lawsuit pro bono on behalf of the employees. He voiced serious concerns about the system’s configuration, describing it as "a treasure trove for hackers, or even just curiosity seekers." The rapid deployment of the system, according to the plaintiffs, raises alarms about inadequate security measures, compounding fears of potential breaches of sensitive employee information.
"People have a right to know where their information is being stored by the government and how well it’s being protected," McClanahan said, stressing the necessity of transparency around data security protocols.
The lawsuit argues OPM is unlawfully withholding necessary assessments to analyze how personally identifiable information will be collected, stored, and protected. The E-Government Act mandates such assessments are made public, barring exceptions for national security. The plaintiffs seek to block the use of the email system until OPM can demonstrate compliance with these privacy requirements.
One of the key allegations presented is the connection of the new email server to Amanda Scales, OPM’s Chief of Staff who previously worked for tech billionaire Elon Musk. Reports indicate the email system has been suggested to facilitate mass communications, potentially linked to upcoming personnel changes and reductions across the federal workforce.
Employees within the federal government also described the communications from OPM as suspicious, some even reporting these emails as phishing attempts. "Secure communications take time and coordination to plan and implement," the lawsuit states, emphasizing the inherent dangers of unencrypted emails, which are often targeted by hackers.
The plaintiffs assert their situation is compounded by the reality of heightened risk: "Plaintiffs stand to continue to be harmed by this...since they will face a reasonably foreseeable risk their information will be unlawfully obtained from these unknown systems," the lawsuit contends. They point to historical precedents, noting how the 2015 data breach at OPM led to significant repercussions for employees.
Following the announcement of the new system, other federal agencies are reportedly sending communications to employees about the OPM system, which the lawsuit argues is not being executed securely. The absence of transparency and the apparent rush to implement the system has led to mixed responses from employees, with several expressing distrust.
Despite the serious accusations, OPM has declined to comment on the specifics of the lawsuit or provide details on the communications system. The lack of communication from the agency only fuels speculation and concern among federal employees, many of whom feel left vulnerable by the agency’s actions.
These developments come during broader efforts by the Trump administration to overhaul federal efficiency and workforce operations, which some critics claim may jeopardize sensitive employee data through inadequate oversight and proper security measures. This lawsuit highlights the grave apprehensions federal workers have about personal data safety under the current administration.
McClanahan emphasizes the importance of a well-structured security approach: "If they’re going to set up this new system to collect all this information, they have to guarantee its security and transparency—there are no indications they've done any of this. This can’t be overlooked, especially after what happened previously with OPM."
The lawsuit has evidently sparked discussions on the proper handling of sensitive employee information and the requirements agencies must comply with under federal law. The federal workforce and the general public’s confidence in the government’s ability to protect their data hangs in the balance as this legal challenge progresses.