Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re U.S. Office of Personnel Management Data Security Breach Litigation

United States District Court, District of Columbia

September 19, 2017

IN RE U.S. OFFICE OF PERSONNEL MANAGEMENT DATA SECURITY BREACH LITIGATION This Document Relates To ALL CASES Misc. Action No. 15-1394 (ABJ)

          MEMORANDUM OPINION

          AMY BERMAN JACKSON UNITED STATES DISTRICT JUDGE

         INTRODUCTION

         In June of 2015, millions of unsuspecting federal employees sat down at their computers, opened up their email, and received some very disconcerting news.

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

         Over time, OPM revealed that data breaches at the agency and at one of its contractors affected more than twenty-one million people, and that the stolen information included such sensitive data as names, birthdates, current and former addresses, and Social Security numbers. After those announcements, a number of plaintiffs filed separate lawsuits in courts across the country, and they were consolidated into two complaints in the multidistrict action assigned to this Court.

         The first complaint is a class action lawsuit filed by thirty-eight individuals and a union, the American Federation of Government Employees (“AFGE”). See Consolidated Amended Complaint [Dkt. # 63] (“CAC”). Plaintiffs allege that the breaches resulted from gross negligence on the part of officials entrusted with the responsibility of protecting the private details that job seekers submit to OPM in connection with the background investigations they are required to undergo. They have sued on behalf of the 21.5 million current and former federal employees, job applicants, contractors, and relatives whose information was compromised, and they seek statutory damages under the Privacy Act, contract damages under the Little Tucker Act, and declaratory and injunctive relief under the Administrative Procedure Act. These plaintiffs have also sued KeyPoint Government Solutions, a government contractor that performed background investigations for OPM. KeyPoint's computer systems were also breached, and plaintiffs seek damages from the company under multiple federal and state statutory and common law theories. Defendants have moved to dismiss the entire case on the grounds that plaintiffs lack standing to bring it, the claims are barred by sovereign immunity, and the factual allegations are not sufficient to state valid claims under any of the statutes or common law theories plaintiffs have invoked.

         The second complaint before the Court was filed by three individuals and the National Treasury Employees Union (“NTEU”). Am. Compl. [Dkt. # 75] (“NTEU Compl.”). These plaintiffs sued the OPM Acting Director only, and they claim that their constitutional right to informational privacy was violated. Defendant has moved to dismiss that case as well, on both standing grounds and the basis that the plaintiffs have failed to allege a constitutional violation that is recognized by the courts.

         The OPM breaches have been the subject of considerable public interest and multiple Congressional hearings and reports. The fact that the breaches occurred is not disputed, and the identities of the individuals whose information was compromised are known. There is no doubt that something bad happened, and many people are understandably chagrined and concerned. In these lawsuits, plaintiffs seek to demonstrate that the agency's failures were willful - that the defendants were on notice that hackers regularly targeted their systems, but they failed to design and maintain adequate safeguards. Plaintiffs also contend that their sensitive information remains subject to a continuing risk of additional exposure due to an ongoing failure to secure it.

         This opinion will not get into the merits of those contentions. At this stage of the proceedings, the Court is required to accept all of plaintiffs' factual assertions as true, and nothing that follows should be read as any indication of the Court's view of the strength of plaintiffs' troubling allegations.

         Before the parties can explore the facts, though, the Court is required to answer a foundational question: whether plaintiffs have set forth a cause of action that a court has the power to hear. The judiciary does not operate as a freestanding advisory board that can opine about the conduct of the executive branch as a general matter or oversee how it manages its internal operations. The Court's authority is derived from Article III of the U.S. Constitution, and a federal court may only consider live cases or controversies based on events that caused actual injuries or created real threats of imminent harm to the particular individuals who brought the case. In other words, before a court may proceed to the merits of any claim, the plaintiffs must demonstrate that they have constitutional “standing” to sue. Also, a court may not entertain an action against the United States if the government has not expressly waived its sovereign immunity, that is, unless it has given its consent to be sued in that particular situation. And once a plaintiff overcomes those hurdles, he or she must state a valid legal claim.

         This case implicates the constitutional limits on the Court's jurisdiction imposed by both the standing doctrine and the doctrine of sovereign immunity, and it involves unique factual circumstances. Neither the Supreme Court nor the U.S. Court of Appeals for the D.C. Circuit has held that the fact that a person's data was taken is enough by itself to create standing to sue; a plaintiff who claims an actual injury must be able to connect it to the defendant's actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial. The fact that this is not just a data breach case, but that it is a data breach arising out of a particular sort of cyberattack against the United States, differentiates it from the majority of the legal precedent that arises in the context of retail establishments or other financial entities. Courts in those cases often make certain assumptions about the likelihood of future harm in order to find that the elements needed to initiate a case have been satisfied. Here, the usual assumptions about why the information was stolen and what is likely to be done with it in the future do not apply and cannot fill the gap. As for those plaintiffs who allege that they have already experienced an actual misuse of their credit card numbers or personal information, they cannot tie those disparate incidents to this breach. It may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the breach and the nature of any future harm have yet to be discerned. But that has not happened yet, and the Court is not empowered to expand the limits of its own authority, so it cannot find that plaintiffs have standing based on this record.

         Even if the Court were inclined to anticipate that this is where the law is heading, the problem runs deeper than standing. The right to bring a claim for damages under the Privacy Act is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government's statutory violation. The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken. Neither the Administrative Procedure Act nor the Little Tucker Act supplies a cause of action against the government to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution.

         Therefore, defendants' motions to dismiss will be granted, and both cases will be dismissed in their entirety. The Court finds, applying the case law it is required to follow, that neither set of plaintiffs has pled sufficient facts to demonstrate that they have standing. Moreover, even if they had the right to enter the courthouse, they did not bring a claim with them that the Court can hear. Plaintiffs have failed to overcome the arguments that the federal defendants are immune from suit under the Privacy Act and the Administrative Procedure Act, and that KeyPoint is shielded by government contractor immunity, so the Court lacks subject matter jurisdiction to hear those claims. Moreover, the Court finds that plaintiffs have failed to state claims upon which relief can be granted. Plaintiffs seek damages for improper disclosure of information and for a failure to maintain adequate safeguards under the Privacy Act, but they have not alleged that private information was “disclosed, ” as opposed to stolen, and they have not alleged facts to show that their claimed injuries were the result of the agency's failures. Plaintiffs have not stated a claim for breach of contract under the Little Tucker Act since they have not shown that OPM entered into a contract with them or that any contract was breached, and they have not alleged any violation of the United States Constitution.

         TABLE OF CONTENTS

         FACTUAL BACKGROUND ......................................................................................................... 7

         I. The Data Breaches .............................................................................................................. 7

         II. The Targeted Systems and Compromised Information ...................................................... 8

         III. OPM's Knowledge of the Deficiencies and Response to the Breaches .............................. 9

         IV. Plaintiffs' Alleged Harm ................................................................................................. 111

         A. Actual Identity Theft or Credit Card Fraud ................................................................ 11

         B. Risk of Future Identity Theft and Other Harm Associated with that Risk ................. 12

         PROCEDURAL HISTORY .......................................................................................................... 12

         STANDARD OF REVIEW .......................................................................................................... 14

         I. Lack of Subject Matter Jurisdiction .................................................................................. 14

         II. Failure to State a Claim ..................................................................................................... 16

         ANALYSIS ................................................................................................................................... 17

         I. Plaintiffs Do Not Have Standing. . .................................................................................... 17

         A. Legal Framework ........................................................................................................ 18

         1. Individual Standing ......................................................................................... 18

         2. Organizational Standing .................................................................................. 19

         B. Plaintiffs have Failed to Show that They have Article III Standing ........................... 20

         1. Injury in Fact ................................................................................................... 21

         a. Theft of Private Information Without More .............................................. 21

         b. Actual Identity Theft or Fraudulent Credit Card Activity ......................... 32

         c. Future Identity Theft and Other Future Harms .......................................... 35

         2. Causation ......................................................................................................... 48

         II. Plaintiffs' Claims Cannot Proceed. . .................................................................................. 53 A.

         Claims Against OPM .................................................................................................. 53

         1. Plaintiffs' Privacy Act claims must be dismissed. . ......................................... 53

         a. All but two CAC plaintiffs fail to plead actual damages, and therefore the Court lacks subject matter jurisdiction to hear their claims. . ............................................................................................... 53

         b. The disclosure provision claim fails because OPM did not intentionally or willfully disclose plaintiffs' information within the meaning of the Act. . ............................................................................. 55

         c. While plaintiffs have alleged a willful violation of the safeguards provision of the Privacy Act, their claim fails because they do not allege sufficient facts to show that their injuries were “a result of” OPM's conduct. . .................. 56

         2. Plaintiffs fail to state a claim under the Little Tucker Act .............................. 58

         3. The Court lacks subject matter jurisdiction to hear plaintiffs' claim under the APA ........... 60

         4. The NTEU plaintiffs fail to state a constitutional claim. . ............................. 622

         B. Claims Against KeyPoint ............................................................................................ 67

         1. KeyPoint has derivative immunity because it was a government contractor. . ........................ 68

         2. Plaintiffs do not adequately identify a portion of KeyPoint's contract with OPM that KeyPoint breached. . .......... 69

         3. Even if KeyPoint acted negligently, it did not lose its sovereign immunity. . ............... 71

         C. Claims against both defendants for declaratory judgment and injunctive relief will be dismissed for lack of subject matter jurisdiction. . ......... 73

         CONCLUSION ............................................................................................................................. 73

         FACTUAL BACKGROUND

         Defendant OPM is a federal agency that handles portions of the federal employee recruitment process. CAC ¶ 52; NTEU Compl. ¶¶ 10-11.[1] Defendant KeyPoint Government Solutions is a private contractor that conducts background investigations and security clearance checks on behalf of OPM. CAC ¶ 53.

         I. The Data Breaches

         The CAC plaintiffs allege that four breaches occurred in 2013 and 2014.

• On November 1, 2013, hackers “infiltrated” OPM's systems and stole “security system documents and electronic manuals” about the agency's systems, although no individual personal information was stolen. CAC ¶ 125; see also CAC ¶ 3.
• About a month later, in about December 2013, KeyPoint experienced a breach. “[A]n unknown person or persons obtained the user log-in credentials of a KeyPoint employee, ” and the credentials were used to “steal the personnel records of tens of thousands of Department of Homeland Security employees” from KeyPoint's systems. CAC ¶ 4.
• On May 7, 2014, hackers used “stolen KeyPoint credentials” to access OPM's network and install malware, creating “a conduit through which data could be exfiltrated.” CAC ¶ 127. This breach “resulted in the theft of nearly 21.5 million background investigation records, ” which included “questionnaire forms containing highly sensitive personal, family, financial, medical, and associational information of Class members.” CAC ¶ 129; see also NTEU Compl. ¶ 19.
• Finally, “[n]o later than October 2014, ” hackers attacked “OPM systems maintained in an Interior Department shared-services data center.” CAC ¶ 131; see also NTEU Compl. ¶ 14. Hackers “use[d] the stolen KeyPoint credentials to access systems within OPM's network at will” and maintained access to OPM's network for “several months, ” removing “millions of personnel records, ” resulting in “the loss of approximately 4.2 million federal employees' personnel files.” CAC ¶¶ 131, 133.

         II. The Targeted Systems and Compromised Information

         The CAC plaintiffs allege that the nature and scope of the data breaches “indicate that the intrusion was sophisticated, malicious, and carried out to obtain sensitive data for improper use.” CAC ¶¶ 117, 128, 132. Both complaints allege that the cyberattacks removed data from OPM computer systems and databases, including OPM's Electronic Official Personnel Folder system and the Central Verification System. See CAC ¶¶ 64-65, 74, 130; NTEU Compl. ¶¶ 10-12 (describing relevant OPM systems).

         The Electronic Official Personnel Folder system stores personnel files of federal employees. CAC ¶¶ 74, 130. These files include “birth certificates, job performance reports, resumes, school transcripts, military service records, employment history and benefits, and job applications that contain Social Security numbers and birthdates.” CAC ¶ 74; NTEU Compl. ¶ 10.

         The Central Verification System “contains most background and security clearance check information, ” including information from the three forms - Standard Form (“SF”) 85, SF 85P, and SF 86 - that applicants for federal positions and security clearances must complete.[2] CAC ¶¶ 66, 69, 70. This system also contains information on security clearances, investigations, suitability determinations, background checks for those seeking access to federal facilities, and polygraph data. CAC ¶¶ 72, 73; NTEU Compl. ¶ 12.

         III. OPM's Knowledge of the Deficiencies and Response to the Breaches

         Both plaintiff groups allege that OPM “knew for several years” before the breaches that its “information security governance and management protocols contained material weaknesses that posed a significant threat to its systems.” CAC ¶ 90; NTEU Compl. at 3 (alleging OPM had been “on notice of serious flaws in its data system security”). The Consolidated Amended Complaint states that the OPM Inspector General's annual audits of cybersecurity from 2007 to the present “found that OPM's information security policies and practices suffered from material weaknesses” that “pose an immediate risk to the security of assets or operations.” CAC ¶¶ 81, 84, 86-88; NTEU Compl. at 3 (alleging the Inspector General's office had “identified numerous significant deficiencies, including deficiencies related to OPM's decentralized security governance structure, its failure to ensure that its information technology systems met applicable security standards, and its failure to ensure that adequate technical security controls were in place for all servers and databases”).

         After learning of the breaches, OPM issued a series of announcements to the public and affected individuals. With each revelation, the reported scope of the breach and the number of people affected increased.

         On April 27, 2015, OPM notified “more than 48, 000 federal employees that their personal information might have been exposed in the KeyPoint Breach.” CAC ¶ 120. On June 4, 2015, it announced that it had experienced a data breach that “resulted in the exposure and theft of the [government investigation information] of approximately 4.2 million current, former, and prospective federal employees and contractors.” CAC ¶ 138. On June 12, 2015, OPM acknowledged that the scope of breach was broader than previously disclosed and that “as many as 14 million current, former, and prospective federal employees and contractors” were affected. CAC ¶ 139. On July 9, 2015, OPM announced that the information “of approximately 21.5 million people had been exposed and stolen in the May 2014 breach, ” including the theft of 1.1 million fingerprints. CAC ¶ 140. Of the 21.5 million people affected, 19.7 million had undergone background checks. The other 1.8 million records concerned “mostly job applicants' spouses, children, and other cohabitants.” CAC ¶ 140. On September 23, 2015, OPM announced that not 1.1 million, but approximately 5.6 million, fingerprints had been stolen. CAC ¶ 141.

         The agency notified each individual whose private information had been compromised and offered free identity theft protection services at “a combined cost of approximately $154 million . . . for either 18 months or three years, depending on the amount and sensitivity of the compromised [information].” CAC ¶¶ 148, 150.

         IV. Plaintiffs' Alleged Harm

         The CAC plaintiffs allege that each of the thirty-eight named plaintiffs submitted sensitive personal information to the federal government that was compromised in the breaches. See CAC ¶¶ 10, 13-50; see also CAC ¶ 1. The NTEU plaintiffs allege that the three named plaintiffs and an unknown number of NTEU members were “identified by OPM as having been affected by the breaches.” NTEU Compl. ¶ 59. Plaintiffs assert that the data breaches occurred as a result of defendants' failure to secure their systems, CAC ¶ 1, and that all of the putative class members are subject to a continuing risk of additional exposure since that failure is ongoing. CAC ¶ 7. The complaints allege that plaintiffs have sustained and will continue to sustain “economic loss and other harm, ” CAC ¶ 163; that they have suffered “stress, ” CAC ¶¶ 13, 18, 19, 22-25, 28, 30-31, 35, 37, 42-44, 46, 50; or a loss to their “sense of security, ” NTEU Compl. ¶ 78; and that they face an increased risk of expending time and money dealing with such consequences as identity theft and fraud in the future. CAC ¶ 163.

         The complaints contain a range of allegations concerning the nature of the particular harm suffered by class members.

         A. Actual Identity Theft or Credit Card Fraud

         A number of plaintiffs allege that they have experienced actual identity theft or credit card fraud.

• Fourteen CAC plaintiffs and one of the three NTEU plaintiffs allege that at some point after they were informed of the breaches, they learned that unauthorized charges had been made to their existing credit card accounts or that fraudulent accounts were opened in their names. See CAC ¶¶ 13, 16, 19, 22, 28-31, 38, 39, 41, 45, 49, 50; NTEU Compl. ¶ 84.
• Four CAC plaintiffs allege that they experienced unauthorized credit inquiries. CAC ¶¶ 13, 14, 29, 31.
• Six CAC plaintiffs and one NTEU plaintiff allege that fraudulent tax returns were filed in their names. CAC ¶¶ 14, 21, 24, 28, 31, 32; NTEU Compl. ¶ 79.
• Four CAC plaintiffs allege that there was some other improper use of their own or a family member's Social Security number. CAC ¶¶ 14, 17, 41, 50.

         B. Risk of Future Identity Theft and Other Harm Associated with that Risk

         Both sets of plaintiffs claim that they have suffered harm as result of the breaches because they face an increased risk of identity theft in the future. CAC ¶¶ 7, 210; NTEU Compl. ¶ 92. Nearly all of the named CAC plaintiffs - thirty-four out of thirty-eight - allege that after learning about the breaches, they devoted some time and effort to preventing future identity theft. See, e.g., CAC ¶¶ 13-22, 25-34, 36-44, 46-50 (alleging that exposure to the breach caused plaintiffs to review their financial accounts or credit reports with greater frequency, or that they placed freezes on their credit). Of those plaintiffs, seven allege that they spent money to purchased credit monitoring and protection services or incurred other expenses to prevent future identity theft. See, e.g., CAC ¶¶ 17, 21, 25, 34, 41. And numerous plaintiffs allege that they “suffer stress” due to their concerns about future identity theft or a sense of vulnerability to some other harm. See CAC ¶¶ 18-19, 22-25, 28, 35, 37, 43-44 (expressing concerns for their safety or the safety of their family members); CAC ¶¶ 18-30, 43, 46 (expressing concern about an inability to obtain a security clearance in the future); CAC ¶¶ 19, 23-24, 42-44 (expressing fear about future identity theft); CAC ¶¶ 19, 31, 50 (alleging “stress resulting from concerns that her exposure to the Data Breaches will adversely affect her minor children's future”); see also NTEU Compl. ¶ 94 (expressing anxiety over the effect the data breaches will have on them, their families, friends, and other associates).

         PROCEDURAL HISTORY

         A number of lawsuits were filed around the country after the data breaches at OPM and KeyPoint were announced. The United States Judicial Panel on Multidistrict Litigation transferred all actions that were pending elsewhere to this Court for coordinated or consolidated proceedings pursuant to 28 U.S.C. § 1407 [Dkt. # 1], and plaintiffs filed two amended complaints, which are the operative documents in this matter. See Order (Dec. 15, 2015) [Dkt. # 19].

         The plaintiffs in the Consolidated Amended Complaint[3] assert that OPM violated the Privacy Act, the Little Tucker Act, and the Administrative Procedure Act (“APA”), and that KeyPoint is liable for negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and various state statutes governing unfair and deceptive trade practices and data security. CAC ¶¶ 175-275. They seek declaratory and injunctive relief against both defendants. CAC at 75-76 (Prayer for Relief).

         OPM and KeyPoint each filed motions to dismiss the CAC, arguing that the Court lacks subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) because plaintiffs do not have standing and defendants are shielded by sovereign immunity, and that plaintiffs failed to state a claim under Rule 12(b)(6). See KeyPoint's Mot. to Dismiss CAC & Mem. of Law in Supp. [Dkt. # 70] (“KeyPoint Mem.”), Fed. Def.'s Mot. to Dismiss CAC and Mem. of P. & A. in Supp. [Dkt. # 72] (“OPM's Mem.”); Pls.' Consol. Opp. to Defs.' Mots. To Dismiss [Dkt. # 82] (“CAC Pls.' Opp.”); KeyPoint's Reply [Dkt. # 86]; Fed. Def.'s Reply [Dkt. # 87].

         The NTEU plaintiffs assert a single claim against the Acting Director of OPM, alleging that the agency violated their constitutional right to informational privacy. NTEU Compl. ¶¶ 95- 98. They seek declaratory and injunctive relief. NTEU Compl. at 34-35 (Request for Relief).

         OPM has moved to dismiss the NTEU complaint for lack of standing and for failure to state a claim.[4] See Fed. Defs.' Mot. to Dismiss NTEU Compl. [Dkt. # 81]; Mem. in Supp. [Dkt. # 81-1]; NTEU Pls.' Opp. to OPM's NTEU Mot. [Dkt. # 84] (“NTEU's Opp.”); Fed. Def.'s Reply Mem. in Supp. of Mot. to Dismiss [Dkt. # 91].[5]

         The Court heard oral argument on the motions, and the motions are fully briefed.

         STANDARD OF REVIEW

         In evaluating a motion to dismiss under either Rule 12(b)(1) or 12(b)(6), the Court must “treat the complaint's factual allegations as true . . . and must grant plaintiff ‘the benefit of all inferences that can be derived from the facts alleged.'” Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C. Cir. 2000) (internal citations omitted), quoting Schuler v. United States, 617 F.2d 605, 608 (D.C. Cir. 1979); see also Am. Nat'l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011). Nevertheless, the Court need not accept inferences drawn by the plaintiff if those inferences are unsupported by facts alleged in the complaint, nor must the Court accept plaintiff's legal conclusions. Browning v. Clinton, 292 F.3d 235, 242 (D.C. Cir. 2002).

         I. Lack of Subject Matter Jurisdiction

         Under Rule 12(b)(1), the plaintiff bears the burden of establishing jurisdiction by a preponderance of the evidence. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992); Shekoyan v. Sibley Int'l Corp., 217 F.Supp.2d 59, 63 (D.D.C. 2002). Federal courts are courts of limited jurisdiction and the law presumes that “a cause lies outside this limited jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994); see also Gen. Motors Corp. v. EPA, 363 F.3d 442, 448 (D.C. Cir. 2004) (“As a court of limited jurisdiction, we begin, and end, with an examination of our jurisdiction.”). “[B]ecause subject-matter jurisdiction is ‘an Art[icle] III as well as a statutory requirement . . . no action of the parties can confer subject-matter jurisdiction upon a federal court.'” Akinseye v. District of Columbia, 339 F.3d 970, 971 (D.C. Cir. 2003), quoting Ins. Corp. of Ir., Ltd. v. Compagnie des Bauxites de Guinee, 456 U.S. 694, 702 (1982).

         When considering a motion to dismiss for lack of jurisdiction, unlike when deciding a motion to dismiss under Rule 12(b)(6), the court “is not limited to the allegations of the complaint.” Hohri v. United States, 782 F.2d 227, 241 (D.C. Cir. 1986), vacated on other grounds, 482 U.S. 64 (1987). Rather, “a court may consider such materials outside the pleadings as it deems appropriate to resolve the question [of] whether it has jurisdiction to hear the case.” Scolaro v. D.C. Bd. of Elections & Ethics, 104 F.Supp.2d 18, 22 (D.D.C. 2000), citing Herbert v. Nat'l Acad. of Scis., 974 F.2d 192, 197 (D.C. Cir. 1992); see also Jerome Stevens Pharm., Inc. v. FDA, 402 F.3d 1249, 1253 (D.C. Cir. 2005).

         Furthermore, when a government agency is the defendant, additional jurisdictional considerations apply. The United States is not amenable to suit in the federal courts absent an express waiver of sovereign immunity. Anderson v. Carter, 802 F.3d 4, 8 (D.C. Cir. 2015), citing United States v. Mitchell, 463 U.S. 206, 212 (1983). Sovereign immunity is “jurisdictional in nature.” Perry Capital LLC v. Mnuchin, 864 F.3d 591, 619 (D.C. Cir. 2017), quoting FDIC v. Meyer, 510 U.S. 471, 475 (1994). When it has not been waived, sovereign immunity shields the federal government, its agencies, and federal officials acting in their official capacities from suit. Meyer, 510 U.S. at 475 (the federal government and its agencies); Kentucky v. Graham, 473 U.S. 159, 166-67 (1985) (federal officials in their official capacities).

         II. Failure to State a Claim

         “To survive a [Rule 12(b)(6)] motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). In Iqbal, the Supreme Court reiterated the two principles underlying its decision in Twombly: “First, the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions, ” and “[s]econd, only a complaint that states a plausible claim for relief survives a motion to dismiss.” Id. at 678-79.

         A claim is facially plausible when the pleaded factual content “allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678, citing Twombly, 550 U.S. at 556. “The plausibility standard is not akin to a ‘probability requirement, ' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id., quoting Twombly, 550 U.S. at 556. A pleading must offer more than “labels and conclusions” or a “formulaic recitation of the elements of a cause of action, ” id., quoting Twombly, 550 U.S. at 555, and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id., citing Twombly, 550 U.S. at 555.

         When considering a motion to dismiss under Rule 12(b)(6), the Court is bound to construe a complaint liberally in the plaintiff's favor, and it should grant the plaintiff “the benefit of all inferences that can be derived from the facts alleged.” Kowal v. MCI Commc'ns Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994). Nevertheless, the Court need not accept inferences drawn by the plaintiff if those inferences are unsupported by facts alleged in the complaint, nor must the Court accept plaintiff's legal conclusions. See id.; see also Browning, 292 F.3d at 242. In ruling upon a motion to dismiss for failure to state a claim, a court may ordinarily consider only “the facts alleged in the complaint, documents attached as exhibits or incorporated by reference in the complaint, and ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.