A Federal judge in New York has granted a preliminary injunction after finding the Office of Personnel Management (OPM) broke privacy laws and failed to follow cybersecurity protocols when it allowed the Department of Government Efficiency (DOGE) to access its data systems.
“OPM violated the law and bypassed its established cybersecurity practices” when it shared data with DOGE, Judge Denise Cote of the U.S. District Court for the Southern District of New York wrote in a 99-page order on Monday. The order restricts how the agency that oversees Federal personnel can share data with DOGE.
The decision comes after Federal workers and union plaintiffs brought a suit against OPM for allowing DOGE employees who weren’t properly vetted or trained access to databases that stored personal data on millions of Americans, “including past, current, and aspiring federal employees.”
The move violated the Privacy Act and administrative procedure law, the suit alleged, asking the court to require that the information accessed be deleted.
Judge Cote wrote that she had found that “no credible need for this access had been demonstrated,” by the government.
“This was a breach of law and of trust,” wrote the judge in her order. “Tens of millions of Americans depend on the Government to safeguard records that reveal their most private and sensitive affairs.”
One argument from the defense included that such an order would prevent OPM from modernizing its IT systems, which Judge Cote said was uncontroversial and would not be targeted as part of the order. She added that OPM had failed to prove that “a modernization effort will not be hampered by compliance with the mandates of the Privacy Act or adherence to OPM’s established cybersecurity protocols.”
The judge further noted that the scope of the injunction would not hinder modernization efforts.
While that scope has not yet been set, Cote directed both parties to submit proposals for the injunction by noon on June 12, with details forthcoming in a separate order.
Cote further slammed OPM and DOGE for failing to acknowledge the potential harms and risks of providing access to databases containing personally identifiable information (PII).
“There has been no acknowledgement by the Government of past errors, nor any assurance that from this point on access will not be given to OPM systems containing PII to those who are not authorized to have access under the Privacy Act,” wrote Cote. “And where unnecessary and improper access is given, cybersecurity risks are magnified.”
The Electronic Frontier Foundation, a party that requested the injunction, called the order handed down “a victory for personal privacy,” in a news release following Judge Cote’s decision.