Mark Lemley, a Stanford Law School professor and intellectual property law expert, is among the lawyers who
filed a lawsuit in federal court against Elon Musk, DOGE, and the US Office of Personnel Management on behalf of government-employee unions and a group of current and former federal employees earlier this month. The suit claims that when OPM granted Musk’s DOGE project
access to sensitive employee information earlier this month, the agency violated the Privacy Act of 1974 and asks the US District Court for the Southern District of New York to declare DOGE’s access to such records illegal. Lemley is also currently at work on a related class-action lawsuit. We spoke with him on Monday.
What’s the background of this case?
Shortly after Trump took office, Elon Musk and DOGE, an entity with uncertain authority within the government, started sending people into various departments and demanding root access to their computer systems and access to all the files in those systems. One of the systems they accessed was the Office of Personnel Management, which has all of the personnel records for every current and former government employee, and that’s now upwards of 20 million people. So they have access to if you’ve ever been in the military, if you’ve ever worked for the government. They have access to your Social Security numbers, bank records, disability status, in some cases gender identity—a bunch of confidential information. That access pretty clearly violates the Privacy Act of 1974. The Privacy Act says that information about people, including government employees, can be used within the agency and can be disclosed outside the agency only in very specific and limited circumstances that the statute sets out. And there is no provision in that statute for giving access to a
19-year-old contractor who might or might not actually work for the government but certainly doesn’t work for the Office of Personnel Management. So we filed suit on behalf of unions representing government employees and a number of individuals to try to stop the unlawful disclosure of information to the DOGE team. And we will follow up with a lawsuit seeking damages on behalf of government employees. There’s a provision in the statute that allows a minimum of $1,000 in damages for anyone who has suffered any economic injury as a result of a violation of the Privacy Act.
You’re saying that just the fact that DOGE accessed the information is illegal?
Yes, the language of the Privacy Act makes it clear that if there’s an intentional violation, which this certainly is, there is a minimum of $1,000 in statutory damages. There is a Supreme Court case called
FAA v. Cooper , which— “reinterpreted” would be a generous term—the language of the statute, and said, Well, you can get a minimum of $1,000 of statutory damages, but only if you have suffered some economic injury. So, they refuse to say the invasion of privacy itself justifies the statutory damages, even though that’s quite clearly both what Congress intended and what Congress actually said. So I think the damages case is likely to be limited to anybody who has been injured or is out any money as a result of this. So that could be anything from, you went and got credit reporting because you were worried about the fact that 19-year-old computer hackers who’ve been
fired from their prior jobs for stealing data have access to your Social Security number and bank information, or something bad happened to you as a result of this disclosure. The most likely thing there is going to be people who are illegally fired by the government through one of these DOGE initiatives.
How does your upcoming class-action lawsuit tie into this case?
What we decided to do was to try to move first to try to stop the bleeding and to move as quickly as possible to seek an injunction. There are actually a couple of pending lawsuits in parallel: one in New York, one in Maryland, one in Virginia. The district court
this morning in Maryland just issued a temporary restraining order preventing the disclosure of the personnel data at OPM to DOGE employees. So that’s kind of what we’ve been aiming for with this first step, which is let’s try to stop the disclosure and use of this information. Then the idea is figuring out who’s actually been injured by this and how they’ve been injured. So we are in the process of collecting information about potential plaintiffs and putting together a lawsuit that would seek damages for the people who’ve been injured.
What is the status, then, of this first case?
Now that there’s already an order in place limiting what OPM can do, we may ask the district court instead to give us a quick round of discovery as to what exactly is going on, what they’ve done with the information, how it’s been used. Based on that, we may seek either more specific relief demanding that particular people be blocked from the system, or that the software itself be audited to make sure there aren’t backdoors built into the system.
What might discovery look like in this situation? It seems like DOGE is unlikely to keep the records they’re supposed to.
I mean, you may well be right that they are not keeping the records they are obligated to keep. If that’s true, that would itself also be a violation of the Privacy Act. It would also be the spoliation or destruction of evidence in a pending court case, and judges get very upset if it turns out that you’ve been sued and the first thing you do is go delete the paper trail that shows the potentially illegal things you did. So, you know, we will either find out what they’ve done, or we’ll find out that they have destroyed evidence to try to bury their tracks. Either of those things is going to put us in a position to have the court issue an effective order that restricts access to this information.
How are your two cases different from the many lawsuits that challenge the Trump administration’s actions?
There’s a lot going on right now and it is important that all of it get challenged, that they don’t just get away with it. But if we can make it clear that the Privacy Act applies to these people, that they’re not free to go into other agencies and just change the computer system, put in backdoors, get access to data, then hopefully that’s a precedent, not just for OPM, but all of the other agencies that are next in line to be targeted by DOGE.
To you, what’s so dangerous about DOGE having access to all of this personal information? Trump asked Musk to look for efficiencies, which he claims requires him to get access to employee data.
There are a number of problems. Part of the reason DOGE wanted access to all of this information was so they could send out a series of emails with
illegal offers and threats to fire government employees
if they don’t send in reports . None of those things are legal. But by bypassing the normal processes where government employees communicate with their supervisors, they’ve been able to use this information to generate all of those attacks. I think they are also using this information to, again, unlawfully fire employees, sometimes in a particularly stupid and ham-handed way. It seems pretty clear, for instance, that they just went through the employment records and found everyone labeled “probationary” across all government departments and
fired them . Maybe that’s because they thought if you were “on probation” that meant you were a bad performer. But that’s not, it turns out, what it means. It included not only everybody who had been at the job for less than two years, but also people who’d been on the job for decades, done a great job, and were in the process of receiving promotions, so they were on probationary status for their new promotion. And so we’ve seen cases where it turns out they fired the people in charge of maintaining the safety of our nuclear weapons and then didn’t know how to get them back. They fired a bunch of FAA safety inspectors as planes are crashing. And then the more systemic problem is, we have very limited and controlled access to this private information for a reason. When you let unauthorized people have access to it, when you let them take a copy of that information out of a secure system, when you let them potentially build back doors into that secure system, you make it easier for anyone else in the world to hack that system. So the risk is not just that Elon Musk and DOGE will misuse their access to this information to do illegal things. It’s also that they’ve made this information less secure for everybody else. Bruce Schneier, who’s a cybersecurity expert, called this
the worst hack of the United States government in history , because once these systems have been breached, there’s no way to know that they are secure again.
What’s at stake here?
The first month of the Trump administration has been a nonstop barrage of illegal and unconstitutional acts. And I think even a lot of people who supported him have been kind of shocked and appalled by the things that have been going on. There are very limited ways that people can fight back against that, particularly given that the Republicans who have a narrow majority in both houses of Congress have shown no inclination so far to try to stand up for the rule of law. So I think if, in fact, we’re to hold on to the rule of law and democracy in this country, it will come down to courts insisting that the government is not above the law and they have to comply. The key is that, if the courts can hold the line and say, We’re not going to allow you to do things that the law doesn’t permit, then maybe we have an opportunity to save the rule of law in this country.
This interview has been edited for length and clarity.
