Federal employee union lawsuit flags government data risk
When millions of federal employee records are concentrated in a handful of systems, the stakes for cybersecurity rise dramatically. That’s the backdrop of American Federation of Government Employees AFL-CIO v. United States Office of Management and Budget (OMB), a case filed in the Northern District of California. While framed as an employment and administrative law challenge, the heart of the dispute is about how sensitive government workforce data is collected, stored, and shared, and whether existing safeguards meet the letter and spirit of federal cybersecurity law.
The growing risk of centralized federal workforce data
The American Federation of Government Employees (AFGE) brought the case against the Office of Management and Budget and the Office of Personnel Management (OPM). The union argues that these agencies are centralizing massive pools of personally identifiable information (PII) — payroll, benefits, retirement, and healthcare data — without adequate statutory or procedural safeguards.
The concern is not a single breach, but rather systemic risk. By creating interlinked data systems for millions of workers, the government increases the likelihood that a compromise (whether through insider abuse, insecure storage, or external intrusion) could have catastrophic effects.
Allegations against OMB and OPM
AFGE’s suit claims that OMB and OPM:
- Failed to comply with statutory data protection and notice requirements while creating or modifying systems of records
- Concentrated sensitive employee data in a way that magnifies cyber risk
- Did not demonstrate compliance with frameworks like the Federal Information Security Modernization Act (FISMA), which requires agencies to implement, report, and audit security controls
- Left federal employees exposed to potential misuse of their PII, even absent a breach, by not enforcing strict access controls such as multi-factor authentication and least-privilege policies
The union is effectively saying: poor cybersecurity governance isn’t just an administrative flaw; it’s a labor issue that harms employees whose data is at stake.
Why this matters for CISOs and federal security leaders
The case is a reminder that reasonable security safeguards aren’t optional. In practice, these safeguards map to frameworks like NIST CSF 2.0, CISA’s Cross-Sector Cybersecurity Performance Goals, and FISMA’s reporting requirements. For agencies handling sensitive workforce data, that means:
- Encrypting persistent identifiers at rest and in transit
- Enforcing multifactor authentication on systems with employee data
- Applying least-privilege access, with strong audit and logging
- Segmenting networks to contain lateral movement
- Implementing continuous monitoring with alerting and incident response playbooks
If these controls are weak or inconsistently applied, the concentration of federal workforce data becomes an irresistible target for malicious actors.
Lessons from the 2015 OPM breach
The 2015 OPM breach was a structural failure that exposed how fragile federal workforce data really was. GAO’s post-mortem found OPM improved some controls after the breach, but still needed stronger policies, contractor oversight, and technical safeguards. In plain terms, progress was uneven and too slow for the risk profile of the data.
Since then, the government has raised the bar on paper. There is a federal zero trust mandate that required concrete milestones by the end of FY 2024, including identity-centric access, strong device security, robust logging, and application-level defenses. The White House also issued an executive order to harden software supply chains, accelerate incident reporting, and modernize federal security.
In February 2025, GAO’s High-Risk List still flagged federal cybersecurity as a persistent problem area. Translation: agencies have guidance and deadlines, yet many still struggle to implement controls at scale and on time.
There have been operational push-pulls too. CISA’s binding directive on known exploited vulnerabilities forced agencies to fix actively abused flaws against a deadline, a practical step that reduced risk quickly. But mitigating vulnerabilities just once doesn’t address security holistically. Routine practices like consistent patching, asset inventory, and identity governance remain chronic weak points across large enterprises, and federal agencies are no exception.
The lesson of OPM is simple. Centralized, sensitive workforce data is a national security asset. When governance lags or controls are partial, the blast radius is massive. AFGE’s lawsuit lands in a world where the policy framework exists, but execution gaps remain. The court will not decide on Zero Trust, patch SLAs, or identity standards. It can, however, force accountability on how agencies structure, share, and protect employee data. That is the same weak seam the 2015 breach tore open.
A hardening checklist for federal data systems
For CISOs in the federal and public sector space, AFGE v. OMB is a nudge to recheck fundamentals. A focused one-week sprint could include:
- IT Operations: Verify encryption for all systems holding SSNs, payroll, or healthcare data. Rotate and centrally manage encryption keys.
- Identity & Access: Audit privileged accounts; remove standing admin rights and apply just-in-time administration.
- Monitoring: Review logs for anomalous access to employee data systems; ensure alerts feed into an incident response workflow.
- Compliance: Cross-check practices against FISMA and NIST guidance. Confirm incident notification timelines and vendor security requirements.
- Tabletop exercise: Run a 90-minute scenario simulating a large-scale employee data compromise. Capture remediation steps, owners, and timelines.
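The Identity & Access and Monitoring items above, together with the least-privilege and logging controls listed earlier, can be checked mechanically rather than by eyeballing a directory export. The script below is an added example written for this page, not code from the article or from ThreatLocker. The account directory, the key=value audit log format, the role-to-system mapping, the business-hours window and the bulk-export threshold are all constructed assumptions for the demo; a real deployment would read the same signals from its IdP and SIEM.

```python
"""Added example (not from the article or from ThreatLocker): a small audit helper for
two checklist items, finding standing admin rights and flagging anomalous access to
employee-data systems. Every account, log line and threshold below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 3, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
ADMIN_ROLES = {"payroll-admin", "db-admin"}
# Assumed policy: which roles may touch which employee-data system
ALLOWED_ROLES = {"payroll-db": {"payroll-admin"}, "benefits-db": {"hr-analyst", "payroll-admin"}}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, assumed policy window
BULK_THRESHOLD = 1000          # records per request, assumed alert threshold


@dataclass
class Account:
    user: str
    roles: set
    admin_expires: Optional[datetime]  # None = standing grant; datetime = just-in-time grant


ACCOUNTS = [  # constructed directory export
    Account("jdoe", {"payroll-admin"}, None),
    Account("asmith", {"payroll-admin"}, NOW + timedelta(hours=2)),
    Account("bwong", {"hr-analyst"}, None),
    Account("svc-backup", {"payroll-admin", "db-admin"}, NOW - timedelta(days=3)),
]

LOG_LINES = [  # constructed audit records; key=value format is an assumption of the demo
    "ts=2025-03-02T09:14:07Z user=asmith system=payroll-db action=read records=1 mfa=true",
    "ts=2025-03-02T02:41:55Z user=jdoe system=payroll-db action=export records=48000 mfa=true",
    "ts=2025-03-02T10:03:12Z user=bwong system=benefits-db action=read records=3 mfa=false",
    "ts=2025-03-02T11:30:00Z user=svc-backup system=payroll-db action=read records=200 mfa=true",
    "ts=2025-03-02T14:05:41Z user=contractor7 system=benefits-db action=read records=12 mfa=true",
]


def standing_admins(accounts, now=NOW):
    """Identity & Access check: admin roles with no expiry (standing rights) or with an
    expired just-in-time grant that was never removed from the directory."""
    findings = []
    for a in accounts:
        if not (a.roles & ADMIN_ROLES):
            continue  # non-privileged account, nothing to flag
        if a.admin_expires is None:
            findings.append((a.user, "standing admin right"))
        elif a.admin_expires < now:
            findings.append((a.user, "expired JIT grant still present"))
    return findings


def parse_line(line):
    """Turn one key=value audit line into a typed record."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["records"] = int(rec["records"])
    rec["mfa"] = rec["mfa"] == "true"
    return rec


def anomalous_access(lines, accounts):
    """Monitoring check: apply four policy rules to each access record and return
    alerts as (user, system, [reasons]) tuples that an IR workflow can ingest."""
    by_user = {a.user: a for a in accounts}
    alerts = []
    for rec in map(parse_line, lines):
        reasons = []
        if not rec["mfa"]:
            reasons.append("access without MFA")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if rec["records"] >= BULK_THRESHOLD:
            reasons.append(f"bulk {rec['action']} of {rec['records']} records")
        acct = by_user.get(rec["user"])
        if acct is None or not (acct.roles & ALLOWED_ROLES.get(rec["system"], set())):
            reasons.append("no authorized role for system")
        if reasons:
            alerts.append((rec["user"], rec["system"], reasons))
    return alerts


if __name__ == "__main__":
    for user, why in standing_admins(ACCOUNTS):
        print(f"[IAM] {user}: {why}")
    for user, system, reasons in anomalous_access(LOG_LINES, ACCOUNTS):
        print(f"[ALERT] {user} on {system}: {'; '.join(reasons)}")
```

On the constructed data the script reports two identity findings (a standing admin and an expired JIT grant that was never revoked) and three access alerts (an off-hours bulk export, a read without MFA, and a user with no authorized role for the system). The point of returning structured tuples rather than printing is that each alert can be handed straight to a ticketing or IR workflow, which is what the Monitoring item asks for.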
The bottom line: Workforce data is a national security asset
While AFGE v. OMB isn’t a breach case, it involves cybersecurity governance and challenges how the federal government manages the enormous risk of centralized employee data. For CISOs, whether in government or the private sector, the lesson is clear: treat sensitive workforce data with the same rigor as financial systems or classified intelligence.
FedRAMP-Ready Zero Trust with ThreatLocker
ThreatLocker has achieved FedRAMP for a special deployment of its suite of solutions operating in a government-only cloud.
Book a demo to learn more.