Lawsuit accuses Trump administration of violating federal information security law
A lawsuit filed Monday against Trump administration officials and members of the Department of Government Efficiency (DOGE) focuses on the cybersecurity threats posed by the unprecedented access DOGE workers have to federal data systems.
The lawsuit filed by the Electronic Privacy Information Center and an anonymous federal worker alleges that DOGE has violated the Federal Information Security Modernization Act (FISMA), which requires agencies to deploy protections “commensurate with the risk and magnitude of the harm resulting from unauthorized access [or] use” of information systems.
National Institute of Standards and Technology (NIST) protocols also have been ignored by DOGE, the lawsuit contends. NIST publishes mandatory standards for federal agencies, directing them to provide “appropriate levels of information security according to a range of risk levels,” the lawsuit says, quoting the federal law laying out the NIST information security requirements..
The NIST standards mandate that federal agencies processing personally identifiable information adhere to established information security and privacy programs.
Calling DOGE’s access to information systems across federal agencies the “most consequential data breach in U.S. history,” the lawsuit seeks to stop the team's access and require it to delete data it has already obtained. DOGE is officially housed within the White House, but much of its work has been conducted in other areas of the executive branch.
DOGE workers have allegedly connected hard drives and at least one server to federal information systems, the lawsuit says.
“The use of unauthorized and unsecured information technology to access, view, store, or disseminate sensitive information creates increased vulnerability to illegal exfiltration by actors unaffiliated with the federal government or DOGE,” the lawsuit asserts.
Specifically, data at at the Office of Personnel Management (OPM) and the Treasury Department “are rich targets for cyberattacks both by criminals and by foreign adversaries.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.