Full opinion text
MEMORANDUM OPINION AMY BERMAN JACKSON, United States District Judge INTRODUCTION In June of 2016, millions of unsuspecting federal employees sat down at their computers, opened up their email, and received some very disconcerting news. I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information. Over time, OPM revealed that data breaches at the agency and at one of its contractors affected more than twenty-one million people, and that the stolen information included such sensitive data as names, birthdates, current and former addresses, and Social Security numbers. After those announcements, a number of plaintiffs filed separate lawsuits in courts across the country, and they were consolidated into two complaints in the multidistrict action assigned to this Court. The first complaint is: a class action lawsuit filed by thirty-eight individuals and a union, the American Federation of Government Employees (“AFGE”). See Consolidated ■ Amended Complaint [Dkt. # 63] (“CAC”). Plaintiffs allege that the breaches resulted from gross negligence on the part of officials entrusted with.the responsibility of protecting the private details that job seekers submit to OPM in connection with the background investigations they are required to undergo. They have sued on behalf of the 21.5 million current and former federal employees, job applicants, contractors, and relatives whose information was compromised, and they seek statutory damages under the Privacy Act, contract damages under the Little Tucker Act, and declaratory and injunctive relief under the Administrative Procedure Act, These plaintiffs have also sued KeyPoint Government Solutions, a government contractor that, performed background investigations for OPM. KeyPoint’s computer systems were also breached, and plaintiffs seek damages from the company under multiple federal and state statutory and common law theories. Defendants have moved to dismiss the entire case on the grounds - that plaintiffs lack standing to bring it, the claims are barred by sovereign immunity, and the factual allegations are not sufficient to state valid claims under any of the statutes or common law theories plaintiffs have invoked. The second complaint before the Court was filed by three individuals and the National Treasury Employees Union (“NTEU”). Ain. Compl.. ' [Dkt. #75] (“NTEU Compl.”). These plaintiffs sued the OPM Acting Director only, and they claim that their constitutional right to informational privacy was violated. Defendant has moved to dismiss that case as well, on both standing grounds and the basis that the plaintiffs have failed to allege a constitutional violation that is recognized by the courts. The OPM breaches have been the subject of considerable. public interest and multiple Congressional hearings and reports. The fact that the breaches occurred is not disputed, and the identities of the individuals whose information was compromised are known. There is no doubt that something bad happened, and many people are understandably chagrined and -concerned. In these lawsuits, plaintiffs seek to demonstrate that the agency’s failures were willful — that the defendants were on notice that hackers regularly targeted their systems, but they failed to design and maintain adequate safeguards. Plaintiffs also, contend that their sensitive information remains subject to a continuing risk of additional exposure due to an ongoing failure to secure it. This opinion will not get into the merits of those contentions. At this stage of the proceedings,-the Court is required to accept all of plaintiffs’ factual assertions as true, and nothing that follows should be read as any indication of the Court’s view of the strength of plaintiffs’ troubling ¿negations. Before the parties can explore the facts, though, the Court is required to answer a foundational question: whether plaintiffs have set forth a cause of action that a court has the power to hear. The judiciary does not operate as a freestanding advisory board that can opine about the conduct of the executive branch as a general matter or oversee how it manages its internal operations. The Court’s authority is derived from Article III of the U.S. Constitution, and a federal court may only consider live cases or controversies based on events that caused actual injuries or created real threats of imminent harm to the particular individuals who brought the case. In other words, before a court may proceed to the merits of any claim, the plaintiffs must demonstrate that they have constitutional “standing” to sue. Also, a court may not entertain an action against the United States if the government has not expressly waived its sovereign immunity, that is, unless it has given its consent to be sued in that particular situation. And once a plaintiff overcomes those hurdles, he or she must state a valid legal claim. This case implicates the constitutional limits on the Court’s jurisdiction' imposed by both the standing doctrine and the doctrine of sovereign immunity, and it involves unique factual circumstances. Neither the Supreme Court nor the • U.S. Court of Appeals for the D.C. Circuit has held that the fact that a person’s data was taken is enough by itself to create standing to sue; a plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat' of future harm must show that the harm is certainly- impending or that the risk is substantial. The fact that -this is not just a data breach cases but that it is a data breach arising out of a particular sort of cyberattack against the United States, differentiates it from the majority of the legal precedent that arises in the context of retail establishments or other financial entities. Courts in those cases often make certain assumptions about the likelihood of future harm in order to find that the elements needed to initiate a case have been satisfied. Here, the usual assumptions about why the information was stolen and what is likely to be done with it in the future do not apply and cannot fill, the gap. As for those plaintiffs who allege that they have already experienced an actual misuse of their credit card numbers or personal information, they cannot tie those disparate incidents to this breach. It may well be that the Supreme Court or the D.C. Circuit will someday announce that given the potential for harm inherent in any cyberattack, breach victims automatically have standing even if the harm has yet to materialize, and even if the purpose behind the -breach and the nature of any future harm have yet to be discerned. But that has not happened yet, and the Court is not empowered to expand the limits of its own authority, so it cannot find that plaintiffs have standing based on this record. Even if the Court were inclined to anticipate that this is where the law is heading, the problem runs deeper than standing. The right to bring a claim for damages under the Privacy Act is expressly limited to those who can demonstrate that they have suffered actual economic harm as a result of the government’s statutory violation. The law is clear that the statute does not create a cause of action for those who have been merely aggrieved by, or are even actively worried about, the fact that their information has been taken. Neither the Administrative Procedure Act nor the Little Tucker Act supplies a cause of action against the government to enforce its information security obligations, and no court has expressly recognized a right to data security arising under the Constitution. Therefore, defendants’ motions to dismiss will be granted, and both cases will be dismissed in their entirety. The Court finds, applying the case law it is required to follow, that neither set of plaintiffs has pled sufficient facts to demonstrate that they have standing. Moreover, even if they had the right to enter the courthouse, they did not bring a claim with them that the Court can hear. Plaintiffs have failed to overcome the arguments that the federal defendants are immune from suit under the Privacy Act and the Administrative Procedure Act, and that KeyPoint is shielded by government contractor immunity, so the Court lacks subject matter jurisdiction to hear those claims. Moreover, the Court finds that plaintiffs have failed to state claims upon which relief can be granted. Plaintiffs seek damages for improper disclosure of information and for a failure to maintain adequate safeguards under the Privacy Act, but they have not alleged that private information was “disclosed,” as opposed to stolen, and they have not alleged facts to show that their claimed injuries were the result of the agency’s failures. Plaintiffs have not stated a claim for breach of contract under the Little Tucker Act since they have not shown that OPM entered into a contract with them or that any contract was breached, and they have not alleged any violation of the United States Constitution. TABLE OF CONTENTS FACTUAL BACKGROUND.. .11 I. The Data Breaches... 11 II. The Targeted Systems and Compromised Information... 12 III. OPM’s Knowledge of the Deficiencies and Response to the Breaches... 12 IV. Plaintiffs’ Alleged Harm... 13 A. Actual Identity Theft or Credit Card Fraud...14 B. Risk of Future Identity Theft and Other Harm Associated with that Risk... 14 PROCEDURAL HISTORY... 14 STANDARD OF REVIEW.. .15 I. Lack of Subject Matter Jurisdiction ... 16 II. Failure to State a Claim... 16 ANALYSIS... 17 I. Plaintiffs Do Not Have Standing. . .17 A. Legal Framework.. .18 1. Individual Standing.. .18 2. Organizational Standing.. .19 B. Plaintiffs have Failed to Show that They have Article III Standing... 19 1. Injury in Fact... 19 a. Theft of Private Information Without More... 19 b. Actual Identity Theft or Fraudulent Credit Card Activity.. .26 c. Future Identity Theft and Other Future Harms.. .28 2.Causation... 36 II. Plaintiffs’ Claims Cannot Proceed ... 39 A. Claims Against OPM... 39 1. Plaintiffs’ Privacy Act claims must be dismissed... 39 a. All but two CAC plaintiffs fail to plead actual damages, and therefore the Court lacks subject matter jurisdiction to hear their claims.. .39 b. The disclosure provision claim fails because OPM did not intentionally or willfully disclose plaintiffs’ information within the meaning of the Act.. .40 c. While plaintiffs have alleged a willful violation of the safeguards provision of the Privacy Act, their claim fails because they do not allege sufficient facts to show that their injuries were “a result of’ OPM’s conduct.. .40 2. Plaintiffs fail to state a claim under the Little Tucker Act... 42 3. The Court lacks subject matter jurisdiction to hear plaintiffs’ claim under the APA.. .43 4. The NTEU plaintiffs fail to state a constitutional claim.. .44 B. Claims Against KeyPoint... 47 1. KeyPoint has derivative immunity because it was a government contractor. . .48 2. Plaintiffs do not adequately identify a portion of KeyPoint’s contract with OPM that KeyPoint breached...48 3.Even if KeyPoint acted negligently, it did not lose its sovereign immunity. . .49 C.Claims against both defendants for declaratory judgment and injunctive relief will be dismissed for lack of subject matter jurisdiction... 50 CONCLUSION.. .51 FACTUAL BACKGROUND Defendant OPM is a federal agency that handles portions of the federal employee recruitment process. CAC ¶ 52; NTEU Compl. ¶¶ 10-11. Defendant KeyPoint Government Solutions is a private contractor that conducts background investigations and security clearance checks on behalf of OPM. CAC ¶ 53. I. . The Data Breaches The CAC plaintiffs allege that four breaches occurred in 2013 and 2014. • On November 1, 2013, hackers “infiltrated” OPM’s systems and stole “security system documents and electronic manuals” about the agency’s systems, although no individual personal information was stolen. CAC ¶ 125; see also CAC ¶ 3. • About a month later, in about December 2013, KeyPoint experienced a breach. “[A]n unknown person or persons obtained the user log-in credentials of a KeyPoint employee,” and the credentials were used to “steal the personnel records of tens of thousands of Department of Homeland Security employees” from KeyPoint’s systems. CAC ¶ 4. • On May 7,2014, hackers used “stolen KeyPoint credentials” to access OPM’s network and install malware, creating “a conduit through which data could be exfiltrated.” CAC ¶ 127. This breach “resulted in the theft of nearly 21.5 million background investigation records,” which included “questionnaire forms containing highly sensitive personal, family, financial, medical, and associational information of Class members.” CAC ¶ 129; see also NTEU Compl, ¶ 19. • Finally, “[n]o. later than October 2014,” hackers attacked “OPM systems maintained in an Interior Department shared-services data center.” 'CAC ¶ 131; 'see afeo‘NTEU Compl. ¶ 14. Hackers “use[d] the stolen KeyPoint credentials to access systems within OPM’s network at will” and maintained access to OPM’s network for • “several months,” removing, “millions of personnel records,” resulting in “the loss of approximately 4.2 million federal employees’ personnel files.” CAC ¶¶ 131,133. II. The Targeted Systems and Compromised Information The CAC plaintiffs allege that the nature and scope of the data breaches “indicate that the intrusion was sophisticated, malicious, and carried out to obtain sensitive data for improper use.” CAC ¶¶ 117, 128, 132. Both complaints allege that the cyberattacks removed data from OPM computer systems and databases, including OPM’s Electronic Official Personnel Folder system and the Central Verification System. See CAC ¶¶ 64-65, 74, 130; NTEU Compl. ¶¶ 10-12 (describing relevant OPM systems). The Electronic Official Personnel Folder system stores personnel files of. federal employees. CAC ¶¶74, 130. These files include “birth certificates, job performance reports, resumes, school transcripts, military service records, employment history and benefits, and job applications that contain Social Security numbers and birth-dates.” CAC ¶ 74; NTEU Compl. ¶10. The Central Verification System “contains most background and security clearance check information,” including information from the three forms — Standard Form (“SF”) 85, SF 85P, and SF 86 — that applicants for federal positions and security clearances must complete. CAC ¶¶ 66, 69, 70. This system also contains information on security clearances, investigations, suitability determinations, background checks for those seeking access’to federal facilities, and polygraph data. CAC ¶¶ 72, 73; NTEU Compl. ¶ 12. III. OPM’s Knowledge of the Deficiencies and Response to the Breaches Both plaintiff groups allege that OPM “knew for several years” before the breaches that its “information security governance and management protocols contained 'material weaknesses that posed a significant threat to its systems.” CAC ¶90; NTEU Compl. at 3 (alleging OPM had been “on notice of serious flaws in its data, system security”). The Consolidated Amended Complaint states that the OPM Inspector General’s annual audits of cy-bersecurity from . 2007 to the present “found that OPM’s information security policies and practices suffered from material weaknesses” that “pose an immediate risk to the security of assets or operations.” CAC ¶¶ 81,. 84, 86-88; NTEU Compl. at 3 (alleging the Inspector General’s office had “identified numerous significant deficiencies, including deficiencies related to OPM’s decentralized security governance structure, its failure to. ensure that its information technology systems met applicable .security standards, and its failure to ensure that adequate technical security controls were in place for all servers and databases”). After learning of the breaches, OPM issued a series of announcements to the public and affected individuals. With each revelation, the reported scope of the breach and the number of people affected increased. On April 27, 2015; OPM notified “more than 48,000 federal employees that their personal information might have been exposed in the KeyPoint Breach.” CAC ¶ 120. On June 4, 2015, it announced that it had experienced a data breach that “resulted in the exposure and theft of the [government investigation information] of approximately 4.2 million current, former, and prospective federal employees and contractors.” CAC ¶ 138. On June 12, 2015, OPM acknowledged that the scope of breach was broader than previously disclosed and that “as many as 14 million current, former, and prospective federal employees and contractors” were affected. CAC ¶ 139. On July 9, 2015, OPM announced that the information “of approximately 21.6 million people had been exposed and stolen in the May 2014 breach,” including the theft of 1.1 million fingerprints. CAC ¶ 140. Of the 21.5 million people affected, 19.7 million had undergone background checks. The other 1.8 million records concerned “mostly job applicants’ spouses, children, and other cohabitants.” CAC ¶ 140. On September 23, 2015, OPM announced that not 1.1 million, but approximately 5.6 million, fingerprints had been stolem CAC ¶ 141. The agency notified each individual whose private information had been compromised and offered free identity theft protection services at “a combined cost of approximately $154 million ... for either 18 months or three years, depending on the amount and sensitivity of the compromised [information].” CAC ¶¶ 148; 150. IV. Plaintiffs’ Alleged Harm The CAC plaintiffs allege that each of the thirty-eight named plaintiffs submitted sensitive personal information to the federal government that was compromised in the breaches. See CAC ¶¶ 10, 13-50; see also CAC ¶ 1. The NTEU plaintiffs allege that the three named plaintiffs and an unknown number of NTEU members were “identified by OPM as having been affected by the breaches.” NTEU Compl. ¶ 59. Plaintiffs assert that the data breaches occurred as á result of defendants’ failure to secure their systems, CAC ¶ 1, and that all of the putative class members are subject to a continuing risk of additional exposure since that failure is ongoing. CAC ¶ 7. The coniplaints allege that plaintiffs have sustained and will continue to sustain “economic loss and other harm,” CAC ¶ 163; that they have suffered “stress,” CAC ¶¶13, 18, 19, 22-25, 28, 30-31, 35, 37, 42-44, 46, 60; or a loss to their “sense of security,” NTEU Compl. ¶ 78; and that they face an increased risk of expending time and money dealing with such consequences as identity theft and fraud in the future. CAC ¶ 163. The complaints contain a range of allegations concerning the nature of the particular harm suffered by class members. A. Actual Identity Theft or Credit Card Fraud A number of plaintiffs allege that they have experienced actual identity theft or credit card fraud. • Fourteen CAC plaintiffs and one of the three NTEU plaintiffs allege that at some point after they were informed of the breaches, they learned that unauthorized charges had been made to their existing credit card accounts or that fraudulent accounts were opened in them names. See CAC ¶¶ 13, 16, 19, 22, 28-31, 38, 39, 41, 45, 49, 50; NTEU Compl. ¶ 84. • Four CAC plaintiffs allege that they experienced unauthorized credit inquiries. CAC ¶¶ 13,14, 29, 31. • Six CAC plaintiffs and one NTEU plaintiff allege that fraudulent tax returns were filed in their names. CAC ¶¶ 14, 21, 24, 28, 31, 32; NTEU Compl. ¶ 79. • Four CAC plaintiffs allege that there was some other improper use of their own or a family member’s Social Security number. CAC ¶¶ 14, 17, 41, 50. B. Risk of Future Identity Theft and Other Harm Associated with that Risk Both sets of plaintiffs claim that they have suffered harm as result of the breaches because they face an increased risk of identity theft in the future. CAC ¶¶ 7, 210; NTEU Compl. ¶ 92. Nearly all of the named CAC plaintiffs — thirty-four out of thirty-eight — allege that after learning about the breaches, they devoted some time and effort to preventing future identity theft. See, e.g., CAC ¶¶ 13-22, 25-34, 36-44, 46-50 (alleging that exposure to the breach caused plaintiffs to review their financial accounts or credit reports with greater frequency, or that they placed freezes on their credit). Of those plaintiffs, seven allege that they spent money to purchased credit monitoring and protection services or incurred other expenses to prevent future identity theft. See, e.g., CAC ¶¶ 17, 21, 25, 34, 41. And numerous plaintiffs allege that they “suffer stress” due to their concerns about future identity theft or a sense of vulnerability to some other harm. See CAC ¶¶ 18-19, 22-25, 28, 35, 37, 43-44 (expressing concerns for their safety or the safety of their family members); CAC ¶¶ 18-30, 43, 46 (expressing concern about an inability to obtain a security clearance in the future); CAC ¶¶ 19, 23-24, 42-44 (expressing fear about future identity theft); CAC ¶¶ 19, 31, 50 (alleging “stress resulting from concerns that her exposure to the Data Breaches will adversely affect her minor children’s future”); see also NTEU Compl. ¶ 94 (expressing anxiety over the effect the data breaches will have on them, their families, friends, and other associates). PROCEDURAL HISTORY A number of lawsuits were filed around the country after the data breaches at OPM and KeyPoint were announced. The United States Judicial Panel on Multidis-trict Litigation transferred all actions that were pending elsewhere to this Court for coordinated or consolidated proceedings pursuant to 28 U.S.C. § 1407 [Dkt. # 1], and plaintiffs filed two amended complaints, which are the operative documents in this matter. See Order (Dec. 15, 2015) [Dkt. # 19]. ' The plaintiffs in the Consolidated Amended Complaint assert that OPM violated the Privacy Act, the Little Tucker Act, and the Administrative Procedure Act (“APA”), and that KeyPoint is liable for negligence, negligent misrepresentation and concealment, invasion of privacy, breach of contract, and violations of the Fair Credit Reporting Act and various state statutes governing unfair and deceptive trade practices and data security. CAC ¶¶ 175-275. They seek declaratory and injunctive relief against both defendants. CAC at 75-76 (Prayer for Relief). OPM and KeyPoint each filed motions to dismiss the CAC, arguing that the Court lacks subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) because plaintiffs do not have standing and defendants are shielded by sovereign immunity, and that plaintiffs failed to state a claim under Rule 12(b)(6). See KeyPoint’s Mot. to Dismiss CAC & Mem. of Law in Supp. [Dkt. #70] (“KeyPoint Mem”), Fed. Def.’s Mot. to Dismiss CAC and Mem. of P. & A. in Supp. [Dkt. #72] (“OPM’s Mem.”); Pis.’ Consol. Opp. to Defs.’ Mots. To Dismiss [Dkt. # 82] (“CAC Pis.’ Opp.”); KeyPoint’s Reply [Dkt. # 86]; Fed. Def.’s Reply [Dkt. # 87]. The NTEU plaintiffs assert a single claim against the Acting Director of OPM, alleging that the agency violated their constitutional right to informational privacy. NTEU Compl. ¶¶ 95-98. They seek declaratory and injunctive relief. NTEU Compl. at 34-85 (Request for Relief). OPM has moved to dismiss the NTEU complaint for lack of standing and for failure to state a claim. See Fed. Defs.’ Mot. to Dismiss NTEU Compl. [Dkt. #81]; Mem: in Supp. [Dkt. # 81-1]; NTEU Pis.’ Opp. to OPM’s NTEU Mot. [Dkt. #84] (“NTEU’s Opp.”); Fed. Def.’s Reply Mem. in Supp. of Mot) to Dismiss [Dkt. # 91]. The Court heard oral argument on the motions, and the motions are fully briefed. STANDARD OF REVIEW In evaluating a motion to dismiss under either Rule 12(b)(1) or 12(b)(6), the Court must “treat the complaint’s factual allegations as true ... .and must grant plaintiff ‘the benefit of all inferences that can be derived from the facts alleged.’” Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C. Cir. 2000) (internal citations omitted), quoting Schuler v. Unit ed States, 617 F.2d 605, 608 (D.C. Cir. 1979); see also Am. Nat’l Ins. Co. v. FDIC, 642 F.3d 1137, 1139 (D.C. Cir. 2011). Nevertheless, the Court need not accept inferences drawn by the plaintiff if those inferences are unsupported by facts alleged in, the complaint, nor must the Court accept plaintiffs legal conclusions. Browning v. Clinton, 292 F.3d 235, 242 (D.C. Cir. 2002). I. Lack of Subject Matter Jurisdiction Under Rule 12(b)(1), the plaintiff bears the burden of establishing jurisdiction by a preponderance of the evidence. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992); Shekoyan v. Sibley Int'l Corp., 217 F.Supp.2d 59, 63 (D.D.C. 2002). Federal courts are courts of limited jurisdiction and the law presumes that “a cause lies outside this limited jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377, 114 S.Ct. 1673, 128 L.Ed.2d 391 (1994); see also Gen. Motors Corp. v. EPA, 363 F.3d 442, 448 (D.C. Cir. 2004) (“As a court of limited jurisdiction, we begin, and end, with an examination of our jurisdiction.”). “[B]ecause subject-matter jurisdiction is ‘an' Art[icle] III as well as a statutory requirement ... no action of the parties can confer subject-matter jurisdiction upon .a federal court.’ ” Akinseye v. District of Columbia, 339 F.3d 970, 971 (D.C. Cir. 2003), quoting Ins. Corp. of Ir., Ltd. v. Compagnie des Bauxites de Guinee, 456 U.S. 694, 702, 102 S.Ct. 2099, 72 L.Ed.2d 492 (1982). When considering a motion to dismiss for lack of jurisdiction, unlike when deciding a motion to dismiss under Rule 12(b)(6), the court “is not limited to the allegations of the complaint.” Hohri v. United States, 782 F.2d 227, 241 (D.C. Cir. 1986), vacated on other grounds, 482 U.S. 64, 107 S.Ct. 2246, 96 L.Ed.2d 51 (1987). Rather, “a court may consider such materials outside the pleadings as it deems appropriate to resolve the question [of] whether it. has jurisdiction to hear the case.” Scolaro v. D.C. Bd. of Elections & Ethics, 104 F.Supp.2d 18, 22 (D.D.C. 2000), citing Herbert v. Nat’l Acad. of Scis., 974 F.2d 192, 197 (D.C. Cir. 1992); see also Jerome Stevens Pharm., Inc. v. FDA, 402 F.3d 1249, 1253 (D.C. Cir. 2005). Furthermore, when a government agency is the defendant, additional jurisdictional considerations apply. The United States is not amenable to suit in the federal courts absent an express waiver of sovereign immunity. Anderson v. Carter, 802 F.3d 4, 8 (D.C. Cir. 2015), citing United States v. Mitchell, 463 U.S. 206, 212, 103 S.Ct. 2961, 77 L.Ed.2d 580 (1983). Sovereign immunity is “jurisdictional in nature.” Perry Capital LLC v. Mnuchin, 864 F.3d 591, 619 (D.C. Cir. 2017), quoting FDIC v. Meyer, 510 U.S. 471, 475, 114 S.Ct. 996, 127 L.Ed.2d 308 (1994). When it has not been waived, sovereign immunity shields the federal government, its agencies, and federal officials acting in their official capacities from suit. Meyer, 510 U.S. at 475, 114 S.Ct. 996 (the federal government and its agencies); Kentucky v. Graham, 473 U.S. 159, 166-67, 105 S.Ct. 3099, 87 L.Ed.2d 114 (1985) (federal officials in their official capacities). II. Failure to State a Claim “To survive a [Rule 12(b)(6) ] motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009), quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). In Iqbal, the Supreme Court reiterated the two principles underlying its decision in Twombly. “First, the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions,” and “[s]econd, only a complaint that states a plausible claim for relief survives a motion to dismiss.” Id. at 678-79, 129 S.Ct. 1937. A claim is facially plausible when the pleaded factual content “allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678, 129 S.Ct. 1937, citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id., quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955. A pleading must offer more than “labels and conclusions” or a “formulaic recitation of the elements of a cause of action,” id., quoting Twombly, 550 U.S. at 555, 127 S.Ct. 1955, and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id., citing Twombly, 550 U.S. at 555, 127 S.Ct. 1955. When considering a motion , to dismiss under Rule 12(b)(6), the Court.is bound to construe a complaint liberally in the plaintiffs favor, and it should grant the plaintiff “the benefit of all inferences that can be derived from the facts alleged.” Kowal v. MCI Commc’ns Corp., 16 F.3d 1271, 1276 (D.C. Cir. 1994). Nevertheless, the Court need not accept inferences drawn by the plaintiff if those inferences are unsupported by facts alleged in the complaint, nor must the Court accept plaintiffs legal conclusions. See id.; see also Browning, 292 F.3d at 242. In ruling upon a motion to dismiss for failure to state a claim, a court may ordinarily consider only “the facts alleged in the complaint, documents attached as exhibits or incorporated by reference. in the complaint, and matters about which the Court may take judicial notice.” Gustave-Schmidt v. Chao, 226 F.Supp.2d 191, 196 (D.D.C. 2002), citing EEOC v. St. Francis Xavier Parochial Sch., 117 F.3d 621, 624-25 (D.C. Cir. 1997). ANALYSIS Defendants seek to dismiss both complaints for lack of subject matter jurisdiction on the grounds that plaintiffs lack standing and that there has not been a valid waiver of sovereign immunity, and they have also moved to dismiss for failure to state a claim. Courts must determine whether they have jurisdiction to hear a case before considering whether plaintiffs have failed to state a claim. Hancock v. Urban Outfitters, 830 F.3d 511, 513 (D.C. Cir. 2016) (“Federal courts cannot address the merits of a case until jurisdiction — the power to decide — is established”) Accordingly, the Court will address .the issue of plaintiffs’ standing first.. I.. Plaintiffs Do Not Have Standing. “To state a case or controversy under Article III, a plaintiff must establish standing.” Ariz. Christian Sch. Tuition Org. v. Winn, 563 U.S. 125, 133, 131 S.Ct. 1436, 179 L.Ed.2d 523 (2011), citing Allen v. Wright, 468 U.S. 737, 751, 104 S.Ct. 3315, 82 L.Ed.2d 556 (1984); see also Lujan, 504 U.S. at 560, 112 S.Ct. 2130. Standing is a necessary predicate to any exercise of federal jurisdiction; if it is lacking, then the dispute is not a proper case or controversy under Article III, and federal courts, have no subject matter jurisdiction to decide the case. Dominguez v. UAL Corp., 666 F.3d 1359, 1361 (D.C. Cir. 2012). Plaintiffs must demonstrate standing for each claim they assert. DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006) (holding that “our standing cases confirm that a plaintiff must demonstrate standing for each claim he seeks to press”); see also Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 185, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). And each plaintiff must demonstrate standing, including in a putative class action. See Lujan, 504 U.S. at 563, 112 S.Ct. 2130 (“The ‘injury in fact’ test ... requires that the party seeking review be himself among the injured.”), quoting Sierra Club v. Morton, 405 U.S. 727, 734, 92 S.Ct. 1361, 31 L.Ed.2d 636 (1972); see also Warth v. Seldin, 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) (named plaintiffs in a putative class action “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent”). The party invoking federal jurisdiction bears the burden of establishing standing. Lujan, 504 U.S. at 561, 112 S.Ct. 2130. When reviewing the standing question, the Court must be “careful not to decide the questions on the merits for or against the plaintiff, and must therefore assume that on the merits the plaintiffs would be successful in their claims.” In re Navy Chaplaincy, 534 F.3d 756, 760 (D.C. Cir. 2008), quoting City of Waukesha v. EPA, 320 F.3d 228, 235 (D.C. Cir. 2003). A. Legal Framework To establish constitutional standing, plaintiffs must show that (1) they have suffered an “injury in fact,” (2) the injury is “fairly ... trace[able] to the challenged action of the defendant,” and (3) it is “‘likely,’ as opposed to merely ‘speculative,’that the injury will be ‘redressed by a favorable decision.’” Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130 (citations omitted); see also Friends of the Earth, Inc., 528 U.S. at 180-81, 120 S.Ct. 693. 1. Individual Standing Individual plaintiffs must satisfy all three of the Lujan elements. To allege the first element, injury in fact, plaintiffs must demonstrate that they “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc. v. Robins, — U.S. -, 136 S.Ct. 1540, 1548, 194 L.Ed.2d 635 (2016), quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130. To be “concrete,” the injury “must actually exist,” meaning that it is real, and not abstract, although concreteness is “not ... necessarily synonymous with ‘tangible.’ ” Id. at 1548-49. And to be “particularized,” the injury must affect a plaintiff “in a personal and individual way.” Id. at 1548, quoting Lujan, 504 U.S. at 560 n.1, 112 S.Ct. 2130. Further, the injury must be “actual,” or it must be “imminent” — that is, the “threatened injury must be certainly impending to constitute injury in fact.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 410, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013); see also Pub. Citizen, Inc. v. Nat’l Highway Traffic Safety Admin., 489 F.3d 1279, 1293 (D.C. Cir. 2007) (the injury must be “certainly impending and immediate — not remote, speculative, conjectural, or hypothetical”). Or, as the D.C. Circuit has recently pointed out, the Supreme Court has “also noted that in some cases it has ‘found standing based on a substantial risk that the harm will occur.’ ” Attias v. CareFirst, Inc., 865 F.3d 620, 626 (D.C. Cir. 2017), quoting Clapper, 568 U.S. at 414 n.5, 133 S.Ct. 1138. To establish the second element, and show that an injury is “fairly traceable” to a defendant’s action, a plaintiff must allege a causal connection between the alleged injury and the defendant’s conduct at issue. Ctr. for Law & Educ. v. Dep’t of Educ., 396 F.3d 1152, 1157 (D.C. Cir. 2005). The alleged harm cannot be “the result of the independent action of some third party not before the court.” Food & Water Watch v. EPA, 5 F.Supp.3d 62, 73 (D.D.C. 2013), quoting Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130. “But Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs’ injuries; it requires only that those injuries be ‘fairly traceable’ to the defendant.” Attias, 865 F.3d at 629. Finally, to be “redressable,” the alleged injury must be one that a court order in favor of the plaintiff would be “likely” to address the harm. Lujan, 504 U.S. at 560-61, 112 S.Ct. 2130. 2. Organizational Standing The standing requirements that apply to individuals also apply to organizations, such as the two unions that are plaintiffs: AFGE and NTEU. Nat’l Treasury Emps. Union v. United States, 101 F.3d 1423, 1427 (D.C. Cir. 1996), citing Havens Realty Corp. v. Coleman, 455 U.S. 363, 378, 102 S.Ct. 1114, 71 L.Ed.2d 214 (1982). Organizations may assert standing on their own behalf under certain circumstances, or they may seek representational standing on behalf of their members. Nat’l Ass’n of Home Builders v. EPA, 667 F.3d 6, 12 (D.C. Cir. 2011). To assert organizational standing, an organization must allege “such a ‘personal stake’ in the outcome of the controversy as to warrant the invocation of federal-court jurisdiction,” and must show “concrete and demonstrable injury to the organization’s activities — with [a] consequent drain on the organization’s resources — constituting] ... more than simply a setback to the organization’s abstract social interests.” Nat'l Taxpayers Union, Inc. v. United States, 68 F.3d 1428, 1433 (D.C. Cir. 1995) (alterations in original), quoting Havens Realty, 455 U.S. at 378-79, 102 S.Ct. 1114. To assert representational standing on behalf of its members, an organization must show that “(a) its members would otherwise have standing to sue in their own right; (b) the interests it seeks to protect are germane to the organization’s purpose; and (c) neither the claim asserted nor the relief requested requires the participation of individual members in the lawsuit.” Nat’l Ass’n of Home Builders, 667 F.3d at 12, quoting Ass’n of Flight Attendants-CWA v. U.S. Dep’t of Transp., 564 F.3d 462, 464 (D.C. Cir. 2009). B. Plaintiffs have Failed to Show that They have Article III Standing Plaintiffs allege that some of them have incurred actual out-of-pocket expenses, that others have expended time and effort, and that others have experienced emotional distress or may be subject to identity theft or some other harm in the future. Plaintiffs also contend that all of them have suffered the injury of the breach itself. The Court is not persuaded that the factual allegations in the complaints are sufficient to establish constitutional standing. 1. Injury in Fact a. Theft of Private Information Without More At oral argument, counsel for the CAC plaintiffs took to the lectern to advocate a new basis for standing that had not been set forth in any prior consolidated pleading: that the release or theft of private information — as opposed to any actual or even threatened misuse of that information — is itself the injury in fact for standing purposes in a Privacy Act case. Hr’g Tr. [Dkt. # 98] at 26-28 (“I don’t think you get. to the question 'of imminence because we’re not talking about a risk of future injury; the injury happened; .... [Wje’re not premising the Court’s Article III standing on a risk of future injury, we’re premising it on an injury that has 'occurred and has been recognized at common law.”). In other words, if your personal information was included in the material accessed in a data breach, you automatically have standing to bring an action predicated on a violation of the Privacy Act. See NTE-U Compl. ¶ 76 (alleging that harm “occurred the moment that [plaintiffs’] inherently personal information .,. was taken by unauthorized intruders from OPM’s databases”). While one could make a compelling argument that this would be an appropriate principle to adopt in data breach cases given the volume, sensitivity, -and vulnerability of computerized private- infoiv mation, .the - Court is not .writing a .law review article. Therefore, it cannot ignore the fact that, neither the Supreme Court nor the D.C. Circuit has embraced this categorical- approach to standing to date. In the absence.of authority to support plaintiffs’, proposal, it is not up to the Court to .expand the constitutional limitar tions. on its jurisdiction-on.its .own initiative, particularly when considerations of sovereign immunity and separation of powers concerns are also involved. See Spokeo, 136 S.Ct. at 1547 (the standing doctrine developed “to ensure that federal courts do not exceed their authority as it has been traditionally understood”). Therefore, the Court believes that it is constrained to find that plaintiffs cannot predicate standing on the basis of the breach alone. . At the hearing, plaintiffs pointed to Doe v. Chao, 540 U.S. 614, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004), as support -.for the notion that, “the- release itself is the injury.” Hr’g Tr. at 32. But the case does not stand for that proposition. - In Doe, the Supreme Court held that a plaintiff must suffer actual damages to bring a claim under Privacy Act. Id. at 616, 124 S.Ct. 1204. In the course of the opinion,, the Court noted that the petitioner had argued against that interpretation; he pointed out that in subsection (g)(1) of the statute, Congress expressly granted any individual who suffered -an “adverse effect” as a result of an agency’s failure to comply with the Act the right to sue that agency without any further limitation. Id. at 624, 124 S.Ct. 1204. In responding to that argument, the Court stated: [T]he reference in § 552a(g)(l)(D) to ‘adverse effect’ acts as a term of art identifying a potential plaintiff who satisfies the injury-in-fact and causation requirements of Article III standing, and who may consequently-bring a civil action without suffering dismissal for want of standing to sue. That is, an individual subjected to an adverse effect has injury enough to open the courthouse door, but without more has no cause-of action for damages under the Privacy Act. Id. at 624-25, 124 S.Ct. 1204. That discussion does not necessarily mean that anyone whose information .was included in a data breach automatically “has injury enough to open the courthouse door;” the statutory reference to an adverse “effect” seems to imply that there is a need for individualized consequences beyond the mere fact that a release took place, and Doe himself alleged that ‘ he suffered from emotional distress. See id. at 617-18, 124 S.Ct. 1204. And the Court in Doe did not purport to answer the question of whether the release of private information alone is an “adverse effect.” Plaintiffs also insisted that this issue was “specifically considered” in In re Department of Veterans Affairs Data Theft Litigation, No. 06-0506, 2007 WL 7621261 (D.D.C. Nov. 16, 2007) (“VA Data Theft Litig,”). Hr’g Tr. at 27 (“[T]he Court said yes, that’s an adverse effect, that-gives rise to Article III standing,”); see also Hr’g Tr, at 27-28 (“[Tjhe injury occurs, at that moment. And this is a precise issue that the Court looked at in the' VA Laptops case.”). It is true that the VA Data Theft opinion denied a motion to dismiss for lack of subject matter jurisdiction. But the court in that case did not consider at any point whether a release, of data in and of itself constitutes an injury that would give rise to standing. The VA plaintiffs did not rely on the fact of the breach as the foundation for their suit; they specifically alleged that they had suffered pecuniary and emotional harm as a result of the theft, including the cost of credit reports and credit monitoring services, and mental anguish. VA Data Theft Litig., 2007 WL 7621261, at *3. The government moved to dismiss on the grounds that these allegations of harm were not tied to any particular plaintiff and that they were insufficiently detailed. Id, The court simply found the general allegations of monetary harm to be sufficient,, and it did not predicate its decision on the mere fact that the data had gone missing. Id. At the hearing, plaintiffs appeared to be drawing on the concepts underlying the Supreme Court’s decision in Spokeo when they maintained that they had standing simply because they were the victims of a Privacy Act violation: As I understand the Privacy Act, it’s really codifying common law privacy protection principles .... [T]his isn’t like a procedural violation case because the harm has occurred upon the release, and the reason is that the underlying claim is rooted in the common law protection of privacy principles. And so it was recognized at common law that if your private information was made public or there was an intrusion on your right to seclusion, the injury occurs at that moment. Hr’g Tr. at 26-28; see Spokeo, 136 S.Ct. at 1549. Plaintiffs acknowledged that Spokeo requires a would-be plaintiff to make a showing of harm, Hr’g Tr. at 28, but they maintained that the showing had been made in this case because it is inherent in the nature of the allegations. [I]t does cause harm .... [T]he harm is recognized at common law. So it’s not like a situation — let’s say it’s a Truth in Lending Act claim and' you have the right so some disclosure ... [and] it never had any impact on you whatsoever. That’s Spokeo. This is different. This is a common law right to the protection of your private facts. That right is infringed at the point when the release occurs. And the causation issue doesn’t enter in .... Hr’g Tr. at 28-29. What plaintiffs are suggesting, then, is that the challenged action that makes the defendant liable — in this case, a failure to prevent a breach — is also the harm: the loss of the data is the whole story. But adopting that approach would collapse the standing analysis in data breach cases entirely, answering both of the injury-in-fact inquiries — is the harm actual or imminent and is it concrete and particularized? — and the causation and redressability inquiries — is the injury fairly traceable to the defendant’s unlawful action and would the relief sought cure the harm? — with a single allegation: my data was involved. Adopting such a tautological approach would effectively eliminate the requirement to establish the elements of Article III standing in data breach cases brought against the government, and while the Supreme Court may be headed in that direction, it has not arrived there yet. A close reading of the majority opinion in the Spokeo case reveals that the Court did not relax traditional standing requirements — if anything, Spokeo reaffirmed the constitutional underpinnings of the doctrine — and it stopped short of the theory plaintiffs advance here. The holding addresses only one prong of the standing analysis — concreteness—and it left critical aspects of even that issue open for further development. While the Court opined that a violation of a statute enacted to protect rights that have traditionally been recognized in our courts could give rise to a concrete injury without more in some circumstances, it cautioned that it would not do so in all circumstances. And disappointing commentators everywhere, it left the delineation of the boundary for another day. Since isolated phrases from the opinion can point in different directions when lifted out of context, it is necessary to review the opinion of the Court in some detail. But the message to be gleaned from that analysis is that the holding underscored that an injury in fact predicated on a statutory violation — even a violation of a statute intended to protect a traditionally recognized personal right — must carry with it a risk of “real harm.” Spokeo, 136 S.Ct. at 1549. Spokeo is a firm that conducts searches of computerized databases to supply visitors to its website with information about the people they identify. Spokeo, 136 S.Ct. at 1544. The plaintiff, Robins, became aware that personal information that had been disseminated about him — including his age, marital status, and employment— was incorrect, and he instituted a class action against the company for violating the Fair Credit Reporting Act. Id. at 1546. The district court dismissed the action on the grounds that Robins had failed to allege the necessary injury in fact, but the Ninth Circuit reversed, finding that the allegation that Robins’s own statutory rights had been violated was sufficient. Id. The Supreme Court sent the case backi complaining that the Ninth Circuit had considered only the “particularized” portion of the requirement that an injury be “concrete and particularized,” and it called for the missing half of the review. Id. at 1549. The Spokeo analysis begins by reciting the holding in Lujan that “the ‘irreducible constitutional' minimum’ of standing consists of three elements”: injury in fact, traceability, and redressability, id. at 1547, quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130, and that a plaintiff must allege facts demonstrating each. Id., citing Warth, 422 U.S. at 518, 95 S.Ct. 2197. The Court reiterated that “[ijnjury in fact is a constitutional requirement, and ‘it is settled that Congress cannot erase Article Ill’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.’ ” Id. at 1547-48, quoting Raines v. Byrd, 521 U.S. 811, 820 n.3, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997). The Court listed the multiple components of the injury-in-fact element, but it went on to discuss just the particularization and concreteness requirements. Id. at 1548-50. The Court repeated that “for an injury to be ‘particularized,’ it must affect the plaintiff in a ‘personal and individual way.’” Id. at 1548, quoting Lujan, 504 U.S. at 560 n.1, 112 S.Ct. 2130. But it emphasized that particularization is “not sufficient. An injury in fact must also be ‘concrete.’” Id. (“We have made it clear time and time again that in injury in fact must be both concrete and particularized.”). The opinion went on to explain that while the injury must be “ (de facto,’ that is, it must actually exist,” and that it must be “‘real’ and not ‘abstract,’” it is not necessary that the injury be tangible to be concrete. Id. at 1548-49 (“[W]e have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.”). • How would one go about identifying an intangible harm that constitutes a concrete injury in fact? Writing for the Court, Justice Alito explained that “both history and the judgment of Congress play important roles.” Id. at 1549. [I]t is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts. In addition, because Congress is well-positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important. Id. (citations omitted). At the same time, the opinion cautioned that “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person ‘a statutory right and purports to authorize that person to sue to vindicate that right.” Id. (emphasis added). Article III standing requires a concrete injury even in the context of a statutory violation. For that reason, Robins could not, for example, allege a bare procedural violation, divorced from any concrete harm and satisfy the injury-in-fact requirement .... Id. Turning back to the other hand, Justice Alito went on: This does not mean, however, that the risk of real harm cannot satisfy the requirement of concreteness. For example, the law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure.Just as the common law permitted suit in such instances, the violation of a procedural right granted by statute cán be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the . one Congress has identified. Id. (emphasis added) (emphasis and citations omitted). Applying all of those general principles to the case before him, Justice Alito derived two conclusions: that Congress clearly intended to prevent the harm that had béfallen Robins, i.e., the dissemination of false information, when it enacted the provisions that were alleged to have been violated, but that Robins could not meet the requirements of Article III standing simply by alleging a “bare procedural violation.” Id. Since it was possible that a violation of one of the statute’s procedural requirements could result in no harm, the case was remanded to the Ninth Circuit to address “whether the particular procedural violations alleged ... entail a degree of risk sufficient to meet the concreteness requirement.” Id. at 1550. According to plaintiffs, their allegation of a statutory violation supplies a basis for standing since they suffered the harm of an intangible violation of their privacy — a harm traditionally recognized at common law that Congress specifically intended to protect when it enacted the statute in question. Hr’g Tr. at 28-29. But that is exactly what the Supreme Court found to be insufficient in Spokeo without a further showing that real harm, albeit even intangible harm, would necessarily follow. And the opinion was specifically limited to a consideration of the “concrete and particularized” element of an injury in fact; the Supreme Court did not hold that once a plaintiff has alleged an injury to a traditionally recognized intangible right that satisfies the concreteness requirement, there is no longer any need to establish that the harm is actual or imminent, or to satisfy the traceability or redressability requirements. This reading of Spokeo is consistent with the Circuit precedent that the Court is bound to follow; the Court of Appeals emphasized in Hancock v. Urban Outfitters that Spokeo did not alter the standing requirements. “Spokeo held that plaintiffs must have suffered an actual (or imminent) injury that is both particularized and ‘concrete ,,. even in the context of a statutory violation’ .... For that reason, a plaintiff cannot ‘allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.’ ” Hancock, 830 F.3d at 514, quoting Spokeo, 136 S.Ct. at 1549. In Hancock, there was no question that each of the plaintiffs was personally involved: each had been asked to provide her zip code during the course of a credit card transaction, and that information was entered into the retailer’s sales register. Id. at 512. But the Court was clear that the allegation of a violation of the District of Columbia’s Consumer Protection Act was not enough to create an injury in fact absent any allegation of a concrete consequence: The Supreme Court has been clear that the legislature “cannot erase Article Ill’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing” ...; Instead, an asserted injury to even a statutorily conferred right “must actually exist,” and must have “affect[ed] the plaintiff in a personal and individual way.” Id. at 514, quoting Spokeo, 136 S.Ct. at 1547-48 (citations omitted); see also Attias, 865 F.3d at 626-27 (Court of Appeals relied on the sufficiency of allegations of. future identity theft, and not the fact of the release of the data alone, as the basis for finding standing). Plaintiffs seemed to 'find support in Justice Thomas’s concurring opinion in Spok-eo, Hr’g Tr. at 28, but Justice Thomas did not address the precise situation before the Court either. In agreeing with the decision to remand, he differentiated between a suit brought by an individual to vindicate a private right, and a suit seeking to vindicate a public right — a demand that a federal agency “follow the law.” Spokeo, 136 S.Ct. at 1552 (Thomas, J., concurring). He said that' in the second instance, there needs to be some personal impact on the plaintiff, and given separation of powers concerns, Congress cannot simply authorize private plaintiffs to enforce public rights without meeting all of the constitutionally based requirements. Id. But he differentiated that situation from a suit like the one in Spokeo in which a private plaintiff was seeking to enforce his own private rights against a private party: “[i]f Congress has created a private duty owed personally to Robins to protect his information, then the violation of the legal duty suffices for Article III injury in fact.” Id. at 1554 (Thomas, J., concurring). Neither alternative quite mirrors the situation of a private plaintiff suing a federal defendant to vindicate a private right.. But more important, even if one assumes that the principles' reviewed by the Justices would' apply equally to cases against the government, the Spokeo discussion arose in the context of a statute that creates a private right' of action for a statutory violation without the need for a showing of harm. See id. at 1553 (Thomas, J, concurring) (“Congress can create new private rights and authorize private plaintiffs to sue based simply on the violation of those private rights.. A plaintiff seeking to vindicate a statutorily created private right need not allege actual harm beyond the invasion of that private right.”) (emphasis added) (citation omitted); see also id. at 1549 (“[T]he violation of a procedural right granted by statúte can be sufficient in some circumstances to constitute injury in fact .... [A] plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.”) (first emphasis in original, second emphasis added). The Privacy Act is not that sort of statute. Congress carefully limited the remedies that would be available in a Privacy Act case, and it specifically added the requirement of a showing of actual harm beyond the statutory violation and its impact on one’s privacy before the government would be required to answer in Court. So even if the Court were inclined to read the tea leaves and predict that the Supreme Court will eventually find that the bare allegation that a plaintiff was a victim of a data breach, without more, is enough to create standing to sue under the Privacy Act given the privacy rights involved, the victory for plaintiffs would be a hollow one. Because notwithstanding any invasion of privacy, before the Court may pierce the shield of sovereign immunity and exercise jurisdiction, it must consider still whether the complaint plausibly alleges that the named plaintiffs suffered the actual damages necessary to require the government to submit to a Privacy Act claim, and as set forth further below, it does not. And finally, even if the Court were to find that there is standing to sue under the Privacy Act because Congress authorized plaintiffs to sue to vindicate their private rights in that Act, that would only confer standing to bring the Privacy Act claim. Contrary to plaintiffs’ suggestion, see Hr’g Tr. at 30, it would not open the door for plaintiffs to advance the APA claims based on OPM’s violation of the Federal Information Security Management Act (“FIS-MA”). See Cuno, 547 U.S. at 352, 126 S.Ct. 1854; Friends of the Earth, 528 U.S. at 185, 120 S.Ct. 693. Congress did not establish a private right to sue under FISMA, and there is no basis to conclude that the statutory regime protecting all systems and records across the federal government was specifically intended to vindicate individual rights that are grounded in our history or tradition. For all of these reasons, in the Court’s view, standing in this case must rise or fall on the sufficiency of the allegations of actual or future harm set forth in the complaint, and it is necessary to undertake that analysis. b. Actual Identity Theft or Fraudulent Credit Card Activity Twenty plaintiffs allege that they have already experienced identity theft or have been the victims of financial fraud. They describe unauthorized charges made to existing accounts or accounts fraudulently opened in their names, unauthorized inquiries made concerning their credit, fraudulent tax returns filed in their names, or other improper uses of their credit card or Social Security numbers. CAC ¶¶ 13,14, 16, 17, 19, 21, 24, 26, 28-32, 38, 39, 41, 45, 49, 50; NTEU Compl. ¶¶ 80-84. For example: • Plaintiff “King-Myers provided sensitive information to the federal government and received notice from OPM that such information has been compromised in the Data Breaches. In May 2015, King-Myers learned t