
Left: Elon Musk flashes his T-shirt that reads “DOGE” to the media as he walks on the South Lawn of the White House, in Washington, Sunday, March 9, 2025 (AP Photo/Jose Luis Magana). Right: President Donald Trump pauses as he speaks in the Oval Office of the White House, Tuesday, May 20, 2025, in Washington (AP Photo/Alex Brandon).
Though billionaire Elon Musk left his role in the Trump administration as a special government employee, and publicly feuded with President Donald Trump after he did so, he remains the face of — and a defendant in — litigation over sweeping actions taken by the Department of Government Efficiency (DOGE), apparently in connection with its information technology (IT) modernization efforts.
On Monday, a federal judge at the U.S. District Court for the Southern District of New York counted the ways that the Office of Personnel Management (OPM) ran roughshod over the safeguards of the Privacy Act to hastily hand DOGE agents administrative access to systems containing “personal information of tens of millions of Americans” — access these agents did not need and, in several cases, weren’t adequately trained or vetted to handle.
U.S. District Judge Denise Cote, a Bill Clinton appointee, began by noting that there was a massive cybersecurity breach at OPM as recently as 2015, sparking congressional investigation and resulting in a 2016 House Report outlining best mitigation practices moving forward.
Against this backdrop, coupled with the language of the Privacy Act and the Administrative Procedure Act (APA), Cote sided with plaintiffs AFL-CIO and the American Federation of Government Employees in granting a preliminary injunction, citing the Trump administration’s “illegal activities.”
The judge explained that DOGE and OPM’s IT modernization project is actually “laudable” and not the issue at hand. The problem, instead, was the Trump administration playing fast and loose by granting access to systems containing “confidential PII,” or personally identifiable information surrounding plaintiffs’ “most sensitive private affairs” — such as “social security numbers, health care information, banking information, and information about family members.”
“To be sure, the issue here is not whether OPM IT systems should be modernized. That is an entirely laudable goal and the plaintiffs do not suggest otherwise,” the judge wrote. “Indeed, the Government has been engaged in IT modernization efforts for years. But, as the plaintiffs’ experts have explained, IT modernization does not necessarily require access to confidential PII.”
Even if a group of DOGE agents with access to the systems didn’t actually review PII, the damage was done, Cote said.
“The plaintiffs do not have to make that showing to establish their standing, or even a likelihood of success on the merits. It is the intrusion and not the misuse of the data that constitutes the violation,” the judge said. “Granting improper access to legally protected data is sufficient to demonstrate a harm resembling intrusion upon seclusion, and no further use or review of the data is necessary.”
“The plaintiffs have shown a likelihood of proving at trial that those OPM records were ‘disclosed’ to individuals affiliated with DOGE who were not OPM employees or did not have a need for the records in the performance of their duties at OPM,” Cote added later.
The judge further said there’s “clear evidence” several anonymous DOGE agents “did not need access to the records disclosed to them, much less the administrative access that they were given.”
Calling an OPM IT upgrade through DOGE engineering “laudable” and “uncontroversial” in itself, Cote nonetheless slammed “hasty and chaotic disclosures of OPM systems” and concluded it was “especially unlikely that any DOGE agents ever needed administrative access to any OPM systems.”
The judge said this was a “gross departure from [OPM’s] obligations under the Privacy Act as well as its longstanding cybersecurity practices,” in service of a “rushed” attempt to implement President Trump’s policies.
Writing that “security training was an afterthought” for three of five DOGE engineers with access to systems, Cote said DOGE defendants “were likely participants in many of the illegal activities described in this Opinion.”
After finding that the plaintiffs showed “irreparable harm exists,” Cote criticized the Trump administration for declining to say that “mistakes were made”:
“The Government could have acknowledged that in its rush to accomplish a new President’s agenda mistakes were made and established, important protocols were overlooked. It has not. The Government has defended this lawsuit by repeatedly invoking a mantra that it adhered to all established procedures and safeguards. It did not. Without a full-throated recognition that the law and established cybersecurity procedures must be followed, the risk of irreparable harm will continue to exist.”
The judge separately ordered the plaintiffs and defendants to “meet and confer regarding the terms” and scope of the injunction and to submit follow-up “proposal(s)” by Thursday at noon.