When It Comes To DOGE, The Hack Is The Harm And Why There Is Harm

This post was written on Saturday before news broke that Elon Musk had commanded every single federal employee—including those in the judiciary!—to send a “five things I did last week” email to [email protected]. But even that episode, where Musk and DOGE once again flexed power they don’t lawfully have, and in contact with computer systems and data that they don’t lawfully have access to, just serves as yet one more example of the issues this post was written to discuss.

This post talks about a few things: (1) a small but important win that New York got on Friday, when a court again recognized that what DOGE has been allowed to do at the Treasury department is nuts (and basically illegal), and (2) some issues that are emerging when it comes to demonstrating the standing needed to sue for all the destruction being wreaked across the Executive Branch, why more courts need to recognize that they are not issues that should be derailing these cases, and why all these cases are still, at their core, about Musk and DOGE’s unlawful intrusion into the nation’s most sensitive computer systems.

First the New York case: on Friday the court in New York v. Trump turned the TRO that had been limiting what DOGE could do in the Treasury department into a preliminary injunction. In doing so the court found that the plaintiff states, led by New York, had shown a likelihood of success on their claim that the Treasury department was “arbitrary and capricious” in letting DOGE tear through its systems (and thus violated the APA):

Based upon the factual record developed to date, the Court finds that Plaintiffs will more likely than not succeed in establishing that the agency’s processes for permitting the Treasury DOGE Team access to critical BFS payment systems, with full knowledge of the serious risks that access entailed, was arbitrary and capricious. While it appears that the career staff at BFS did their best to develop what mitigation strategies they could, the inexplicable urgency and time constraints under which they operated all but ensured that the launch of the Treasury DOGE Team was chaotic and haphazard. […] The record is silent as to what vetting or security clearance process [Krause and Elez] went through prior to their appointment. […] The Treasury DOGE Team started its work almost immediately, even though it did not yet have either the HR specialist or the attorney that the E.O. mandated should be members of the team. This left career staff with almost no time to develop their mitigation measures. Within days of [Elez’s] appointment, and apparently after receiving minimal, if any, training regarding the handling of sensitive government information (beyond being instructed to maintain the information on his BFS laptop), Elez was given full access to system source codes. […] Even now, weeks after his departure, the Treasury Department is still reviewing his logs to determine what precisely he accessed and what he did with his access. The Treasury Department also could not confirm whether or not Elez emailed PII or other confidential information to officials outside the Treasury Department.

And then there is the question of under what authority anyone from DOGE had any access at all:

It is also unclear from this record whether the agency established clear reporting lines for the Treasury DOGE Team. Although they are nominally agency employees who sit within the Treasury chain of command, it is notable that they also take instructions from officials at USDS/DOGE. How this works in practice, and the uncertainty this creates as to their status as Treasury employees, calls into question their authority to access Treasury record systems.

So with this new injunction the Treasury department has now basically been ordered to run its department as the law requires, including in how the law requires restricting computer access to certain personnel and only after they have been onboarded properly and with the appropriate vetting. And from the outset that means no one connected with DOGE qualifies:

[The] United States Department of the Treasury and the Secretary of the Treasury are restrained from granting access to any Treasury Department payment record, payment systems, or any other data systems maintained by the Treasury Department containing personally identifiable information and/or confidential financial information of payees to any employee, officer or contractor employed or affiliated with the United States DOGE Service, DOGE, or the DOGE Team established at the Treasury Department, pending further Order of this Court[.]

If the Treasury department wants to give them access, then it’s going to have to do what the law requires before they can, and the court is going to make sure it does:

[B]y Monday, March 24, 2025, the United States Department of the Treasury shall submit a report to this Court: (i) certifying that the Treasury DOGE Team members have been provided with all training that is typically required of individuals granted access to BFS payment systems, including training regarding the federal laws, regulations, and policies governing the handling of personally identifiable information, tax return information, and sensitive financial data, and maintaining the integrity and security of Treasury data and technology, and attesting that any future Treasury DOGE Team member will be provided with this same training prior to being granted access to BFS systems; (ii) certifying the vetting and security clearances processes that members of the Treasury DOGE Team have undergone, and how that vetting process compares with the processes undergone by career employees who have previously been granted access to the BFS payment systems; (iii) describing the mitigation procedures that have been developed to minimize any threats resulting from increased access by members of the Treasury DOGE Team to BFS payment systems; (iv) setting forth the legal authority pursuant to which each DOGE Team member was employed by or detailed to the Treasury Department; and (v) explaining the reporting chains that govern the relationship between the DOGE Team members, USDS/DOGE, and Treasury leadership (with reference, if applicable, to any Memorandum of Understanding setting forth that relationship).

This injunction is a pretty good, albeit narrow, result. It’s good because it gets the job done: it gets DOGE out of the Treasury department, at least in the dangerous, unaccountable way it had been. And it’s good because it is yet more judicial recognition of how dangerous and unaccountable DOGE has been, and in a way that law was unlikely to allow.

The injunction is narrow, however, because the court also rejected most of the claims the plaintiff states had brought, and also many of their claims of standing. And while this rejection doesn’t matter here—in some cases the rejection was probably reasonable, and in any case one claim did stick sufficiently, which was all that was needed—some of the analytical issues that this court struggled with are also tripping up other courts, especially when it comes to them finding the standing needed to give plaintiffs the injunctive relief they need.

All of this litigation we are seeing is something of a jigsaw puzzle, one whose picture is slowly coming together, with lots of different pieces, including a variety of plaintiffs, a variety of claims, and a variety of defendants, and even types of defendants. For instance, we’ve been tracking when Musk and DOGE themselves started to be directly named as defendants, partly because we want them to ultimately be held directly liable for the damage they are causing, but also partly because, for any lawsuit seeking to remediate (or enjoin) a harm, the argument for who was supposed to stop the harm, and why, is different depending on who the defendant is. For instance, it is different to sue an agency and its head for what the agency has done wrong (ex: allowing DOGE to mess with its systems, because it was beyond their own power to allow it) than it is to sue Musk or DOGE for what they are doing wrong (ex: messing with those systems).

In some cases, like AFGE v. OPM, we are seeing a hybrid, and it’s starting to seem like the hybrid approach may be the way to go forward in most cases because it covers both bases and paints a more complete picture of what is going wrong and why injunctive relief is necessary to stop it, and proper to award.  Not every court has been convinced, like in AFGE v. Trump, one of the earliest cases to be filed, and one challenging DOGE’s efforts to destroy USAID. Although a TRO was initially granted, and it provided some interim relief, it was only temporary. Last week the court dissolved it and declined to grant a preliminary injunction to keep the agency from trying to fire their own workforce. In declining to grant the sought injunction a significant part of the reasoning was that terminations are normally properly adjudicated via specialized agencies that Congress has established, and that job loss itself wasn’t “irreparable” enough.

But the upshot of this decision is that the court has basically thrust the unions and their employee members into a Kafkaesque nightmare where employees need to be fired first, at which point they will then need to take their claims for wrongful termination (presumably one-at-a-time, instead of collectively as a union), to a different agency tasked with arbitrating federal employment disputes (and which Musk and DOGE have already started to dismantle) to try to get their jobs back. Only then, after this avenue has been exhausted, do USAID employees have any chance to get back to Article III courts to address any of the unconstitutional illegality underpinning the firings and destruction of their agencies in the first place.

Which can’t possibly be the right result, because it would effectively leave them without a remedy for their wrongful termination. The problem is, the statutory scheme that the courts are pointing to, which Congress created to shunt employment disputes to, only makes sense in the context of normal agency operations, which cannot lawfully include dismembering themselves without Congressional authorization. And it certainly cannot include dismembering themselves at the direction of an entirely unlawful power like DOGE or Musk, because of course there were also laws designed to prevent this illegal situation from ever arising. (See for instance recognition by the court in AFL-CIO v. Department of Labor that DOGE may be an improperly-formed agency given the Economy Act of 1932).

What is happeing now if far beyond any sort of HR dispute; it’s the lawless dismantling of government agencies Congress established by law, of which there are myriad consequences, only some of which are experienced in terms of employment.  But the goal of all these lawsuits is not just to save the jobs, as in this case, or data privacy, as in others, but to restrain the lawlessness that is causing any of these things (and so much more) to be lost. And addressing that lawlessness is absolutely the purview of the courts—in fact, because they are not Article III courts it may even be inappropriate for these other employment-related agencies to try to address it themselves. These employment-related agencies may ordinarily be able to help employees keep their jobs when an individual firing may be beyond what the law would allow an agency to do, but they can’t fix the real problem that is causing the firings here, at the behest, if not also directly at the hands, of people with no lawful authority to compel them. And it would lead to a bizarre result if Musk and DOGE, as people acting so far beyond the bounds of lawful authority, could then be protected by an actual law now preventing them from being held accountable for it.

In the USAID example, the real problem is not that this agency has suddenly, and independently, decided to destroy itself but that its destruction is clearly being directed by Musk and DOGE, who have no lawful power to do so. They have openly, and repeatedly, bragged about putting the agency into the “woodchipper.” And, as the court in New Mexico v. Musk observed, Musk and his DOGE minions seem to be the supervisory authority governing every contract cancellation, funding freeze, and firing at any agency they have been involved with.

In light of this increasing judicial recognition, Musk and DOGE should from now on probably be named in just about every lawsuit brought to challenge what is happening in the Executive Branch, even if the agency and its real officials are also named, because it appears to be Musk and DOGE’s ultra vires behavior that is at the root of all the harm accruing. It also seems important to name them given all the vagueness and inconsistencies in the government’s declarations about their behavior and what authority it now claims to have behind it, which courts are starting to call out as we also saw in New Mexico. With these declarations it seems like the Trump administration has apparently begun to retroactively try to dot some of the i’s they should have had dotted before Musk and DOGE started acting so radically, like properly hire and vet staff that gets to access Treasury’s computer systems. But it does seem like these efforts are too little too late: even in the case of the Treasury department, discussed above, even if the agency now properly hires all the DOGErs, unaccountable DOGE personnel had still been mucking about in those computer systems for way too long without those formalities being satisfied, and in doing so creating exactly the sort of problems that those formalities were supposed to forestall.  Just as they have in every other agency they’ve invaded.

And ultimately it seems like pretty much all the resulting harm being sued over—contract cancellations, funding freezes, or firings—originates from Musk and DOGE’s incursions into the agencies’ computer systems. Which is important to explain to courts, for several reasons.

One is with respect to an issue that has started to come up in some of these lawsuits, addressing how a case called TransUnion applies. TransUnion is a case about “standing.” In general people can only sue when they have standing, or, in other words, an actual (or very likely) injury that is redressable if the court were to give them the relief they want from this particular defendant. So one thing the Trump administration has been trying to do to dismiss all these lawsuits is argue that the plaintiffs bringing them don’t have the standing needed to demand the injunctions they are demanding. And one argument they’ve used in some of the cases addressing the privacy harms resulting from DOGE running rampant through these systems, is that the plaintiffs don’t have the standing that TransUnion says they need to have to complain about the privacy harm DOGE’s actions may have caused.

In TransUnion the Supreme Court wouldn’t let concerns that impermissible data access might lead to harm give the plaintiffs standing to sue for the data breach itself because the possible harm was just too hypothetical. So what the Trump administration is arguing, and come courts, like in EPIC v. OPM, are accepting, is that any worry about data DOGE may have exfiltrated potentially falling into the wrong hands is worry about a harm too hypothetical to entitle anyone to sue over it. In other words, “Yeah, the bad guys might get your data, but they might not, so no standing for you.”

But what this argument misses is that DOGE itself are the bad guys! The bad guys already got the data! Their unauthorized access to it was the exfiltration! The fact that yet more bad guys may also get the data is beyond the point. DOGE’s penetration into these secure systems, gaining access to data that was supposed to be protected against unauthorized access, for all the reasons that it needed to be kept secure from unauthorized access, is why all the people who are now suffering a consequence from that unauthorized access—including their sudden loss of agency employment, without the authorization of Congress—should now have standing to sue to stop that harm.

Because it was only because of that access that such consequences are accruing. Through their unauthorized access to all these agency systems Musk and DOGE got the visibility they needed to be able to direct all the contract cancellations, funding freezes, and firings that they have already directed or yet plan to. We know there is this connection between their destructive demands and the access to these systems they’ve had because they have essentially publicly claimed as much, and because they would not have needed to demand access to these systems in the first place if they could have done their damage to the agencies without it. Even to the extent that agency officials may now seek to launder DOGE’s unconstitutionally destructive demands (like to fire the majority of agency personnel) by implementing them under their own auspices, such ratification of these inherently unconstitutional plans is irretrievably tainted by DOGE’s interference, which was enabled by their illicit intrusion into these agencies’ protected computer systems. That unlawful intrusion was the predicate act from which all the subsequent harms have flowed, and any lawsuits challenging any of this resulting harm probably needs to make that reality prominently clear—and before an Article III court that should be ready to stop it.