The Trump administration has illegally accessed federal employees” private data in an equally unlawful effort to dismantle the Consumer Financial Protection Bureau (CFPB), a lawsuit filed Monday alleges.

During the nearly seven months of his second term, the 45th and 47th president made no secret of his disdain for the CFPB – an agency widely considered the brainchild of Sen. Elizabeth Warren. In February, Trump said his plan was for the CFPB to be “totally eliminated” because “number one, it was a bad group of people running it, but it was also a waste.” That same month, while still a special employee leading the Department of Government Efficiency (DOGE), Elon Musk posted “CFPB RIP” on his personal X, formerly Twitter, account.

But the attacks on the agency have not only been rhetorical.

The CFPB’s Acting Director Russell Vought has told the agency’s employees to close up shop and, in one agency-wide email, to cease doing “any work tasks.” In another email, he directed certain CFPB staff to, instead, support “DOGE members with requests.”

Now, a labor union representing federal employees across dozens of agencies and departments says the CFPB director’s accommodations to DOGE have gone way too far afield and have revealed sensitive employee information in violation of numerous federal laws.

“CFPB has a statutory responsibility to protect the information that it collects and maintains about its employees from unlawful disclosure to third parties,” the lawsuit reads. “The Bureau has acted contrary to law and regulation by granting DOGE and its members access to the records that the Bureau collects and maintains about every CFPB employee.”

In their 26-page amended complaint, the National Treasury Employees Union (NTEU) alleges Vought granted DOGE and its agents “unauthorized and unfettered” access to employees’ personally identifiable information (PII) in violation of the federal Privacy Act, the Administrative Procedure Act (APA), and internal CFPB regulations.

To hear the plaintiffs tell it, disclosure of such information is specifically governed by the Privacy Act. Here, the lawsuit describes something like a cross-referencing of rules and laws.

And, to be clear, this is an argument about massive reams of data.

“At the Office of Personnel Management (OPM), a DOGE team sought and obtained access to federal employee personnel information. DOGE team members have access to a massive database called Enterprise Human Resources Integration, which contains dates of birth, Social Security numbers, appraisals, home addresses, pay grades and length of service of government workers,” the lawsuit explains.

Essentially, whenever the CFPB wants to make changes – or grant access to – these wholesale databases, their internal rules require what is called a “system of records” alteration. But the Privacy Act itself requires a “System of Records Notice” when such an action occurs. The act also requires the CFPB to file a pre-notice statement in the Federal Register 30 days before the action.

Under federal law, the pre-notice filing is mandatory to “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.”

In the present litigation, which was actually initiated in February, the plaintiffs argued the last such notice filed in September 2024 did not grant CFPB or DOGE access to PII data. Earlier this month, however, the Trump administration issued a new notice.

The plaintiffs allege the new notice, while enumerating 16 separate “routine uses” for employee data – including “categories of users and the purposes of such uses” – is still insufficient.

At heart, the plaintiffs say there are very few reasons the agency’s management is allowed to share sensitive information about the agency’s staff – and all such reasons are in the CFPB’s internal rules. Those “narrow” disclosure reasons “do not include disclosure for purposes of dismantling CFPB,” according to the lawsuit.

The plaintiffs go on to say that, despite efforts to paper over their earlier disclosures with new bureaucratic language, the government has still failed to justify granting DOGE “unauthorized” access to such data.

“CFPB has not, and indeed cannot, show that disclosure of employee information to DOGE falls within a statutory exception to the Privacy Act,” the lawsuit argues. “Nor can CFPB show that disclosure of employee information is permissible under the ‘routine use’ exception to the Privacy Act. “

The NTEU explains, at length:

CFPB has failed to demonstrate how the disclosure of specific and highly sensitive employee information, including Social Security numbers, personal addresses, biographic and demographic data, health-related information, employment background information, and information related to employee family members, dependents, beneficiaries, and other emergency contacts, to DOGE members comports with the intended use of that employee information.

Moreover, even if disclosure of employee information to DOGE could be defined as a “routine use”, none of the permissible routine uses listed in CFPB’s Employee Administrative Records System of Records Notice allow for the disclosure of such employee information to DOGE or its members.

The lawsuit has been assigned to U.S. District Judge Richard J. Leon, a George W. Bush appointee known for his expressive writing style and dogged criticisms of what he views as governmental overreach.