Feathers v. On Q Financial LLC
2:24-cv-00811
D. Ariz.
Jun 26, 2025

Background

  • Plaintiffs brought a consolidated class action over a data breach at On Q Financial, a mortgage lender, targeting the exposure of personally identifiable information (PII) of over 211,000 individuals.
  • Defendant ConnectWise LLC provided remote access software (ScreenConnect) to On Q Financial, whose vulnerability allegedly enabled hackers to steal PII.
  • Hackers exploited the vulnerability before a patch was installed, and a ransomware group published stolen PII on the dark web.
  • Plaintiffs were not direct customers of ConnectWise but claimed their PII was compromised due to ConnectWise’s alleged failure to secure its software.
  • ConnectWise moved to dismiss claims against it under Rules 12(b)(1) (lack of subject matter jurisdiction) and 12(b)(6) (failure to state a claim).
  • The court’s decision focused on standing, traceability, duty, breach, damages, and leave to amend.

Issues

Issue Plaintiff's Argument Defendant's Argument Held
Article III Standing (Injury) Plaintiffs suffered privacy invasion, risk of ID theft, lost time, lost PII value No concrete harm; damages speculative Standing adequately alleged for injury (privacy, risk, time)
Traceability Injury was due to ConnectWise’s vulnerable software Harm not caused by ConnectWise; PII managed by On Q Financial Causation sufficiently alleged at pleading stage
Redressability (Declaratory Relief) Injunctive relief would reduce repeat harm, require security measures ConnectWise does not maintain PII; relief wouldn’t redress injury Relief not redressable; declaratory claim dismissed
Negligence (Duty & Damages) State/federal statutes, public policy, and industry standards create duty; alleged various damages No special relationship, no statutory or policy duty, or control over PII; damages are speculative No duty under Arizona law; damages not cognizable; negligence claim dismissed

Key Cases Cited

  • Lujan v. Defs. of Wildlife, 504 U.S. 555 (articulates Article III standing requirements)
  • Bell Atl. Corp. v. Twombly, 550 U.S. 544 (pleading standard for plausibility)
  • Ashcroft v. Iqbal, 556 U.S. 662 (sufficiency of factual allegations in pleadings)
  • TransUnion LLC v. Ramirez, 594 U.S. 413 (intangible harms like privacy violation can establish standing)
  • Krottner v. Starbucks Corp., 628 F.3d 1139 (risk of identity theft from data breach can be concrete injury)
  • Gipson v. Kasey, 150 P.3d 228 (negligence elements under Arizona law)
  • Arbaugh v. Y&H Corp., 546 U.S. 500 (courts' duty to assess subject-matter jurisdiction)
  • Spokeo, Inc. v. Robins, 578 U.S. 330 (concreteness and particularization in injury for standing)
  • Cetacean Cmty. v. Bush, 386 F.3d 1169 (standing is prerequisite to federal jurisdiction)
Read the full case