Feathers v. On Q Financial LLC
2:24-cv-00811
D. Ariz.
Jun 26, 2025

WO

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA

No. CV-24-00811-PHX-SMB

ORDER

Jack Feathers, et al.,

Plaintiff,

v.

On Q Financial LLC, et al.,

Defendants.

Pending before the Court is Defendant ConnectWise, LLC’s (“ConnectWise”) Motion to Dismiss (Doc. 35) Plaintiffs Jack Feathers, Barbara Squier, Brian Eitemiller, and Isaiah Castellaw’s (collectively, “Plaintiffs”) Consolidated Class Action Complaint (the “Complaint”) (Doc. 20) pursuant to Federal Rules of Civil Procedure 12(b)(1) and (6). Plaintiffs filed a Response (Doc. 39), and ConnectWise filed a Reply (Doc. 42). After considering the parties’ arguments and the relevant case law, the Court will grant the Motion.

I. BACKGROUND

This is a data breach case in which hackers accessed and exfiltrated personally identifiable information (“PII”) from the customer databases of Defendant On Q Financial, LLC (“On Q Financial”), a mortgage lender. (Doc. 20 ¶¶ 3, 31, 40.) On Q Financial collected and maintained named Plaintiffs and the approximate 211,000 class members’ PII, which included social security numbers and other sensitive health information. ( ¶¶ 7, 9.) Plaintiffs Feathers, Eitemiller, and Castellaw are not On Q Financial customers but allege they provided PII to On Q Financial. ( Id. ¶¶ 164, 189, 203.) Prior to receiving the Notice Letter, Plaintiff Squier was neither familiar with On Q Financial nor with how the company obtained her PII. ( Id. ¶ 176.)

ConnectWise is an IT management software and technology provider that contracted with On Q Financial. ( Id. ¶¶ 3, 175; Doc. 35 at 10.) ConnectWise developed and provided to On Q Financial a remote access software program called ScreenConnect. (Doc. 20 ¶¶ 3, 4, 32, 40.) ScreenConnect is a computer program that allows a user to access and perform actions on another person’s computer from a different location. ( Id. ¶ 40.)

On February 13, 2024, an independent security researcher notified ConnectWise that an issue with its ScreenConnect program could allow unauthorized actors to access the software. ( Id. ¶ 59.) ConnectWise thereafter developed a patch for ScreenConnect clients. ( ) Prior to On Q Financial installing the patch, malicious actors had already exploited the vulnerability. ( ) A ransomware group, Bianlian, claimed responsibility for the On Q Financial breach (the “Data Breach”) and posted Plaintiffs’ PII on the dark web. (Doc. 20 ¶ 47–50.)

On or about March 29, 2024, On Q Financial sent Plaintiffs a Notice of Data Security Incident letter (the “Notice Letter”), which stated:

What Happened? On February 20, 2024 On Q Financial received a notification from ConnectWise, a software and IT management provider, regarding a vulnerability involving its product ScreenConnect, which is a software program On Q Financial used for remote access to computers in our network. In response to the notification received from ConnectWise, we immediately patched and upgraded the application and began an investigation. The investigation revealed some suspicious activity through the Screen Connect application. On Q Financial engaged a computer forensics investigation firm to conduct an independent investigation into what happened and determine whether personal information may have been accessed or acquired without authorization. Our investigation confirmed that the ConnectWise vulnerability has been successfully patched and the On Q Financial computer network is secure. However, on March 14, 2023, the investigation determined that the ConnectWise vulnerability permitted an unknown individual to gain access to our computer network and the personal information of some of our clients was exfiltrated from our network. Please note that at this time we are not aware of any evidence that any of our clients’ personal information has been misused, and out of an abundance of caution, we are notifying all of our clients whose personal information has potentially been impacted.

What Information was Involved? The information that may have been affected in connection with this incident includes your name and Social Security number.

( )

Specific to the instant Motion, Plaintiffs allege that ConnectWise failed to take reasonable steps to ensure that Plaintiffs’ PII remained secure. ( See id. ¶¶ 39, 58, 269.) Plaintiffs allege various types of actual and future damages, including (i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of their PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) statutory damages; and (ix) the continued and increased risk to their PII, which remains exposed and subject to further exposure if Defendants fail to take adequate remedial measures. ( See id. ¶¶ 11, 127, 162, 168, 181, 194, 208.)

II. LEGAL STANDARD

A. Rule 12(b)(1)

Rule 12(b)(1) of the Federal Rules of Civil Procedure provides that a defendant may move to dismiss an action for “lack of subject-matter jurisdiction.” Courts “have an independent obligation to determine whether subject-matter jurisdiction exists.” Arbaugh v. Y&H Corp. , 546 U.S. 500, 514 (2006); see also Fed. R. Civ. P. 12(h)(3) (“If the court determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the action.”). “Under Rule 12(b)(1), a defendant may challenge the plaintiff's jurisdictional allegations in one of two ways. A ‘facial’ attack accepts the truth of the plaintiff's allegations but asserts that they are insufficient on their face to invoke federal jurisdiction.” Leite v. Crane Co. , 749 F.3d 1117, 1121 (9th Cir. 2014) (citation omitted). “A ‘factual’ attack, by contrast, contests the truth of the plaintiff’s factual allegations, usually by introducing evidence outside the pleadings.” Regardless, however, plaintiff bears the burden of establishing that subject-matter jurisdiction exists. Kokkonen v. Guardian Life Ins. Co. of Am. , 511 U.S. 375, 377 (1994).

B. Rule 12(b)(6)

To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must meet the requirements of Rule 8(a)(2). Rule 8(a)(2) requires a “short and plain statement of the claim showing that the pleader is entitled to relief,” so that the defendant has “fair notice of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson , 355 U.S. 41, 47 (1957)). This exists if the pleader sets forth “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal , 556 U.S. 662, 678 (2009). “Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”

Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. Pacifica Police Dep’t , 901 F.2d 696, 699 (9th Cir. 1988). A complaint that sets forth a cognizable legal theory will survive a motion to dismiss if it contains sufficient factual matter, which, if accepted as true, states a claim to relief that is “plausible on its face.” Iqbal , 556 U.S. at 678 (quoting Twombly , 550 U.S. at 570). Plausibility does not equal “probability,” but requires “more than a sheer possibility that a defendant has acted unlawfully.” Id. “Where a complaint pleads facts that are ‘merely consistent with’ a defendant’s liability, it ‘stops short of the line between possibility and plausibility.’” (quoting Twombly , 550 U.S. at 557).

In ruling on a Rule 12(b)(6) motion to dismiss, the well-pled factual allegations are taken as true and construed in the light most favorable to the nonmoving party. Cousins v. Lockyer , 568 F.3d 1063, 1067 (9th Cir. 2009). However, legal conclusions couched as factual allegations are not given a presumption of truthfulness, and “conclusory allegations of law and unwarranted inferences are not sufficient to defeat a motion to dismiss.” Pareto v. FDIC , 139 F.3d 696, 699 (9th Cir. 1998). A court ordinarily may not consider evidence outside the pleadings in ruling on a Rule 12(b)(6) motion to dismiss. See United States v. Ritchie , 342 F.3d 903, 907 (9th Cir. 2003). “A court may, however, consider materials—documents attached to the complaint, documents incorporated by reference in the complaint, or matters of judicial notice—without converting the motion to dismiss into a motion for summary judgment.” Id. at 908.

III. DISCUSSION

A. Standing

1. Legal standard

To bring a justiciable lawsuit into federal court, Article III of the Constitution requires that a plaintiff have “the core component of standing.” Lujan v. Defs. of Wildlife , 504 U.S. 555, 560 (1992). To establish Article III standing, an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Int’l USA , 568 U.S. 398, 409 (2013) (citation omitted). A “speculative chain of possibilities” cannot establish an actual or imminent injury in fact. Clapper , 568 U.S. at 414 (2013). “A suit brought by a plaintiff without Article III standing is not a ‘case or controversy,’ and an Article III federal court therefore lacks subject matter jurisdiction over the suit. In that event, the suit should be dismissed under Rule 12(b)(1).” Cetacean Cmty. v. Bush , 386 F.3d 1169, 1174 (9th Cir. 2004) (internal citations omitted).

ConnectWise launches a facial and limited factual attack on Plaintiffs’ ability to establish Article III standing. A facial attack “asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for Everyone v. Meyer , 373 F.3d 1035, 1039 (9th Cir. 2004). In this circumstance, the Court will accept Plaintiffs’ allegations as true and draw all reasonable inferences in their favor, then “determine[] whether the allegations are sufficient as a legal matter to invoke the court’s jurisdiction.” Leite , 749 F.3d at 1121 (9th Cir. 2014). “A ‘factual’ attack, by contrast, contests the truth of the [Plaintiffs’] factual allegations, usually by introducing evidence outside the pleadings.” It therefore follows that a facial attack confines a court’s inquiry to the allegations in the complaint, while a factual attack permits the court to look beyond the complaint. See Savage v. Glendale Union High Sch., Dist. No. 205 , 343 F.3d 1036, 1039 n.2 (9th Cir. 2004).

2. Injury-In-Fact

The parties’ arguments on standing are rather straightforward. In short, ConnectWise argues that Plaintiffs fail to establish injury or traceability for any of their claims. (Doc. 35 at 12–13.) With respect to redressability, however, ConnectWise seemingly attacks only Plaintiffs’ claim for declaratory relief (Count VI), positing that the sought after judgment could not redress the alleged injuries because ConnectWise does not manage or maintain Plaintiffs’ PII. ( ) In response, Plaintiffs contend that they satisfy the Article III standing requirements. ( See Doc. 39 at 9–14.)

To establish an injury in fact, “a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins , 578 U.S. 330, 339–40 (2016) (citation and quotation marks omitted). A “concrete” and “particularized” injury must be “real,” not “abstract.” Griffey v. Magellan Health Inc. , 562 F. Supp. 3d 34, 43 (D. Ariz. 2021). The injury must also “affect the plaintiff in a personal and individual way.” Lujan , 504 U.S. at 560 n.1. To be “actual or imminent,” a threatened injury must be “certainly impending”—“allegations of possible future injury are not sufficient.” Clapper , 568 U.S. at 409 (citation modified).

In the class action context, named plaintiffs “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” Spokeo , 578 U.S. at 338 n.6. Moreover, “it is axiomatic that a plaintiff can satisfy Article III injury-in-fact requirement but, ultimately, fall short of satisfying the cognizable injury requirement for, say, a negligence claim.” Griffey v. , 562 F. Supp. 3d at 43.

Plaintiffs assert that their (a) privacy losses; (b) risk of identity theft; and (c) losses of time are concrete actual injuries; and (d) the loss in PII value is a concrete injury that establishes standing. (Doc. 39 at 10–11.) [1]

a. Privacy Losses

Plaintiffs allege that Feathers, Squier, Eitemiller, and Castellaw’s PII have been publicly disclosed on the dark web. ( See Doc. 20 ¶¶ 127, 166, 171, 178, 180, 193, 207.) This disclosure, Plaintiffs claim, amounts to an invasion of privacy that establishes an injury-in-fact. ( ¶ 20; Doc. 39 at 11.)

The Court finds that the theft and disclosure of Plaintiffs’ PII is a concrete, intangible harm that establishes injury-in-fact for Article III standing. See TransUnion LLC v. Ramirez , 594 U.S. 413, 424 (2021). In TransUnion , the United States Supreme Court examined “[w]hat makes a harm concrete for purposes of Article III.” 594 U.S. at 424. The Court discussed its past focus on “traditional tangible harms,” like physical or monetary harms, id. at 425, before finding that “[v]arious intangible harms can also be concrete . . . [including] disclosure of private information.” Following TransUnion , courts in this circuit have found that theft of PII establishes a concrete injury because it signifies an invasion of a plaintiff’s privacy interest. See, e.g. , Wynne v. Audi of Am. , Case No. 21-cv-08518-DMR, 2022 WL 2916341, at *4 (N.D. Cal. July 25, 2022).

Plaintiffs’ allegations suffice to establish the theft and public disclosure of their PII, including their social security numbers, is an injury-in-fact for standing purposes. ( See Doc. 20 ¶¶ 127, 166, 171, 178, 180, 193, 207.) Therefore, Plaintiffs’ alleged privacy losses satisfy the injury-in-fact requirement for Article III standing. [2]

b. Risk of Identity Theft

Plaintiffs allege that the theft and publication of their PII on the dark web, which is still available for download, exposes them to a lifelong risk of identity theft and fraud. (Doc. 20 ¶ 6, 9–11, 15–17.)

While alleging a risk of injury, i.e., a future injury, is generally inadequate if it presents a mere possibility of harm, see Clapper , 568 U.S. at 409, allegations of a risk of future identity theft have been found adequate to sufficiently allege an injury-in-fact, see Zappos II , 888 F.3d at 1027–29.

[2] Though Plaintiffs need only one viable basis for standing, the Court will afford each purported injury some discussion. See In re Zappos.com, Inc. (“ Zappos II ”), 888 F.3d 1020, 1030 n.15 (citing Douglas County v. Babbit , 48 F.3d 1495, 1500 (9th Cir. 1995)).

Plaintiffs Squier, Eitemiller, and Castellaw have alleged that their PII was stolen and disseminated on the dark web. (Doc. 20 ¶¶ 180, 193, 207.) Their information is still available for download. ( Id. ¶ 6.) All Plaintiffs have also experienced fraudulent credit card charges and unauthorized credit activity since the Data Breach, which tends to show that they may be at risk for identity theft. ( ¶ 168, 181, 194, 208.) It follows, then, that Plaintiffs’ allegations show a credible threat of real and imminent harm stemming from the theft and publication of their PII. Cf. Krottner v. Starbucks Corp. , 628 F.3d 1139, 1143 (9th Cir. 2010) (finding that the theft of a laptop containing unencrypted personal data established an injury in fact where that information may be used in the future to harm the plaintiff); Greenstein v. Noblr Reciprocal Exch. , 585 F. Supp. 3d 1220, 1227 (N.D. Cal. 2022) (finding injury-in-fact where the plaintiff alleged that he may suffer future harm after his social security number was posted on the dark web); Griffey , 562 F. Supp. 3d at 46. [3]

c. Loss of Time

Plaintiffs allege that they have spent, and will continue to spend, time monitoring financial accounts and credit reports in the wake of the Data Breach. (Doc. 20 ¶¶ 145, 167–168, 179–181, 192–194, 206–208.) Plaintiffs assert that “mitigation injuries”—time spent monitoring for theft after breach—are injuries-in-fact. (Doc. 39 at 11–12 (citing Medoff v. Minka Lighting, LLC , No. 2:22-CV-08885-SVW-PVC, 2023 WL 4291973, at *5 (C.D. Cal. May 8, 2023)).)

Medoff recognized that, after TransUnion , some circuits found “harms that result as a consequence of a plaintiff’s knowledge of a substantial risk of identity theft, including time and money spent responding to a data breach or emotion distress[,] can satisfy concreteness.” Medoff , 2023 WL 4291973, at *4 (first citing Clemens v. ExecuPharm Inc. , 48 F.4th 146, 156 (3d Cir. 2022) (“If the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.”); then citing In re Equifax Inc. Customer Data Sec. Breach Litig. , 999 F.3d 1247, 1262–63 (11th Cir. 2021) (“[A]ny assertion of wasted time and effort necessarily rises or falls along with this Court’s determination of whether the risk posed . . . is itself a concrete harm.” (quoting Muransky v. Godiva Chocolatier, Inc. , 979 F.3d 917, 924 (11th Cir. 2020))). To be sure, however, Medoff reaffirmed the common principle that these type of harms “can only qualify as concrete injuries in fact when they are based on a risk that is either ‘certainly impending’ or ‘substantial.’” 2023 WL 4291973, at *5 (quoting I.C. v. Zynga, Inc. , 600 F. Supp. 3d 1034, 1052 (N.D. Cal. 2022)).

The relevant allegations here are that Plaintiffs have spent, and will continue to spend, time monitoring financial accounts and credit reports in the wake of the Data Breach. (Doc. 20 ¶¶ 145, 167–168, 179–181, 192–194, 206–208.) Also important are allegations that Plaintiffs experienced fraudulent credit card charges and unauthorized credit activity since the Data Breach. ( ¶ 168, 181, 194, 208.) Together, these allegations show a type of mitigation harm that informs the “certainly impending” and “substantial” nature of harm required to establish injury-in-fact. Medoff , 2023 WL 4291973, at *5; see also In re Banner Health Data Breach Litig. , No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017) (“A person whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” (citation omitted)).

ConnectWise cites two cases from this Court to support its assertion that Plaintiffs’ expenses should not establish injury-in-fact because any future harm is speculative. (Doc. 35 at 14 (citing Dearing v. Magellan Health Inc. , No. 2:20-CV-00747-PHX-SPL, 2020 WL 7041059, at *3 (D. Ariz. Sept. 3, 2020); Travis v. Assured Imaging LLC , No. CV-20-00390-TUC-JCH, 2021 WL 1862446, at *9 (D. Ariz. May 10, 2021)).) Both cases are distinguishable because neither involved allegations that plaintiff’s PII was even stolen. Dearing , 2020 WL 7041059, at *3; Travis , 2021 WL 1862446, at *9. In both cases, the Court therefore found that each plaintiff’s harms were too speculative and therefore insufficient to establish injury-in-fact. Dearing , 2020 WL 7041059, at *3; Travis , 2021 WL 1862446, at *9. Here, however, Plaintiffs have alleged theft, explained the potential for future use, highlighted attempted fraudulent charges to their credit cards, and set out their mitigation efforts in enough detail for the Court to find an injury-in-fact.

d. Loss of Value of Plaintiffs’ PII

ConnectWise argues that Plaintiffs have failed to allege the existence of a legitimate marketplace for their PII and thus do not sufficiently allege the diminution of value as an injury. (Doc. 35 at 26.) In response, Plaintiffs simply maintain that the loss of value in their PII is a cognizable injury. ( See Doc. 39 at 12.)

The Court tends to agree with Plaintiffs that their allegations sufficiently evidence an injury for standing purposes. Some courts in this Circuit have found that the loss of value of PII may constitute injury where plaintiffs allege disclosure, a legitimate market for PII, sale of the PII, and loss of value as a result. See, e.g. , In re Anthem, Inc. Data Breach Litigation (“ Anthem II ”), 2016 WL 3029783, at *14–15 (N.D. Cal. May 17, 2016); In re Yahoo! Inc. Customer Data Sec. Breach Litig. (“ Yahoo ”), 16-MD-02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017). While others found that such injury does not satisfy the injury requirement. See In re Zappos.com, Inc. (“ Zappos I ”), 108 F. Supp. 3d 949, 954 (D. Nev. 2015); Travis v. Assured Imaging LLC , No. CV-20-00390-TUC-JCH, 2021 WL 1862446, at *9 (D. Ariz. May 10, 2021).

The operative pleadings in both Zappos I and Travis , however, were woefully deficient regarding allegations of the loss in value. For example, the Travis plaintiffs alleged that they “suffer[ed] a loss of value” of their PII and that the asking price of the thieves was “$50 and up.” 2021 WL 1862446, at *9. The plaintiffs did not enhance those facts with allegations explaining how the data breach resulted in the decrease in value of their PII or that they could not sell their PII because of the data breach. Id. Here, however, the Complaint alleges several price points for PII, provides detailed factual allegations regarding the market for PII, and explains how hackers misappropriate and damage the value of stolen PII. ( See Doc. 20 ¶¶ 84–86, 149–159); but see Griffey v. , 562 F. Supp. 3d at 46 (declining to find the “dark web” as a legitimate market). [4]

At bottom, Plaintiffs have alleged enough factual material to establish an injury-in-fact based upon the diminished value of their PII.

3. Traceability

ConnectWise asserts that Plaintiffs fail to establish any alleged injuries that are traceable to it. (Doc. 35 at 15.) Specifically, ConnectWise asserts that any injuries are the result of the lack of measures imposed to protect their PII that On Q Financial held and managed, and not the result of ConnectWise’s ScreenConnect technology. ( Id. at 15–16.)

In response, Plaintiffs assert that ConnectWise’s provision of ScreenCapture, the vehicle through which the Data Breach was affected, to On Q Financial shows that the injuries can be traced to ConnectWise (Doc. 39 at 12–13.) Further, Plaintiffs argue that ConnectWise did not need to control the stolen PII to impute liability onto the company. ( See Doc. 13 (citing Accellion, Inc., Data Breach Litig. , 713 F. Supp. 3d 623, 635 (N.D. Cal. 2024)).)

“[P]laintiffs must establish a ‘line of causation’ between defendants’ action and their alleged harm that is more than ‘attenuated.’” Maya v. Centex Corp. , 658 F.3d 1060, 1070 (9th Cir. 2011) (quoting Allen v. Wright , 468 U.S. 737, 757 (1984)). Although “a causation chain does not fail simply because it has several ‘links,’ provided those links are ‘not hypothetical or tenuous’ and remain ‘plausib[le].’” (quoting Nat’l Audubon Soc., Inc. v. Davis , 307 F.3d 835, 849 (9th Cir. 2002)). “Where a chain of causation ‘involves numerous third parties’ whose ‘independent decisions’ collectively have a ‘significant effect’ on plaintiffs’ injuries, the Supreme Court and [the Ninth Circuit] have found the causal chain too weak to support standing at the pleading stage.” at 1070 (quoting Allen , 468 U.S. at 759). The “fairly traceable” requirement “ensures that there is a genuine nexus between a plaintiff's injury and a defendant's alleged illegal conduct.” Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 204 F.3d 149, 160 (4th Cir. 2000).

“[W]hat matters is not the ‘length of the chain of causation,’ but rather the ‘plausibility of the links that comprise the chain.’” Mendia v. Garcia , 768 F.3d 1009, 1012–13 (9th Cir. 2014) (quoting Davis , 307 F.3d at 849). Thus, a plaintiff’s injury is “‘fairly traceable’ when there is a ‘substantial likelihood’ that the defendant’s conduct caused the harm.” Baton v. Ledger SAS , 740 F. Supp. 3d 847, 879 (N.D. Cal. 2024) (quoting NRDC v. Texaco Ref. & Mktg., Inc. , 2 F.3d 493, 505 (3d Cir. 1993)). A plaintiff’s allegation must simply show that defendant’s acts caused or contributed to the kinds of injury alleged, which renders the “fairly traceable” standard lower than that of pleading tort causation. See id.

ConnectWise relies on Anderson v. Kimpton Hotel & Restaurant Group, LLC , No. 19-CV-01860, 2019 WL 3753308, at *1 (N.D. Cal. Aug. 8, 2019), to assert that Plaintiffs have failed to establish traceability. In Anderson , the defendant hotel contracted with a reservation service provider, Sabre. Id. The hotel suffered a data breach in which hackers accessed the Sabre system and absconded with plaintiffs’ PII. Anderson and several other plaintiffs thereafter sued the hotel. The court explained that plaintiffs failed to establish traceability because the complaint contained only conclusory allegations of the hotel’s failure to institute reasonable security measures to protect PII. at *4.

ConnectWise claims that the Anderson court “determined that, since Sabre and not [the hotel] had the data breach, the plaintiffs’ allegations that [the hotel] failed to maintain reasonable security procedures were not traceable to their alleged injuries.” (Doc. 35 at 15.) Not so. There, the court found no traceability due to the conclusory nature of the plaintiffs’ allegations and did not offer a substantive analysis of traceability in light of the hotel and Sabre’s relationship. See Anderson , 2019 WL 3753308, at *4. Anderson , therefore, is not helpful in deciding traceability in this case.

Plaintiffs’ offered authority fares no better. They claim that in Accellion, Inc., Data Breach Litig. , 713 F. Supp. 3d 623, 635 (N.D. Cal. 2024), the court rejected the argument that companies not in control of PII are not subject to liability. ( See Doc. 39 at 13.) Confusingly, the Accellion court did not discuss standing whatsoever. See 713 F. Supp. 3d at 635. In fact, the section of that case Plaintiffs cite to concerns the scope of duty in data breach cases under California negligence law. See id. Therefore, the Court does not agree with Plaintiffs’ conclusion that, for standing purposes, Accellion found “upstream companies in a data breach [action] may be liable for security breaches.” (Doc. 39 at 13.)

Inapposite case law aside, Plaintiffs’ allegations demonstrate that both On Q Financial and ConnectWise are allegedly at fault for the injuries related to the Data Breach. (Doc. 20 ¶¶ 3–4, 56–65.) The allegations produce the following syllogism: ConnectWise provided On Q Financial, the holder of the PII, an unsecure version of ScreenCapture. ( Id. ) Malicious actors used the ScreenCapture vulnerabilities to steal Plaintiffs’ PII from On Q Financial. ( Id. ) And Plaintiffs suffered injuries because of ConnectWise’s faulty software. ( ) Put simply, but for the ScreenConnect vulnerability, Plaintiffs’ PII would not have been stolen.

Plaintiffs’ allegations establish a “line of causation” between ConnectWise’s failure to securely implement its ScreenCapture software among its vendors, including On Q Financial, and the alleged injuries in this case. See Maya , 658 F.3d at 1070. Therefore, Plaintiffs sufficiently allege that their injuries are fairly traceable to the challenged conduct—“[ConnectWise’s] failure to prevent the breach.” Zappos II , 888 F.3d at 1029. [5]

4. Redressability

The traceability and redressability components for standing overlap and are “two facets of a single causation requirement.” Washington Env’t Council v. Bellon , 732 F.3d 1131, 1146 (9th Cir. 2013). They are distinct, however, in that traceability examines a causal link between the misconduct and injury, “whereas redressability analyzes the connection between the alleged injury and requested relief.” Redressability is satisfied so long as the requested remedy “would amount to a significant increase in the likelihood that the plaintiff would obtain relief that directly redresses the injury suffered.” Renee v. Duncan , 686 F.3d 1002, 1013 (9th Cir. 2012). When a pleading seeks forward-looking relief, like here, Plaintiffs “must face a ‘real and immediate threat of repeated injury.’” Murthy v. Missouri , 603 U.S. 43, 58 (2024) (quoting O’Shea v. Littleton , 414 U.S. 488, 496 (1974)).

ConnectWise argues that because the Complaint does not allege that ConnectWise maintains the Plaintiffs’ PII, declaratory judgment against it would not redress any of the alleged injuries. (Doc. 35 at 17.) Further, ConnectWise argues that Plaintiffs fail to establish that their injuries are repeatable with respect to ConnectWise. ( )

In response, Plaintiffs argue that its declaratory relief claim would require ConnectWise to employ adequate security protocols consistent with law, industry, and government regulatory standards, so that its software cannot be exploited again. (Doc. 39 at 13 (citing Doc. 20 ¶ 306).) Plaintiffs also contend that redressability here is satisfied because “the requested remedy would amount to a significant increase in the likelihood that [Plaintiffs] would obtain relief that directly redresses the injury suffered.” (Doc. 39 at 13–14 (quoting Mi Familia Vota v. Hobbs , 608 F. Supp. 3d 827, 857 (D. Ariz. 2022) (internal quotation marks omitted)).)

Plaintiffs ask the Court to enter judgment declaring: “Defendants owes [sic] a legal duty to secure the PII of Plaintiffs and Class Members;” “Defendants continues [sic] to breach this legal duty by failing to employ reasonable measures to secure consumers’ PII;” and “Defendants’ ongoing breaches of its legal duty continue to cause Plaintiffs harm.” (Doc. 20 ¶ 305.) Additionally, Plaintiffs request injunctive relief that would require Defendants to “employ adequate security protocols consistent with law, industry, and government regulatory standards to protect consumers’ PII.” ( ¶ 306.)

Plaintiffs’ requested relief has nothing to do with ConnectWise, as it is directed at those “Defendants,” i.e., On Q Financial, who possess and maintain Plaintiffs’ PII. ( See id. ¶¶ 301–306.) Therefore, declaratory judgment against ConnectWise would not redress any of the Plaintiffs’ alleged injuries. A further impediment to redressability is the fact that ConnectWise issued the patch to On Q Financial, who then implemented the update to fix the ScreenConnect vulnerability. ( See Doc. 20 ¶ 40.) Thus, Plaintiffs seek forward-looking relief, and they must face a real and immediate threat of repeated injury. Murthy , 603 U.S. at 58. Plaintiffs do not credibly allege any immediate risk of additional injury pertaining to the ScreenConnect program or ConnectWise’s speculative future failure to distribute a safe product. ( See generally id. ) In essence, ConnectWise has foreclosed the future possibility that the ScreenConnect vulnerability will be used to exfiltrate Plaintiffs’ PII from On Q Financial servers.

At bottom, Plaintiffs have not shown that declaratory judgment entered against ConnectWise would redress any alleged injury. As a result, Plaintiffs lack standing to bring a declaratory judgment claim against ConnectWise, and the Court will therefore dismiss the claim as asserted against ConnectWise.

B. Negligence

Before evaluating the merits of Plaintiffs’ negligence claim, a few preliminaries: Because Plaintiffs failed to establish that they have standing to bring their declaratory judgment claim, the Court will not analyze the merits of that claim here. Sinochem Int’l Co. v. Malaysia Int'l Shipping Corp. , 549 U.S. 422, 430-31 (2007) (“[A] federal court generally may not rule on the merits of a case without first determining that it has [subject matter] jurisdiction.”). Next, Plaintiffs state that they “are no longer advancing a negligence per se claim.” (Doc. 39 at 23.) Therefore, Plaintiffs’ negligence per se claim (Count II) will be dismissed with prejudice.

To establish a claim for negligence under Arizona law, “a plaintiff must prove four elements: (1) a duty requiring the defendant to conform to a certain standard of care; (2) a breach by the defendant of that standard; (3) a causal connection between the defendant’s conduct and the resulting injury; and (4) actual damages.” Gipson v. Kasey , 150 P.3d 228, 230 (Ariz. 2007). Whether a duty exists is a matter of law and “[t]he other elements, including breach and causation, are factual issues usually decided by the jury.” Id.

1. Choice of Law

To begin, Plaintiffs contend that “[t]his Court is not limited to Arizona law” at this stage in the litigation and that “this Court should consider each named Party’s state law in resolving ConnectWise’s Motion.” (Doc. 36 at 14.) Plaintiffs do not, however, engage in a meaningful choice of law analysis, putting the onus on the Court to do so. ( See id. )

To set the stage, Plaintiffs Eitemiller and Castellaw, as well as Defendant On Q Financial, are residents of Arizona. ( See Doc. 20 ¶¶ 27–29.) Plaintiff Feathers is a California resident, ( Id. ¶ 25), and Plaintiff Squier is a Florida resident, ( Id. ¶ 26). ConnectWise is incorporated in Delaware and headquartered in Florida. ( ¶ 30.)

A federal court sitting in diversity must apply the forum state’s choice of law rules to determine the controlling law. Patton v. Cox, 276 F.3d 493, 495 (9th Cir. 2002). “The starting point of any examination as to whether Plaintiff has stated a claim is to determine (and support by way of sufficient analysis) the applicable substantive state law—whether that is Arizona law . . . or some other law—or show there is no meaningful difference.” Feins v. Goldwater Bank, No. CV-22-00932-PHX-JJT, 2022 WL 17552440, at *2 (D. Ariz. Dec. 9, 2022). “The determination must be made through analysis on a claim-by-claim basis, and the parties cannot simply stipulate to the applicable state law without showing it is the appropriate one under the applicable choice of law rules.” (internal citations omitted). [6]

With respect to negligence claims, “Arizona courts apply the principles of the Restatement (Second) of Conflict of Laws (1971) [(“Restatement”)] to determine the controlling law for multistate torts.” Bates v. Super. Ct. of Ariz. , 749 P.2d 1367, 1369 (Ariz. 1988). Restatement § 6 provides the following factors to determine the applicable rule of law:

(a) the needs of the interstate and international systems,
(b) the relevant policies of the forum,
(c) the relevant policies of other interested states and the relative interests of those states in the determination of the particular issue,
(d) the protection of justified expectations,
(e) the basic policies underlying the particular field of law,
(f) certainty, predictability and uniformity of result, and
(g) ease in the determination and application of the law to be applied.

Restatement (Second) of Conflict of Laws § 6(2) (1971).

Section 145 provides further guidance for the application of the § 6 factors to tort issues, specifically that courts are to resolve such issues under the law of the state having the most significant relationship to both the occurrence and the parties. Id. § 145. The relevant contacts include: “1. The place where the injury occurred; 2. The place where the conduct causing the injury occurred; 3. The domicile, residence, nationality, place of incorporation and place of business of the parties 4. The place where the relationship, if any between the parties is centered.” Bates, 749 P.2d at 1370. “The inquiry is qualitative, not quantitative. The court must evaluate the contacts ‘according to their relative importance with respect to the particular issue.’” (first citing Ambrose v. Illinois-California Express Inc., 729 P.2d 331, 334 (Ariz. Ct. App. 1986); then citing Restatement § 145(2)).

The key parts of a negligence claim in Arizona, Florida, and California require the same elements: duty, breach, causation, and damages. See Gipson, 150 P.3d at 230 (Arizona); Vasilenko v. Grace Family Church, 404 P.3d 1196, 1198 (Cal. 2017) (California); Virgilio v. Ryland Grp., Inc., 680 F.3d 1329, 1339 (11th Cir. 2012) (Florida). Additionally, the Complaint makes clear that the place where the alleged injury occurred, the place where the conduct causing injury occurred, and the place where the relationship between all parties is centered is in Arizona. (See Doc. 20 ¶¶ 23–24 (“[T]he acts and omissions giving rise to Plaintiffs’ claims occurred in and emanated from [Arizona].”).) Truly, the only contacts that this case has to California and Florida is that some named Plaintiffs reside there. At this early stage, the allegations point to the application of Arizona law to Plaintiffs’ negligence claim. The Court will apply Arizona law to the extent possible and will use out-of-state sources as persuasive authority absent on-point Arizona law. Cf. Feins, 2022 WL 17552440, at *4.

[6] (cont.) Gariety v. Grant Thornton, LLP, 368 F.3d 356, 370 (4th Cir. 2004). Put another way, ConnectWise’s concern is noted, and is better addressed if and when Plaintiffs move to certify the putative class.

2. Duty and Breach

ConnectWise argues that it does not owe Plaintiffs a duty because it did not obtain, collect, maintain, store, or control their PII. (Doc. 35 at 18–19.) ConnectWise further asserts that finding a duty to exist in this case would establish an overbroad requirement that technology application developers protect all information that their customers independently collect and maintain. ( Id. at 19.)

In response, Plaintiffs argue that Arizona Revised Statutes § 12-681 and § 44-1373 establish a duty of care that ConnectWise owed to Plaintiffs in this case. (Doc. 39 at 16.) Further, Plaintiffs contend that their allegations make clear that ScreenConnect created an “unreasonable risk of harm,” which creates a duty under Arizona law. ( (citing Gipson , 150 P.3d at 233).) Finally, Plaintiffs argue that Arizona common law created a public policy duty for ConnectWise to prevent its product ScreenConnect from creating an unreasonable risk of harm to Plaintiffs. ( (citing Ontiveros v. Borak , 667 P.2d 200, 209 (Ariz. 1983)).)

In Arizona, a duty may be based on either recognized common-law “special relationships”—relationships created by “contract, familial relationship, or joint undertaking”—or on relationships created by “public policy.” Cal-Am Props. Inc. v. Edais Eng’g Inc., 509 P.3d 386, 389 (Ariz. 2022); Quiroz v. ALCOA Inc., 416 P.3d 824, 830 (Ariz. 2018). Special relationships giving rise to a duty ordinarily require a “preexisting, recognized relationship between the parties.” Cal-Am Properties, 509 P.3d at 390. Although in limited circumstances a joint undertaking may create a relationship between two parties not in privity with each other, a defendant in that type of third-party arrangement must have undertaken conduct “directly with or for a plaintiff.” Id. Arizona has explicitly declined to recognize special relationships created by foreseeability, that is, where it is foreseeable that a defendant’s conduct would impact the victim. ; see also Gipson, 150 P.3d at 231 (foreseeability of conduct does not create a duty).

Plaintiffs allege that duty exists “to use reasonable means to secure and safeguard their computer property—and [Plaintiffs’] PII held within it—to prevent disclosure of the information.” (Doc. 20 ¶ 237.) Absent from the Complaint, however, are any allegations that ConnectWise possessed, maintained, stored, controlled, or affected any transfer of Plaintiffs’ PII. (See generally id.) Additionally, the Complaint lacks allegations of a contract between ConnectWise and Plaintiffs, that those parties know each other, or that ConnectWise undertook conduct directly with or for Plaintiffs. ( ) Plaintiffs were not ConnectWise’s customers, and not all were even On Q Financial’s customers. Cf. See Quinalty v. FocusIT LLC, No. CV-23-00207-PHX-KML, 2024 WL 5223587, at *4–5 (D. Ariz. Dec. 26, 2025) (finding no special relationship existed where the plaintiffs were not the customers of the defendant information technology company). Certainly, the omission of these critical facts precludes the existence of a duty on ConnectWise to “secure and safeguard [its] computer property” or to protect and “prevent disclosure” of Plaintiffs’ PII. (Doc. 20 ¶ 237.) Put simply, there is no special relationship between ConnectWise and Plaintiffs, either directly or through a third-party arrangement, that would support the existence of a duty under these facts. See Cal-Am Properties, 509 P.3d at 390.

Plaintiffs also assert, for the first time, in their Response brief that ConnectWise owed them a duty under Arizona Revised Statutes § 12-681 and § 44-1373. (See Doc. 39 at 16.) While district courts are not precluded from considering arguments raised for the first time in a responsive brief, cf. Freeman v. Clay Cnty. Bd. of Comm’rs, 706 F. Supp. 3d 873, 886 (D.S.D. 2023), on a 12(b)(6) motion, the Court generally focuses on what the plaintiff has written in the complaint, Ctr. for Biological Diversity v. United States Forest Serv., 746 F. Supp. 3d 749, 755 (D. Ariz. 2024). The Complaint does not allege that ConnectWise owed Plaintiffs a duty under either Arizona statute. (See generally Doc. 20.) Though it does allege that all Defendants owe Plaintiffs a duty under unnamed “other applicable standards,” this conclusory remark is not enough to implicate every law under the sun, including § 12-681 and § 44-1373. (See id. ¶¶ 240–42, 247.) Therefore, the Court rejects Plaintiffs’ argument that § 12-681 and § 44-1373 create a duty because it has not been alleged in the Complaint. [7]

Arizona also recognizes that public policy derived from both state and federal statute and common law may create a duty to third parties with whom no direct relationship exists. Cal-Am Properties, 509 P.3d at 390. The “declaration of ‘public policy’” is primarily a legislative function, Quiroz, 416 P.3d at 830, and administrative regulations designed to protect the public from economic harm are not a source of duty, Cal-Am Properties, 509 P.3d at 391. In the absence of statutory guidance, a duty “should be so thoroughly established as a state of public mind, so united and so definite and fixed that its existence is not subject to any substantial doubt.” Quiroz, 416 P.3d at 830. And a plaintiff alleging a public-policy duty must (1) be “within the class of persons to be protected by the statute,” and (2) have suffered the type of harm the statute “sought to protect against.” at 829.

Plaintiffs seemingly offer two sources of public policy that create a duty in this case. First, Plaintiffs contend that Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, creates a duty. (Doc. 20 ¶ 238.) That statute provides: “[u]nfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1). Plaintiffs specifically contend that “the unfair practice of failing to use reasonable measures to protect confidential data” gave rise to their claim. (Doc. 20 ¶ 238.) Second, Plaintiffs allege a myriad of industry standards from the Federal Bureau of Investigation, Secret Service, Federal Trade Commission, NIST Cybersecurity Framework Version 2.0, and the Center for Internet Security’s Critical Security Controls support a duty based on public policy. (Doc. 20 ¶¶ 75, 100, 123–25, 247.) Both § 45 and the supposed industry standards are alleged to apply to “protect the personal consumer information that they keep,” “properly dispose of personal information that is no longer needed,” “encrypt information stored on computer networks,” monitor the security of one’s network, “limit access to sensitive data PII,” “require complex passwords,” “multi-factor authentication,” and “backup data and limiting which employees can access sensitive data.” ( ¶¶ 100, 103, 123, 247.)

This Court has recently held that § 45 does not create a private right of action, but instead allows the Federal Trade Commission to initiate enforcement proceedings “in the interest of the public.” Quinalty , 2024 WL 5223587, at *5 (quoting Lee v. PHH Mortg. , No. CV-24-00057-TUC-SHR, 2024 WL 4364139, at *5 (D. Ariz. Sept. 30, 2024)). The Court also held that citations to guidelines without further factual enhancement about how they amount to industry standards that are also recognized as a duty under Arizona law would not suffice. Id.

As this Court recently discussed, § 45 cannot establish a private right of action for Plaintiffs to sue ConnectWise. Quinalty , 2024 WL 5223587, at *5. Second, while the Complaint attempts to explain how § 45 and the various guidelines are standards for industry, they do not constitute a duty under Arizona law. See Quinalty , 2024 WL 5223587, at *5; Cal-Am Properties , 509 P.3d at 391. And, even if such standards could establish duty, they pertain to organizations that collect, possess, maintain, store, use, or control sensitive data like PII, which Plaintiffs do not allege ConnectWise has done. [8] ( See generally Doc. 20.) [9]

Therefore, Plaintiffs have failed to allege that ConnectWise owed them a cognizable duty under Arizona law. As a result, their negligence claim fails and must be dismissed.

3. Damages

Plaintiffs assert that they properly alleged five types of damages: (1) lost time and opportunity costs; (2) emotional distress; (3) diminution of value; (4) future monitoring costs; and (5) future risk of fraud. (Doc. 39 at 22–23; Doc. 20.) Plaintiffs do not allege that they have suffered from identity theft because of the Data Breach. ( See generally Doc. 20.) Plaintiffs Squier, Eitemiller, and Castellaw allege that they have suffered fraudulent credit card charges since the Data Breach, but do not specifically allege that they were a result of the breach. ( ¶¶ 181, 194, 208.)

Negligence damages must be actual and appreciable, non-speculative, and unlike the injury sufficient for standing, more than merely the threat of future harm. CDT, Inc. v. Addison, Roberts & Ludwig, 7 P.3d 979, 982–83 (Ariz. Ct. App. 2000). Therefore, Plaintiffs’ claimed damages for lost time and opportunity costs are insufficient to state the damages element of a negligence claim. See Quinalty, 2024 WL 5223587, at *5 (rejecting the same); Griffey, 562 F. Supp. 3d at 45 (finding that lost time alone is not a cognizable form of damages); Johnson v. Yuma Reg’l Med. Ctr., No. CV-22-01061-PHX-SMB, 2024 WL 4803881, at *5 (D. Ariz. Nov. 15, 2024) (“[G]eneral allegations of lost time are not cognizable injuries.”); Bozek v. Ariz. Lab. Force Inc., No. CV-24-00210-PHX-SMB, 2025 WL 264174, at *5 (D. Ariz. Jan. 22, 2025) (same). Similarly, Plaintiffs’ claimed damages related to future monitoring costs and future risk of fraud without a concurrent showing of present harm have been rejected by this Court on several occasions. See, e.g., Bozek, 2025 WL 264174, at *5 (finding allegations of increased risk of fraud and identity theft “speculative damages of a future harm that has yet to occur” and as such “not cognizable”). [10]

[8] (cont.) data” under § 45 and failed to do so. (Doc. 20 ¶ 238.) As discussed, however, § 45 does not provide a private right of action or constitute a duty under Arizona law.

[9] Plaintiffs attempt to rely on foreign law to salvage their claim under § 45. (Doc. 39 at 15 (citing In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 407 (E.D.V.A. 2020)).) That case, however, analyzed § 45 under New York law as it related to a negligence per se claim. See In re Cap. One, 488 F. Supp. 3d at 407. Therefore, that court’s analysis has no bearing on the issues before the Court in this case.

While the diminished value of PII can be a cognizable injury, Plaintiffs must sufficiently allege a “robust market” for the PII and a deprivation of their ability to sell personal data on that market. See Svenson v. Google Inc., No. 13-cv-04080-BLF- 2015 WL 1503429, at *5 (N.D. Cal. Apr 1, 2015) (citing In re Facebook Privacy Litig., 572 F. App’x 494 (9th Cir. 2014)). Though allegations of the sale of Plaintiffs’ PII on the dark web were enough to satisfy Article III standing, the Court echoes Griffey by declining to find that the “dark web,” a seemingly illegal market in which ransomware groups sell PII, (Doc. 20 ¶ 47–70), serves as a “robust” or “legitimate” market for the purposes of damages. Griffey, 562 F. Supp. at 46; see also Quinalty, 2024 WL 5223587, at *5 (finding that the “black market” is not a legitimate market).

Each named Plaintiff alleges that the Data Breach caused them to suffer “fear, anxiety, and stress.” (Doc. 20 ¶¶ 172, 185, 199, 212.) The rule in Arizona is that “there can be no recovery for mental disturbance unless physical injury, illness or other physical consequence accompany it, or physical harm develops as a result of the plaintiff’s emotional distress.” Johnson, 2024 WL 4803881, at *5; see also Amari v. Scottsdale Healthcare Hosps., No. 1 CA-CV 17-0443, 2018 WL 2928040, at *4 (Ariz. Ct. App. June 12, 2018) (“[E]motional distress damages are recoverable absent impact if the emotional distress manifests itself physically or results in long-term physical illness or mental disturbance.”). Plaintiffs have not alleged that they experienced physical injury, illness, or other physically manifested harm as a result of the fear, anxiety, and stress of the Data Breach. (See generally Doc. 20.) Thus, Plaintiffs’ allegations of emotional distress fail to state a claim for damages.

At bottom, Plaintiffs have failed to plead any cognizable form of damages for their negligence claim against ConnectWise.

4. Causation

ConnectWise argues that Plaintiffs’ alleged injuries are not fairly traceable because several intervening factors preclude the required proximate cause showing. (Doc. 35 at 23.) ConnectWise mainly focuses on Plaintiffs’ provision of their PII to On Q Financial, and not ConnectWise, as well as ConnectWise’s warning to On Q Financial about the ScreenConnect vulnerability. ( at 23–24.) Plaintiffs respond that they have pleaded a connection between ConnectWise’s vulnerable software and the ability of hackers to use it to steal their PII during the Data Breach. (Doc. 39 at 18–19; see also Doc. 20 ¶¶ 40, 56, 59–61.) Plaintiffs are correct. Cf. Griffey , 562 F. Supp. 3d at 45. This fact, however, is inconsequential as Plaintiffs fail to allege a cognizable duty or injury.

IV. LEAVE TO AMEND

Federal Rule of Civil Procedure 15(a) requires that leave to amend be “freely give[n] when justice so requires.” Leave to amend should not be denied unless “the proposed amendment either lacks merit or would not serve any purpose because to grant it would be futile in saving the plaintiff's suit.” Universal Mortg. Co. v. Prudential Ins. Co. , 799 F.2d 458, 459 (9th Cir. 1986). Therefore, “a district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith , 203 F.3d 1122, 1127 (9th Cir. 2000) (cleaned up).

Although Plaintiffs have not requested leave to amend, it would not prejudice ConnectWise if such leave is granted. While it is not abundantly clear to the Court how Plaintiffs might ameliorate the deficiencies of their negligence and declaratory relief claims as they pertain to ConnectWise, leave to amend will be granted. As Plaintiffs have abandoned their negligence per se claim, no leave will be granted to reassert that claim in any fashion.


V. CONCLUSION

Accordingly,

IT IS HEREBY ORDERED granting Defendant ConnectWise’s Motion to Dismiss (Doc. 35).

IT IS FURTHER ORDERED dismissing Plaintiffs’ negligence and declaratory relief claims as to ConnectWise without prejudice and dismissing the negligence per se claim with prejudice.

IT IS FURTHER ORDERED giving Plaintiffs leave to amend their Complaint (Doc. 20). Plaintiffs shall have thirty (30) days from the date of this Order to file a Second Amended Complaint if they so choose.

Dated this 26th day of June, 2025.

[1] While not argued, Plaintiffs allege that they have suffered “fear, anxiety, and stress” because of the Data Breach. (Doc. 20 ¶¶ 172, 185, 199, 212.) The Ninth Circuit has found allegations of emotional distress to be enough to satisfy the injury-in-fact requirement for Article III standing. See Goz v. Allied Collection Servs., Inc. , 812 F. App’x 544, 545 (9th

[3] ConnectWise contends, however, that the allegations of future risk of identity theft are deficient because Plaintiffs do not allege that they, or others, did not widely disseminate their social security numbers. (Doc. 35 at 14.) The Court is not convinced that the absence of alleged facts that Plaintiffs did not freely distribute their own PII prevents finding an injury-in-fact based on the existing allegations of future risk of theft.

[4] Like in Travis and Zappos I, however, Plaintiffs here do not allege that they attempted to sell their PII and were “rebuffed because of a lower price-point attributable to the security breach.” Travis, 2021 WL 1862446, at *9. The Court does not believe such allegations to be a factual predicate to finding injury, as allegations of the attempts to sell Plaintiffs’ PII on the dark web in this case are sufficient because there is a “substantial risk that the harm will occur.” See Zappos II, 888 F.3d at 1025.

[5] ConnectWise asserts it was On Q Financial’s responsibility to patch ScreenConnect to ameliorate the vulnerability, and therefore, ConnectWise cannot be responsible for the injuries. ( at 16.) Further, ConnectWise takes issue with the dates as alleged in the Complaint, asserting that “any discovery would establish that the correct date” the company warned On Q Financial was February 19, 2024, two days before the Data Breach occurred on February 21. (Doc. 35 at 16.) This argument seemingly confuses the dates, as ConnectWise provides a data breach notification from the Office of the Maine Attorney General listing the date of breach as February 21, but the letter sent to On Q Financial’s customers suggests that the breach had to occur prior to February 20. (Doc. 20 ¶ 40 (explaining that On Q Financial received a notification from ConnectWise on February 20, 2024, and immediately patched the ScreenCapture software, but not quick enough to have prevented the malicious actors from stealing PII).) Regardless, Plaintiffs’ allegations are sufficient to show traceability.

[6] ConnectWise posits that “[i]f each Plaintiffs’ own state law applies, then a nationwide class does not appear certifiable.” (Doc. reply at 10 n.5.) This is a putative class action, meaning that if this case proceeds to class certification, Plaintiffs have the burden under Federal Rule of Civil Procedure 23 to conduct a choice of law analysis for each surviving claim. At that stage, Plaintiffs must show that common questions of law predominate and “cannot meet this burden when the various laws have not been identified and compared.”

[7] Even if Plaintiffs pleaded that § 12-681 and § 44-1373 created a duty, the Complaint lacks the factual enhancement that these statutes would require to assert duty. For example, § 12-681 concerns negligence predicated on product manufacturer liability, which Plaintiffs have not asserted in the Complaint. ( See generally Doc. 20.) It is also unlikely that Plaintiffs could assert such a claim given that this is not a product liability case. Further, § 44-1373 prohibits an entity from “[i]ntentionally communicat[ing] or otherwise mak[ing] an individual’s social security number available to the general public.” There are no allegations that ConnectWise engaged in such conduct. ( See generally Doc. 20.)

[8] The Complaint rarely delineates between the acts of ConnectWise or On Q Financial, and thus the Court struggles to understand which Defendant undertook certain alleged actions. ( See id. ¶¶ 109, 238.) At best, the Court understands the allegations to be that both Defendants “had a duty to employ reasonable security measures . . . to protect confidential

[10] While Plaintiffs offer several cases to support their lost time and opportunity damages, not one applies Arizona negligence law. See Anthem II, 2016 WL 3029783, at *14–15; In re Experian Data Breach Litigation, No. SACV 15-1592 AG (DFMx), 2016 WL 7973595, at *5 (C.D. Cal. Dec. 29, 2016); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-cv-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 918 (S.D. Cal. 2020); Huynh v. Quora, Inc., 508 F. Supp. 3d 633, 650 (N.D. Cal. 2020). This authority is therefore inapposite at this juncture.

Case Details

Case Name: Feathers v. On Q Financial LLC
Court Name: District Court, D. Arizona
Date Published: Jun 26, 2025
Docket Number: 2:24-cv-00811
Court Abbreviation: D. Ariz.