1 U.S. F D IL IS E T D R I I N C T T H C E O URT EASTERN DISTRICT OF WASHINGTON Dec 18, 2025 2 SEAN F. MCAVOY, CLERK 3 4 5 UNITED STATES DISTRICT COURT EASTERN DISTRICT OF WASHINGTON 6
7 CHASE BARNES, on behalf of himself individually and all others NO. 2:25-CV-0081-TOR 8 similarly situated ORDER ON DEFENDANT’S 9 Plaintiff, MOTION TO DISMISS
10 v.
11 KEY TRONIC CORPORATION,
12 Defendant. 13 BEFORE THE COURT are Defendant’s Motion to Dismiss Plaintiff’s First 14 Amended Complaint (ECF No. 17). This matter was submitted for consideration 15 without oral argument. The Court has reviewed the record and files herein and is 16 fully informed. For the reasons discussed below, Defendant’s Motion to Dismiss 17 Plaintiff’s First Amended Complaint (ECF No. 17) is DENIED in part. 18 BACKGROUND 19 Plaintiff filed this lawsuit on behalf of himself and similarly situated 20 individuals. ECF No. 1. This case arises from a data breach in which the 1 personally identifiable information (“PII”) of Defendant’s employees, including 2 Plaintiff, was compromised. ECF No. 14 at 2. The Black Basta ransomware group
3 took credit for the data breach alleging that they stole over 500 GB of data. ECF 4 No. 14 at 2. The data breach occurred on May 6, 2024. ECF No. 14 at 2. The 5 information included Plaintiff’s full name and Social Security number. ECF No.
6 14 at 2. However, every employee must provide Defendant with their address, 7 phone number, birthdate, Social Security number, and driver’s license number. 8 ECF No. 14 at 7. 9 Plaintiff claims this breach was a result of Defendant’s failure to employ
10 “adequate and reasonable cyber-security procedures and protocols.” ECF No. 14 11 at 3. Furthermore, Plaintiff alleges that Defendant failed to inform Plaintiff and 12 other similarly situated individuals that their information was subject to
13 unauthorized access without specifying what information was accessed. Id. 14 Plaintiff’s Amended Complaint alleges negligence and breach of implied contract. 15 ECF No. 14 at 47-52. 16 Previously, Defendant filed a Motion to Dismiss, and the Court granted this
17 motion in part. ECF Nos. 10; 13. The Court dismissed Plaintiff’s negligence 18 claim for failure to state a claim because Plaintiff did not allege an actual injury. 19 ECF No. 13 at 9-13. However, the Court retained the breach of implied contract
20 claim. ECF No. 13 at 15. The Court granted Defendant’s Motion to Dismiss with 1 leave for Plaintiff to amend his complaint. ECF No. 13. Subsequently, Plaintiff 2 filed First Amended Complaint. ECF No. 14. Plaintiff’s Amended Complaint
3 alleges negligence and breach of implied contract. ECF No. 14 at 47-52. 4 On October 3, 2025, Defendant filed another Motion to Dismiss arguing that 5 Plaintiff still does not allege a concrete injury or causation for his negligence
6 claim. ECF No. 17. Defendant does not argue any deficiencies with Plaintiff’s 7 breach of implied contract claim. ECF No. 17. 8 DISCUSSION 9 For a plaintiff to survive a motion to dismiss under Rule 12(b)(6), “a
10 complaint must contain sufficient factual matter, accepted as true, ‘to state a claim 11 to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) 12 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This requires
13 more than a simple “formulaic recitation of a cause of action’s elements.” 14 Twombly, 550 U.S. at 545. This also requires facts to support legal conclusions 15 beyond simply stating conclusory legal statements. Iqbal, 556 U.S. at 663; 16 Twombly, 550 U.S. at 555 (citing Papasan v. Allain, 478 U.S. 265, 286 (1986))
17 (stating that for a motion to dismiss, courts are not obligated to accept alleged legal 18 conclusions as true factual allegations); Kwan v. SanMedica Int'l, 854 F.3d 1088, 19 1096 (9th Cir. 2017) (stating legal conclusions must be supported by factual
20 allegations). However, a court must construe facts in the light most favorable to 1 the opposing party of the motion and a court must take the allegations of the non- 2 moving party as true. Twombly, 550 U.S. at 556.
3 In addition, a plaintiff must “nudge[] their claims across the line from 4 conceivable to plausible” otherwise plaintiff’s complaint shall be dismissed. 5 Twombly, 550 U.S. at 570. In other words, the “plausibility standard requires more
6 than 'a sheer possibility that a defendant has acted unlawfully’ but ‘is not akin to a 7 probability standard.’” Kwan v. SanMedica Int'l, 854 F.3d 1088, 1096 (9th Cir. 8 2017) (quoting Turner v. City & Cnty. of San Francisco, 788 F.3d 1206, 1210 (9th 9 Cir. 2015)). Furthermore, when there are two possible explanations, “[s]omething
10 more is needed, such as facts tending to exclude the possibility that the alternative 11 explanation is true, in order to render plaintiffs' allegations plausible.” Eclectic 12 Props. E., LLC v. Marcus & Millichap Co., 751 F.3d 990, 996–97 (9th Cir. 2014)
13 (quoting In re Century Aluminum Co. Sec. Litig., 729 F.3d 1104, 1108 (9th Cir. 14 2013)) (citations omitted). 15 In Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014), the court 16 realized the difficulties in the plausibility standard and created a two-step process
17 that mirror other rules. Id. Step one requires the complaint to not only recite the 18 elements of the cause of action but provide sufficient allegations to provide fair 19 notice to the opposing party. Id. Step two states “the factual allegations that are
20 taken as true must plausibly suggest an entitlement to relief, such that it is not 1 unfair to require the opposing party to be subjected to the expense of discovery and 2 continued litigation.” Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014).
3 A. Injury 4 Negligence requires evidence of four elements, duty, breach, causation and 5 injury. Reyes v. Yakima Health Dist., 191 Wash. 2d 79, 89 (2018). Injury is one of
6 the required elements to prove negligence. Nunley v. Chelan-Douglas Health 7 Dist., 32 Wash. App. 2d 700, 716 (2024). “The mere danger of future harm, 8 unaccompanied by present damage, will not support a negligence action.” Gazija 9 v. Nicholas Jerns Co., 86 Wash. 2d 215, 219 (1975).
10 Plaintiff adds paragraphs 112-115 to the Amended Complaint. ECF No. 18 11 at 5. Plaintiff alleges that he took proactive measures such as registering and 12 paying monthly subscriptions for credit monitoring and identity theft protection
13 services. ECF No. 14 at 37. He also received alerts from both Google and Apple 14 that his PII was on the dark web. ECF No. 14 at 37. To mitigate these alerts, 15 Plaintiff increased his security by changing passwords and enabling multi- 16 authentication. Id. Continuing, Plaintiff received “a substantial increase in spam
17 communications” and “numerous email notifications regarding unauthorized login 18 attempts to his accounts.” ECF No 14 at 37-38.
Free access — add to your briefcase to read the full text and ask questions with AI
1 U.S. F D IL IS E T D R I I N C T T H C E O URT EASTERN DISTRICT OF WASHINGTON Dec 18, 2025 2 SEAN F. MCAVOY, CLERK 3 4 5 UNITED STATES DISTRICT COURT EASTERN DISTRICT OF WASHINGTON 6
7 CHASE BARNES, on behalf of himself individually and all others NO. 2:25-CV-0081-TOR 8 similarly situated ORDER ON DEFENDANT’S 9 Plaintiff, MOTION TO DISMISS
10 v.
11 KEY TRONIC CORPORATION,
12 Defendant. 13 BEFORE THE COURT are Defendant’s Motion to Dismiss Plaintiff’s First 14 Amended Complaint (ECF No. 17). This matter was submitted for consideration 15 without oral argument. The Court has reviewed the record and files herein and is 16 fully informed. For the reasons discussed below, Defendant’s Motion to Dismiss 17 Plaintiff’s First Amended Complaint (ECF No. 17) is DENIED in part. 18 BACKGROUND 19 Plaintiff filed this lawsuit on behalf of himself and similarly situated 20 individuals. ECF No. 1. This case arises from a data breach in which the 1 personally identifiable information (“PII”) of Defendant’s employees, including 2 Plaintiff, was compromised. ECF No. 14 at 2. The Black Basta ransomware group
3 took credit for the data breach alleging that they stole over 500 GB of data. ECF 4 No. 14 at 2. The data breach occurred on May 6, 2024. ECF No. 14 at 2. The 5 information included Plaintiff’s full name and Social Security number. ECF No.
6 14 at 2. However, every employee must provide Defendant with their address, 7 phone number, birthdate, Social Security number, and driver’s license number. 8 ECF No. 14 at 7. 9 Plaintiff claims this breach was a result of Defendant’s failure to employ
10 “adequate and reasonable cyber-security procedures and protocols.” ECF No. 14 11 at 3. Furthermore, Plaintiff alleges that Defendant failed to inform Plaintiff and 12 other similarly situated individuals that their information was subject to
13 unauthorized access without specifying what information was accessed. Id. 14 Plaintiff’s Amended Complaint alleges negligence and breach of implied contract. 15 ECF No. 14 at 47-52. 16 Previously, Defendant filed a Motion to Dismiss, and the Court granted this
17 motion in part. ECF Nos. 10; 13. The Court dismissed Plaintiff’s negligence 18 claim for failure to state a claim because Plaintiff did not allege an actual injury. 19 ECF No. 13 at 9-13. However, the Court retained the breach of implied contract
20 claim. ECF No. 13 at 15. The Court granted Defendant’s Motion to Dismiss with 1 leave for Plaintiff to amend his complaint. ECF No. 13. Subsequently, Plaintiff 2 filed First Amended Complaint. ECF No. 14. Plaintiff’s Amended Complaint
3 alleges negligence and breach of implied contract. ECF No. 14 at 47-52. 4 On October 3, 2025, Defendant filed another Motion to Dismiss arguing that 5 Plaintiff still does not allege a concrete injury or causation for his negligence
6 claim. ECF No. 17. Defendant does not argue any deficiencies with Plaintiff’s 7 breach of implied contract claim. ECF No. 17. 8 DISCUSSION 9 For a plaintiff to survive a motion to dismiss under Rule 12(b)(6), “a
10 complaint must contain sufficient factual matter, accepted as true, ‘to state a claim 11 to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) 12 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This requires
13 more than a simple “formulaic recitation of a cause of action’s elements.” 14 Twombly, 550 U.S. at 545. This also requires facts to support legal conclusions 15 beyond simply stating conclusory legal statements. Iqbal, 556 U.S. at 663; 16 Twombly, 550 U.S. at 555 (citing Papasan v. Allain, 478 U.S. 265, 286 (1986))
17 (stating that for a motion to dismiss, courts are not obligated to accept alleged legal 18 conclusions as true factual allegations); Kwan v. SanMedica Int'l, 854 F.3d 1088, 19 1096 (9th Cir. 2017) (stating legal conclusions must be supported by factual
20 allegations). However, a court must construe facts in the light most favorable to 1 the opposing party of the motion and a court must take the allegations of the non- 2 moving party as true. Twombly, 550 U.S. at 556.
3 In addition, a plaintiff must “nudge[] their claims across the line from 4 conceivable to plausible” otherwise plaintiff’s complaint shall be dismissed. 5 Twombly, 550 U.S. at 570. In other words, the “plausibility standard requires more
6 than 'a sheer possibility that a defendant has acted unlawfully’ but ‘is not akin to a 7 probability standard.’” Kwan v. SanMedica Int'l, 854 F.3d 1088, 1096 (9th Cir. 8 2017) (quoting Turner v. City & Cnty. of San Francisco, 788 F.3d 1206, 1210 (9th 9 Cir. 2015)). Furthermore, when there are two possible explanations, “[s]omething
10 more is needed, such as facts tending to exclude the possibility that the alternative 11 explanation is true, in order to render plaintiffs' allegations plausible.” Eclectic 12 Props. E., LLC v. Marcus & Millichap Co., 751 F.3d 990, 996–97 (9th Cir. 2014)
13 (quoting In re Century Aluminum Co. Sec. Litig., 729 F.3d 1104, 1108 (9th Cir. 14 2013)) (citations omitted). 15 In Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014), the court 16 realized the difficulties in the plausibility standard and created a two-step process
17 that mirror other rules. Id. Step one requires the complaint to not only recite the 18 elements of the cause of action but provide sufficient allegations to provide fair 19 notice to the opposing party. Id. Step two states “the factual allegations that are
20 taken as true must plausibly suggest an entitlement to relief, such that it is not 1 unfair to require the opposing party to be subjected to the expense of discovery and 2 continued litigation.” Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014).
3 A. Injury 4 Negligence requires evidence of four elements, duty, breach, causation and 5 injury. Reyes v. Yakima Health Dist., 191 Wash. 2d 79, 89 (2018). Injury is one of
6 the required elements to prove negligence. Nunley v. Chelan-Douglas Health 7 Dist., 32 Wash. App. 2d 700, 716 (2024). “The mere danger of future harm, 8 unaccompanied by present damage, will not support a negligence action.” Gazija 9 v. Nicholas Jerns Co., 86 Wash. 2d 215, 219 (1975).
10 Plaintiff adds paragraphs 112-115 to the Amended Complaint. ECF No. 18 11 at 5. Plaintiff alleges that he took proactive measures such as registering and 12 paying monthly subscriptions for credit monitoring and identity theft protection
13 services. ECF No. 14 at 37. He also received alerts from both Google and Apple 14 that his PII was on the dark web. ECF No. 14 at 37. To mitigate these alerts, 15 Plaintiff increased his security by changing passwords and enabling multi- 16 authentication. Id. Continuing, Plaintiff received “a substantial increase in spam
17 communications” and “numerous email notifications regarding unauthorized login 18 attempts to his accounts.” ECF No 14 at 37-38. Lastly, Plaintiff alleges that he 19 received notifications of an attempt to access his banking account and credit
20 inquiries that he never authorized. ECF No. 14 at 36. Plaintiff alleges that all 1 these actions support the allegation that his PII is being used and that this amounts 2 to cognizable injury. ECF No. 18 at 5-6.
3 Defendant argues that Plaintiff does not argue a cognizable injury. ECF No. 4 17 at 7. With the additional four new paragraphs, Defendant states that Plaintiff’s 5 Amended Complaint still does not allege an actual injury from the data breach.
6 ECF No. 11 at 8. This is because there must be facts to support the actual misuse 7 of the alleged stolen PII. ECF No. 17 at 7. Moreover, Defendant states that 8 Plaintiff does not allege facts that can be reasonably believed to be attributable to 9 the alleged data leak. ECF No. 11 at 3-5.
10 As was discussed previously in this Court’s previous Order for dismissal, the 11 federal district courts and Washington state courts disagree on this topic. ECF No. 12 13 at 10. A Washington State Court of Appeals decided that a loss of value in PII
13 can result in a cognizable harm. Nunley v. Chelan-Douglas Health Dist., 32 Wash. 14 App. 2d 700 (2024) (holding a loss in value of PII and PHI is a cognizable current 15 harm to support a negligence claim). 16 However, some federal district courts took a different method and require a
17 more concrete harm such as injuries exhibiting that the PII was stolen and misused 18 beyond loose links between harms and allegations. ECF No. 13 at 10 (citing 19 Leonard v. McMenamins Inc., No. C22-0094-KKE 2024 WL 4188974, at *6
20 (W.D. Wash. Sept. 13, 2024) appeal dismissed, No. 24-6333, 2025 WL 2948625 1 (9th Cir. May 12, 2025); Nienaber v. Overlake Hosp. Med. Ctr., 2:23-CV-01159- 2 TL, 2025 WL 692097, at *7 (W.D. Wash. Mar. 4, 2025). For example, in
3 Leonard, the court required two elements to be shown to allege facts that “PII has 4 diminished in value: (1) the existence of a market for the PII, and (2) an 5 impairment of Plaintiffs’ ability to participate in that market.” Leonard, 2024 WL
6 4188974, at *8 (citation omitted). However, the court was careful to not allege that 7 this theory is cognizable under Washington Law. Id. Additionally, this district 8 court case was regarding summary judgment rather than a motion to dismiss. Id. 9 This Court will follow its previous Order and consider whether Plaintiff
10 alleged an actual injury that fits within Nunley and federal district courts within our 11 circuit. ECF No. 13. Among other things, Nunley focuses on diminution in value. 12 Nunley, 32 Wash. App. 2d at 721-22. Leonard starts the analysis with determining
13 whether there were facts to allege actual misuse before determining whether there 14 was diminution in value. Leonard, 2024 WL 4188974, at *7-8. However, it seems 15 clear in both cases that they focus on facts to support an actual misuse of data that 16 leads to a diminution in value. As this Court’s previous Order stated, Leonard
17 analyzed whether a financial loss existed, whereas Nunley analyzed whether a 18 property loss existed. Nunley, 32 Wash. App. 2d 700 at 721-22; Leonard, 2024 19 WL 4188974, at *7-8.
20 First, Plaintiff taking protective measures and paying out of pocket costs for 1 subscription services alone does not amount to a cognizable injury. As discussed 2 in the Court’s previous Order, these are not cognizable harms. This alleged harm
3 appears to follow the theories of anxiety around his PII and expenses for mitigation 4 efforts. Nevertheless, with sufficient facts of a concrete injury, these mitigation 5 efforts to prevent further loss could amount to an injury if these efforts are
6 reasonable and necessary. Jaeger v. Cleaver Const., Inc., 148 Wash. App. 698, 7 714–15 (2009) (“Courts allow a wide latitude of discretion to the person who, by 8 another's wrong, has been forced into a predicament where he is faced with a 9 probability of injury or loss.”) (citing Labriola v. Pollard Group, Inc., 152 Wash.
10 2d 828, 840) (citation omitted); Griffey v. Magellan Health Inc., 562 F. Supp. 3d 11 34, 47 (D. Ariz. 2021) (citing In re Sony Gaming Networks & Customer Data Sec. 12 Breach Litig., 996 F. Supp. 2d 942, 970 (S.D. Cal.), order corrected, No.
13 11MD2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014)). 14 Second, alerts and notifications that his PII was on the dark web results in a 15 concrete harm under Nunley. ECF No. 14 at 37; Nunley, 32 Wash. App. 2d at 725. 16 However, normal protection procedures such has changing passwords and enabling
17 multi-authentication does not result in a cognizable injury. ECF No. 14 at 37. In 18 Nunley, a plaintiff claimed that they received a notification that her Social Security 19 number was found on the dark web and that an unfamiliar business license was
20 opened in her name. Nunley, 32 Wash. App. 2d at 725. Nunley recognizes this as 1 a concrete injury. Nunley, 32 Wash. App. 2d at 725. Furthermore, the changing of 2 passwords and enabling multi-authentication does not in itself result in an injury.
3 These appear to be simple protection efforts not outside normal practices. 4 Third, an increase in spam communication can result in a cognizable injury. 5 In Nunley, the Court recognized that plaintiffs received additional spam calls as
6 support that they lost value in their PII and PHI. Nunley, 32 Wash. App. 2d at 725. 7 However, in Leonard, the Court decided that spam messages that tried to entice the 8 plaintiff to click a link was not connected to the breach. Leonard, 2024 WL 9 4188974, at *7. The court concluded that these messages alone were not
10 actionable. However, in Nunley, the spam allegation was in combination with 11 other injuries. Nunley, 32 Wash. App. 2d at 725. The Court found it was a 12 cognizable injury. Id. Following the same idea, the Court finds that alone spam
13 communications are not enough unless in combination with other injuries or with 14 an apparent connection to the breach. 15 Lastly, notifications that an attempt to access his banking account does not 16 amount to a cognizable injury. An attempt does not amount to an actual harm for
17 misuse or diminution of value. Access such as unauthorized withdraws, opening 18 banking or business accounts, use of banking or credit cards, would amount to a 19 current cognizable injury because they show actual misuse of the data. These
20 would show actual misuse or financial loss. Under the same idea, notifications 1 about possible access for any other person is not an injury, this is not an injury 2 either.
3 Nonetheless, unauthorized credit inquires amounts to a current cognizable 4 injury because it shows actual misuse of the data. Krefting v. Kaye-Smith Enters. 5 Inc., No. 2:23-CV-220, 2023 WL 4846850, at *1 (W.D. Wash. July 28, 2023)
6 (holding that harms such as fraudulently opening an account, attempts to change a 7 home address and an unauthorized credit inquiry showed an actual misuse of PII 8 and supported a concrete harm). However, the Court recognizes this argument was 9 for standing, the Court agrees and finds that unauthorized credit inquiries allege an
10 actual harm. Unauthorized credit inquiries can cause harm to his credit. For the 11 same reasons, the Court finds that this is a cognizable injury to survive dismissal. 12 Plaintiff argues that the court in Krefting excluded the allegation regarding
13 unauthorized credit inquiries when determining concrete harms. Krefting, 2023 14 WL 4846850, at *1. However, the Krefting court explained the plaintiff’s 15 allegations and then stated that it disagreed with the defendant’s argument that 16 those allegations did not amount to a concrete harm. Id. Defendant’s exclusion
17 argument is merely an attempt to rely on a technicality in its favor. 18 For the Court to find for a financial injury, under Leonard, Plaintiff needs to 19 allege facts to support two elements for his alleged injury of diminution of value to
20 show a financial loss. Plaintiff must show “: (1) the existence of a market for the 1 PII, and (2) an impairment of Plaintiffs’ ability to participate in that market.” 2 Leonard v. McMenamins Inc., 2024 WL 4188974, at *8 (W.D. Wash. Sept. 13,
3 2024) (citing Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 45 (D. Ariz. 4 2021)). However, the parties’ both do not appear to argue that Plaintiff is alleging 5 a financial injury. Moreover, in Griffey, the Court refused to recognize illegal
6 markets, such as the “dark web,” as a legitimate market in which individuals may 7 sell their information. Griffey, 562 F. Supp. 3d at 45. Here, Plaintiff alleges that 8 stolen PII is high value for criminal on the “dark web.” ECF No. 14 at 18; 31. For 9 those reasons, Plaintiff does not allege an existence of a market for the PII or an
10 impairment of Plaintiffs’ ability to participate in that market. Plaintiff does not 11 allege this type of financial injury. 12 Following the Court’s previous Order, Plaintiff alleges an injury that fits
13 within Krefting and Nunley showing a diminution in value. Krefting, 2023 WL 14 4846850, at *1; Nunley, 32 Wash. App. 2d at 725. 15 B. Causation 16 Proximate cause requires two elements. N.L. v. Bethel Sch. Dist., 186 Wash.
17 2d 422, 436–37 (2016). These are cause in fact and legal cause. Id. Cause in fact 18 means that “but for” the breach then the consequences would not have occurred. 19 Bethel Sch. Dist., 186 Wash. 2d at 437. In other words, there must be a connection
20 between the act and the injury. Bethel Sch. Dist., 186 Wash. 2d at 437. However, 1 this is typically a question up to the jury. Id. 2 On the other hand, “[l]egal cause ‘is grounded in policy determinations as to
3 how far the consequences of a defendant's acts should extend.’” Bethel Sch. Dist., 4 186 Wash. 2d at 437 (quoting Crowe v. Gaston, 134 Wash. 2d 509 at 518 (1998)). 5 In other words, this element decides whether the causation is too extenuated and
6 uses factors such as “considerations of logic, common sense, justice, policy, and 7 precedent.” Bethel Sch. Dist., 186 Wash. 2d at 437 (quoting Lowman v. Wilbur, 8 178 Wash. 2d 165, 169 (2013)) (internal quotation marks omitted). 9 Defendant argues that Plaintiff does not allege facts sufficient to make a
10 reasonable inference that Defendant was the cause of the alleged injuries. ECF No. 11 17 at 3-4. Defendant alleges that Plaintiff does not show facts to support that 12 Defendant’s negligence or breach of duty caused the alleged injuries. ECF No. 17
13 at 3-4. 14 Plaintiff alleged that the mitigation efforts such as subscription and 15 protective services as an injury. As was previously discussed, with an alleged 16 concrete injury, and facts supporting the reasonability and necessity of the
17 mitigation, these efforts could be caused by the misuse of data and diminution in 18 value. However, as Defendant stated, changing passwords and authentication 19 programs does not reasonably connect to the leak of Social Security numbers or
20 names. ECF No. 17 at 3-4. In Nunley, the alleged leak of PII resulted from a data 1 breach at a medical facility where the plaintiff was a patient, after which she 2 received spam calls related to medical services. Nunley v. Chelan-Douglas Health
3 Dist., 32 Wash. App. 2d 700, 706 (2024). It is unclear how Defendant’s leak of 4 Plaintiff’s Social Security number and name led to insecurities and leaks of his 5 passwords. While the Court is not stating this is impossible, it does not pass to a
6 level of reasonable or plausible. 7 Plaintiff alleges a substantial increase after the breach and to show an 8 inference that this data leak caused an increase in these communications. ECF No. 9 14 at 38. Specifically, he alleges unwanted email, text, and calls. ECF No. 14 at
10 38. However, there is concern because while Defendant had his phone number and 11 email, Plaintiff does not allege that information was obtained in the breach. ECF 12 Nos. 14 at 2; 7. Regardless, Plaintiff still alleges a reasonable connection between
13 the data leak of his name and Social Security number, the notification that his PII 14 is on the dark web, and the influx of spam communications after the breach. These 15 are reasonable connections because of a data breach of PII. 16 Additionally, Plaintiff’s unauthorized credit inquiry after the leak of
17 Plaintiff’s PII including his name and Social Security number is reasonable. With 18 Plaintiff’s alleged efforts to keep his PII safe and the unauthorized inquiry after the 19 data breach, it is plausible and reasonable for the link to be from the data breach.
20 Johnson v. Yuma Reg'l Med. Ctr., 769 F. Supp. 3d 936, 954 (D. Ariz. 2024) (recognizing that in an unpublished Ninth Circuit case, “a plaintiff pleaded that he actively took steps to protect his information and there were no other known thefts of his information, the plaintiff had adequately created a logical relationship 4|| between the theft of a computer and identity theft.’’) (citing Stollenwerk v. Tri-W. 5|| Health Care All., 254 F. App'x 664, 668 (9th Cir. 2007)). 6 Therefore, for this stage in litigation, Plaintiff provides sufficient facts to 7|| allege an actual injury and reasonable connection for causation for a negligence 8 || claim. However, as addressed, not all alleged injuries are sufficient as a concrete injury for negligence. 10}} ACCORDINGLY, IT IS HEREBY ORDERED: 11 Defendant’s Motion to Dismiss Plaintiff’s First Amended Complaint 12 (ECF No. 17) is DENIED in part. The Court retains Plaintiff's claims 13 for negligence and breach of implied contract. 14 The District Court Executive is directed to enter this Order and furnish copies to counsel. 16 DATED December 18, 2025.
18 Sane THOMAS O. RICE