1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA
9 Jack Feathers, et al., No. CV-24-00811-PHX-SMB
10 Plaintiff, ORDER
11 v.
12 On Q Financial LLC, et al.,
13 Defendants. 14 15 Pending before the Court is Defendant ConnectWise, LLC’s (“ConnectWise”) 16 Motion to Dismiss (Doc. 35) Plaintiffs Jack Feathers, Barbara Squier, Brian Eitemiller, and 17 Isaiah Castellaw’s (collectively, “Plaintiffs”) Consolidated Class Action Complaint (the 18 “Complaint”) (Doc. 20) pursuant to Federal Rules of Civil Procedure 12(b)(1) and (6). 19 Plaintiffs filed a Response (Doc. 39), and ConnectWise filed a Reply (Doc. 42). After 20 considering the parties arguments and the relevant case law, the Court will grant the 21 Motion. 22 I. BACKGROUND 23 This is a data breach case in which hackers accessed and exfiltrated personally 24 identifiable information (“PII”) from the customer databases of Defendant On Q Financial, 25 LLC (“On Q Financial”), a mortgage lender. (Doc. 20 ¶¶ 3, 31, 40.) On Q Financial 26 collected and maintained named Plaintiffs and the approximate 211,000 class members’ 27 PII, which included social security numbers and other sensitive health information. (Id. 28 ¶¶ 7, 9.) Plaintiffs Feather, Eitemiller, and Castellaw are not On Q Financial customers 1 but allege they provided PII to On Q Financial. (Id. ¶¶ 164, 189, 203.) Prior to receiving 2 the Notice Letter, Plaintiff Squier was neither familiar with On Q Financial nor with how 3 the company obtained her PII. (Id. ¶ 176.) 4 ConnectWise is an IT management software and technology provider that 5 contracted with On Q Financial. (Id. ¶¶ 3, 175; Doc. 35 at 10.) ConnectWise developed 6 and provided to On Q Financial a remote access software program called ScreenConnect. 7 (Doc. 20 ¶¶ 3, 4, 32, 40.) ScreenConnect is a computer program that allows a user to access 8 and perform actions on another person’s computer from a different location. (Id. ¶ 40.) 9 On February 13, 2024, an independent security researcher notified ConnectWise 10 that an issue with its ScreenConnect program could allow unauthorized actors to access the 11 software. (Id. ¶ 59.) ConnectWise thereafter developed a patch for ScreenConnect clients. 12 (Id.) Prior to On Q Financial installing the patch, malicious actors had already exploited 13 the vulnerability. (Id.) A ransomware group, Bianlian, claimed responsibility for the On 14 Q Financial breach (the “Data Breach”) and posted Plaintiffs’ PII on the dark web. (Doc. 15 20 ¶ 47–50.) 16 On or about March 29, 2024, On Q Financial sent Plaintiffs a Notice of Data 17 Security Incident letter (the “Notice Letter”), which stated: 18 What Happened? On February 20, 2024 On Q Financial received a notification from ConnectWise, a software and IT management provider, 19 regarding a vulnerability involving its product ScreenConnect, which is a software program On Q Financial used for remote access to computers in our 20 network. In response to the notification received from ConnectWise, we immediately patched and upgraded the application and began an 21 investigation. The investigation revealed some suspicious activity through the Screen Connect application. On Q Financial engaged a computer 22 forensics investigation firm to conduct an independent investigation into what happened and determine whether personal information may have been 23 accessed or acquired without authorization. Our investigation confirmed that the ConnectWise vulnerability has been successfully patched and the On Q 24 Financial computer network is secure. However, on March 14, 2023, the investigation determined that the ConnectWise vulnerability permitted an 25 unknown individual to gain access to our computer network and the personal information of some of our clients was exfiltrated from our network. Please 26 note that at this time we are not aware of any evidence that any of our clients’ personal information has been misused, and out of an abundance of caution, 27 we are notifying all of our clients whose personal information has potentially been impacted. 28 What Information was Involved? The information that may have been affected in connection with this incident includes your name and Social 1 Security number. 2 (Id.) 3 Specific to the instant Motion, Plaintiffs allege that ConnectWise failed to take 4 reasonable steps to ensure that Plaintiffs’ PII remained secure. (See id. ¶¶ 39, 58, 269.) 5 Plaintiffs allege various types of actual and future damages, including (i) invasion of 6 privacy; (ii) theft of their PII; (iii) lost or diminished value of their PII; (iv) lost time and 7 opportunity costs associated with attempting to mitigate the actual consequences of the 8 Data Breach; (v) loss of benefit of the bargain; (vi) statutory damages; and (ix) the 9 continued and increased risk to their PII, which remains exposed and subject to further 10 exposure if Defendants fail to take adequate remedial measures. (See id. ¶¶ 11, 127, 162, 11 168, 181, 194, 208.) 12 II. LEGAL STANDARD 13 A. Rule 12(b)(1) 14 Rule 12(b)(1) of the Federal Rules of Civil Procedure provides that a defendant may 15 move to dismiss an action for “lack of subject-matter jurisdiction.” Courts “have an 16 independent obligation to determine whether subject-matter jurisdiction exists.” Arbaugh 17 v. Y&H Corp., 546 U.S. 500, 514 (2006); see also Fed. R. Civ. P. 12(h)(3) (“If the court 18 determines at any time that it lacks subject-matter jurisdiction, the court must dismiss the 19 action.”). “Under Rule 12(b)(1), a defendant may challenge the plaintiff's jurisdictional 20 allegations in one of two ways. A ‘facial’ attack accepts the truth of the plaintiff's 21 allegations but asserts that they are insufficient on their face to invoke federal jurisdiction.” 22 Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014) (citation omitted). “A ‘factual’ 23 attack, by contrast, contests the truth of the plaintiff’s factual allegations, usually by 24 introducing evidence outside the pleadings.” Id. Regardless, however, plaintiff bears the 25 burden of establishing that subject-matter jurisdiction exists. Kokkonen v. Guardian Life 26 Ins. Co. of Am., 511 U.S. 375, 377 (1994). 27 B. Rule 12(b)(6) 28 To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must meet 1 the requirements of Rule 8(a)(2). Rule 8(a)(2) requires a “short and plain statement of the 2 claim showing that the pleader is entitled to relief,” so that the defendant has “fair notice 3 of what the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 4 550 U.S. 544, 555 (2007) (quoting Conley v. Gibson, 355 U.S. 41, 47 (1957)). This exists 5 if the pleader sets forth “factual content that allows the court to draw the reasonable 6 inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 7 U.S. 662, 678 (2009). “Threadbare recitals of the elements of a cause of action, supported 8 by mere conclusory statements, do not suffice.” Id. 9 Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal theory 10 or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri v. 11 Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). A complaint that sets forth a 12 cognizable legal theory will survive a motion to dismiss if it contains sufficient factual 13 matter, which, if accepted as true, states a claim to relief that is “plausible on its face.” 14 Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 570). Plausibility does not equal 15 “probability,” but requires “more than a sheer possibility that a defendant has acted 16 unlawfully.” Id. “Where a complaint pleads facts that are ‘merely consistent with’ a 17 defendant’s liability, it ‘stops short of the line between possibility and plausibility.’” Id. 18 (quoting Twombly, 550 U.S. at 557). 19 In ruling on a Rule 12(b)(6) motion to dismiss, the well-pled factual allegations are 20 taken as true and construed in the light most favorable to the nonmoving party. Cousins v. 21 Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). However, legal conclusions couched as 22 factual allegations are not given a presumption of truthfulness, and “conclusory allegations 23 of law and unwarranted inferences are not sufficient to defeat a motion to dismiss.” Pareto 24 v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998). A court ordinarily may not consider evidence 25 outside the pleadings in ruling on a Rule 12(b)(6) motion to dismiss. See United States v. 26 Ritchie, 342 F.3d 903, 907 (9th Cir. 2003). “A court may, however, consider materials— 27 documents attached to the complaint, documents incorporated by reference in the 28 complaint, or matters of judicial notice—without converting the motion to dismiss into a 1 motion for summary judgment.” Id. at 908. 2 III. DISCUSSION 3 A. Standing 4 1. Legal standard 5 To bring a justiciable lawsuit into federal court, Article III of the Constitution 6 requires that a plaintiff have “the core component of standing.” Lujan v. Defs. of Wildlife, 7 504 U.S. 555, 560 (1992). To establish Article III standing, an injury must be “concrete, 8 particularized, and actual or imminent; fairly traceable to the challenged action; and 9 redressable by a favorable ruling.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) 10 (citation omitted). A “speculative chain of possibilities” cannot establish an actual or 11 imminent injury in fact. Clapper, 568 U.S. at 414 (2013). “A suit brought by a plaintiff 12 without Article III standing is not a ‘case or controversy,’ and an Article III federal court 13 therefore lacks subject matter jurisdiction over the suit. In that event, the suit should be 14 dismissed under Rule 12(b)(1).” Cetacean Cmty. v. Bush, 386 F.3d 1169, 1174 (9th Cir. 15 2004) (internal citations omitted). 16 ConnectWise launches a facial and limited factual attack on Plaintiffs’ ability to 17 establish Article III standing. A facial attack “asserts that the allegations contained in a 18 complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for 19 Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). In this circumstance, the Court 20 will accept Plaintiffs’ allegations as true and draws all reasonable inferences in their favor, 21 then “determine[] whether the allegations are sufficient as a legal matter to invoke the 22 court’s jurisdiction.” Leite, 749 F.3d at 1121 (9th Cir. 2014). “A ‘factual’ attack, by 23 contrast, contests the truth of the [Plaintiffs’] factual allegations, usually by introducing 24 evidence outside the pleadings.” Id. It therefore follows that a facial attack confines a 25 court’s inquiry to the allegations in the complaint, while a factual attack permits the court 26 to look beyond the complaint. See Savage v. Glendale Union High Sch., Dist. No. 205, 27 343 F.3d 1036, 1039 n.2 (9th Cir. 2004). 28 /// 1 2. Injury-In-Fact 2 The parties’ arguments on standing are rather straightforward. In short, 3 ConnectWise argues that Plaintiffs fail to establish injury or traceability for any of their 4 claims. (Doc. 35 at 12–13.) With respect to redressability, however, ConnectWise 5 seemingly attacks only Plaintiffs’ claim for declaratory relief (Count VI), positing that the 6 sought after judgment could not redress the alleged injuries because ConnectWise does not 7 manage or maintain Plaintiffs’ PII. (Id.) In response, Plaintiffs contend that they satisfy 8 the Article III standing requirements. (See Doc. 39 at 9–14.) 9 To establish an injury in fact, “a plaintiff must show that he or she suffered an 10 invasion of a legally protected interest that is concrete and particularized and actual or 11 imminent, not conjectural or hypothetical.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339–40 12 (2016) (citation and quotation marks omitted). A “concrete” and “particularized” injury 13 must be “real,” not “abstract.” Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 43 (D. 14 Ariz. 2021). The injury must also “affect the plaintiff in a personal and individual way.” 15 Lujan, 504 U.S. at 560 n.1. To be “actual or imminent,” a threatened injury must be 16 “certainly impending”—“allegations of possible future injury are not sufficient.” Clapper, 17 568 U.S. at 409 (citation modified). 18 In the class action context, named plaintiffs “must allege and show that they 19 personally have been injured, not that injury has been suffered by other, unidentified 20 members of the class to which they belong.” Spokeo, 578 U.S. at 338 n.6. Moreover, “it 21 is axiomatic that a plaintiff can satisfy Article III injury-in-fact requirement but, ultimately, 22 fall short of satisfying the cognizable injury requirement for, say, a negligence claim.” 23 Griffey v., 562 F. Supp. 3d at 43. 24 Plaintiffs assert that their (a) privacy losses; (b) risk of identity theft; and (c) losses 25 of time are concrete actual injuries; and (d) the loss in PII value is a concrete injury that 26 establishes standing. (Doc. 39 at 10–11.)1
27 1 While not argued, Plaintiffs allege that they have suffered “fear, anxiety, and stress” because of the Data Breach. (Doc. 20 ¶¶ 172, 185, 199, 212.) The Ninth Circuit has found 28 allegations of emotional distress to be enough to satisfy the injury-in-fact requirement for Article III standing. See Goz v. Allied Collection Servs., Inc., 812 F. App’x 544, 545 (9th 1 a. Privacy Losses 2 Plaintiffs allege that Feathers, Squier, Eitemiller, and Castellaw’s PII have been 3 publicly disclosed on the dark web. (See Doc. 20 ¶¶ 127, 166, 171, 178, 180, 193, 207.) 4 This disclosure, Plaintiffs claim, amounts to an invasion of privacy that establishes an 5 injury-in-fact. (Id. ¶ 20; Doc. 39 at 11.) 6 The Court finds that the theft and disclosure of Plaintiffs’ PII is a concrete, 7 intangible harm that establishes injury-in-fact for Article III standing. See TransUnion 8 LLC v. Ramirez, 594 U.S. 413, 424 (2021). In TransUnion, the United States Supreme 9 Court examined “[w]hat makes a harm concrete for purposes of Article III.” 594 U.S. 10 at 424. The Court discussed its past focus on “traditional tangible harms,” like physical or 11 monetary harms, id. at 425, before finding that “[v]arious intangible harms can also be 12 concrete . . . [including] disclosure of private information.” Id. Following TransUnion, 13 courts in this circuit have found that theft of PII establishes a concrete injury because it 14 signifies an invasion of a plaintiff’s privacy interest. See, e.g., Wynne v. Audi of Am., Case 15 No. 21-cv-08518-DMR, 2022 WL 2916341, at *4 (N.D. Cal. July 25, 2022). 16 Plaintiffs’ allegations suffice to establish the theft and public disclosure of their PII, 17 including their social security numbers, is an injury-in-fact for standing purposes. (See Doc. 18 20 ¶¶ 127, 166, 171, 178, 180, 193, 207.) Therefore, Plaintiffs’ alleged privacy losses 19 satisfy the injury-in-fact requirement for Article III standing.2 20 b. Risk of Identity Theft 21 Plaintiffs allege that the theft and publication of their PII on the dark web, which is 22 still available for download, exposes them to a lifelong risk of identity theft and fraud. 23 (Doc. 20 ¶ 6, 9–11, 15–17.) 24 While alleging a risk of injury, i.e., a future injury, is generally inadequate if it 25 presents a mere possibility of harm, see Clapper, 568 U.S. at 409, allegations of a risk of 26 future identity theft have been found adequate to sufficiently allege an injury-in-fact, see
27 Cir. 2020). 2 Though Plaintiffs need only one viable basis for standing, the Court will afford each 28 purported injury some discussion. See In re Zappos.com, Inc. (“Zappos II”), 888 F.3d 1020, 1030 n.15 (citing Douglas County v. Babbit, 48 F.3d 1495, 1500 (9th Cir. 1995)). 1 Zappos II, 888 F.3d at 1027–29. 2 Plaintiffs Squier, Eitemiller, and Castellaw have alleged that their PII was stolen 3 and disseminated on the dark web. (Doc. 20 ¶¶ 180, 193, 207.) Their information is still 4 available for download. (Id. ¶ 6.) All Plaintiffs have also experienced fraudulent credit 5 card charges and unauthorized credit activity since the Data Breach, which tends to show 6 that they may be at risk for identify theft. (Id. ¶ 168, 181, 194, 208.) It follows, then, that 7 Plaintiffs allegations show a credible threat of real and imminent harm stemming from the 8 theft and publication of their PII. Cf. Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 9 (9th Cir. 2010) (finding that the theft of a laptop containing unencrypted personal data 10 established an injury in fact where that information may be used in the future to harm the 11 plaintiff); Greenstein v. Noblr Reciprocal Exch., 585 F. Supp. 3d 1220, 1227 (N.D. Cal. 12 2022) (finding injury-in-fact where the plaintiff alleged that he may suffer future harm after 13 his social security number was posted on the dark web); Griffey, 562 F. Supp. 3d at 46.3 14 c. Loss of Time 15 Plaintiffs allege that they have spent, and will continue to spend, time monitoring 16 financial accounts and credit reports in the wake of the Data Breach. (Doc. 20 ¶¶ 145, 17 167–168, 179–181, 192–194, 206–208.) Plaintiffs assert that “mitigation injuries”—time 18 spent monitoring for theft after breach—are injuries-in-fact. (Doc. 39 at 11–12 (citing 19 Medoff v. Minka Lighting, LLC, No. 2:22-CV-08885-SVW-PVC, 2023 WL 4291973, at *5 20 (C.D. Cal. May 8, 2023)).) 21 Medoff recognized that, after TransUnion, some circuits found “harms that result as 22 a consequence of a plaintiff’s knowledge of a substantial risk of identity theft, including 23 time and money spent responding to a data breach or emotion distress[,] can satisfy 24 concreteness.” Medoff, 2023 WL 4291973, at *4 (first citing Clemens v. ExeucPharm Inc., 25 48 F.4th 146, 156 (3d Cir. 2022) (“If the plaintiff’s knowledge of the substantial risk of 26 3 ConnectWise contends, however, that the allegations of future risk of identity theft are 27 deficient because Plaintiffs do not allege that they, or others, did not widely disseminate their social security numbers. (Doc. 35 at 14.) The Court is not convinced that the absence 28 of alleged facts that Plaintiffs did not freely distribute their own PII prevent finding an injury-in-fact based on the existing allegations of future risk of theft. 1 identity theft causes him to presently experience emotional distress or spend money on 2 mitigation measures like credit monitoring services, the plaintiff has alleged a concrete 3 injury.”); then citing In re Equifax Inc. Customer Data Sec. Breach Litig, 999 F.3d 1247, 4 1262–63 (11th Cir. 2021) (“[A]ny assertion of wasted time and effort necessarily rises or 5 falls along with this Court’s determination of whether the risk posed . . . is itself a concrete 6 harm.” (quoting Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 924 (11th Cir. 7 2020))). To be sure, however, Medoff reaffirmed the common principle that these type of 8 harms “can only qualify as concrete injuries in fact when they are based on a risk that is 9 either ‘certainly impending’ or ‘substantial.’” 2023 WL 4291973, at *5 (quoting I.C. v. 10 Zynga, Inc., 600 F. Supp. 3d 1034, 1052 (N.D. Cal. 2022)). 11 The relevant allegations here are that Plaintiffs have spent, and will continue to 12 spend, time monitoring financial accounts and credit reports in the wake of the Data 13 Breach. (Doc. 20 ¶¶ 145, 167–168, 179–181, 192–194, 206–208.) Also important are 14 allegations that Plaintiffs experienced fraudulent credit card charges and unauthorized 15 credit activity since the Data Breach. (Id. ¶ 168, 181, 194, 208.) Together, these 16 allegations show a type of mitigation harm that informs the “certainly impending” and 17 “substantial” nature of harm required establish injury-in-fact. Medoff, 2023 WL 4291973, 18 at *5; see also In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 19 WL 6763548, at *8 (D. Ariz. Dec. 20, 2017) (“A person whose legally protected interests 20 have been endangered by the tortious conduct of another is entitled to recover for 21 expenditures reasonably made or harm suffered in a reasonable effort to avert the harm 22 threatened.” (citation omitted)). 23 ConnectWise cites two cases from this Court to support its assertion that Plaintiffs’ 24 expenses should not establish injury-in-fact because any future harm is speculative. (Doc. 25 35 at 14 (citing Dearing v. Magellan Health Inc., No. 2:20-CV-00747-PHX-SPL, 2020 26 WL 7041059, at *3 (D. Ariz. Sept. 3, 2020); Travis v. Assured Imaging LLC, No. CV-20- 27 00390-TUC-JCH, 2021 WL 1862446, at *9 (D. Ariz. May 10, 2021)).) Both cases are 28 distinguishable because neither involved allegations that plaintiff’s PII was even stolen. 1 Dearing, 2020 WL 7041059, at *3; Travis, 2021 WL 1862446, at *9. In both cases, the 2 Court therefore found that each plaintiff’s harms were too speculative and therefore 3 insufficient to establish injury-in-fact. Dearing, 2020 WL 7041059, at *3; Travis, 2021 4 WL 1862446, at *9. Here, however, Plaintiffs have alleged theft, explained the potential 5 for future use, highlighted attempted fraudulent charges to their credit cards, and set out 6 their mitigation efforts in enough detail for the Court to find an injury-in-fact. 7 d. Loss of Value of Plaintiffs’ PII 8 ConnectWise argues that Plaintiffs have failed to allege the existence of a legitimate 9 marketplace for their PII and thus do not sufficiently allege the diminution of value as an 10 injury. (Doc. 35 at 26.) In response, Plaintiffs simply maintain that the loss of value in 11 their PII is a cognizable injury. (See Doc. 39 at 12.) 12 The Court tends to agree with Plaintiffs that their allegations sufficiently evidence 13 an injury for standing purposes. Some courts in this Circuit have found that the loss of 14 value of PII may constitute injury where plaintiffs allege disclosure, a legitimate market 15 for PII, sale of the PII, and loss of value as a result. See, e.g., In re Anthem, Inc. Data 16 Breach Litigation (“Anthem II”), 2016 WL 3029783, at *14–15 (N.D. Cal. May 17, 2016); 17 “In re Yahoo! Inc. Customer Data Sec. Breach Litig. (“Yahoo”), 16-MD-02752-LHK, 2017 18 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017). While others found that such injury does 19 not satisfy the injury requirement. See In re Zappos.com, Inc. (“Zappos I”), 108 F. Supp. 20 3d 949, 954 (D. Nev. 2015); Travis v. Assured Imaging LLC, No. CV-20-00390-TUC-JCH, 21 2021 WL 1862446, at *9 (D. Ariz. May 10, 2021). 22 The operative pleadings in both Zappos I and Travis, however, were woefully 23 deficient regarding allegations of the loss in value. For example, the Travis plaintiffs 24 alleged that they “suffer[ed] a loss of value” of their PII and that the asking price of the 25 thieves was “$50 and up.” 2021 WL 1862446, at *9. The plaintiffs did not enhance those 26 facts with allegations explaining how the data breach resulted in the decrease in value of 27 their PII or that they could not sell their PII because of the data breach. Id. Here, however, 28 the Complaint alleges several price points for PII, provides detailed factual allegations 1 regarding the market for PII, and explains how hackers misappropriate and damage the 2 value of stolen PII. (See Doc. 20 ¶¶ 84–86, 149–159); but see Griffey v., 562 F. Supp. 3d 3 at 46 (declining to find the “dark web” as a legitimate market).4 4 At bottom, Plaintiffs have alleged enough factual material to establish an injury-in- 5 fact based upon the diminished value of their PII. 6 3. Traceability 7 ConnectWise asserts that Plaintiffs fails to establish any alleged injuries that are 8 traceable to it. (Doc. 35 at 15.) Specifically, ConnectWise asserts that any injuries are the 9 result of the lack of measures imposed to protect their PII that On Q Financial held and 10 managed, and not the result of ConnectWise’s ScreenConnect technology. (Id. at 15–16.) 11 In response, Plaintiffs assert that ConnectWise’s provision of ScreenCapture, the 12 vehicle through which the Data Breach was affected, to On Q Financial shows that the 13 injuries can be traced to ConnectWise (Doc. 39 at 12–13.) Further, Plaintiffs argue that 14 ConnectWise did not need to control the stolen PII to impute liability onto the company. 15 (See Doc. 13 (citing Accellion, Inc., Data Breach Litig., 713 F. Supp. 3d 623, 635 (N.D. 16 Cal. 2024)).) 17 “[P]laintiffs must establish a ‘line of causation’ between defendants’ action and their 18 alleged harm that is more than ‘attenuated.’” Maya v. Centex Corp., 658 F.3d 1060, 1070 19 (9th Cir. 2011) (quoting Allen v. Wright, 468 U.S. 737, 757 (1984)). Although “a causation 20 chain does not fail simply because it has several ‘links,’ provided those links are ‘not 21 hypothetical or tenuous’ and remain ‘plausib[le].’” Id. (quoting Nat’l Audubon Soc., Inc. 22 v. Davis, 307 F.3d 835, 849 (9th Cir. 2002)). “Where a chain of causation ‘involves 23 numerous third parties’ whose ‘independent decisions’ collectively have a ‘significant 24 effect’ on plaintiffs’ injuries, the Supreme Court and [the Ninth Circuit] have found the 25 causal chain too weak to support standing at the pleading stage.” Id. at 1070 (quoting Allen,
26 4 Like in Travis and Zappos I, however, Plaintiffs here do not allege that they attempted to sell their PII and were “rebuffed because of a lower price-point attributable to the 27 security breach.” Travis, 2021 WL 1862446, at *9. The Court does not believe such allegations to be a factual predicate to finding injury, as allegations of the attempts to sell 28 Plaintiffs’ PII on the dark web in this case sufficient because there is a “substantial risk that the harm will occur.” See Zappos II, 888 F.3d at 1025. 1 468 U.S. at 759). The “fairly traceable” requirement “ensures that there is a genuine nexus 2 between a plaintiff's injury and a defendant's alleged illegal conduct.” Friends of the Earth, 3 Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000). 4 “[W]hat matters is not the ‘length of the chain of causation,’ but rather the 5 ‘plausibility of the links that comprise the chain.’” Mendia v. Garcia, 768 F.3d 1009, 6 1012–13 (9th Cir. 2014) (quoting Davis, 307 F.3d at 849). Thus, a plaintiff’s injury is 7 “‘fairly traceable’ when there is a ‘substantial likelihood’ that the defendant’s conduct 8 caused the harm.” Baton v. Ledger SAS, 740 F. Supp. 3d 847, 879 (N.D. Cal. 2024) 9 (quoting NRDC v. Texaco Ref. & Mktg., Inc., 2 F.3d 493, 505 (3d Cir. 1993)). A plaintiff’s 10 allegation must simply show that defendant’s acts caused or contributes to the kinds of 11 injury alleged, which renders the “fairly traceable” standard lower than that of pleading 12 tort causation. See id. 13 ConnectWise relies on Anderson v. Kimpton Hotel & Restaurant Group, LLC, No. 14 19-CV-01860, 2019 WL 3753308, at *1 (N.D. Cal. Aug. 8, 2019), to assert that Plaintiffs 15 have failed to establish traceability. In Anderson, the defendant hotel contracted with a 16 reservation service provider, Sabre. Id. The hotel suffered a data breach in which hackers 17 accessed the Sabre system and absconded with plaintiffs PII. Id. Anderson and several 18 other plaintiffs thereafter sued the hotel. The court explained that plaintiffs failed to 19 establish traceability because the complaint contained only conclusory allegations of the 20 hotel’s failure to institute reasonable security measures to protect PII. Id. at *4. 21 ConnectWise claims that the Anderson court “determined that, since Sabre and not 22 [the hotel] had the data breach, the plaintiffs’ allegations that [the hotel] failed to maintain 23 reasonable security procedures were not traceable to their alleged injuries.” (Doc. 35 24 at 15.) Not so. There, the court’s found no traceability due to the conclusory nature of the 25 plaintiffs’ allegations and did not offer a substantive analysis of traceability in light of the 26 hotel and Sabre’s relationship. See Anderson 2019 WL 3753308, at *4. Anderson, 27 therefore, is not helpful in deciding traceability in this case. 28 Plaintiffs offered authority fares no better. They claim that in Accellion, Inc., Data 1 Breach Litig., 713 F. Supp. 3d 623, 635 (N.D. Cal. 2024), the court rejected the argument 2 that companies not in control of PII are not subject to liability. (See Doc. 39 at 13.) 3 Confusingly, the Accellion court did not discuss standing whatsoever. See 713 F. Supp. 3d 4 at 635. In fact, the section of that case Plaintiffs cite to concerns the scope of duty in a data 5 breach cases under California negligence law. See id. Therefore, the Court does not agree 6 with Plaintiffs conclusion that, for standing purposes, Accellion found “upstream 7 companies in a data breach [action] may be liable for security breaches.” (Doc. 39 at 13.) 8 Inapposite case law aside, Plaintiffs’ allegations demonstrate that both On Q 9 Financial and ConnectWise are allegedly at fault for the injuries related to the Data Breach. 10 (Doc. 20 ¶¶ 3–4, 56–65.) The allegations produce the following syllogism: ConnectWise 11 provided On Q Financial, the holder of the PII, an unsecure version of ScreenCapture. (Id.) 12 Malicious actors used the ScreenCapture vulnerabilities to steal Plaintiffs’ PII from On Q 13 Financial. (Id.) And Plaintiffs suffered injuries because of ConnectWise’s faulty software. 14 (Id.) Put simply, but for the ScreenConnect vulnerability, Plaintiffs’ PII would not have 15 been stolen. 16 Plaintiffs’ allegations establish a “line of causation” between ConnectWise’s failure 17 to securely implement its ScreenCapture software among its vendors, including On Q 18 Financial, and the alleged injuries in this case. See Maya, 658 F.3d at 1070. Therefore, 19 Plaintiffs sufficiently allege that their injuries are fairly traceable to the challenged 20 conduct—“[ConnectWise’s] failure to prevent the breach.” Zappos II, 888 F.3d at 1029.5 21 /// 22 5 ConnectWise asserts it was On Q Financial’s responsibility to patch ScreenConnect to 23 ameliorate the vulnerability, and therefore, ConnectWise cannot be responsible for the injuries. (Id. at 16.) Further, ConnectWise takes issue with the dates as alleged in the 24 Complaint, asserting that “any discovery would establish that the correct date” the company warned On Q Financial was February 19, 2024, two days before the Data Breach 25 occurred on February 21. (Doc. 35 at 16.) This argument seemingly confuses the dates, as ConnectWise provides a data breach notification from the Office of the Maine Attorney 26 General listing the date of breach as February 21, but the letter sent to On Q Financial’s customers suggests that the breach had to occur prior to February 20. (Doc. 20 ¶ 40 27 (explaining that On Q Financial received a notification from ConnectWise on February 20, 2024, and immediately patched the ScreenCapture software, but not quick enough to have 28 prevented the malicious actors from stealing PII).) Regardless, Plaintiffs’ allegations are sufficient to show traceability. 1 4. Redressability 2 The traceability and redressability components for standing overlap and are “two 3 facets of a single causation requirement.” Washington Env’t Council v. Bellon, 732 F.3d 4 1131, 1146 (9th Cir. 2013). They are distinct, however, in that traceability examines a 5 causal link between the misconduct and injury, “whereas redressability analyzes the 6 connection between the alleged injury and requested relief.” Id. Redressability is satisfied 7 so long as the requested remedy “would amount to a significant increase in the likelihood 8 that the plaintiff would obtain relief that directly redresses the injury suffered.” Renee v. 9 Duncan, 686 F.3d 1002, 1013 (9th Cir. 2012). When a pleading seeks forward-looking 10 relief, like here, Plaintiffs “must face a ‘real and immediate threat of repeated injury.’” 11 Murthy v. Missouri, 603 U.S. 43, 58 (2024) (quoting O’Shea v. Littleton, 414 U.S. 488, 12 496 (1974)). 13 ConnectWise argues that because the Complaint does not allege that ConnectWise 14 maintains the Plaintiffs’ PII, declaratory judgment against it would not redress any of the 15 alleged injuries. (Doc. 35 at 17.) Further, ConnectWise argues that Plaintiffs fail to 16 establish that their injuries are repeatable with respect to ConnectWise. (Id.) 17 In response, Plaintiffs argue that its declaratory relief claim would require 18 ConnectWise to employ adequate security protocols consistent with law, industry, and 19 government regulatory standards, so that its software cannot be exploited again. (Doc. 39 20 at 13 (citing Doc. 20 ¶ 306).) Plaintiffs also contend that redressability here is satisfied 21 because “the requested remedy would amount to a significant increase in the likelihood 22 that [Plaintiffs] would obtain relief that directly redresses the injury suffered.” (Doc. 39 23 at 13–14 (quoting Mi Familia Vota v. Hobbs, 608 F. Supp. 3d 827, 857 (D. Ariz. 2022) 24 (internal quotation marks omitted)).) 25 Plaintiffs ask the Court to enter judgment declaring: “Defendants owes [sic] a legal 26 duty to secure the PII of Plaintiffs and Class Members;” “Defendants continues [sic] to 27 breach this legal duty by failing to employ reasonable measures to secure consumers’ PII;” 28 and “Defendants’ ongoing breaches of its legal duty continue to cause Plaintiffs harm.” 1 (Doc. 20 ¶ 305.) Additionally, Plaintiffs request injunctive relief that would require 2 Defendants to “employ adequate security protocols consistent with law, industry, and 3 government regulatory standards to protect consumers’ PII.” (Id. ¶ 306.) 4 Plaintiffs’ requested relief has nothing to do with ConnectWise, as it is directed at 5 those “Defendants,” i.e., On Q Financial, who possess and maintain Plaintiffs’ PII. (See id 6 ¶¶ 301–306.) Therefore, declaratory judgment against ConnectWise would not redress any 7 of the Plaintiffs’ alleged injuries. A further impediment to redressability is the fact that 8 ConnectWise issued the patch to On Q Financial, who then implemented the update to fix 9 the ScreenConnect vulnerability. (See Doc. 20 ¶ 40.) Thus, Plaintiffs seek forward- 10 looking relief, and they must face a real and immediate threat of repeated injury. Murthy, 11 603 U.S. at 58. Plaintiffs do not credibly allege any immediate risk of additional injury 12 pertaining to the ScreenConnect program or ConnectWise’s speculative future failure to 13 distribute a safe product. (See generally id.) In essence, ConnectWise has foreclosed the 14 future possibility that the ScreenConnect vulnerability will be used to exfiltrate Plaintiffs’ 15 PII from On Q Financial servers. 16 At bottom, Plaintiffs have not shown that declaratory judgment entered against 17 ConnectWise would redress any alleged injury. As a result, Plaintiffs lack standing to bring 18 a declaratory judgment claim against ConnectWise, and the Court will therefore dismiss 19 the claim as asserted against ConnectWise. 20 B. Negligence 21 Before evaluating the merits of Plaintiffs’ negligence claim, a few preliminaries: 22 Because Plaintiffs failed to establish that they have standing to bring their declaratory 23 judgment claim, the Court will not analyze the merits of that claim here. Sinochem Int’l 24 Co. v. Malaysia Int'l Shipping Corp., 549 U.S. 422, 430-31 (2007) (“[A] federal court 25 generally may not rule on the merits of a case without first determining that it has [subject 26 matter] jurisdiction.”). Next, Plaintiffs state that they “are no longer advancing a 27 negligence per se claim.” (Doc. 39 at 23.) Therefore, Plaintiffs’ negligence per se claim 28 (Count II) will be dismissed with prejudice. 1 To establish a claim for negligence under Arizona law, “a plaintiff must prove four 2 elements: (1) a duty requiring the defendant to conform to a certain standard of care; (2) a 3 breach by the defendant of that standard; (3) a causal connection between the defendant’s 4 conduct and the resulting injury; and (4) actual damages.” Gipson v. Kasey, 150 P.3d 228, 5 230 (Ariz. 2007). Whether a duty exists is a matter of law and “[t]he other elements, 6 including breach and causation, are factual issues usually decided by the jury.” Id. 7 1. Choice of Law 8 To begin, Plaintiffs contend that “[t]his Court is not limited to Arizona law” at this 9 stage in the litigation and that “this Court should consider each named Party’s state law in 10 resolving ConnectWise’s Motion.” (Doc. 36 at 14.) Plaintiffs do not, however, engage in 11 a meaningful choice of law analysis, putting the onus on the Court to do so. (See id.) 12 To set the stage, Plaintiffs Eitemiller and Castellaw, as well as Defendant On Q 13 Financial, are residents of Arizona. (See Doc. 20 ¶¶ 27–29.) Plaintiff Feathers is a 14 California resident, (Id. ¶ 25), and Plaintiff Squier is a Florida resident, (Id. ¶ 26). 15 ConnectWise is incorporated in Delaware and headquartered in Florida. (Id. ¶ 30.) 16 A federal court sitting in diversity must apply the forum state’s choice of law rules 17 to determine the controlling law. Patton v. Cox, 276 F.3d 493, 495 (9th Cir. 2002). “The 18 starting point of any examination as to whether Plaintiff has stated a claim is to determine 19 (and support by way of sufficient analysis) the applicable substantive state law—whether 20 that is Arizona law . . . or some other law—or show there is no meaningful difference.” 21 Feins v. Goldwater Bank, No. CV-22-00932-PHX-JJT, 2022 WL 17552440, at *2 (D. 22 Ariz. Dec. 9, 2022). “The determination must be made through analysis on a claim-by- 23 claim basis, and the parties cannot simply stipulate to the applicable state law without 24 showing it is the appropriate one under the applicable choice of law rules.” Id. (internal 25 citations omitted).6
26 6 ConnectWise posits that “[i]f each Plaintiffs’ own state law applies, then a nationwide class does not appear certifiable.” (Doc. reply at 10 n.5.) This is a putative class action, 27 meaning that if this case proceeds to class certification, Plaintiffs have the burden under Federal Rule of Civil Procedure 23 to conduct a choice of law analysis for each surviving 28 claim. At that stage, Plaintiffs must show that common questions of law predominate and “cannot meet this burden when the various laws have not been identified and compared.” 1 With respect to negligence claims, “Arizona courts apply the principles of the 2 Restatement (Second) of Conflict of Laws (1971) [(“Restatement”)] to determine the 3 controlling law for multistate torts.” Bates v. Super. Ct. of Ariz., 749 P.2d 1367, 1369 4 (Ariz. 1988). Restatement § 6 provides the following factors to determine the applicable 5 rule of law: 6 (a) the needs of the interstate and international systems, (b) the relevant policies of the forum, 7 (c) the relevant policies of other interested states and the relative interests of 8 those states in the determination of the particular issue, (d) the protection of justified expectations, 9 (e) the basic policies underlying the particular field of law, 10 (f) certainty, predictability and uniformity of result, and 11 (g) ease in the determination and application of the law to be applied. 12 Restatement (Second) of Conflict of Laws § 6(2) (1971). 13 Section 145 provides further guidance for the application of the § 6 factors to tort 14 issues, specifically that courts are to resolve such issues under the law of the state having 15 the most significant relationship to both the occurrence and the parties. Id. § 145. The 16 relevant contacts include: “1. The place where the injury occurred; 2. The place where the 17 conduct causing the injury occurred; 3. The domicile, residence, nationality, place of 18 incorporation and place of business of the parties 4. The place where the relationship, if 19 any between the parties is centered.” Bates, 749 P.2d at 1370. “The inquiry is qualitative, 20 not quantitative. The court must evaluate the contacts ‘according to their relative 21 importance with respect to the particular issue.’” Id. (first citing Ambrose v. 22 Illinois-California Express Inc., 729 P.2d 331, 334 (Ariz. Ct. App. 1986); then citing 23 Restatement § 145(2)). 24 The key parts of a negligence claim in Arizona, Florida, and California require the 25 same elements: duty, breach, causation, and damages. See Gipson, 150 P.3d at 230 26 (Arizona); Vasilenko v. Grace Family Church, 404 P.3 1196, 1198 (Cal. 2017) (California); 27 Gariety v. Grant Thornton, LLP, 368 F.3d 356, 370 (4th Cir. 2004). Put another way, 28 ConnectWise’s concern is noted, and is better addressed if and when Plaintiffs move to certify the putative class. 1 Virgilio v. Ryland Grp., Inc., 680 F.3d 1329, 1339 (11th Cir. 2012) (Florida). Additionally, 2 the Complaint makes clear that the place where the alleged injury occurred, the place where 3 the conduct causing injury occurred, and the place where the relationship between all 4 parties is centered is in Arizona. (See Doc. 20 ¶¶ 23–24 (“[T]he acts and omissions giving 5 rise to Plaintiffs’ claims occurred in and emanated from [Arizona].”).) Truly, the only 6 contacts that this case has to California and Florida is that some named Plaintiffs reside 7 there. At this early stage, the allegations point to the application of Arizona law to 8 Plaintiffs’ negligence claim. The Court will apply Arizona law to the extent possible and 9 will use out-of-state sources as persuasive authority absence on-point Arizona law. Cf. 10 Feins, 2022 WL 17552440, at *4. 11 2. Duty and Breach 12 ConnectWise argues that it does not owe Plaintiffs a duty because it did not obtain, 13 collect, maintain, store, or control their PII. (Doc. 35 at 18–19.) ConnectWise further 14 asserts that finding a duty to exist in this case would establish an overbroad requirement 15 that technology application developers protect all information that their customers 16 independently collect and maintain. (Id. at 19.) 17 In response, Plaintiffs argue that Arizona Revised Statutes § 12-681 and § 44-1373 18 establish a duty of care that ConnectWise owed to Plaintiffs in this case. (Doc. 39 at 16.) 19 Further, Plaintiffs contend that their allegations make clear that ScreenConnect created an 20 “unreasonable risk of harm,” which creates a duty under Arizona law. (Id. (citing Gipson, 21 150 P.3d at 233).) Finally, Plaintiffs argue that Arizona common law created a public 22 policy duty for ConnectWise to prevent its product ScreenConnect from creating an 23 unreasonable risk of harm to Plaintiffs. (Id. (citing Ontiveros v. Borak, 667 P.2d 200, 209 24 (Ariz. 1983)).) 25 In Arizona, a duty may be based on either recognized common-law “special 26 relationships”—relationships created by “contract, familial relationship, or joint 27 undertaking”—or on relationships created by “public policy.” Cal-Am Props. Inc. v. Edais 28 Eng’g Inc., 509 P.3d 386, 389 (Ariz. 2022); Quiroz v. ALCOA Inc., 416 P.3d 824, 830 1 (Ariz. 2018). Special relationships giving rise to a duty ordinarily require a “preexisting, 2 recognized relationship between the parties.” Cal-Am Properties, 509 P.3d at 390. 3 Although in limited circumstances a joint undertaking may create a relationship between 4 two parties not in privity with each other, a defendant in that type of third-party 5 arrangement must have undertaken conduct “directly with or for a plaintiff.” Id. Arizona 6 has explicitly declined to recognize special relationships created by foreseeability, that is, 7 where it is foreseeable that a defendant’s conduct would impact the victim. Id.; see also 8 Gipson 150 P.3d at 231 (foreseeability of conduct does not create a duty). 9 Plaintiffs allege that duty exists “to use reasonable means to secure and safeguard 10 their computer property—and [Plaintiffs’] PII held within it—to prevent disclosure of the 11 information.” (Doc. 20 ¶ 237.) Absent from the Complaint, however, are any allegations 12 that ConnectWise possessed, maintained, stored, controlled, or affected any transfer of 13 Plaintiffs’ PII. (See generally id.) Additionally, the Complaint lacks allegations of a 14 contract between ConnectWise and Plaintiffs, that those parties know each other, or that 15 ConnectWise undertook conduct directly with or for Plaintiffs. (Id.) Plaintiffs were not 16 ConnectWise’s customers, and not all were even On Q Financial’s customers. Cf. See 17 Quinalty v. FocusIT LLC, No. CV-23-00207-PHX-KML, 2024 WL 5223587, at *4–5 (D. 18 Ariz. Dec. 26, 2025) (finding no special relationship existed where the plaintiffs were not 19 the customers of the defendant information technology company). Certainty, the omission 20 of these critical facts precludes the existence of a duty on ConnectWise to “secure and 21 safeguard [its] computer property” or to protect and “prevent disclosure” of Plaintiffs’ PII. 22 (Doc. 20 ¶ 237.) Put simply, there is no special relationship between ConnectWise and 23 Plaintiffs, either directly or through a third-party arrangement, that would support the 24 existence of a duty under these facts. See Cal-Am Properties, 509 P.3d at 390. 25 Plaintiffs also assert, for the first time, in their Response brief that ConnectWise 26 owed it a duty under Arizona Revised Statutes § 12-681 and § 44-1373. (See Doc. 39 27 at 16.) While district courts are not precluded from considering arguments raised for the 28 first time in a responsive brief, cf. Freeman v. Clay Cnty. Bd. of Comm’rs, 706 F. Supp. 3d 1 873, 886 (D.S.D. 2023), on a 12(b)(6) motion, the Court generally focuses on what the 2 plaintiff has written in the complaint, Ctr. for Biological Diversity v. United States Forest 3 Serv., 746 F. Supp. 3d 749, 755 (D. Ariz. 2024). The Complaint does not allege that 4 ConnectWise owed Plaintiffs a duty under either Arizona statute. (See generally Doc. 20.) 5 Though it does allege that all Defendants owe Plaintiffs a duty under unnamed “other 6 applicable standards,” this conclusory remark is not enough to implicate every law under 7 the sun, including § 12-681 and § 44-1373. (See id. ¶¶ 240–42 247.) Therefore, the Court 8 rejects Plaintiffs argument that § 12-681 and § 44-1373 create a duty because it has not 9 been alleged in the Complaint.7 10 Arizona also recognizes that public policy derived from both state and federal 11 statute and common law may create a duty to third parties with whom no direct relationship 12 exists. Cal-Am Properties, 509 P.3d at 390. The “declaration of ‘public policy’” is a 13 primarily a legislative function, Quiroz, 416 P.3d at 830, and administrative regulations 14 designed to protect the public from economic harm are not a source of duty, Cal-Am 15 Properties, 509 P.3d at 391. In the absence of statutory guidance, a duty “should be so 16 thoroughly established as a state of public mind, so united and so definite and fixed that its 17 existence is not subject to any substantial doubt.” Quiroz, 416 P.3d at 830. And a plaintiff 18 alleging a public-policy duty must (1) be “within the class of persons to be protected by 19 the statute,” and (2) have suffered the type of harm the statute “sought to protect against.” 20 Id. at 829. 21 Plaintiffs seemingly offer two sources of public policy that create a duty in this case. 22 First, Plaintiffs contend that Section 5 of the Federal Trade Commission Act, 15 U.S.C. 23 § 45, creates a duty. (Doc. 20 ¶ 238.) That statute provides: “[u]nfair methods of 24 competition in or affecting commerce, and unfair or deceptive acts or practices in or
25 7 Even if Plaintiffs pleaded that § 12-681 and § 44-1373 created a duty, the Complaint lacks the factual enhancement that these statutes would require to assert duty. For example, 26 § 12-681 concerns negligence predicated on product manufacturer liability, which Plaintiffs have not asserted in the Complaint. (See generally Doc. 20.) It is also unlikely 27 that Plaintiffs could assert such a claim given that this is not a product liability case. Further, § 44-1373 prohibits an entity from “[i]ntentionally communicat[ing] or otherwise 28 mak[ing] an individual’s social security number available to the general public.” There are no allegations that ConnectWise engaged in such conduct. (See generally Doc. 20.) 1 affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45(a)(1). Plaintiffs 2 specifically contend that “the unfair practice of failing to use reasonable measures to 3 protect confidential data” gave rise to their claim. (Doc. 20 ¶ 238.) Second, Plaintiffs allege 4 a myriad of industry standards from the Federal Bureau of Investigation, Secret Service, 5 Federal Trade Commission, NIST Cybersecurity Framework Version 2.0, and the Center 6 for Internet Security’s Critical Security Controls support a duty based on public policy. 7 (Doc. 20 ¶¶ 75, 100, 123–25, 247.) Both § 45 and the supposed industry standards are 8 alleged to apply to “protect the personal consumer information that they keep,” “properly 9 dispose of personal information that is no longer needed,” “encrypt information stored on 10 computer networks,” monitor the security of one’s network, “limit access to sensitive data 11 PII,” “require complex passwords,” “multi-factor authentication,” and “backup data and 12 limiting which employees can access sensitive data.” (Id. ¶¶ 100, 103, 123, 247.) 13 This Court has recently held that § 45 does not create a private right of action, but 14 instead allows the Federal Trade Commission to initiate enforcement proceedings “in the 15 interest of the public.” Quinalty, 2024 WL 5223587, at *5 (quoting Lee v. PHH Mortg., 16 No. CV-24-00057-TUC-SHR, 2024 WL 4364139, at *5 (D. Ariz. Sept. 30, 2024)). The 17 Court also held that citations to guidelines without further factual enhancement about how 18 they amount to industry standards that are also recognized as a duty under Arizona law 19 would not suffice. Id. 20 As this Court recently discussed, § 45 cannot establish a private right of action for 21 Plaintiffs to sue ConnectWise. Quinalty, 2024 WL 5223587, at *5. Second, while the 22 Complaint attempts to explain how § 45 and the various guidelines are standards for 23 industry, they do not constitute a duty under Arizona law. See Quinalty, 2024 WL 24 5223587, at *5; Cal-Am Properties, 509 P.3d at 391. And, even if such standards could 25 establish duty, they pertain to organizations that collect, possess, maintain, store, use, or 26 control sensitive data like PII, which Plaintiffs do not allege ConnectWise has done.8 (See
27 8 The Complaint rarely delineates between the acts of ConnectWise or On Q Financial, and thus the Court struggles to understand which Defendant undertook certain alleged actions. 28 (See id. ¶¶ 109, 238.) At best, the Court understands the allegations to be that both Defendants “had a duty to employ reasonable security measures . . . to protect confidential 1 generally Doc. 20.)9 2 Therefore, Plaintiffs have failed to allege that ConnectWise owed them a cognizable 3 duty under Arizona law. As a result, their negligence claim fails and must be dismissed. 4 3. Damages 5 Plaintiffs assert that they properly alleged five types of damages: (1) lost time and 6 opportunity costs; (2) emotional distress; (3) diminution of value; (4) future monitoring 7 costs; and (5) future risk of fraud. (Doc. 39 at 22–23; Doc. 20.) Plaintiffs do not allege 8 that they have suffered from identity theft because of the Data Breach. (See generally Doc. 9 20.) Plaintiffs Squier, Eitemiller, and Castellaw allege that they have suffered fraudulent 10 credit card charges since the Data Breach, but do not specifically allege that they were a 11 result of the breach. (Id. ¶¶ 181, 194, 208.) 12 Negligence damages must be actual and appreciable, non-speculative, and unlike 13 the injury sufficient for standing, more than merely the threat of future harm. CDT, Inc. v. 14 Addison, Roberts & Ludwig, 7 P.3d 979, 982–83 (Ariz. Ct. App. 2000). Therefore, 15 Plaintiffs’ claimed damages for lost time and opportunity costs is insufficient to state the 16 damages element of a negligence claim. See Quinalty, 2024 WL 5223587, at *5 (rejecting 17 the same); Griffey, 562 F. Supp. 3d at 45 (finding that lost time alone is not a cognizable 18 form of damages); Johnson v. Yuma Reg’l Med. Ctr., No. CV-22-01061-PHX-SMB, 2024 19 WL 4803881, at *5 (D. Ariz. Nov. 15, 2024) (“[G]eneral allegations of lost time are not 20 cognizable injuries.”); Bozek v. Ariz. Lab. Force Inc., No. CV-24-00210-PHX-SMB, 2025 21 WL 264174, at *5 (D. Ariz. Jan. 22, 2025) (same). Similar, Plaintiffs’ claimed damages 22 related to future monitoring costs and future risk of fraud without a concurrent showing of 23 present harm have been rejected by this Court on several occasions. See, e.g., Bozek, 2025 24 WL 264174, at *5 (finding allegations of increased risk of fraud and identity theft
25 data” under § 45 and failed to do so. (Doc. 20 ¶ 238.) As discussed, however, § 45 does not provide a private right of action or constitute a duty under Arizona law. 26 9 Plaintiffs attempt to rely on foreign law to salvage their claim under § 45. (Doc. 39 at 15 (citing In re Cap. One Consumer Data Sec. Breach Litig.¸488 F. Supp. 3d 374, 407 27 (E.D.V.A. 2020)).) That case, however, analyzed § 45 under New York law as it related to a negligence per se claim. See In re Cap. One, 488 F. Supp. 3d at 407. Therefore, that 28 court’s analysis has no bearing on the issues before the Court in this case. 1 “speculative damages of a future harm that has yet to occur” and as such “not 2 cognizable”).10 3 While the diminished value of PII can be a cognizable injury, Plaintiffs must 4 sufficiently allege a “robust market” for the PII and a deprivation of their ability to sell 5 personal data on that market. See Svenson v. Google Inc., No. 13-cv-04080-BLF- 2015 6 WL 1503429, at *5 (N.D. Cal. Apr 1, 2015) (citing In re Facebook Privacy Litig., 572 F. 7 App’x 494 (9th Cir. 2014)). Though allegations of the sale of Plaintiffs’ PII on the dark 8 web was enough to satisfy Article III standing, the Court echoes Griffey by declining to 9 find that the “dark web,” a seemingly illegal market in which ransomware groups sell PII, 10 (Doc. 20 ¶ 47–70), serves as a “robust” or “legitimate” market for the purposes of damages. 11 Griffey, 562 F. Supp. at 46; see also Quinalty, 2024 WL 5223587, at *5 (finding that the 12 “black market” is not a legitimate market). 13 Each named Plaintiff alleges that the Data Breach caused them to suffer “fear, 14 anxiety, and stress.” (Doc. 20 ¶¶ 172, 185, 199, 212.) The rule in Arizona is that “there 15 can be no recovery for mental disturbance unless physical injury, illness or other physical 16 consequence accompany it, or physical harm develops as a result of the plaintiff’s 17 emotional distress.” Johnson, 2024 WL 4803881, at *5; see also Amari v. Scottsdale 18 Healthcare Hosps., No. 1 CA-CV 17-0443, 2018 WL 2928040, at *4 (Ariz. Ct. App. June 19 12, 2018) (“[E]motional distress damages are recoverable absent impact if the emotional 20 distress manifests itself physically or results in long-term physical illness or mental 21 disturbance.”). Plaintiffs have not alleged that they experienced physical injury, illness, or 22 other physically manifested harm as a result of the fear, anxiety, and stress of the Data 23 Breach. (See generally Doc. 20.) Thus, Plaintiffs allegations of emotional distress fail to 24 state a claim for damages.
25 10 While Plaintiffs offer several cases to support their lost time and opportunity damages, not one applies Arizona negligence law. See Anthem II, 2016 WL 3029783, at *14–15; In 26 re Experian Data Breach Litigation, No. SACV 15-1592 AG (DFMx), 2016 WL 7973595, at *5 (C.D. Cal. Dec. 29, 2016); In re Solara Med. Supplies, LLC Customer Data Sec. 27 Breach Litig., No. 3:19-cv-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 918 (S.D. Cal. 2020); 28 Huynh v. Quora, Inc., 508 F. Supp. 3d 633, 650 (N.D. Cal. 2020). This authority is therefore inapposite at this juncture. 1 At bottom, Plaintiffs have failed to plead any cognizable form of damages for their 2 negligence claim against ConnectWise. 3 4. Causation 4 ConnectWise argues that Plaintiffs’ alleged injuries are not fairly traceable because 5 several intervening factors preclude the required proximate cause showing. (Doc. 35 6 at 23.) ConnectWise mainly focuses on Plaintiffs’ provision of their PII to On Q Financial, 7 and not ConnectWise, as well as ConnectWise’s warning to On Q Financial about the 8 ScreenConnect vulnerability. (Id. at 23–24.) Plaintiffs respond that they have pleaded a 9 connection between ConnectWise’s vulnerable software and the ability of hackers to use it 10 to steal their PII during the Data Breach. (Doc. 39 at 18–19; see also Doc. 20 ¶¶ 40, 56, 11 59–61.) Plaintiffs are correct. Cf. Griffey, 562 F. Supp. 3d at 45. This fact, however, is 12 inconsequential as Plaintiffs fail to allege a cognizable duty or injury. 13 IV. LEAVE TO AMEND 14 Federal Rule of Civil Procedure 15(a) requires that leave to amend be “freely give[n] 15 when justice so requires.” Leave to amend should not be denied unless “the proposed 16 amendment either lacks merit or would not serve any purpose because to grant it would be 17 futile in saving the plaintiff's suit.” Universal Mortg. Co. v. Prudential Ins. Co., 799 F.2d 18 458, 459 (9th Cir. 1986). Therefore, “a district court should grant leave to amend even if 19 no request to amend the pleading was made, unless it determines that the pleading could 20 not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 21 1127 (9th Cir. 2000) (cleaned up). 22 Although Plaintiffs have not requested leave to amend, it would not prejudice 23 ConnectWise if such leave is granted. While it is not abundantly clear to the Court how 24 Plaintiffs might ameliorate the deficiencies of their negligence and declaratory relief claims 25 as they pertain to ConnectWise, leave to amend will be granted. As Plaintiffs have 26 abandoned their negligence per se claim, no leave will be granted to reassert that claim in 27 any fashion. 28 /// 2\| V. CONCLUSION 3 Accordingly, 4 ITIS HEREBY ORDERED granting Defendant ConnectWise’s Motion to || Dismiss (Doc. 35). 6 IT IS FURTHER ORDERED dismissing Plaintiffs’ negligence and declaratory 7\| relief claims as to ConnectWise without prejudice and dismissing the negligence per se 8 || claim with prejudice. 9 IT IS FURTHER ORDERED giving Plaintiffs leave to amend their Complaint (Doc. 20). Plaintiffs shall have thirty (30) days from the date of this Order to file a Second 11 || Amended Complaint if they so choose. 12 Dated this 26th day of June, 2025. 13 Se . ~P 14 SO
1 soarapig Susan 6 Brpoyich 16 17 18 19 20 21 22 23 24 25 26 27 28
-25-