The opinion of the court was delivered by: James F. Holderman, Chief Judge:
MEMORANDUM OPINION AND ORDER
On July 7, 2010, plaintiffs Farmers Insurance Exchange, Mid-Century Insurance Company, and Illinois Farmers Insurance Company (collectively "Farmers") filed a four-count complaint in the United States District Court for the Central District of California against defendants The Auto Club Group d/b/a/ AAA Chicago, Auto Club Insurance Association, and MemberSelect Insurance Company (collectively "Auto Club"), alleging violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(2)(C) and (a)(4) (Counts I and II), the California Comprehensive Computer Data Access and Fraud Act ("CCDAFA"), California Penal Code § 502 (Count III), and the California Uniform Trade Secrets Act, Cal. Civ. Code § 3426, et seq. (Count IV). (Dkt. No. 11 ("1st Am. Compl.").) On February 23, 2011, in response to Auto Club's motion to dismiss for lack of personal jurisdiction, District Judge Consuelo B. Marshall ordered the case transferred to the Northern District of Illinois.
Now pending before this court is Auto Club's "Motion to Dismiss Counts I, II and III of Plaintiffs' First Amended Complaint Pursuant to Federal Rule of Civil Procedure 12(b)(6)." (Dkt. No. 57 ("Auto Club's Mot.").) For the reasons stated below, Auto Club's motion is granted. Counts I, II, and III are dismissed without prejudice. The court also sua sponte dismisses Count IV without prejudice. Farmers is granted leave to file a Second Amended Complaint consistent with this order and the relevant underlying facts on or before November 3, 2011, should it desire to do so. Auto Club's answer is due on or before November 23, 2011.
For purposes of the pending motion to dismiss, the court accepts as true the following facts as set forth in Farmers' First Amended Complaint. See Adkins v. VIM Recycling, Inc., 644 F.3d 483, 493 (7th Cir. 2011).
Farmers is in the business of selling insurance products. (1st Am. Compl. ¶¶ 4-6, 11.)
Specifically, Farmers sells automobile, homeowners, and commercial insurance to customers through the use of independent contractor agents. (Id. ¶ 11.) Plaintiffs Farmers Insurance Exchange and Mid-Century Insurance Company each have their principle places of business in Los Angeles, California, while Illinois Farmers Insurance Company has its principal place of business in Aurora, Illinois. (Id. ¶¶ 4-6.)
Like Farmers, defendant The Auto Club Group is also in the business of selling insurance products. (Id. ¶ 7.) The Auto Club Group, headquartered in Dearborn, Michigan, does business under the assumed names AAA Chicago, AAA Travel Agency, Chicago Motor Club, AAA Auto Club Group, and Road Service, Inc., and sells insurance products to residents of Illinois, Indiana, Iowa, Michigan, Minnesota, Nebraska, North Dakota, and Wisconsin. (Id.) Defendants The Auto Club Insurance Association and MemberSelect Insurance Company are both in the business of underwriting insurance products, and sell their products through The Auto Club Group. (Id. ¶¶ 8-9.) The Auto Club Insurance Association and MemberSelect Insurance Company also have their principal places of business in Dearborn, Michigan. (Id.)
In the course of its business, Farmers maintains certain confidential information about its policyholders, including their names, addresses, telephone numbers, Social Security numbers, drivers license numbers, and financial information. (Id. ¶ 14.) Farmers also maintains confidential information about its specific policies, including premium amounts, policy expiration dates, details of the insureds' property, and claims histories. (Id. ¶¶ 13-14.)
To maintain the confidentiality of this policyholder information, Farmers uses a "password protected Internet portal" known as the "Agency Dashboard." (Id. ¶ 15.) The Agency Dashboard "allows Farmers' employees and independent contractor agents to track information about and provide services to Farmers' policyholders" by accessing databases that contain Farmers' confidential policyholder information, as well as Farmers' "underwriting practices, guidelines, communications, training information, and . . . rating systems." (Id.) Reports generated from the information stored in the databases are also used "for marketing, servicing, and managing the agency." (Id. ¶ 16.) Farmers' computer servers are physically located in Los Angeles, California, but are accessible throughout the United States. (Id. ¶ 17.)
Farmers requires all authorized users to sign-in to the Agency Dashboard using an individually authorized login name and password, and the Agency Dashboard itself includes a "prominent message" on the login screen notifying users that they are accessing proprietary and confidential information. (Id. ¶ 22.) Farmers also requires its insurance agents to agree that they will use Farmers' confidential policyholder information "only in the course of their agency with Farmers" and "to promise not to disclose Farmers' Confidential Policyholder Information to third parties or to use it in any way detrimental to Farmers." (Id. ¶ 20.) Copies of Farmers's procedures regarding access to and preservation of its databases are also accessible through the Agency Dashboard. (Id.)
Beginning "no later than 2007," certain Farmers agents supplied Auto Club with "login names and passwords that would permit Auto Club personnel to directly access" Farmers' confidential policyholder information. (Id. ¶ 25.) These agents also printed Farmers' confidential policyholder information and gave hard copies of this information to Auto Club. (Id.) Auto Club then "accessed, reviewed, transmitted, and/or printed" Farmers' confidential policyholder information without authorization, copied this information into Auto Club's own computer system, created and disseminated spreadsheets containing Farmers' confidential policyholder information, and used this information "to generate quotations for insurance policies in competition with Farmers and without having to generate customer contacts, build loyalty, and gather information on its own." (Id. ¶¶ 25-32.)
In response to Auto Club's illegal actions, Farmers "was required to send breach notification letters to thousands of policyholders." (Id. ¶ 34.) Farmers claims damages in the form of costs associated with "identifying and ascertaining the extent of Auto Club's unauthorized access to and acquisition of Farmers' Confidential Policyholder Information," as well as fees and expenses incurred in the course of "determining and complying with customer security breach notification obligations as required by the laws of the States in which the affected customers reside." (Id. ¶ 34.) Farmers also claims "lost present and future business and revenue from its policyholders," as well as damage to its reputation. (Id. ¶¶ 34-35.)
To avoid dismissal under Federal Rule of Civil Procedure 12(b)(6), the factual allegations of a complaint must "raise a right to relief above the speculative level" such that the plaintiff's claim is "plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 570 (2007). In this regard, a "formulaic recitation of the elements of a cause of action will not do." Id. at 555. Rather, the plaintiff must include "enough detail to give the defendant fair notice of what the claim is and the grounds upon which it rests, and, through his allegations, show that it is plausible, rather than merely speculative, that he is entitled to relief." Reger Dev., LLC v. Nat'l City Bank, 592 F.3d 759, 764 (7th Cir. 2010) (quoting Tamayo v. Blagojevich, 526 F.3d 1074, 1081 (7th Cir. 2008)). If the allegations of a complaint "fail[ ] to state a claim upon which relief can be granted," the complaint will be dismissed. Fed. R. Civ. P. 12(b)(6). When addressing a motion to dismiss, the court must accept the factual allegations set forth in the complaint as true and draw all reasonable inferences in favor of the plaintiff. Adkins, 644 F.3d at 493.
1. Farmers' CFAA Claims (Counts I and II)
The CFAA provisions at issue in this case prohibit "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, . . . thereby obtain[ing] information from any protected computer," 18 U.S.C. § 1030(a)(2)(C) (Count I), and "knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of ...