Stopping trade secret theft in your organization, part 2

May 23, 2017 | 3 mins
Cybercrime, IT Leadership, Legal

A brief primer on trade secret law for security professionals.


In Part I of this series, I defined “trade secrets” and the risk of trade secret theft. In this post, I will give a primer on trade secret law for security professionals. Since I am not a lawyer, the post is not meant as legal advice. My experience does include 16 years of work as an expert witness in security and intellectual property cases.

Trade secret law has again hit the headlines with the Waymo vs. Uber case (the most recent headline is here). Cyber technology is rarely the cause of trade secret theft, but these days it is often an enabler. In this matter, a Waymo engineer is accused of downloading 9.7 GB of trade secret files while employed at Waymo and then making use of them after joining Uber. You can read the details here. Waymo’s complaint is based on both federal and state laws.

The first trade secret laws in the US arose out of common law in the 19th century. One of the first cases, Peabody v. Norfolk (1868), involved a machinist leaving one textile manufacturer for a competitor; both firms were in Massachusetts. Trade secret statutes then evolved out of these intra-state disputes. Today, virtually all states have adopted the Uniform Trade Secrets Act (UTSA) as statutory law prohibiting trade secret theft. Plaintiffs generally seek relief against misappropriators in the state court system. You don’t steal a trade secret like you would steal a car. Damages can include monetary damages, unjust enrichment, punitive damages and injunctive relief. The statute of limitations is three years.

The Defend Trade Secrets Act (DTSA) is a new federal law passed in May 2016. Congress gave potential victims the chance to litigate directly in federal court. Waymo is taking advantage of the DTSA. For willful and malicious trade secret misappropriation, the DTSA permits recovery of attorney’s fees and triple punitive damages.

There are other venues that trade secret plaintiffs may use. The ITC (International Trade Commission) hears cases related to imported products potentially infringing trade secrets held by domestic manufacturers. It’s known for relatively rapid resolution of cases. Recently, Jawbone claimed trade secret theft by Fitbit and unsuccessfully attempted to block Fitbit’s product imports from Asia.

Finally, the Economic Espionage Act (EEA) provides criminal penalties for trade secret theft. These cases are tried in federal courts by US Attorneys. A recent example is the case of Sergey Aleynikov, a former Goldman Sachs programmer who allegedly stole trading software from his employer. After six years of litigation and $7M of legal fees, he was ultimately vindicated in this matter.

If your organization depends on trade secrets for its business, you will want to become familiar with and track the types of breaches that are going on in your industry. Unfortunately, there is no single source for this information. Three good sources include:

  1. Brooklyn Law School Trade Secrets Institute (TSI)
  2. PacerPro 
  3. U.S. DOJ Intellectual Property Task Force (IPTF)

The TSI reports on many trade secret theft cases, doing a fairly good job of coverage. PacerPro is a subscription-based service that provides access to records of federal cases in litigation. The DOJ IPTF site provides press releases on all types of federal IP theft matters.

Next, in Part III, I will analyze the root causes in 10 trade secret theft cases.


Dr. Frederick Scholl is a thought leader in information security. His professional experience includes semiconductor researcher and engineer, start-up cofounder, and academic professor and leader.

He has both security practitioner experience and credentials as an educator. He consults on security governance, risk management and compliance issues.

Dr. Scholl started and leads Quinnipiac’s MS Cybersecurity program. This online degree program is focused on career changers who have a strong business and IT background, but little or no cybersecurity experience. The program emphasizes software security, cloud security, risk management and resilient systems.

The opinions expressed in this blog are those of Frederick Scholl and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.