What to Do if Your Trade Secret Has Been Stolen: Investigation Guide

A stolen trade secret can transfer your most valuable competitive asset to a rival overnight. Proprietary formulas, engineering designs, client lists, and manufacturing processes — years of investment — can vanish through a single USB drive or a quiet upload to personal cloud storage.

The threat comes from both directions. External hackers and foreign actors do target companies, but CMU SEI/CERT research analyzing 103 insider IP theft cases found that former employees and trusted business partners together accounted for a significant share of confirmed cases — and fewer than 6% of those cases were even detected by software tools alone.

Speed and precision matter here. The wrong response in the first 48 hours can permanently destroy evidence and eliminate your legal options. This guide covers how to recognize theft, what to do immediately, how forensic investigations work, and how to build a case that holds up in court.


TL;DR

  • Don't power on suspect devices or attempt self-recovery — you'll destroy evidence
  • Physically secure all affected devices and document chain of custody immediately
  • Engage a certified digital forensic examiner before any analysis starts
  • Involve an attorney early to structure the investigation under attorney-client privilege
  • Report suspected criminal conduct to your local FBI field office and the IPR Center (1-866-IPR-2060)

Recognizing the Signs of Trade Secret Theft

Behavioral Red Flags to Watch For

Most trade secret theft doesn't look like a heist. It looks like a normal Tuesday — until you pull the logs.

Common warning signs include:

  • Forwarding work emails to personal accounts in the days before resignation
  • Uploading batches of files to Dropbox, Google Drive, or OneDrive from a company device
  • Creating ZIP archives of sensitive directories
  • Bulk-printing confidential documents or client data
  • Unusual USB activity, especially large data transfers
  • Accessing internal systems outside normal hours — late nights, weekends, or just before a departure date
  • Mass deletion of files shortly before or after submitting a resignation

None of these behaviors is automatically conclusive. But each is a documented precursor to data exfiltration, and any combination warrants a closer look.
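The "combination warrants a closer look" rule above, as an added example (not code from this guide or from any vendor tool): it maps log events to the warning signs listed and returns only users who show several distinct signs around a departure date. The event format, field names, domain, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

COMPANY_DOMAIN = "example.com"     # assumption: the organization's mail domain
WORK_HOURS = range(7, 20)          # assumption: 07:00-19:59 on weekdays is normal
USB_BYTES_LIMIT = 500 * 1024**2    # assumption: over 500 MiB to USB counts as large
MASS_DELETE_LIMIT = 100            # assumption: deletions per user in the window

# Constructed sample events: (ISO timestamp, user, event type, detail)
EVENTS = [
    ("2024-03-04T10:12:00", "asmith", "email_forwarded", "asmith.home@mail.example.net"),
    ("2024-03-09T23:41:00", "asmith", "login", "vpn"),
    ("2024-03-09T23:55:00", "asmith", "archive_created", "designs/q2.zip"),
    ("2024-03-10T00:20:00", "asmith", "usb_write", "734003200"),
    ("2024-03-05T14:02:00", "bjones", "email_forwarded", "vendor@example.com"),
    ("2024-01-02T22:15:00", "asmith", "login", "vpn"),  # outside the review window
]
DEPARTURES = {"asmith": datetime(2024, 3, 15), "bjones": datetime(2024, 3, 15)}


def classify(event_type, detail, ts):
    """Map one event to the warning sign it represents, or None if benign."""
    if event_type == "email_forwarded" and not detail.lower().endswith("@" + COMPANY_DOMAIN):
        return "personal_email_forward"
    if event_type == "login" and (ts.weekday() >= 5 or ts.hour not in WORK_HOURS):
        return "after_hours_access"
    if event_type == "usb_write" and int(detail) > USB_BYTES_LIMIT:
        return "large_usb_transfer"
    return {"archive_created": "archive_creation", "cloud_upload": "cloud_upload",
            "bulk_print": "bulk_print"}.get(event_type)


def review_candidates(events, departures, window_days=30, grace_days=7, min_signs=2):
    """Return {user: sorted distinct warning signs} for users showing a combination."""
    signs, deletions = defaultdict(set), defaultdict(int)
    for stamp, user, event_type, detail in events:
        ts, leave = datetime.fromisoformat(stamp), departures.get(user)
        if leave is None or not (-window_days <= (ts - leave).days <= grace_days):
            continue  # no departure on record, or event outside the review window
        if event_type == "file_deleted":
            deletions[user] += 1
        elif (sign := classify(event_type, detail, ts)):
            signs[user].add(sign)
    for user, count in deletions.items():
        if count > MASS_DELETE_LIMIT:
            signs[user].add("mass_deletion")
    return {user: sorted(found) for user, found in signs.items() if len(found) >= min_signs}
```

The output is a review queue, not a finding: a flagged user is a reason to preserve logs and involve counsel, and the thresholds need tuning against normal activity for each role.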

The Insider Threat Reality

External intrusions get the headlines, but the CMU SEI/CERT dataset tells a different story: over 17% of IP theft cases with a known relationship involved trusted business partners, and software tools alone detected fewer than 6% of cases. Human reporting — exit interviews, manager observations, peer tips — caught more cases than technology did.

Perimeter defenses won't catch a departing employee who legitimately has access to everything they're taking. Detecting that requires watching internal behavior: file access patterns, cloud sync activity, USB connections, and anomalous after-hours logins tracked over time.

Vendors and joint venture partners carry similar risk. Once a business relationship dissolves, any proprietary information shared under NDA becomes a liability if the other party retains or uses it. Vendor offboarding warrants the same structured review you'd apply to a departing employee.


What to Do in the First 48 Hours

The Single Most Important Rule

Do not power on suspect devices. Do not plug in USB drives. Do not let IT attempt to "check what's on there."

SWGDE's best practices for digital evidence collection are direct on this point: if a device is already powered off, leave it off. Turning it on can overwrite timestamps, alter metadata, and modify the very artifacts a forensic examiner needs to reconstruct what happened. Evidence compromised this way may be challenged — or excluded — in litigation.

Physical Containment

Move quickly on these steps:

  1. Identify and inventory all devices associated with the suspected employee — laptop, work phone, USB drives, external hard drives, any company-issued tablets
  2. Power them off if they're running (after consulting a forensic examiner about volatile data considerations)
  3. Secure them physically in a locked cabinet, evidence bag, or restricted access room
  4. Document chain of custody — record who took custody, when, and everyone who has had access since

Account-Level Containment

While physical containment is underway, take these steps in parallel:

  • Revoke access to company email, shared drives, VPN, and all internal systems
  • Change shared passwords and service credentials the employee had access to
  • Back up encryption keys before removing devices from any management systems
  • Place a legal hold on the employee's email account — do not allow it to be purged or recycled
  • Disable cloud sync on company-managed accounts to prevent ongoing exfiltration

Preserve Logs Before Anything Changes

Instruct IT to export — without modifying — the following, covering at minimum the past three to six months:

  • Email server access logs
  • VPN connection records
  • File access and activity logs
  • Cloud storage sync logs
  • USB device connection history

These logs establish the timeline. Once system changes are made or retention periods lapse, the records are unrecoverable.
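One way to make the chain-of-custody record and the log export above verifiable later, as an added example that is not part of the original guide: a SHA-256 manifest taken at export time shows whether any log was altered, removed, or added afterward, and a hash-chained custody log shows whether a custody record was edited. The function names and record fields are assumptions.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks, opening it read-only so the export is not modified."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        while block := handle.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(export_dir):
    """Record size and SHA-256 of every exported log at collection time."""
    root = Path(export_dir)
    return {str(p.relative_to(root)): {"bytes": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(export_dir, manifest):
    """Return the paths that are missing, altered, or new since collection."""
    current = build_manifest(export_dir)
    return sorted(name for name in manifest.keys() | current.keys()
                  if manifest.get(name) != current.get(name))


def add_custody_entry(log, custodian, action, when):
    """Append a custody record whose hash covers the previous record's hash."""
    entry = {"custodian": custodian, "action": action, "when": when,
             "prev": log[-1]["hash"] if log else ""}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def custody_log_intact(log):
    """Recompute every link; an edited, removed, or reordered record breaks the chain."""
    prev = ""
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

Run `build_manifest` on a copy of the export directory immediately after IT produces it, and keep the manifest and the latest custody hash somewhere the custodians of the evidence cannot rewrite, such as with counsel.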

Engage an Attorney Immediately

Structuring your investigation under attorney-client privilege from the start protects your findings from adversarial discovery. Internal communications about the investigation — who is suspected, what was found — should route through counsel, not through standard company email. Waiting until you have more information before involving counsel is a common mistake — and one that can permanently compromise your evidentiary position.


Conducting a Forensic Investigation the Right Way

Why Certified Examiners Matter

A forensic investigation begins with one non-negotiable step: a certified examiner creates a forensic image — a bit-for-bit copy — of the suspect device before any analysis occurs. The original device is then set aside. All examination happens on the copy.

This matters because it preserves the original state of evidence, allows the process to be independently verified, and produces findings that are defensible in court. NIST IR 8387 on digital evidence preservation frames the entire preservation process around maintaining data integrity from the moment of collection — any deviation creates a vulnerability that opposing counsel will exploit.

Having your internal IT team attempt recovery instead is a serious mistake. They may be technically capable, but they lack the forensic training, write-blocking procedures, and chain-of-custody documentation that courts expect.

What a Forensic Examiner Investigates

In a trade secret case, a qualified examiner will analyze:

  • USB and external device history — which drives were connected, when, and what was transferred
  • Cloud storage activity — uploads to Dropbox, Google Drive, OneDrive, or iCloud from company devices
  • Email and webmail access — forwarding rules, sent attachments, personal webmail use on company systems
  • File creation, modification, and deletion timestamps — the sequence of actions reveals intent
  • ZIP and archive activity — compressing files before transfer is a classic exfiltration method
  • Browser history and searches — what the employee was looking for and when
  • Deleted file recovery — forensic tools can often recover files deleted in an attempt to cover tracks

Timestamps and metadata reconstruct exactly when each action occurred, on which account, and in what sequence — building a precise timeline of exfiltration activity.

Mobile Device Forensics: The Overlooked Component

Personal phones are regularly used to photograph screens, text files to personal accounts, or access company cloud services. They hold evidence that never appears on a company laptop.

Mobile forensics requires separate expertise and tools. Prudential Associates' team holds Cellebrite Certified Physical Analyst, Cellebrite Certified Operator, Certified Mobile Forensics Examiner (CMFE), and GIAC Advanced Smartphone Forensics (GASF) credentials — the certifications specifically designed for extracting and analyzing data from smartphones in a forensically sound manner.

Obtain device PIN codes before an employee completes offboarding. Without them, access to a locked personal device — even with legal authority — becomes significantly more complicated.

Prudential Associates' Forensic Capabilities

Prudential Associates' examiners hold CFCE, CCFE, CDFE, EnCE, and ACE certifications for computer forensics, combined with the full Cellebrite suite for mobile devices. The team includes former FBI special agents and law enforcement veterans with direct investigative experience — not just technical examiners. Their examiners have testified in state and federal courts, authored affidavits, and assisted counsel in crafting legal strategy.


Building Your Legal Case for Trade Secret Misappropriation

The Three Legal Requirements

Under the Defend Trade Secrets Act (18 U.S.C. § 1839), a valid trade secret claim requires proving three things:

  1. The information derives independent economic value from not being generally known or readily ascertainable
  2. The owner took reasonable measures to keep it secret — NDAs, access controls, confidentiality policies, restricted systems
  3. The information was misappropriated — taken, used, or disclosed without authorization

Courts scrutinize the second element closely. If your company emailed the formula to 50 employees with no confidentiality marking, never required NDAs, and stored it on an open server, a trade secret claim becomes nearly impossible to win, regardless of the theft itself.

Available Legal Remedies

The DTSA provides civil plaintiffs with meaningful tools:

  • Injunctions preventing continued use or disclosure
  • Actual damages for losses caused by misappropriation
  • Unjust enrichment damages for gains the defendant made at your expense
  • Exemplary damages up to 2x for willful and malicious misappropriation
  • Attorney's fees in cases involving bad faith
  • Ex parte seizure: available only in extraordinary circumstances where standard injunctive relief is inadequate and immediate irreparable harm is certain

State laws based on the Uniform Trade Secrets Act run parallel to the DTSA, and plaintiffs can generally plead them alongside federal claims.

Strategic Decisions

Knowing your remedies is only part of the picture. Three questions your attorney will address early shape how aggressively you can pursue them:

  • Who to name as defendants — the former employee, their new employer, or both. If the new employer is benefiting from your stolen information, they're a viable target.
  • Forum selection — arbitration clauses or forum-selection provisions in employment agreements may affect where the case can be filed.
  • Criminal referral: economic espionage under 18 U.S.C. § 1831 carries penalties up to 15 years imprisonment and fines up to $5 million for foreign-government-connected theft. Commercial trade secret theft under § 1832 carries up to 10 years. Criminal prosecution and civil action are not mutually exclusive; pursue both tracks in parallel.

Reporting Trade Secret Theft to Law Enforcement

When and How to Contact the FBI

Report to your local FBI field office as soon as you have reasonable grounds to believe theft has occurred. The DOJ's Criminal Division, Computer Crime and Intellectual Property Section (CCIPS) directs trade secret and economic espionage cases to the FBI — not to other agencies.

Two FBI divisions handle these cases differently:

  • Criminal Investigative Division — handles domestic, commercially motivated trade secret theft
  • Counterintelligence Division — handles cases with suspected foreign government involvement or state-sponsored economic espionage

For cases involving organized theft or international actors, also file with the IPR Center at iprcenter.gov or call 1-866-IPR-2060. The IPR Center coordinates across multiple federal agencies and accepts referrals directly.

What Criminal Prosecution Can and Cannot Do

Filing a criminal report is the right first step — but understanding what each legal track delivers helps you plan the full response.

A successful criminal prosecution can result in imprisonment, significant fines, and court-ordered forfeiture. It won't automatically suppress every copy of the stolen information or restore your competitive position. That's where civil action fills the gap:

  • Criminal track — punishes the offender through imprisonment, fines, and forfeiture
  • Civil track — gets you injunctions to stop ongoing use and damages to compensate for losses

Pursue both tracks at the same time. Waiting for a criminal case to resolve before filing civilly costs you time and leverage.


Frequently Asked Questions

How do you prove trade secret theft?

You must show the information qualifies as a trade secret, that reasonable secrecy measures were in place, and that the defendant acquired or used it without authorization. Digital forensic evidence, access logs, file transfer records, and communications showing intent are the primary proof sources.

What are the three requirements for a trade secret?

The information must meet all three criteria:

  • Has independent economic value from not being generally known
  • Is not readily ascertainable through legitimate means
  • Is actively protected by reasonable measures — NDAs, restricted access, confidentiality agreements

What are the most common trade secret violations?

The most common violations involve departing employees taking files, client lists, or formulas to a competitor. Vendors or joint venture partners misusing shared information after the relationship ends is another frequent pattern. External cyber intrusions targeting proprietary databases or source code round out the top three.

What is the penalty for stealing trade secrets?

Under the Economic Espionage Act, commercial theft carries up to 10 years imprisonment; foreign-government-benefit theft can reach 15 years and $5 million in individual fines. Civil remedies include injunctions, compensatory damages, up to 2x exemplary damages, and attorney's fees for willful misappropriation.

Can you be sued for trade secret theft?

Yes — both individuals and companies face civil liability under the DTSA or state trade secret laws. Individuals can also face criminal prosecution under the Economic Espionage Act if they knowingly stole secrets for another party's economic benefit.

Does protecting a trade secret require registration?

No. Unlike patents or trademarks, trade secrets require no government filing or registration fee. Protection exists automatically as long as the information meets the legal requirements and is actively kept secret through reasonable measures.