The Victim Everyone Forgets

When a company discovers it has been breached, a familiar machine springs to life, and it is pointed almost entirely at one thing: personal data. Incident-response teams race to count affected individuals. Privacy counsel calculates notification deadlines across dozens of states. Communications drafts the letters, the attorneys general are alerted, credit monitoring is arranged, a forensics firm is retained, and everyone braces for the consumer class action that now arrives as reliably as the breach itself. This is rational. The patchwork of state breach-notification statutes, the California Consumer Privacy Act, HIPAA, the SEC's cyber-disclosure rules, and the rest have spent two decades training organizations to treat a breach as, fundamentally, a privacy event.

But that training has a blind spot, and the blind spot can cost a company far more than the privacy exposure that gets all the attention. The same intrusion that scooped up a database of email addresses may also have walked off with the one thing the company can never replace, recreate, or insure away: the proprietary business information that is its actual competitive advantage.

Consider Meridian Robotics, a fictional manufacturer of industrial automation systems. One Monday morning its security team finds that an intruder has been living inside the network for the better part of a month. The response machine fires up in privacy mode, because the breach touched a database of customer contacts and there are notification letters to send. But buried in the same intrusion is something the privacy checklist never thinks to ask about: the attacker also exfiltrated the engineering files describing Meridian's proprietary servo-calibration process—the single capability that lets its robots place a component within a fraction of a millimeter, the product of six years and tens of millions of dollars of research, and the only reason a Fortune 500 line buyer chooses Meridian over a cheaper competitor. The leaked customer contacts will generate some regulatory correspondence and a manageable class action. The calibration process, if it reaches a rival in Shenzhen or Stuttgart, can erase Meridian's market advantage permanently. Worse, a clumsy response to the breach can forfeit the very legal protection Meridian would need to stop the bleeding.

Meridian is not an outlier, and the numbers say so. The FBI's Internet Crime Complaint Center ties billions of dollars in annual losses to business email compromise and corporate data theft, and the Commission on the Theft of American Intellectual Property has estimated that trade secret theft alone costs the U.S. economy somewhere between $225 billion and $600 billion a year—a range so wide precisely because so much of the loss is invisible until a competitor surfaces with a suspiciously familiar product. Verizon's annual Data Breach Investigations Report consistently finds that a meaningful slice of intrusions target proprietary information rather than, or in addition to, personal data. Yet most incident-response plans treat intellectual property as an afterthought, if they treat it at all.

This article is about closing that gap—about building the muscle to recognize, in the first chaotic hours of a breach, that the company may be losing something the privacy checklist will never flag. We will follow Meridian from the moment of discovery through litigation, and along the way we will work through the doctrine that makes the stakes so high: why post-breach conduct can preserve or destroy trade secret status, how to tell a trade-secret hunt from a bulk-data sweep, what remedies the Defend Trade Secrets Act puts on the table and how to keep them open, how to document forensics for a courtroom rather than a regulator, how to avoid the privilege traps that have turned forensic reports into discovery gifts for plaintiffs, and how the insurance you bought may or may not respond. For the foundational program that makes any of this possible, our guide on building a trade secret protection program from scratch is the natural starting point, and for the distributed-work dimension that multiplies the attack surface, see trade secrets in the age of remote work and cloud computing.

Why a Breach Can Cost You the Secret Itself

To see why incident response and trade secret law are entangled—why the response is part of the asset's legal survival—you have to understand what makes information a trade secret in the first place.

Under the Defend Trade Secrets Act of 2016 (DTSA), codified at 18 U.S.C. §§ 1836–1839, and the Uniform Trade Secrets Act adopted in some form by every state except New York, information qualifies for protection only if three things are true. First, it must be the kind of information the statute covers—and the DTSA's definition is sweeping, reaching "all forms and types of financial, business, scientific, technical, economic, or engineering information," whether tangible or intangible and however stored. 18 U.S.C. § 1839(3). Second, the information must derive independent economic value, actual or potential, from not being generally known to, or readily ascertainable by, others who could profit from its disclosure or use. And third—this is the one that does most of the work in litigation—the owner must have taken "reasonable measures to keep such information secret." § 1839(3)(A).

That third element is where cybersecurity and trade secret law fuse. The reasonableness of a company's protective measures is not a box that gets checked once at creation; it is a factual question that a court revisits at the moment of dispute, weighing the company's actual security practices against the value and vulnerability of the information. A company that left its crown jewels on an open file share, accessible to every employee and protected by nothing but a shared password taped to a monitor, may discover that its "secret" was never legally a trade secret at all—and that the elaborate misappropriation lawsuit it wants to bring collapses at the threshold. The point recurs across the case law: courts will deny trade secret status where the claimant cannot show it actually treated the information as secret. Our overview of the broader doctrine, protection of trade secrets, develops the three-element framework in full; the takeaway for present purposes is narrower and sharper: security and legal protection are the same question asked twice.

The crucial, underappreciated corollary is that the reasonable-measures inquiry does not freeze at the instant of the breach. Post-breach conduct becomes part of the analysis. Trade secret status does not automatically evaporate the moment information is stolen—courts have long recognized that even diligently guarded secrets can be taken, and that a single breach does not retroactively prove the protection was unreasonable. The law does not demand perfect security, only reasonable security, and a sophisticated nation-state intrusion can defeat reasonable security. But what the company does next speaks volumes about whether it genuinely regarded the information as a secret worth protecting. Prompt, visible, aggressive action to contain the intrusion, identify exactly what was exposed, limit further dissemination, and pursue legal remedies demonstrates the continuing commitment to secrecy the statute requires. Delay, indifference, or a response that diligently solves the privacy problem while ignoring the stolen process altogether can hand a future defendant precisely the evidence it needs to argue that the company never really valued the information's confidentiality.

Picture the two paths open to Meridian. On the first, Meridian identifies the calibration-file theft within hours, contains the intrusion, works to attribute it, moves to prevent further spread, papers a litigation hold, and engages counsel to pursue available remedies. A court later assessing a trade secret claim is likely to find that Meridian maintained reasonable measures throughout—the breach was a wound, not a forfeiture. On the second path, Meridian discovers the identical theft, pours every available hour into customer notification and class-action defense, and takes no IP-protective step for three weeks. A court may read that response as a failure to treat the calibration process as the secret Meridian now insists it is, and the inattention that followed the breach becomes a weapon in the defendant's hands. Same theft, opposite outcomes, decided not by the intrusion but by the response to it.

Spotting the Trade-Secret Breach Hiding Inside the Privacy Breach

The first problem is recognition, and it is harder than it sounds. Standard breach forensics is engineered to answer privacy questions—what personal information was accessed, how many individuals were affected, how the attacker got in and how long they stayed—because those are the questions that drive notification timelines and regulatory exposure. Trade secret protection requires a different and largely orthogonal set of questions that rarely appear in an off-the-shelf playbook: What proprietary business information was accessed or taken? How competitively sensitive is it? Who would benefit from possessing it? And how can further dissemination be stopped before the value is gone?

The gap is widened by organizational silos that map almost perfectly onto the blind spot. The security team running the forensic investigation often does not know which files are trade secrets and which are routine. The legal department may not see the forensic findings until they have been distilled into a notification-focused summary. And the business units that actually own the secrets—R&D, engineering, sales operations—are frequently not in the incident-response room at all. Without deliberate integration, the theft of Meridian's calibration files can sit unrecognized in a forensic log for weeks, until long after anything useful could have been done about it.

Mapping the crown jewels before the breach

The antidote begins before any breach, with an inventory that security professionals call "crown jewels mapping"—a living catalogue of the organization's most competitively sensitive information. This is not the same as a data map built for privacy compliance, which catalogues personal information by category and jurisdiction; a crown-jewels inventory catalogues value. For each crown jewel, a good inventory captures five things:

  • What it is. This requires input from R&D, engineering, sales, operations, and finance, because no central team knows the full portfolio. The calibration process belongs on the list; so might a pricing model, a customer-acquisition algorithm, a supplier list assembled over a decade, or a manufacturing tolerance that took years to dial in.
  • Where it lives. Which systems, repositories, file shares, and cloud buckets—so that when forensics identifies a compromised server, the inventory instantly reveals whether a secret was sitting on it.
  • How sensitive it is. A tiered classification so that the loss of core process documentation triggers more urgent attention than the loss of a stale prospect list.
  • Who is authorized to touch it. So that anomalous access stands out against a known baseline and an insider's bulk download becomes visible as the aberration it is.
  • What protects it. Access controls, encryption, confidentiality markings, contractual obligations—because this column is, quite literally, the documentation of the "reasonable measures" the company will later point to in court.

A company that has done this work can answer, within hours of a breach, the question that matters most: were the crown jewels touched? A company that has not must reconstruct all of it in real time, mid-crisis, while the notification clock runs and outside counsel bills by the tenth of an hour. The discipline of building this inventory overlaps heavily with the audit practice we describe in building a trade secret protection program from scratch; the incident-response payoff is simply one more reason to do it.

A practical caution is worth pressing here, because it is where most crown-jewels programs decay: the inventory is only useful if it is current, and currency is exactly what these documents lose. A trade secret portfolio is not static. New processes are developed and old ones retired or publicly disclosed; files migrate from one system to another as the company adopts new tools; access lists drift as people change roles and projects spin up and wind down. An inventory that accurately mapped the company's secrets two years ago may now point investigators at the wrong servers, telling them a compromised system held nothing sensitive when in fact the calibration files were quietly moved there last quarter during a storage consolidation no one thought to log. The fix is unglamorous but decisive: treat the inventory as a living document with a named owner and a fixed review cadence, refreshed whenever a significant R&D milestone, system migration, or reorganization occurs. The investment is modest and the payoff is asymmetric—in the hours after a breach, the difference between a current inventory and a stale one is the difference between catching the theft of a crown jewel immediately and discovering it months later, after the secret is already running on a competitor's production line.

The forensic signatures of a hunt

Certain forensic fingerprints suggest a breach was hunting trade secrets rather than, or in addition to, personal data, and Meridian's responders should be trained to flag them. Thieves after proprietary information behave differently from bulk-data harvesters and ransomware crews, and the differences show up in the telemetry.

They exfiltrate selectively. A credential-stuffing operation after payment-card data vacuums up whole databases; a trade-secret thief pulls specific directories and specific file types and leaves the rest. When forensics shows that the attacker ignored the customer database but lingered in the engineering share, that asymmetry is itself a signal.

They spend time on reconnaissance. Targeted theft involves mapping where the valuable material lives and identifying which employees can reach it—lateral movement that looks less like smash-and-grab and more like a careful inventory of the building before the break-in.

The data types tell a story. CAD files, source code, design documents, formulation spreadsheets, and process documentation pulled from R&D folders point to proprietary information, not personal data. A privacy investigator may note these files only to confirm they contained no Social Security numbers and move on; an IP-aware investigator sees a target list.

Attribution informs the risk. A nation-state actor from a jurisdiction known for industrial espionage, an apparent competitor, or a recently departed employee all suggest targeted theft rather than an opportunistic sweep. Attribution is hard and often impossible, but where it exists it reshapes the response.

And timing matters. An intrusion that lands just before a product launch, during M&A diligence, or in the weeks ahead of a patent filing may be aimed squarely at the secrets those events involve.

For Meridian, the selective exfiltration of engineering directories—while the bulk customer database sat largely untouched—is the tell. A privacy-only investigation would have noted that the engineering files contained no regulated personal data and filed them under "no notification required." An IP-aware investigation recognizes that the company may have just lost the only thing that mattered.

Preserving Protection and Pursuing Remedies

Once trade secret exposure is identified, the immediate priorities are containment and preservation—and they must run in parallel with, not behind, the privacy response. The temptation in a mixed breach is to triage the regulated personal data first because it carries hard deadlines, and to get to the IP "once things settle down." That sequencing is exactly backward from the standpoint of the asset's survival, because the secret's value bleeds out with every hour it spreads.

Technical containment comes first. Work with security to stop ongoing exfiltration, close the attack vector, and limit further access—isolating affected systems, revoking compromised credentials, blocking attacker infrastructure. (A word of caution that recurs in the forensics: containment must be done in a way that preserves evidence rather than overwriting it, a tension we return to below.)

An access review usually follows. The investigation frequently reveals that access to the affected secret was far broader than it needed to be—the calibration files readable by three hundred employees when thirty would do. Tightening access now both reduces further risk and, not incidentally, shores up the ongoing reasonable-measures showing.

Evidence preservation through a litigation hold must capture not just the obvious forensic images and logs but the materials that prove the secret's value and the company's protective efforts—the development records, the confidentiality agreements, the access policies. The hold has to issue early and broadly, because the data a trade secret case needs is exactly the data routine retention policies tend to purge.

And counsel should be engaged immediately—not only because trade secret litigation runs on compressed timelines for emergency relief, but because early involvement of counsel is what establishes the privileged posture of the investigation, a point we develop at length below.

The remedies—and why the willingness to use them matters

The remedies available for trade secret misappropriation are substantial, and a company's evident readiness to use them is itself part of the reasonable-measures story. Under the DTSA and parallel state law:

Injunctive relief. A court can enjoin actual or threatened misappropriation, including through emergency temporary restraining orders and preliminary injunctions where irreparable harm is imminent. 18 U.S.C. § 1836(b)(3)(A). The injunction is frequently the real prize—more valuable than any damages award—because it preserves the secret's confidentiality going forward in a way money never can. One important limit, written into the statute to keep trade secret law from becoming a back-door non-compete: an injunction may not prevent a person from entering into an employment relationship, and any conditions on employment must rest on evidence of threatened misappropriation, not merely on what the person knows. § 1836(b)(3)(A)(i)(I). This is where trade secret remedies brush up against the shifting law of restrictive covenants, a subject we treat in non-compete agreements under siege.

Damages. The DTSA allows recovery of actual losses plus the defendant's unjust enrichment to the extent not already captured in the actual-loss figure, or, in the alternative, a reasonable royalty for the unauthorized use. § 1836(b)(3)(B). For willful and malicious misappropriation, a court may award exemplary damages up to twice the compensatory amount. § 1836(b)(3)(C).

Attorneys' fees. Available where the misappropriation was willful and malicious, where a claim is brought in bad faith, or where a motion to terminate an injunction is made or opposed in bad faith. § 1836(b)(3)(D).

A crucial fee-and-exemplary catch. Here is a detail that turns on documents signed years before any breach: under the DTSA, a company forfeits the right to recover exemplary damages or attorneys' fees against an employee unless it gave that employee the statutory whistleblower-immunity notice—the notice required by 18 U.S.C. § 1833(b)(3)—in the confidentiality or IP agreement governing the relationship. A company that never updated its form agreements to include the immunity notice can still sue and still win an injunction and compensatory damages, but it has quietly waived two of its sharpest weapons against the very insiders most likely to steal. We discuss building this notice into agreements in drafting enforceable non-disclosure agreements for technology transactions and employee invention assignment agreements.

Ex parte seizure. In genuinely extraordinary circumstances—where the defendant would evade, avoid, or otherwise violate an ordinary injunction, and immediate and irreparable injury would otherwise occur—the DTSA authorizes a court to order the seizure of property to prevent the propagation of the trade secret, before the defendant even knows a suit exists. § 1836(b)(2). This is a powerful and deliberately rare tool, hedged with procedural safeguards: the applicant must show, among other things, a likelihood of success on the merits, that the target has actual possession of the secret, and that an ordinary Rule 65 injunction would be inadequate; and a wrongful or overbroad seizure exposes the applicant to damages. The seizure provision is unavailable if a conventional injunction can do the job, and courts have used it sparingly. But its mere existence reshapes the leverage in cases where data is about to cross a border.

Criminal referral. Trade secret theft can be a federal crime under the Economic Espionage Act—18 U.S.C. § 1831 for theft that benefits a foreign government or instrumentality, and § 1832 for ordinary commercial theft in or affecting interstate commerce. A criminal referral can be appropriate, particularly for nation-state or competitor-sponsored theft, and it brings investigative resources and deterrent force no private party can match.

The deeper point, which is easy to miss, is that even where litigation is not immediately viable—because the attacker is unidentified, judgment-proof, or beyond reach, or because the commercial calculus disfavors suing a customer or a key partner—documenting the company's consideration of these remedies still supports the reasonable-measures showing, and preserving evidence keeps the options open for the day the calculus changes. The defense bar's favorite argument is that the plaintiff slept on its rights; a contemporaneous record showing the company weighed its options and made a deliberate strategic choice is the answer to it. For a fuller treatment of the litigation mechanics, our DTSA issues and remedies overview and the federal-civil-litigation primers linked below repay the time.

Two dimensions that deserve special handling

Law enforcement coordination brings real advantages—federal investigative reach, the deterrent gravity of criminal prosecution, the possibility of recovering stolen data through a search warrant or seizure. The FBI's Counterintelligence Division and the Department of Justice both treat economic espionage as a national priority, and the government has shown increasing appetite for prosecuting it. But coordination comes with friction. A criminal investigation moves on its own timeline and serves the government's priorities, not the company's commercial ones; evidence the company wants for a civil case may be locked up in a grand-jury proceeding; and the publicity of a prosecution can itself erode the secrecy the company is trying to protect. The decision to refer should be made with counsel weighing the strength of attribution, the realistic odds of prosecution, and the interaction with any civil strategy—because once the government is in, the company no longer fully controls the pace or the narrative.

International theft compounds every difficulty. Attackers may operate from jurisdictions with weak IP enforcement or no extradition treaty, and stolen data scatters across borders within minutes. The DTSA reaches some extraterritorial conduct—it applies where the offender is a U.S. person or organization, or where an act in furtherance of the offense was committed in the United States. 18 U.S.C. § 1837. But enforcing a U.S. judgment against a foreign defendant who never appears remains genuinely hard, which is why the most valuable protections are proactive: choice-of-law and forum-selection clauses in international agreements, careful structuring of what proprietary information ever leaves the country, and pre-existing relationships with the agencies that handle cross-border matters. Companies that find themselves chasing a secret into a foreign court will appreciate why our guides on serving a China-based defendant under the Hague Service Convention exist; service of process is often the first wall a cross-border trade secret plaintiff hits.

Notification duties beyond the privacy laws

Trade secret exposure frequently triggers notification obligations that have nothing to do with the breach-notification statutes. If the stolen secrets were shared with business partners under confidentiality agreements—a joint-development partner, a toll manufacturer, a licensee—those partners may need to be told, both so they can protect themselves and so the company forecloses a later claim that it failed to safeguard information entrusted to it. If likely recipients of the stolen secrets can be identified—a competitor, a new employer—notice through counsel can put them on formal legal notice that they are holding misappropriated material; this matters because a recipient who uses a secret after being told of its provenance acts with the knowledge that supports a finding of willfulness and the enhanced damages that come with it, and sometimes the notice alone deters use. Customers may need to be told if exposed secrets affect the products they rely on—compromised source code that introduces a security vulnerability, for instance. And insurers must almost always be notified promptly, because late notice is a classic, and frequently successful, basis for denying coverage. We take up each of these threads below.

Documenting for the Courtroom, Not Just the Regulator

Here is a distinction that quietly decides cases: forensic documentation that perfectly satisfies a breach-notification statute will not necessarily survive the evidentiary demands of trade secret litigation. A notification analysis asks a binary regulatory question—was regulated personal information accessed, and for how many people?—and once answered, the inquiry is largely complete. A trade secret case asks a different and more demanding set of questions, each of which may rest on forensic evidence that has to withstand challenges to authentication, relevance, and reliability under the Federal Rules of Evidence. The two investigations overlap, but they are not the same investigation, and a company that runs only the first will find gaps in the second exactly where the case is hardest.

Proving trade secret status requires documentation that the compromised information was genuinely secret, derived value from that secrecy, and was guarded by reasonable measures—evidence of access controls, encryption, confidentiality markings, training, and contractual restrictions. Critically, much of this evidence must reflect conditions before the breach, and a privacy-focused investigation triggered by the breach will never capture it. You cannot reconstruct, after the fact, that the calibration files bore a "CONFIDENTIAL—PROPRIETARY" header and lived behind role-based access controls; you either preserved that record or you did not.

Proving misappropriation is aided by the breach itself but strengthened by detailed forensics on how access was gained (supporting the "improper means" element), exactly what was taken, and the precise timeline of the intrusion—ideally tied, where attribution permits, to specific actors. In the insider scenario, this is the access log showing a bulk download wildly out of pattern with the employee's normal work.

Proving damages demands documentation that supports a calculation of actual losses, unjust enrichment, or a reasonable royalty—which means identifying what was taken, when, and by whom, alongside evidence of the information's competitive value, its development cost, and its revenue implications. Trade secret valuation is a discipline of its own, and the record that supports it has to be assembled deliberately.

The protocols litigators recognize

Meeting these standards requires forensic protocols that a litigator and a trial judge will recognize as sound:

  • Chain of custody. A rigorous, contemporaneous record of who collected each piece of evidence, when, how, and where it has been stored since. A break in the chain can render evidence inadmissible no matter how probative it is.
  • Forensically sound imaging. Digital evidence should be preserved through bit-for-bit copies that do not alter the originals, made with industry-standard tools and a documented process, so that all analysis runs on working copies while the originals sit untouched.
  • Cryptographic hash verification. Hash values calculated at acquisition and re-verified later confirm that the originals remain unaltered—the digital equivalent of a tamper-evident seal.
  • Contemporaneous documentation. Analytical conclusions recorded in real time as the investigation unfolds are far more credible than narratives reconstructed months later for litigation, when memory has faded and the temptation to tidy up the story is strong.
  • Qualified examiners. Investigators whose work may be presented in court should be capable of testifying as experts, using methodologies that satisfy Federal Rule of Evidence 702 and the Daubert reliability framework. A forensic conclusion is only as good as the expert who has to defend it on cross-examination.

The same evidentiary rigor that governs other forms of digital evidence applies with full force here. Authentication, in particular, is a recurring battleground—the opposing party will press the company to prove that the log it relies on is what it claims to be and has not been altered. Our companion piece on authenticating website screenshots and electronic evidence in federal court walks through the foundational requirements, and the broader [discovery refresher for federal civil litigation](/documents/a_practical_discovery_refresher---mastering_the_tools_rules_ and_pitfalls_of_federal_civil_litigation) situates forensic evidence within the larger architecture of e-discovery, which in trade secret cases involving former employees has its own well-developed body of practice.

A Word on Privilege: The Lesson of Capital One

There is a tension that runs through every serious breach investigation, and companies that ignore it pay dearly. The same candid forensic report that helps prove a trade secret case can, if mishandled, become a detailed roadmap that the company's own adversaries use against it. Breach investigations generate exactly the material a plaintiff in a consumer class action—or a defendant resisting a trade secret claim—would most love to read: frank assessments of what went wrong, where security failed, what the company knew and when, and what it did or did not do about it. Managing privilege is therefore not a lawyer's nicety appended to the technical work; it shapes whether the investigation ends up strengthening the company's position or sabotaging it.

The doctrines in play are the attorney-client privilege and the related work-product protection, and the hard lesson of the last several years of breach litigation is that neither is automatic merely because lawyers were somewhere in the vicinity.

Start with the work-product doctrine, because it is the one most breach investigations rely on. Federal Rule of Civil Procedure 26(b)(3) protects documents and tangible things "prepared in anticipation of litigation or trial" by or for a party or its representative. Courts interpret "in anticipation of litigation" to mean that the document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of that litigation. See In re Grand Jury Subpoena (Torf), 357 F.3d 900, 907–08 (9th Cir. 2004). The trouble for breach investigations is that a forensic report is very often something the company would have created anyway—to remediate the intrusion, to satisfy regulators, to answer its board, to fulfill its contractual security obligations. When that is true, the report is an ordinary business or security document that happened to involve lawyers, and the protection fails.

That is precisely the trap that closed on Capital One. After its 2019 breach, Capital One resisted producing the forensic report prepared by its security vendor, Mandiant, claiming work-product protection on the theory that the report had been commissioned through outside counsel in anticipation of litigation. The court was unpersuaded. It noted that Capital One already had a longstanding master services agreement with Mandiant for incident-response work, that the company would have needed the forensic investigation regardless of any litigation—for business, regulatory, and remediation reasons—and that the report had in fact been distributed well beyond the legal team, to dozens of internal recipients and to regulators and an accounting firm. Routing the engagement through counsel did not transform a report the company would have produced anyway into protected work product. The court ordered the report produced. In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. May 26, 2020), aff'd, 2020 WL 3470261 (E.D. Va. June 25, 2020). The ruling sent a chill through the incident-response world, and for good reason: the very document Capital One most wanted to keep confidential became a discovery exhibit in the class action against it.

The attorney-client privilege has its own version of the same problem. The privilege protects confidential communications made for the purpose of seeking or providing legal advice; in the corporate setting it reaches communications between counsel and employees made at the direction of management so the company can obtain legal advice. Upjohn Co. v. United States, 449 U.S. 383, 390–97 (1981). But where a communication serves a mixed business-and-legal purpose, courts ask whether obtaining or providing legal advice was the primary purpose, or at least a significant purpose, of the communication. Cf. In re Kellogg Brown & Root, Inc., 756 F.3d 754, 758–60 (D.C. Cir. 2014). A forensic report generated mainly to fix the network and brief the operations team is not converted into a privileged legal communication by copying a lawyer.

The practical implications are concrete, and they are well worth building into the incident-response plan before a breach forces improvisation:

  • Outside counsel should engage the forensic firm directly, under an engagement letter that frames the work as undertaken to enable legal advice in anticipation of litigation—rather than the security team retaining the firm under a pre-existing operational contract and looping counsel in afterward. The retainer and the report itself should reflect the litigation purpose.
  • Where possible, retain a separate forensic firm for the litigation-driven analysis, distinct from the vendor already on retainer for routine security operations. Capital One turned in part on the fact that the same vendor did both, under the same standing agreement; separating the streams makes the litigation purpose far more credible.
  • The resulting reports should flow to counsel and be marked appropriately—but markings cannot rescue a document whose actual purpose was operational, and overusing privilege labels on everything dilutes the legitimate claims and inflates the cost of any later privilege review.
  • Resist the reflex to circulate the report widely. Broad internal distribution for ordinary operational use, and disclosure to regulators or auditors, is exactly what courts cite when they find protection waived—as Capital One discovered.

None of this is about hiding facts, and it cannot be, because the underlying facts of a breach are never privileged. What happened, when, what data was affected, how the intruder got in—the company will have to disclose all of it, in notifications, in regulatory filings, and in discovery. What privilege can protect, when properly maintained, is the candid legal analysis layered on top of those facts: counsel's assessment of exposure, of what the company should have done differently, of litigation risk. Keeping that analysis confidential is what allows a company to assess its own vulnerabilities honestly without handing the assessment to the plaintiff across the table.

Happily, this privilege discipline coexists comfortably with the trade secret goals described above—indeed, the two reinforce each other. The same early engagement of counsel that makes timely injunctive relief possible is also what establishes the privileged posture of the investigation. The mistake to avoid is the reflexive one that Capital One punished: standing up a purely technical investigation in the first chaotic hours, generating frank written assessments with no thought to privilege, and only later realizing that those documents are now discoverable in the very litigation the company hoped to bring—or the one being brought against it. For the deeper doctrine, our coverage of the attorney-client privilege and work-product protection in federal litigation and the internal-investigations practice it draws on remains the fuller reference.

The Notification Paradox: When Telling the World Threatens the Secret

There is a structural collision at the heart of any mixed breach, and it traps companies that have not thought it through in advance. The privacy laws push relentlessly toward disclosure: notify the affected individuals, alert the attorneys general, sometimes inform the public, usually on tight deadlines and in prescribed language. All fifty states, the District of Columbia, and the U.S. territories now have breach-notification statutes, and they fan out into a thicket of variations—different definitions of "personal information," different triggers, different timelines, different content requirements, layered atop sector-specific federal regimes like HIPAA and GLBA and, for public companies, the SEC's requirement to disclose material cybersecurity incidents. Trade secret protection, by contrast, pushes toward containment and silence: the entire value of the calibration process depends on its not being known.

When the same breach exposes both customer data and a trade secret, these two imperatives pull in opposite directions, and managing the collision is the mark of a sophisticated response.

The danger is concrete and specific. A breach notification or securities disclosure that describes, in the name of transparency, what proprietary information was taken can itself contribute to the loss of secrecy—broadcasting to competitors and the public the existence and nature of the very asset the company is fighting to protect. A regulatory filing that announces "an attacker exfiltrated our proprietary servo-calibration methodology" has, in the act of disclosing, told the world that such a methodology exists, that it is valuable enough to steal, and that it is now loose. Worse, statements made to satisfy one regime can be turned against the company in another. A disclosure crafted for the SEC's materiality framework may resurface in a coverage dispute with an insurer, or in the trade secret litigation itself, where an admission about the breach's scope made to regulators complicates the company's later positions. The transparency that buys regulatory peace can quietly cost the company its case.

The resolution is not to evade notification obligations—they are mandatory, they carry their own penalties, and dodging them invites a far worse problem. The resolution is to coordinate the disclosures so that each says exactly what the law requires without gratuitously compromising the secret or the litigation. In practice that means three things. First, privacy counsel, trade secret counsel, securities counsel, and coverage counsel must work from the same set of facts, in the same room, rather than in silos—because the privacy associate drafting a notification letter may have no idea that a single descriptive phrase undercuts a trade secret claim being prepared down the hall. Second, exposed proprietary information should be described at the level of generality the law permits rather than catalogued in loving detail; "certain proprietary technical information" discloses the fact of exposure without authoring a press release about the secret. Third, the sequencing and wording of disclosures should be planned with every applicable regime in view at once.

For Meridian, the objective is to hit every notification deadline for the exposed customer data while saying as little as the law allows about the calibration files—satisfying the privacy statutes without handing competitors a roadmap. Companies that map this tension before a breach, and assign a single owner to coordinate the disclosures, navigate it. Companies that discover it mid-crisis, with four sets of counsel drafting in isolation and a clock running, make disclosures they spend years regretting.

The Insurance Maze

One reason trade secret theft hurts so much is that the insurance meant to cushion it is scattered across policy types, with no single policy reliably covering all of the loss. Companies that assume their cyber policy "covers breaches" are often unpleasantly surprised to learn how narrowly that coverage is drawn when the loss is intellectual property rather than personal data.

Cyber insurance is the obvious first stop, and modern cyber policies do real work. They typically provide first-party coverage for the costs the insured incurs responding to a breach—forensic investigation, legal advice on notification, the printing and mailing of notice letters, credit monitoring, public relations, and, sometimes, business interruption losses and data restoration. They typically add third-party coverage for the liability that follows: defense costs, settlements and judgments, and regulatory defense costs and fines where insurable. But the treatment of IP theft specifically varies enormously. Some policies exclude IP claims outright; others sublimit them sharply; many define covered "loss" in ways that capture notification expense beautifully but never reach the competitive harm of a stolen process. Cyber policies are also almost always written on a claims-made basis, which makes prompt reporting not just prudent but a condition of coverage. The terms must be read closely, before the breach, by someone looking specifically for the IP question.

Crime insurance sometimes reaches the theft of intangible property, including trade secrets, but it brings its own limits: it often requires a "direct loss" or a "taking," may not clearly extend to a cyberattack as opposed to old-fashioned theft, and frequently excludes precisely the consequential damages—lost profits, eroded market share—that constitute the real injury when a secret leaks.

Directors-and-officers (D&O) insurance may respond if the theft spawns securities or derivative claims against the board, a risk that grows as cyber-governance scrutiny intensifies and shareholders increasingly fault directors for security failures. D&O coverage protects the individuals and the company against those claims; it does not replace the lost secret.

Errors-and-omissions (E&O) coverage may apply where the theft flows from a professional-services failure—for example, where a vendor's negligence exposed the client's secrets.

Policy type What it may cover Common limitations
Cyber Forensics, breach response, notification, sometimes business interruption and data restoration IP theft often excluded or sublimited; "loss" definitions may not reach competitive harm; claims-made
Crime Direct loss from theft of property, sometimes intangibles May require a "taking"; cyber nexus unclear; consequential damages often excluded
D&O Defense of securities/derivative claims against directors and officers Doesn't restore the secret; cyber exclusions emerging
E&O Third-party claims arising from professional services Requires a professional-services nexus

Preserving whatever coverage exists comes down to a handful of disciplines. Prompt notice to every potentially applicable insurer is essential, because late notice is a leading basis for denial—when in doubt, notify, since notice to a policy that turns out not to apply costs nothing while a missed notice can forfeit coverage entirely. Notice content should describe the incident in enough detail to trigger the coverage obligation without volunteering admissions that an insurer (or, recall the notification paradox, an adversary) can later use against the company—work for coverage counsel, not the IT team. Where multiple policies may respond, coordination avoids both gaps and inter-insurer finger-pointing, and loss documentation should capture each cost in the form the relevant policy recognizes, since an expense covered under a cyber policy may be excluded under a crime policy and vice versa. Reservation-of-rights letters, which insurers routinely send to keep their denial options open, should be answered carefully rather than ignored.

Several emerging issues bear watching. A handful of insurers now offer affirmative IP-theft coverage, including the cost of pursuing a misappropriator, which is a meaningful development for companies whose real exposure is the lawsuit they will have to fund. Valuation remains genuinely difficult, because a stolen secret's worth may not surface until a competitor exploits it years later—a timing problem that frustrates claims tied to "loss" measured at the time of breach. War and hostile-act exclusions have moved to center stage as nation-state attribution becomes more common; an insurer that can characterize an intrusion as state-sponsored may invoke a war exclusion to deny the claim entirely, a fight that has already reached the courts in the NotPetya litigation and that every IP-rich company should price into its risk planning. And the SEC's cyber-disclosure rules create a quiet tension with coverage: a disclosure made to satisfy the SEC's materiality standard may be cited by an insurer in a coverage dispute, one more reason the disclosure-coordination discipline described above is not optional.

Two Faces of the Threat: the Outside Intruder and the Inside Departure

It helps to watch the two dominant fact patterns play out, because the legal response differs in instructive ways—and because one of them is far more likely than the other to actually reach a courtroom.

The outside intruder

In the outside-intruder version, the actor who took Meridian's calibration files is an unknown external attacker, possibly working for or planning to sell to a competitor. Here the company's leverage runs through identification and containment. If forensics can attribute the intrusion—an IP range, malware tied to a known group, a competitor that abruptly surfaces with a suspiciously similar capability—Meridian can move against identifiable recipients, send notice through counsel putting them on legal notice that they hold misappropriated material, and, in the extreme case where the secret is about to be handed off across a border, seek the DTSA's ex parte seizure. Where attribution fails, as it often does, the company still documents the theft meticulously, preserves the option of suing later, and concentrates on the reasonable-measures showing—because even an unprosecuted, unattributed theft, met with a vigorous and well-documented response, supports continued trade secret protection going forward. The unidentified hacker is frustrating, but the response to the unidentified hacker is what keeps the secret legally alive.

The inside departure

The inside-departure version is more common, in some respects more dangerous, and overwhelmingly the scenario most likely to land in front of a judge—because there is a defendant you can name, serve, and sue. The classic pattern, played out in courtrooms across the country every month, looks like this. The calibration files left Meridian not through an external hack but through a senior engineer who, in her final two weeks before joining a competitor, downloaded the entire engineering repository to a personal external drive.

What makes the insider case legally distinctive is that this is misappropriation by a person who was authorized to access the very files she took. The legal question therefore does not turn on whether she could reach the information—she plainly could—but on what she did with it and whether she breached a duty of confidence in doing so. And this is where Meridian's earlier discipline decides everything. The case is won or lost on artifacts created long before the departure:

  • The access logs showing a bulk download wildly out of pattern with her normal work—the engineer who touches a dozen files a week suddenly pulling ten thousand.
  • The confidentiality and invention-assignment agreements she signed at hiring—ideally including that DTSA whistleblower-immunity notice, without which the exemplary damages and fees are off the table.
  • The confidentiality markings on the engineering files, identifying them as proprietary and putting their status beyond dispute.
  • The exit interview in which she was reminded, on the record, of her continuing obligations and asked to return company materials.

With those in hand, Meridian can move quickly for a temporary restraining order and preliminary injunction barring her—and her new employer—from using or disclosing the calibration process, and can credibly threaten the full menu of DTSA remedies. Without them, Meridian may struggle to prove it ever had a protectable secret, and the departure becomes a loss it cannot undo. The departing-employee scenario is the precise point where incident response, trade secret law, and ordinary employment practice converge, and it is the single strongest argument for treating crown-jewels protection as a continuous program rather than a breach-day scramble. The hiring-side and departure-side checklists that make this case winnable are exactly the disciplines our trade secret protection program guide develops in full, and the remote-work dimension—employees with sanctioned access to cloud repositories from unmanaged home devices—is the subject of trade secrets in the age of remote work and cloud computing.

What a Meridian suit actually looks like

It is worth tracing how a Meridian trade secret suit would unfold, because the abstract menu of remedies becomes concrete fast. Meridian's opening move would almost always be an emergency motion for a temporary restraining order and preliminary injunction—the goal is to freeze the situation before the calibration process can spread, and the bulk-download logs are exactly the evidence that persuades a court to act on short notice and limited briefing. If the facts were dire enough—say, evidence that the files were already staged for transfer to an overseas contract manufacturer beyond the reach of any later order—Meridian could ask for ex parte seizure of the devices holding the stolen data, accepting the heightened showing and the wrongful-seizure risk that come with that extraordinary remedy.

On the merits, Meridian would seek its actual losses plus the competitor's unjust enrichment from the head start the stolen process conferred, or, in the alternative, a reasonable royalty for the use. If it could show the misappropriation was willful and malicious—and a deliberate, concealed bulk download executed days before a jump to a competitor is the kind of fact that supports such a finding—exemplary damages up to twice the compensatory award and attorneys' fees come into reach, provided Meridian gave the statutory immunity notice in the engineer's agreement. The injunction, more than the money, is usually the real objective, because it preserves the secret's confidentiality in a way no damages award can.

But every one of those remedies rests on Meridian first proving two threshold things: that the calibration process was a trade secret, and that the company took reasonable measures to protect it. Both of those, in turn, were determined years before the breach—by whether Meridian built the program, kept the inventory current, restricted and logged access, papered the agreements with the right notices, and marked the files. The litigation is won or lost in the years of quiet discipline that precede it, which is why this article keeps insisting that incident response cannot be where trade secret protection begins.

A Word About the CFAA

Where the misappropriation involves a computer—and in the modern fact pattern it almost always does—companies sometimes reach for the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, alongside their trade secret claims, because the CFAA can supply a federal hook, civil remedies, and the gravity of a statute with criminal teeth. It is worth understanding both its reach and its sharply narrowed limits.

The CFAA prohibits accessing a protected computer "without authorization" or in a manner that "exceeds authorized access." For the outside intruder, the statute fits comfortably: a hacker who breaks into Meridian's network plainly accessed it without authorization. The harder questions arise in the insider scenario, and the Supreme Court has now resolved one of them in a way that matters here. In Van Buren v. United States, 593 U.S. 374 (2021), the Court held that a person "exceeds authorized access" only by obtaining information from areas of a computer that are off-limits to them—not by accessing information they are entitled to reach but then misusing it. The departing engineer who was authorized to view the engineering repository and then downloaded it for a disloyal purpose may well fall outside the CFAA's "exceeds authorized access" clause precisely because she was authorized to be there. Van Buren did not gut the statute, but it confirmed that the CFAA is a poor fit for the garden-variety faithless-insider case, which is one more reason the DTSA—built around breach of a duty of confidence rather than unauthorized access—is the better-suited vehicle for the insider departure. The interplay of the CFAA, contract, and the access-versus-use distinction is the same terrain we map in data scraping after hiQ v. LinkedIn, where the "without authorization" question took on a life of its own; the doctrine that constrains a scraper also constrains a trade secret plaintiff reaching for the CFAA.

Writing IP Into the Incident-Response Plan

The way to make all of this reliable—rather than a matter of luck and the instincts of whoever happens to be on call—is to write it into the incident-response plan, not as impenetrable boilerplate, but as a clear set of triggers and responsibilities. A workable IP annex to an IRP does a handful of things in plain terms.

It tells the response team, during initial triage, to ask whether the incident might be an intellectual-property incident—by checking whether the accessed or exfiltrated data appears in the crown-jewels inventory, whether the attacker's behavior suggests targeting of proprietary information, whether attribution points to a trade-secret motive, and whether the timing lines up with a sensitive business event. This single triage question is the hinge on which everything else turns; a plan that never prompts the team to ask it will keep solving privacy problems while the real loss goes unnoticed.

It designates an IP liaison—a named role, engaged the moment such an incident is suspected—who assesses the sensitivity of the affected information, pulls in the business units that own it, engages trade secret litigation counsel, and advises on IP-specific response.

It specifies that, in these cases, the forensic investigation will analyze trade secret access and exfiltration specifically, assess the competitive harm of disclosure, identify likely recipients, and document everything to the litigation standard described above—and that the engagement will be structured, from the outset, to preserve privilege along the lines Capital One teaches.

It directs the liaison and counsel to evaluate the legal-response options—injunction, civil suit, criminal referral, notice to recipients, insurer notification—and to coordinate the external disclosures so the notification paradox is managed rather than stumbled into.

And it ties all the resulting documentation into the company's litigation-hold procedures, so that nothing the future case will need is lost to a routine retention purge. The point of writing it down is blunt: a breach is the worst imaginable moment to invent a process, and the plan exists to ensure the IP questions get asked while the answers can still change the outcome. Our cyber incident response plan resources and the broader trade secret materials linked below offer templates worth adapting.

Testing the plan before you need it

A plan only works if people can execute it under pressure, which makes training and testing as important as drafting. Tabletop exercises should include trade-secret scenarios distinct from the usual privacy drills—a departing executive who copies the strategic plan before joining a rival, a ransomware crew threatening to publish stolen R&D unless it is paid, a nation-state intrusion into manufacturing documentation, a supply-chain compromise affecting proprietary software—and should test the escalation triggers, the IP-liaison engagement, the coordination with litigation counsel, and the documentation and privilege practices end to end. The exercise often reveals, as exercises tend to, that the trigger question never gets asked and the liaison is on vacation with no backup.

Response-team members need just enough trade secret literacy to recognize when IP is implicated and to know when to escalate—they do not need to become trade secret lawyers, only to stop treating the engineering files as a non-event because they contained no Social Security numbers. The business units that own secrets need to understand their role, so that when their information is hit they can quickly assess exposure, quantify competitive harm, and weigh in on priorities. External counsel and forensic vendors experienced in trade secret matters should be identified and, ideally, retained in advance, briefed on the company's portfolio, so they are available and oriented in a crisis rather than learning the business for the first time at 2 a.m. on day one. And the IP provisions should be reviewed at least annually, or whenever the portfolio, the threat landscape, or the legal obligations shift.

Security as a Reasonable Measure: the Relationship Runs Both Ways

We opened with the proposition that a breach can cost a company its trade secret. The relationship runs in the other direction too: strong security is itself part of the reasonable-measures showing that establishes the secret in the first place. Courts increasingly weigh access controls, technical safeguards, monitoring and detection capability, vendor management, and incident-response preparedness when deciding whether a company's protective measures were reasonable. The security program is not just a defense against intrusion; it is the evidentiary foundation of the legal right.

The NIST Cybersecurity Framework—organized around the functions Identify, Protect, Detect, Respond, and Recover—gives companies a recognized yardstick, and demonstrating alignment with it strengthens the reasonable-measures argument considerably. Even after a breach, post-incident improvements aligned to the framework can help establish that reasonable measures are now in place for the secrets that were not directly compromised, which matters because misappropriation litigation often unfolds against the backdrop of a company whose security has visibly matured. A Written Information Security Program (WISP) that documents the company's measures provides contemporaneous evidence of protective effort—and a well-built WISP should address trade secret protection specifically, not merely the security of regulated personal data, because the privacy-only WISP is silent on exactly the asset the trade secret case is about.

Technology alone, however, is never enough—and the case law is emphatic on this point—because so many trade secret thefts come from insiders who are authorized to access what they take. No firewall stops the engineer with legitimate credentials and a job offer from a competitor. Building a trade-secret-aware culture means classifying and marking sensitive information clearly so its status is never in doubt, weaving trade secret protection into routine security-awareness training, enforcing handling policies consistently rather than selectively, and running disciplined exit procedures for departing employees—confidentiality reminders, return-of-materials certifications, prompt deprovisioning of access. These human-side measures are where most cases are actually won or lost, and they are developed in full in our trade secret protection program guide.

Frequently Asked Questions

Does a data breach automatically destroy trade secret protection? No. Courts recognize that even reasonably protected secrets can be stolen, and the law requires reasonable—not perfect—security. A single sophisticated intrusion does not, by itself, prove the protection was inadequate or extinguish the secret. What can destroy protection is the response: a company that treats the theft of a crown jewel with indifference, fails to contain further dissemination, and takes no IP-protective steps gives a future defendant powerful evidence that it never genuinely treated the information as secret. Post-breach conduct is part of the reasonable-measures analysis, and prompt, vigorous, well-documented action is what preserves the legal status the company will need to litigate.

Why is the forensic report from our breach investigation discoverable? Because, as In re Capital One Consumer Data Security Breach Litigation held, a forensic report is protected work product only if it was prepared because of anticipated litigation and would not have been created in substantially similar form but for that prospect. A report the company would have generated anyway—to remediate the network, satisfy regulators, or fulfill a standing vendor contract—is an ordinary business document that involving a lawyer does not transform into protected material. To preserve protection, outside counsel should engage the forensic firm directly under a litigation-purpose engagement, ideally a firm separate from the one already on retainer for routine security work, and the resulting report should not be circulated broadly for operational use. Even then, the underlying facts of the breach are never privileged.

Should we report trade secret theft to law enforcement? Sometimes, and the decision deserves counsel's judgment rather than a reflex. Referral to the FBI and the Department of Justice can bring investigative reach, the deterrent weight of an Economic Espionage Act prosecution (18 U.S.C. §§ 1831–1832), and the possibility of recovering data through a search warrant. But a criminal investigation runs on the government's timeline and priorities, can complicate a parallel civil case, and may itself generate publicity that erodes the very secrecy at issue. Weigh the strength of attribution, the realistic odds of prosecution, and the interaction with civil strategy before referring.

What is the single most valuable thing we can do before a breach? Build and maintain a current crown-jewels inventory that maps each key secret to the systems it lives on, the people authorized to touch it, and the measures protecting it. That inventory is what lets the company answer, within hours of an intrusion, the question that decides everything: were the crown jewels taken? It also doubles as the contemporaneous record of reasonable measures the company will need in court. Everything else—privilege discipline, remedies, documentation—depends on first recognizing that a trade secret is in play, and the inventory is what makes that recognition possible.

Will our cyber insurance cover a stolen trade secret? Often only partially, and sometimes not at all. Cyber policies reliably cover breach-response costs—forensics, notification, credit monitoring—but their treatment of IP theft varies widely, with many excluding or sublimiting it and defining covered "loss" in ways that never reach the competitive harm of a leaked process. Crime, D&O, and E&O policies may pick up pieces of the loss under specific conditions. Read every potentially applicable policy before a breach, notify every potentially applicable insurer promptly after one (late notice is a leading basis for denial), and watch for war-exclusion fights when an intrusion is attributed to a nation-state.

Can we sue a departing employee under the Computer Fraud and Abuse Act? Usually the DTSA is the better vehicle. After Van Buren v. United States (2021), an employee who was authorized to access information does not "exceed authorized access" under the CFAA merely by misusing it for a disloyal purpose. The faithless insider who downloaded files she was permitted to view may therefore fall outside the CFAA's reach, while the DTSA—which targets the breach of a duty of confidence rather than the act of access—fits the facts squarely.

Conclusion: Same Breach, Two Outcomes

The intrusions that target proprietary information are growing more frequent and more sophisticated, and the privacy-first reflex that governs most breach response—however necessary for regulatory compliance—is simply not enough to protect trade secrets whose value may dwarf the cost of the privacy exposure many times over. Effective protection requires action across three time horizons: before the breach (a current crown-jewels inventory, appropriate controls, the right notices in the right agreements, pre-identified counsel and vendors), during the breach (folding the IP-trigger question into triage, engaging IP expertise early, structuring the forensic engagement to preserve privilege, and documenting to litigation standards), and after the breach (preserving trade secret status through a prompt and visible legal response, coordinating notifications to manage the disclosure paradox, and protecting whatever insurance coverage exists).

For Meridian Robotics, the difference between keeping and losing its calibration process is not whether it can prevent every intrusion—no one can, and the law does not pretend otherwise. The difference is whether, when the intrusion comes, Meridian recognizes the theft of the process as quickly as it recognizes the exposure of the customer list, and responds to both with equal seriousness and skill. Organizations that treat trade secret protection as integral to incident response—rather than an afterthought addressed once the privacy boxes are checked—will be the ones still holding their competitive advantage after the breach that was supposed to take it.

For help integrating IP protection into your incident-response program, contact our cybersecurity and data-privacy practice or our trade secret litigation team.

Related Articles

Selected Authorities

Defend Trade Secrets Act, 18 U.S.C. §§ 1836–1839 (including § 1836(b)(2) ex parte seizure; § 1836(b)(3)(A)–(D) injunctive relief, damages, exemplary damages, and attorneys' fees; § 1836(d) three-year limitations period; § 1837 extraterritorial reach; § 1839(3) definition and "reasonable measures"; and § 1833(b)(3) whistleblower-immunity notice). Economic Espionage Act, 18 U.S.C. §§ 1831–1832. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Uniform Trade Secrets Act (adopted in every state except New York). Upjohn Co. v. United States, 449 U.S. 383 (1981); In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014); In re Grand Jury Subpoena (Torf), 357 F.3d 900 (9th Cir. 2004); In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. May 26, 2020), aff'd, 2020 WL 3470261 (E.D. Va. June 25, 2020); Van Buren v. United States, 593 U.S. 374 (2021). Federal Rule of Civil Procedure 26(b)(3) (work-product doctrine); Federal Rule of Evidence 702 and the Daubert reliability standard. NIST Cybersecurity Framework (https://www.nist.gov/cyberframework).

This article is for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. Cybersecurity, breach-notification, trade secret, and insurance law vary by jurisdiction and continue to evolve; the discussion here may not reflect the most recent developments. Consult qualified cybersecurity and intellectual-property counsel about your specific circumstances.