The same intrusion that scooped up a database of email addresses may also have walked off with the one thing a company can never replace, recreate, or insure away: the proprietary information that is its actual competitive advantage. Most incident-response plans treat intellectual property as an afterthought, if at all — and a clumsy, privacy-only response can forfeit the very legal protection the company would need to stop the bleeding. Under the DTSA, 18 U.S.C. § 1839(3), and the Uniform Trade Secrets Act, security and legal protection are the same question asked twice, and the reasonable-measures inquiry does not freeze at the instant of the breach: post-breach conduct is part of the analysis.
This checklist operationalizes the integration. For the narrative, see cybersecurity incident response and IP protection; for the foundational program, building a trade secret protection program checklist; for the insider variant, employee departure trade secret protection checklist.
Phase 1: Before the breach — be ready
- Build and maintain a current crown-jewels inventory mapping each key secret to the systems it lives on, who is authorized to touch it, and the measures protecting it.
- Assign a named owner and refresh the inventory after every R&D milestone, system migration, or reorganization.
- Put the right notices in the right agreements — the Section 1833(b) whistleblower-immunity notice in confidentiality and IP agreements, so exemplary damages and fees stay available against insiders.
- Write an IP annex into the incident-response plan with triage triggers, a named IP liaison, and pre-identified trade secret counsel and forensic vendors.
- Run tabletop exercises that include trade-secret scenarios (a departing executive copying the strategic plan; ransomware threatening to publish R&D; a nation-state intrusion into manufacturing documentation), not just privacy drills.
Why this matters. A current inventory is what lets the company answer, within hours of an intrusion, the question that decides everything: were the crown jewels touched? A company without one must reconstruct it mid-crisis while the notification clock runs. The inventory also doubles as the contemporaneous record of reasonable measures the case will need.
Phase 2: During the breach — recognize the IP incident
- At initial triage, ask whether this is an intellectual-property incident: does the exfiltrated data appear in the crown-jewels inventory? Does the attacker's behavior suggest targeting of proprietary information? Does attribution or timing point to a trade-secret motive?
- Watch for the forensic signatures of a hunt: selective exfiltration (engineering directories pulled while the customer database sits untouched), reconnaissance and lateral movement, R&D file types (CAD, source code, formulation spreadsheets), and timing tied to a launch, M&A, or patent filing.
- Engage the IP liaison and the business units that own the affected secrets the moment such an incident is suspected.
Why this matters. Standard breach forensics answers privacy questions (what personal data, how many people) and will note the engineering files only to confirm they held no Social Security numbers — then file them under "no notification required." An IP-aware investigation recognizes the company may have just lost the only thing that mattered.
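The Phase 2 triage questions can be asked of the transfer records directly. The following is an added example, not part of the original checklist; the inventory layout, paths, user names, file extensions and log records are all constructed assumptions.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed crown-jewels inventory: secret -> where it lives, who may touch it.
INVENTORY = {
    "alloy-formulation": {"prefixes": ["/eng/formulations/"], "authorized": {"rchen"}},
    "controller-firmware": {"prefixes": ["/eng/src/ctl/"], "authorized": {"rchen", "mdiaz"}},
}
RND_EXTENSIONS = {".dwg", ".step", ".c", ".h", ".xlsx"}  # assumed R&D file types
CUSTOMER_PREFIX = "/data/customers/"  # assumed location of the customer database

# Constructed outbound-transfer records: (user, path, bytes).
TRANSFERS = [
    ("svc-backup", "/eng/formulations/batch7.xlsx", 400_000),
    ("svc-backup", "/eng/src/ctl/pid.c", 90_000),
    ("svc-backup", "/eng/cad/housing.step", 100_000),
    ("mdiaz", "/eng/src/ctl/pid.h", 10_000),
    ("svc-backup", "/hr/newsletter.pdf", 50_000),
]

def match_secret(path):
    """Return the inventoried secret a path belongs to, or None."""
    for name, entry in INVENTORY.items():
        if any(path.startswith(p) for p in entry["prefixes"]):
            return name
    return None

def triage(transfers):
    """Answer the Phase 2 triage questions for one batch of transfer records."""
    unauthorized = defaultdict(set)
    ip_bytes = total = 0
    uninventoried_rnd = []
    for user, path, size in transfers:
        total += size
        secret = match_secret(path)
        if secret:
            ip_bytes += size
            if user not in INVENTORY[secret]["authorized"]:
                unauthorized[secret].add(user)
        elif PurePosixPath(path).suffix.lower() in RND_EXTENSIONS:
            uninventoried_rnd.append(path)  # R&D file type the inventory misses
    return {
        "unauthorized_access": {k: sorted(v) for k, v in unauthorized.items()},
        "inventoried_share": round(ip_bytes / total, 2) if total else 0.0,
        "uninventoried_rnd_files": uninventoried_rnd,
        "customer_data_touched": any(p.startswith(CUSTOMER_PREFIX) for _, p, _ in transfers),
    }

print(triage(TRANSFERS))
```

A high inventoried share with the customer store untouched is the selective pattern described above; R&D files that match no inventory entry point to a stale inventory rather than a clean result.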
Phase 3: Contain and preserve — in parallel, not behind
- Run technical containment in parallel with the privacy response: stop ongoing exfiltration, close the attack vector, isolate affected systems, revoke compromised credentials — while preserving evidence rather than overwriting it.
- Run an access review and tighten access to the affected secret, which is often far broader than needed, shoring up the ongoing reasonable-measures showing.
- Issue a litigation hold early and broadly, capturing not just forensic images and logs but the materials proving the secret's value and the company's protective efforts (development records, confidentiality agreements, access policies).
- Engage counsel immediately — both for emergency-relief timelines and to establish the privileged posture of the investigation.
Why this matters. Triaging the regulated personal data first because it carries hard deadlines is exactly backward from the standpoint of the asset's survival; the secret's value bleeds out with every hour it spreads. Prompt, visible, well-documented action is what preserves trade secret status; delay and indifference hand a future defendant evidence that the company never really valued the information's confidentiality.
Phase 4: Document for the courtroom and protect privilege
- Apply litigation-grade forensic protocols: chain of custody, forensically sound bit-for-bit imaging, cryptographic hash verification, contemporaneous documentation, and qualified examiners able to testify under FRE 702/Daubert.
- Have outside counsel engage the forensic firm directly, under an engagement letter framing the work as undertaken to enable legal advice in anticipation of litigation.
- Where possible, retain a forensic firm separate from the one already on retainer for routine security operations.
- Mark reports appropriately and resist circulating them widely for ordinary operational use or sharing them with regulators/auditors.
Why this matters. A forensic report is protected work product only if it was prepared because of anticipated litigation and would not have been created in substantially similar form but for that prospect. In In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. 2020), the report was ordered produced because the company would have created it anyway under a standing vendor contract and distributed it broadly. The underlying facts of a breach are never privileged; what privilege can protect is the candid legal analysis layered on top.
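Hash verification and contemporaneous custody documentation from the Phase 4 list can be combined in one record. The following is an added example, not part of the original checklist; linking each custody entry to the digest of the previous one is an assumption made here to keep the record tamper-evident, and the evidence bytes, actors and timestamps are constructed placeholders.

```python
import hashlib, json

def sha256_stream(chunks):
    """Hash evidence in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def append_entry(log, actor, action, item_hash, timestamp):
    """Append a custody entry bound to the previous entry's digest."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"actor": actor, "action": action, "item_sha256": item_hash,
            "timestamp": timestamp, "prev": prev}
    body["entry_hash"] = hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append(body)
    return body

def verify(log, current_item_hash):
    """Return a list of problems; an empty list means the record is intact."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered after recording")
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry["item_sha256"] != log[0]["item_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = entry["entry_hash"]
    if log and current_item_hash != log[0]["item_sha256"]:
        problems.append("working copy does not match acquisition hash")
    return problems

# Constructed evidence and custody events (names and times are placeholders).
IMAGE_CHUNKS = [b"constructed disk image, block 1", b"block 2"]

def build_sample_log():
    log, acquired = [], sha256_stream(IMAGE_CHUNKS)
    append_entry(log, "examiner-a", "acquired image", acquired, "2024-01-01T10:00Z")
    append_entry(log, "examiner-a", "sealed and stored", acquired, "2024-01-01T11:00Z")
    append_entry(log, "examiner-b", "checked out for analysis", acquired, "2024-01-02T09:00Z")
    return log

print(verify(build_sample_log(), sha256_stream(IMAGE_CHUNKS)))
```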
Phase 5: Pursue (or document) remedies
- Evaluate injunctive relief — a TRO/preliminary injunction to freeze the harm and preserve confidentiality going forward (18 U.S.C. § 1836(b)(3)(A)).
- Evaluate damages: actual loss plus unjust enrichment, or a reasonable royalty; exemplary damages up to twice the compensatory amount for willful and malicious misappropriation (§ 1836(b)(3)(B)–(C)) — but only if the Section 1833(b) notice was given to the bound insider.
- Evaluate ex parte seizure under § 1836(b)(2) in genuinely extraordinary circumstances (data about to cross a border), mindful of the eight statutory findings and the wrongful-seizure risk — and that a prior cease-and-desist letter can "publicize" the request and foreclose it.
- Consider a criminal referral under the Economic Espionage Act, 18 U.S.C. §§ 1831–1832, for nation-state or competitor-sponsored theft, weighing the loss of control and publicity.
- Even where litigation is not immediately viable, document the consideration of these remedies to support the reasonable-measures showing and preserve evidence.
Why this matters. A company's evident readiness to use these remedies is itself part of the reasonable-measures story, and a contemporaneous record showing the company weighed its options answers the defense argument that the plaintiff slept on its rights. Note that after Van Buren v. United States, 593 U.S. 374 (2021), the CFAA is a poor fit for the authorized-insider case; the DTSA, built around breach of a duty of confidence, fits better.
Phase 6: Coordinate notifications and protect insurance
- Coordinate disclosures so each says exactly what the law requires without gratuitously compromising the secret — privacy, trade secret, securities, and coverage counsel working from the same facts in the same room.
- Describe exposed proprietary information at the level of generality the law permits ("certain proprietary technical information"), not in loving detail.
- Notify business partners bound by confidentiality agreements, identifiable recipients (through counsel, to support willfulness and deter use), and affected customers where exposed secrets affect their products.
- Notify every potentially applicable insurer promptly (cyber, crime, D&O, E&O); late notice is a leading basis for denial. Read each policy before the breach, because IP theft is often excluded or sublimited and "loss" definitions may not reach competitive harm.
Why this matters. Breach-notification statutes push toward disclosure; trade secret protection pushes toward silence. A regulatory filing that announces what proprietary information was taken can itself contribute to the loss of secrecy — and admissions made to satisfy one regime (the SEC's materiality standard, say) can be turned against the company in a coverage dispute or the misappropriation litigation itself.
Common mistakes
- A privacy-only triage that never asks whether IP was hit.
- Standing up a purely technical investigation in the first hours, generating frank written assessments with no privilege structure (the Capital One trap).
- Sending a cease-and-desist letter first, foreclosing an ex parte seizure.
- Cataloging the stolen secret in a notification or securities filing, broadcasting its existence and nature.
- Late notice to insurers, forfeiting coverage.
Primary authority
- DTSA, 18 U.S.C. §§ 1836–1839, including § 1836(b)(2) (ex parte seizure), § 1836(b)(3)(A)–(D) (remedies), § 1837 (extraterritorial reach), § 1839(3) (reasonable measures), § 1833(b) (whistleblower notice).
- Economic Espionage Act, 18 U.S.C. §§ 1831–1832; Computer Fraud and Abuse Act, 18 U.S.C. § 1030.
- Fed. R. Civ. P. 26(b)(3) (work product); FRE 702 and Daubert.
- Key cases: In re Capital One Consumer Data Security Breach Litigation, 2020 WL 2731238 (E.D. Va. 2020); Van Buren v. United States, 593 U.S. 374 (2021); Upjohn Co. v. United States, 449 U.S. 383 (1981).
Related resources
- Cybersecurity incident response and IP protection
- Building a trade secret protection program from scratch
- Building a trade secret protection program checklist
- Trade secret audit checklist
- Employee departure trade secret protection checklist
- Trade secrets in the age of remote work and cloud computing
- Data scraping after hiQ v. LinkedIn
- Trade secret protection toolkit
This checklist is for general informational purposes only and does not constitute legal advice or create an attorney-client relationship. Cybersecurity, breach-notification, trade secret, and insurance law vary by jurisdiction and continue to evolve. Consult qualified cybersecurity and IP counsel about your specific circumstances.