In brief. Trade secret protection requires "reasonable measures" to keep information secret—a standard that has not changed on paper, but whose application has changed enormously now that employees reach proprietary data from kitchen tables, personal phones, and home networks the company cannot see. Defendants increasingly win not by denying they took the information but by attacking the plaintiff's protective measures, and a run of decisions from 2018 through 2025 shows courts crediting layered, enforced controls and punishing inconsistent ones. This article explains the doctrine, maps the recent case law, and builds it into a working program—access controls and multifactor authentication, data-loss prevention, contracts, onboarding, offboarding, departing-employee forensics, monitoring, and incident response—then addresses the inevitable disclosure doctrine and the 2025 collapse of the FTC's non-compete rule. It is informational, not legal advice; tailor any program to your facts with qualified counsel.
There is a particular kind of silence that follows a senior engineer saying, "I've accepted an offer—I'll be at a competitor in two weeks." For a moment everyone is professional. Then the questions start, and they are not really about the engineer. They are about everything the engineer can reach: the thermal-modeling source she has cloned to a laptop, the customer pricing file she has opened a hundred times this quarter, the Slack threads where the team argued out the manufacturing tolerances that took four years and several million dollars to get right. Somewhere in those two weeks, a company learns whether its trade secret protection was a program or a slogan. Most learn the hard way.
The reason the moment is so dangerous is that the wall trade secret protection used to depend on is gone. For most of the twentieth century, the corporate security perimeter was a physical fact: sensitive information sat behind locked doors, badge readers, and a firewall, on machines the company owned and an IT department could watch. Remote work, which began as an emergency response to a pandemic, has hardened into the permanent architecture of knowledge work. Employees query customer databases from their kitchens, engineers commit code from coffee shops, executives review strategic plans on tablets at a child's soccer game. Information that once flowed only through monitored corporate pipes now crosses home Wi‑Fi, cellular networks, and public hotspots before landing on devices the company may neither own nor control.
This dissolution of the perimeter collides head-on with the oldest requirement in trade secret law. The law has always conditioned protection on the owner's having taken reasonable measures to keep the information secret. That requirement made obvious sense when the information lived inside a building. But what is reasonable when the workforce is scattered across hundreds of addresses, half the laptops are personal, and the collaboration tools everyone loves were designed to make sharing frictionless—which is to say, to make leaking easy? The stakes could not be higher, because trade secrets are uniquely valuable and uniquely fragile. Unlike a patent, a trade secret can last forever—Coca-Cola's formula has outlived every patent ever issued in the year it was created—but only so long as it stays secret. The protection evaporates the instant the owner stops taking reasonable steps to maintain confidentiality. There is no grace period and, usually, no second chance.
To keep this concrete, follow one hypothetical company throughout. Meridian Dynamics (entirely fictional) is a mid-sized engineering firm with a fully hybrid workforce. Its crown jewels are three: a proprietary thermal-modeling software package, a curated database of customer and pricing data, and a body of manufacturing know-how that lives partly in documents and partly in the heads of a dozen veteran engineers. All three are touched daily by people working from home on a mix of company laptops and personal devices. When senior engineer Dana Pruitt gives notice to join a competitor, Meridian has to answer, in real time and later in front of a judge, the single question this entire body of law turns on: did we take reasonable measures to protect what Pruitt can now walk out with—and can we prove it?
The Legal Framework: Federal and State Protection Running in Parallel
Trade secret law in the United States runs on two rails at once. The federal rail is the Defend Trade Secrets Act (DTSA), enacted in 2016 with overwhelming bipartisan support as an amendment to the Economic Espionage Act. The DTSA created, for the first time, a federal civil cause of action for trade secret misappropriation, available whenever the secret relates "to a product or service used in, or intended for use in, interstate or foreign commerce." 18 U.S.C. §§ 1831–1839. It defines a trade secret expansively—"all forms and types of financial, business, scientific, technical, economic, or engineering information," however stored—subject to two non-negotiable criteria: the owner has taken reasonable measures to keep it secret, and the information derives independent economic value from not being generally known or readily ascertainable through proper means. 18 U.S.C. § 1839(3).
That definition is worth pausing on, because it contains a trap that catches sophisticated companies. The value of the information is not enough. A formula that cost ten million dollars to develop and would hand a competitor an instant advantage is not a trade secret unless its owner protected it. As courts like to say, the law demands no "impenetrable fortress"—but it demands a fortress. The two requirements are also linked: the same conduct that keeps information secret is what gives it independent economic value, because the value comes precisely from rivals not having it.
The state rail is the Uniform Trade Secrets Act (UTSA), model legislation now adopted in some form by the District of Columbia and every state except New York, which still applies common-law trade secret principles (drawn largely from the Restatement). The UTSA conditions protection on "efforts that are reasonable under the circumstances to maintain its secrecy"—phrasing that courts treat as functionally identical to the DTSA's "reasonable measures." Because the DTSA borrowed the UTSA's architecture almost wholesale, federal courts routinely analyze DTSA and state claims together and treat them as "functionally equivalent." See Midwest Sign & Screen Printing Supply Co. v. Dalpe, 386 F. Supp. 3d 1037, 1053 (D. Minn. 2019). Critically, the DTSA supplements but does not preempt state law. A plaintiff like Meridian can therefore plead both, gaining a federal forum and tactical flexibility—but it also has to satisfy both frameworks' secrecy requirements, and a failure of reasonable measures sinks both claims at once.
Two older federal statutes lurk in the background and matter more than they used to in a remote-work world. The Economic Espionage Act (EEA) criminalizes trade secret theft, and the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, reaches unauthorized access to protected computers—an increasingly awkward fit for departing-employee cases after Van Buren v. United States, 593 U.S. 374 (2021), narrowed "exceeds authorized access" to exclude misuse of information an employee was permitted to obtain. The practical lesson of Van Buren for our purposes is that a company cannot assume the CFAA will rescue it from a poorly designed access-control regime; if Pruitt was authorized to open the pricing file, copying it for a competitor may breach her duties and the DTSA but not necessarily the CFAA. The remedy architecture, by contrast, is generous. Both the DTSA and the UTSA authorize injunctive relief; compensatory damages measured as actual loss, unjust enrichment, or a reasonable royalty; and—for willful and malicious misappropriation—exemplary damages up to twice the compensatory award plus attorneys' fees. 18 U.S.C. § 1836(b)(3). The DTSA adds two distinctive features we return to below: a civil-seizure remedy and a whistleblower-immunity notice obligation with real teeth.
For a fuller map of how trade secrets relate to the other intellectual property regimes—and when you should choose secrecy over a patent application in the first place—see our companion guides on the protection of trade secrets and on copyright vs. trademark vs. patent vs. trade secret. For software-specific strategy, where the choice among regimes is especially consequential, see legal protection of software.
The Reasonable Measures Requirement: What Courts Actually Examine
Reasonable measures has quietly become one of the most litigated issues in trade secret cases, and the reason is strategic. A defendant who admits taking the file but argues the plaintiff never really protected it can win outright—because if the information was not a trade secret, there is nothing to misappropriate, no matter how plainly it was copied. Empirical studies of trade secret litigation bear this out: defendants prevail on the reasonable-measures issue in a meaningful slice of contested cases, defeating plaintiffs who could have proven the taking ten times over but whose own protective failures disqualified the information from trade-secret status. Reasonable measures is, in other words, the soft underbelly of most trade secret claims, and the first place a good defense lawyer aims.
The inquiry is fact-intensive, holistic, and multi-factored. No single measure is dispositive and none is strictly required; courts weigh the totality. Across the case law, the recurring factors are familiar: whether the company used confidentiality and nondisclosure agreements, and whether it actually enforced them; whether information was marked confidential; whether access was limited to those with a business need to know; whether technical controls (passwords, encryption, access logs) restricted access; whether employees received training; whether physical and electronic security existed; and—the thread that runs through all of it—whether the company consistently implemented its policies rather than merely promulgating them. The animating principle is that courts examine what a company does, not what its handbook says. A policy honored in the breach, an "access control" everyone routes around, a "confidential" stamp applied to nothing—these protect almost nothing.
Two contrasting decisions frame the whole analysis, and every remote-work case is, at bottom, an argument about which one it resembles.
In Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279 (11th Cir. 2018), the Eleventh Circuit affirmed summary judgment against the employer because no reasonable jury could find reasonable measures. Yellowfin had done a few things right—it limited employee access to customer information and password-protected the network where the data lived. But it undercut those efforts so thoroughly that the court found them inadequate as a matter of law. The company gave a departing employee continued access to sensitive customer information after he refused to sign a confidentiality agreement; it encouraged him to store that information on his personal cellphone and laptop without any security instructions; and it never marked the information confidential. 898 F.3d at 1299–1301. Yellowfin is the cautionary tale practitioners cite first because its facts are not exotic—they are the facts of a hundred ordinary companies that drifted into convenience without thinking about consequences.
Set against it is Hagler Systems, Inc. v. Hagler Group Global, 2020 WL 2042484 (S.D. Ga. Apr. 28, 2020), where the court granted a preliminary injunction because the plaintiff had done the unglamorous work: it labeled files proprietary, restricted them behind login credentials inside a private database, and required separate VPN credentials for remote access. The contrast with Yellowfin is the entire lesson. Same circuit's neighborhood, opposite result, and the difference was not the value of the information but the discipline of the protection.
The remote-work twist is that Yellowfin's fatal facts—personal-device storage, the absence of deletion instructions, casual confidentiality—are exactly the facts that distributed work generates by default. The pull toward convenience that doomed Yellowfin Yachts is now the gravitational field every hybrid company operates in. For Meridian, every section that follows is ultimately about being able to tell the Hagler story rather than the Yellowfin one when Pruitt's departure lands in front of a judge.
How Remote Work Specifically Reshapes the Standard
Remote work does not change the legal test; it changes the facts the test is applied to, and it does so in ways that systematically erode the measures companies historically relied on. Four pressure points recur.
First, the technical controls that worked inside a building don't travel. Network firewalls, monitored endpoints, and physical access controls protect a perimeter; they do little when an employee works from a home network on personal hardware the company never sees. The social architecture of confidentiality disappears too. Inside an office, the badge readers, the visible security, the colleague at the next desk, and the simple fact of being watched all reinforce the norm that this information is special. At a kitchen table, those cues vanish, and confidentiality becomes an abstraction competing with the very concrete convenience of emailing a file to a personal account "just to finish it tonight." Scholars have argued for years that "reasonable" must evolve with the technology—more remote access means more transmission and a need for updated protocols—yet many companies never modified the security and remote-work policies they adopted in haste, and courts are only beginning to articulate how the work-from-home landscape reshapes the standard. See Hannah E. Brown, Rethinking "Reasonableness": Protecting Trade Secrets in a Remote Work Environment, 30 J. Intell. Prop. L. 268 (2023).
Second, bring-your-own-device (BYOD) policies create a structural blind spot. When the device is personal, the company often cannot enforce technical controls, cannot monitor access, and—decisively—cannot guarantee deletion at separation. Yellowfin shows how dangerous it is to encourage personal-device storage without security instructions, but the deeper problem surfaced in DM Trans, LLC v. Scott, 38 F.4th 608 (7th Cir. 2022), where the Seventh Circuit affirmed the denial of injunctive relief in part because the employer "neither requested nor took steps to ensure that [departing] employees deleted" proprietary data from their personal devices. The failure was not that data sat on personal devices—it was that the company never even asked for it back. MGA Home Healthcare Colorado, LLC v. Thun (D. Colo. 2023) sharpened the same point from the other direction: a former employee saved confidential information to his personal phone in violation of a BYOD policy, illustrating both the necessity of clear BYOD rules and the difficulty of enforcing them once company data and personal data blur on a single device.
Third, cloud collaboration tools multiply the ways information leaks by accident. A misconfigured sharing setting on a document, a "share with anyone who has the link" toggle, a group channel that includes one person it shouldn't—each is a disclosure vector that traditional IT never had to imagine. The convenience that makes these tools indispensable is precisely what makes them leaky. And the cloud's auditability cuts both ways: it generates the logs that can prove misappropriation, but only if the company configured logging and retains it.
Fourth, home networks and informality erode the baseline. Sensitive data traverses Wi‑Fi shared with family members on routers running default passwords. Documents sit visible on a desk; a laptop stays unlocked while its user answers the door; a sensitive call happens within earshot of a houseguest. None of these is dramatic, and that is the point—reasonable measures erode not through a single breach but through a thousand small relaxations of habit. The company cannot control any of these variables. It remains, however, fully responsible for reasonable measures despite them. That asymmetry—diminished control, undiminished responsibility—is the central legal predicament of the distributed workplace.
Recent Case Law: Courts Confront the Distributed Workplace
A cluster of decisions from 2022 through 2025 maps both the risks remote work creates and the measures courts credit. Read together, they are less a doctrinal revolution than a stress test of old principles against new facts.
The exfiltration cases show how easily distributed access translates into removal. In TileBar v. Glazzio Tiles (E.D.N.Y. 2024), former employees allegedly exfiltrated confidential customer and pricing data to personal cloud storage and USB devices before decamping to a competitor—a textbook illustration of how remote access lets employees siphon data from locations the company cannot watch. DraftKings Inc. v. Hermalyn (D. Mass.), aff'd, 118 F.4th 416 (1st Cir. 2024), put a name to the modern exfiltration toolkit: a senior executive allegedly moved proprietary documents to personal devices using Dropbox, AirDrop, and Slack—three different consumer channels, any one of which suffices. The First Circuit's affirmance carried a second lesson for the post-FTC-rule landscape: a properly tailored non-compete remains enforceable to protect trade secrets in jurisdictions that permit them, and the court enforced California's competing public policy by declining to let the executive escape a California-law argument he raised too late. TMG of Delaware, Inc. v. Mikkola (D.N.J. 2024) added a procedural wrinkle that every multistate employer should note: a Texas-based remote employee allegedly accessed a New Jersey employer's confidential information via external storage after his employment ended, and the court found it had personal jurisdiction over the remote worker. The case is a reminder that remote work both extends the post-employment window for misappropriation—data left on an unrecovered device is a standing invitation—and complicates the forum question when the wrongdoer never set foot in the forum state.
On the other side of the ledger sits the defense-friendly cautionary tale. In Apple Inc. v. Rivos, Inc., 2023 WL 5183034 (N.D. Cal. Aug. 11, 2023), Apple alleged that roughly forty departing engineers carried confidential information to a chip-design startup, yet the court dismissed the trade secret claims (with leave to amend), emphasizing that mere possession is not misappropriation and crediting evidence that Rivos had affirmatively instructed new hires not to bring prior employers' confidential information. Rivos delivers two messages at once. To plaintiffs: identify the actual secrets and plead acquisition, use, or disclosure with particularity—a parade of departures and a hunch is not a claim. To hiring companies: the instruction not to bring a prior employer's secrets is not boilerplate; it can be case-dispositive, which is why it belongs in every onboarding process (more on that below).
These remote-work disputes do not float free of doctrine; they sit atop the older line of cases that defines the contours of secrecy and misappropriation. The pleading-with-particularity problem that sank Apple's first complaint echoes Heritage Fence Co. v. Malin, 2024 WL 5047468 (E.D. Pa. Dec. 9, 2024), where the plaintiff used NDAs and marked some documents confidential but failed to plead which specific documents the agreements protected. And the third-party disclosure trap—sharing secrets outside the company without protection—runs from Farmers' Edge Inc. v. Farmobile, LLC, 970 F.3d 1027, 1033 (8th Cir. 2020) (no protection where information was shared with a contractor absent a confidentiality agreement or other safeguards), straight into the cloud-vendor question we take up later, because a cloud provider is, legally, just a very large third party with your secrets on its servers.
Technical Controls: The First Line of Defense
Robust technical controls do two things at once: they actually restrict who can reach the crown jewels, and they generate the audit trail that later proves reasonable measures. Courts consistently treat well-designed technical controls as strong evidence of reasonable efforts, so the litigation value and the security value point the same direction.
Access control is the foundation, and least privilege is its governing principle. The goal is that crown-jewel information—Meridian's thermal-modeling source, its customer-and-pricing database—is reachable by a far narrower set of people than general business data, scoped by role to genuine business need. Modern identity-and-access-management (IAM) systems implement role-based access at scale, but they are only as good as their configuration and their hygiene. Access creep is the silent killer: the engineer who rotated to marketing two years ago but never lost her access to technical specifications is both a security gap and an evidentiary liability, because she undermines the "need to know" story the company will need to tell. Periodic access reviews, and immediate revocation across every system upon departure, are therefore not bureaucratic niceties but the difference between Hagler and Yellowfin. The data on revocation latency is sobering: studies find that a substantial share of organizations take more than three days to fully revoke a departed employee's access—a window that maps precisely onto the period in which departing employees do their damage.
VPNs encrypt the pipe but do not police the person. A virtual private network protects data in transit and supplies useful access logs, but it does nothing to stop an authorized user from copying data she is allowed to see. That is why VPNs should be paired with data-loss-prevention (DLP) systems that monitor and, where appropriate, block transfers to personal email, unsanctioned cloud storage, or removable media. DLP is the technical answer to the DM Trans and DraftKings fact patterns: it is what stands between an employee and the Dropbox upload. Multifactor authentication (MFA) is now effectively mandatory—the cheapest high-impact control a company can deploy, ensuring that a phished or reused password alone cannot unlock the secrets. Endpoint detection and response (EDR) tools restore a sliver of the visibility remote work removes, flagging large transfers, unauthorized installations, or anomalous connections on managed devices, substituting (imperfectly) for the physical observation that an office once provided. And comprehensive logging serves the dual purpose that makes it indispensable: it powers real-time investigation when something looks wrong, and it supplies the litigation record that both proves reasonable measures and establishes the defendant's specific access—the exact files Pruitt opened, when, and from where.
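To make the DLP-plus-logging point concrete, the following added example (not part of the original article) triages transfer events the way a notice-period review would, producing the list of files, times, and destinations that the litigation record needs. The log columns, user names, domains, and labels are constructed assumptions, not any vendor's export format.

```python
import csv
import io
from datetime import datetime, date

# Constructed sample export; column names and values are assumptions for illustration.
SAMPLE_LOG = """timestamp,user,channel,destination,file,label,bytes
2025-03-03T09:12:00,dpruitt,email,dana.pruitt@corp.example,status.docx,internal,48211
2025-03-04T22:41:00,dpruitt,cloud_upload,dropbox.example,pricing_q1.xlsx,trade-secret,912004
2025-03-05T23:05:00,dpruitt,usb,removable-media,thermal_core.zip,trade-secret,48100233
2025-03-05T10:30:00,jlee,email,j.lee@webmail.example,lunch_menu.pdf,public,20110
2025-03-06T08:02:00,dpruitt,email,dana.p@webmail.example,tolerances.pdf,confidential,301776
2025-03-06T11:15:00,mkhan,cloud_upload,drive.corp.example,roadmap.pptx,confidential,733001
2025-03-06T14:00:00,mkhan,email,m.khan@webmail.example,vendor_list.xlsx,confidential,55000
"""

SANCTIONED_DOMAINS = {"corp.example"}            # assumption: company-approved destinations
PROTECTED_LABELS = {"trade-secret", "confidential"}
NOTICE_DATES = {"dpruitt": date(2025, 3, 3)}     # assumption: supplied by HR when notice is given
RANK = {"high": 0, "medium": 1, "low": 2}


def is_sanctioned(channel, destination):
    """Removable media is never sanctioned; otherwise match the destination domain."""
    if channel == "usb":
        return False
    domain = destination.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in SANCTIONED_DOMAINS)


def classify(event):
    """Return None for an approved transfer, otherwise a severity string."""
    if is_sanctioned(event["channel"], event["destination"]):
        return None
    if event["label"] not in PROTECTED_LABELS:
        return "low"                              # unsanctioned channel, unprotected file
    notice = NOTICE_DATES.get(event["user"])
    when = datetime.fromisoformat(event["timestamp"]).date()
    if notice is not None and when >= notice:
        return "high"                             # protected file leaving during notice period
    return "medium"                               # protected file leaving, no notice on record


def review(log_text):
    """Parse the export and return findings ordered by severity, then time."""
    findings = []
    for event in csv.DictReader(io.StringIO(log_text)):
        severity = classify(event)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "timestamp": event["timestamp"],
            "user": event["user"],
            "channel": event["channel"],
            "destination": event["destination"],
            "file": event["file"],
            "bytes": int(event["bytes"]),
        })
    findings.sort(key=lambda f: (RANK[f["severity"]], f["timestamp"]))
    return findings


def bytes_by_user(findings, severity="high"):
    """Total bytes moved per user at the given severity, for the incident summary."""
    totals = {}
    for f in findings:
        if f["severity"] == severity:
            totals[f["user"]] = totals.get(f["user"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["severity"], f["timestamp"], f["user"], f["channel"],
              f["destination"], f["file"], f["bytes"])
```

The same rules are only useful as evidence if the underlying logs are retained long enough to be exported after a departure is discovered.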
Encryption deserves its own line. Encrypting data at rest and in transit, and enforcing full-disk encryption on every device that touches trade secrets, is both a security baseline and a courtroom asset: it is concrete, demonstrable evidence of effort that a judge can understand at a glance. For the breach scenario specifically—where the threat is an external intruder rather than a departing insider—and the overlap between cybersecurity incident response and the preservation of trade-secret status, see cybersecurity incident response and IP protection.
A word on cloud providers, because they are where the modern perimeter actually lives. When Meridian's secrets sit on a third party's infrastructure, the cloud contract becomes part of the reasonable-measures story. The provider agreement should specify robust security commitments, data-location and access controls, breach-notification obligations, audit rights, and—critically—deletion and return obligations at termination, so the company is not in Farmers' Edge territory, having handed its secrets to a third party without contractual protection. Default consumer settings are rarely adequate; the enterprise configuration, the tenant isolation, the logging retention, and the administrative access model all have to be deliberately chosen. For the contract mechanics, see our guidance on drafting software license agreements and software license agreement review checklists.
Contractual Protections: Building the Legal Foundation
Technical controls cannot do everything. Determined insiders find workarounds—a photograph of a screen defeats the most sophisticated DLP—and some of the most valuable information lives in employee knowledge, which no firewall can fence. Contracts supply what technology cannot: a legal obligation that survives the employment relationship, and, just as importantly, documentary evidence of reasonable measures that courts routinely cite when they confer trade-secret status.
The case law makes the point in both directions. In Fujikura Composite Am., Inc. v. Dee, 2024 WL 3261214 (S.D. Cal. June 28, 2024), nondisclosure provisions combined with physical and technical controls were held sufficient to confer trade-secret status—contracts and controls working as a system. But contracts must be drafted with care and tied to identified information. Heritage Fence, again, is the warning: NDAs plus some "confidential" labels were not enough where the plaintiff could not say which documents the agreements actually protected. The lesson is that a confidentiality agreement is not a magic word; it is part of an evidentiary mosaic, and it has to point at something specific.
For distributed environments, the confidentiality and proprietary-rights agreement (often called a PIIA—proprietary information and inventions agreement) should be modernized along several axes. It should define confidential information specifically, because vague catch-alls invite the Heritage Fence problem and give a defendant room to argue the company never identified its secrets. It should address personal-device use directly, reserving the company's right to require, audit, and verify deletion of company information from personal devices and cloud accounts at separation—the contractual answer to DM Trans. It should prohibit unauthorized cloud storage and the use of personal email for company information, converting a security policy into an enforceable promise. And it must carry the DTSA whistleblower-immunity notice, discussed next, because the cost of omitting it is concrete.
That notice obligation is one of the few places in trade secret law where a drafting oversight has a fixed price. The DTSA immunizes an individual—employee, contractor, or consultant—from civil and criminal liability under federal or state trade secret law for disclosing a trade secret in confidence to a government official or attorney solely to report or investigate a suspected violation of law, or in a sealed court filing. 18 U.S.C. § 1833(b)(1). To preserve the right to recover exemplary damages and attorneys' fees against an employee, the employer must give that employee notice of the immunity in any agreement governing trade secrets or confidential information that was entered into or modified after May 11, 2016. 18 U.S.C. § 1833(b)(3). Omit the notice, and you do not lose your trade secret claim—but you forfeit the enhanced damages and fees that often make litigation economically worthwhile. It is, in effect, a free upgrade available to any employer willing to paste a paragraph into its template, and it is astonishing how many fail to do it.
For the detailed mechanics of drafting these instruments—definitions, carve-outs, term, remedies, and the whistleblower notice—see our deep dives on drafting enforceable non-disclosure agreements for technology transactions and on employee invention assignment agreements. Both are foundational to the program described here, and both should be reviewed against current state law before deployment.
Non-Competes and the Inevitable Disclosure Doctrine
Two related doctrines sit at the volatile intersection of trade secret and employment law, and both saw significant movement recently.
Inevitable disclosure is the theory of last resort when a company cannot prove actual misappropriation but fears it is coming. The seminal case is PepsiCo, Inc. v. Redmond, 54 F.3d 1262 (7th Cir. 1995), where a high-level PepsiCo executive with intimate knowledge of the company's strategic plans for sports drinks and "new age" beverages left to join Quaker, which had just acquired Gatorade and Snapple. PepsiCo could not prove Redmond had taken anything, but the Seventh Circuit affirmed an injunction on the theory that Redmond "could not help but rely" on PepsiCo's trade secrets in his new role—that disclosure was, in effect, inevitable given the overlap of his old and new responsibilities. Redmond gave plaintiffs a powerful tool: an injunction premised on the structure of the new job rather than on proof of theft.
But inevitable disclosure has always been controversial precisely because it functions as a judicially imposed non-compete, restraining where someone may work based on what they know. Jurisdictions split sharply. Some embrace it; others, California most prominently, reject it outright as an end-run around the state's ban on non-competes. The doctrine's status under the DTSA is nuanced: although early commentators doubted it would survive (the statute bars injunctions that merely restrain employment "based on the information the person knows"), courts in jurisdictions that already recognize inevitable disclosure have applied it under the DTSA as a way of showing threatened misappropriation, which the statute does reach. The practical takeaway for Meridian is that inevitable disclosure is a real but jurisdiction-specific arrow—worth understanding, dangerous to rely on, and no substitute for the affirmative measures that prove a secret was protected in the first place.
Non-compete agreements themselves underwent a dramatic shift. The FTC's 2024 Non-Compete Clause Rule, 16 C.F.R. pt. 910, would have banned most post-employment non-competes nationwide. It was set aside by the Northern District of Texas in Ryan, LLC v. FTC (Aug. 20, 2024) as exceeding the agency's statutory authority, and on September 5, 2025, the FTC voted to withdraw its appeals and accept the rule's vacatur. The sweeping federal ban is therefore dead, and non-compete enforceability has reverted to the states—a patchwork running from California, Minnesota, Oklahoma, and North Dakota's near-total prohibitions to the reasonableness-based enforcement most states apply. But the story is not "non-competes are safe." The FTC signaled continued case-by-case scrutiny under Section 5 of the FTC Act, state attorneys general remain aggressive, and the trend in state legislatures runs toward narrowing. The upshot for a protection program is to treat non-competes as a fragile, jurisdiction-specific supplement rather than a foundation: the firm's real security must come from access controls, contracts, and consistent enforcement, because non-competes may be unenforceable, void, or politically radioactive in a given state. For the full treatment of the rule's collapse and the resulting state-law patchwork, see non-compete agreements under siege: FTC rulemaking and state law developments.
Onboarding: Setting the Foundation Before Day One
Protection begins before an employee's first day, and the omissions at onboarding tend to surface, expensively, at offboarding.
Before extending an offer, a company should think about two things at once: what confidential information the role genuinely requires (least privilege starts at hiring, not at the IAM console), and whether the candidate carries obligations to a prior employer that could create conflict. The second consideration cuts both ways—it protects the company against inducing a breach, and it sets a clean boundary about what the new hire may and may not bring. This is the lesson of Apple v. Rivos operationalized: the most effective defensive move a hiring company can make is to instruct new employees, in writing, not to bring a prior employer's confidential information, and to mean it. That instruction protects the company, builds a culture that takes confidentiality seriously, and—as Rivos showed—can be the fact that defeats a misappropriation claim.
Upon hiring, employees should sign comprehensive confidentiality and invention-assignment agreements before they access any trade-secret information. Sequencing matters more than people realize: an agreement signed after access has begun can be challenged for want of consideration in some states, and it may not cleanly reach disclosures that predated it. The agreement should be reviewed with the employee, not buried in a stack of HR forms to be clicked through, and it should be paired with training that answers the practical questions—what is confidential here, how do I mark and store it, which tools are approved and which are forbidden, and what do I do if I receive information I shouldn't have? For remote workers, onboarding should also configure the technical controls on the work device, verify home-network security where particularly sensitive information is involved, and set explicit expectations about the physical security of the home workspace. The connective tissue here is that onboarding is where the company decides, in advance, whether it will be able to tell the Hagler story. For building this from the ground up rather than retrofitting it onto an existing mess, see building a trade secret protection program from scratch.
The Critical Offboarding Process
If onboarding sets the foundation, offboarding determines whether it holds, and it is the single highest-leverage moment in the entire program. The interval between notice and departure is when misappropriation most often occurs—not because most employees are thieves, but because that is the window in which a tempted or aggrieved employee still has access and now has motive. Weak offboarding can leave a company unable to recover even theft it can plainly see.
Effective offboarding is cross-functional and fast. HR initiates; IT revokes access across every system (not just email and the VPN, but the cloud drives, the code repositories, the SaaS tools that accumulate invisibly); security updates physical controls; and legal secures a written acknowledgment of continuing obligations. For high-access employees like Pruitt, the process should begin the moment notice is given—sometimes with immediate revocation, sometimes, where an abrupt cutoff is impractical, with enhanced monitoring during the notice period. This is not paranoia; it is a sober reading of where the risk concentrates.
Before the final day, the departing employee should return all company property and confirm, in writing and with specificity, that company information has been deleted from personal devices and cloud accounts. That written deletion confirmation is the direct answer to DM Trans v. Scott, where the employer's failure to even ask doomed its request for relief. The exit interview—ideally conducted by a neutral HR representative to keep the departing employee at ease and candid—should reinforce surviving obligations, provide copies of the relevant agreements, and clearly communicate which materials are confidential, removing any future claim of ignorance. Some companies go further and present a formal acknowledgment identifying the categories of trade secrets the employee accessed; it feels confrontational, but it is excellent evidence that the employee knew what was protected. Where the departure is to a direct competitor under suspicious circumstances, the company should consider a continuing-obligations letter to the new employer as well, and—this is the pivot to the next section—forensic preservation of the employee's devices and access logs.
A continuing-obligations letter, an exit-interview script, and a deletion-confirmation form cost almost nothing and prevent enormous problems. The companies that get sued and lose on reasonable measures are rarely the ones that lacked technology; they are the ones that never built the paper trail. When Pruitt gives notice, Meridian's conduct over the next two weeks will matter as much to any future case as everything it did in the preceding two years.
Departing-Employee Forensics: Preserving the Evidence
When a departure looks suspicious—data downloads spiking before notice, a competitor in the same niche, a refusal to confirm deletion—the company moves from offboarding into investigation, and the governing discipline becomes e-discovery and digital forensics. Here speed is not a virtue but a necessity, because the relevant evidence is perishable. Logs roll over, devices get wiped and reissued, cloud accounts get deleted, and a delay of weeks can convert a winnable case into an unprovable one.
The departing employee's electronic devices are, in the words of one practitioner treatise, "a treasure trove." Beyond the proprietary files themselves, forensic review can reveal how and to where information was copied—the USB insertion timestamps, the personal-cloud upload records, the AirDrop logs—as well as communications about what the employee was doing and any attempts to conceal it. Relevant ESI typically spans documents (often carrying metadata that betrays the original author and modification dates), email, text and instant messages, and messages from collaboration tools. That last category has become a litigation flashpoint: in Red Wolf Energy Trading, LLC v. BIA Capital Management, LLC, 2022 WL 4112081 (D. Mass. Sept. 8, 2022), a court imposed serious sanctions for the failure to produce highly relevant Slack messages, and in CaramelCrisp LLC v. Putnam, 2022 WL 1228191 (N.D. Ill. Apr. 26, 2022), the court worked through the now-familiar bundle of claims—misappropriation, breach of fiduciary duty, breach of contract—that a departing-employee data-theft case generates.
The investigative imperative is twofold. First, preserve: issue litigation holds immediately, suspend auto-deletion on the relevant systems, forensically image the departing employee's devices before they are wiped or reissued, and instruct key personnel to limit discussion of the matter. Spoliation—the loss or destruction of evidence—is its own catastrophe, exposing the company to sanctions and an adverse-inference instruction that can lose a case on its own. Second, proceed carefully through privacy: when the device is personal, forensic examination must navigate the employee's privacy interests and any applicable state law, which is one more reason the right to audit and image personal devices should have been secured by contract at onboarding. A protection program, in other words, is not just preventive; it is the infrastructure that makes a later investigation lawful and effective. The bulk-extraction techniques at the heart of many departures also connect to the access-and-authorization doctrines we analyze in data scraping after hiQ v. LinkedIn, which—after Van Buren—shape what counts as unauthorized access in the first place.
Ongoing Vigilance: Monitoring, Audits, and Enforcement
Trade secret protection is a program, not a project. Measures that were reasonable five years ago—before this collaboration suite, before this AI tool, before half the workforce went remote—may be inadequate now, and the reasonableness inquiry is evaluated against current conditions. Three ongoing disciplines keep the program honest.
Periodic trade secret audits answer the question that the litigation will eventually pose: what, exactly, are your trade secrets, and how are they protected? A company that cannot inventory its secrets cannot protect them consistently, and—as Heritage Fence and the first Apple v. Rivos complaint show—cannot plead them with particularity when the time comes. An audit catalogs the crown jewels, maps who can reach them, and surfaces the access creep that accumulates as people change roles. Behavioral monitoring—user-and-entity behavior analytics layered onto DLP and EDR—can surface anomalies early enough to intervene: an unusual download volume, off-hours access to systems unrelated to a role, a sudden interest in files the employee never touched before. The point of monitoring is not surveillance for its own sake but the early warning that lets a company act before the data is gone rather than after.
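The three anomalies named above, along with the pre-notice download spike described in the forensics section, reduce to comparisons against each user's own baseline. The Python example below is added here for illustration and is not taken from the article's sources or from any DLP or UEBA product; the log format, user names, role map, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log: timestamp, user, system, path, bytes read.
LOG = """
2025-03-03T10:05:00 eng01 thermal-repo /models/solver.py 40000
2025-03-04T11:20:00 eng01 thermal-repo /models/mesh.py 55000
2025-03-05T14:10:00 eng01 thermal-repo /models/solver.py 38000
2025-03-03T09:30:00 sales02 crm /accounts/acme.xlsx 20000
2025-03-04T09:45:00 sales02 crm /accounts/acme.xlsx 21000
2025-03-05T10:00:00 sales02 crm /accounts/globex.xlsx 19000
2025-03-10T10:15:00 sales02 crm /accounts/acme.xlsx 22000
2025-03-10T22:40:00 eng01 crm /pricing/customer_pricing.xlsx 900000
2025-03-10T22:44:00 eng01 thermal-repo /tolerances/spec_a.pdf 700000
2025-03-10T22:47:00 eng01 thermal-repo /tolerances/spec_b.pdf 650000
2025-03-10T22:51:00 eng01 thermal-repo /models/solver.py 40000
"""

# Assumed inputs (all hypothetical): role-to-system map and tuning thresholds.
ROLE_SYSTEMS = {"eng01": {"thermal-repo"}, "sales02": {"crm"}}
BASELINE_END = datetime(2025, 3, 8)  # events before this date form the baseline
VOLUME_FACTOR = 5                    # flag a day above 5x the median baseline day
NEW_FILE_MIN = 3                     # flag a day touching >= 3 never-seen files


def parse(log):
    """Yield (timestamp, user, system, path, bytes) for each log line."""
    for line in log.strip().splitlines():
        ts, user, system, path, size = line.split()
        yield datetime.fromisoformat(ts), user, system, path, int(size)


def off_hours(ts):
    """True on weekends, before 07:00, or from 20:00 onward."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 20


def detect(log=LOG):
    """Return (user, date, rule, detail) findings for the review period."""
    day_bytes = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes
    seen = defaultdict(set)                            # user -> (system, path)
    review = defaultdict(list)                         # (user, date) -> events
    for ts, user, system, path, size in parse(log):
        if ts < BASELINE_END:
            day_bytes[user][ts.date()] += size
            seen[user].add((system, path))
        else:
            review[(user, ts.date())].append((ts, system, path, size))

    findings = []
    for (user, day), events in sorted(review.items()):
        # Rule 1: unusual download volume relative to the user's own history.
        # A user with no baseline is skipped here rather than guessed at.
        total = sum(e[3] for e in events)
        typical = median(day_bytes[user].values()) if day_bytes[user] else 0
        if typical and total > VOLUME_FACTOR * typical:
            findings.append((user, str(day), "volume",
                             f"{total} bytes vs typical {typical}"))
        # Rule 2: off-hours access to a system outside the user's role.
        role = ROLE_SYSTEMS.get(user, set())
        odd = sorted({s for ts, s, _, _ in events if off_hours(ts) and s not in role})
        if odd:
            findings.append((user, str(day), "off_hours_out_of_role", ",".join(odd)))
        # Rule 3: sudden interest in files never touched during the baseline.
        new = {(s, p) for _, s, p, _ in events} - seen[user]
        if len(new) >= NEW_FILE_MIN:
            findings.append((user, str(day), "new_files",
                             f"{len(new)} files not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

Each finding carries the user, date, and rule that fired, which is the shape of record an enforcement file or a later forensic timeline can cite.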
Consistent, proportionate enforcement is the factor most companies neglect and courts most reliably notice. When assessing reasonable measures, courts ask whether policies were actually implemented or merely written down. An unenforced rule is barely better than no rule, and a violation met with a shrug teaches every employee who hears about it that the rules are optional—quietly dismantling the reasonable-measures case the company will someday need to make. Enforcement does not mean reflexive termination; a minor, inadvertent infraction may warrant a documented warning, a serious or willful one formal discipline. But every violation must be addressed, and the response documented, because the documentation is the evidence. Privacy law sets the outer bounds of all of this: monitoring systems that detect misappropriation must themselves comply with state privacy statutes modeled on the CCPA, with the GDPR for global operations, and with the growing body of state employee-monitoring and biometric-privacy law. The system you build to catch a thief cannot itself become the next lawsuit.
The Intersection with Adjacent Bodies of Law
Trade secret protection in a distributed workplace touches several neighboring regimes, and a program that ignores them will collide with them. Employment law shapes what agreements may contain and what monitoring is permissible—the non-compete limits canvassed above, plus the privacy expectations of remote workers and the constraints on surveilling them. Data-privacy law restricts how employee data may be collected and stored, so the very monitoring that protects secrets must be designed to comply. The choice among IP regimes deserves ongoing attention: information protectable as a trade secret may alternatively be patentable, and the calculus changes as the information ages and as competitors close in. The rise of AI tools in research and development raises fresh ownership and disclosure questions we examine in AI-generated inventions: who owns what the machine creates. For technology companies, the use of open-source components in enterprise development can impose disclosure obligations that directly conflict with a trade-secret strategy—a copyleft license that forces source disclosure can vaporize a secret as surely as a leak. And for the affirmative, soup-to-nuts build, building a trade secret protection program from scratch ties these threads together; for the breach scenario specifically, cybersecurity incident response and IP protection addresses how to preserve secrecy status when an intruder—rather than an insider—is the threat.
Responding to Suspected Misappropriation
Despite the best prevention, misappropriation sometimes happens or is credibly threatened, and the quality of the response can determine whether the company protects its advantage or watches it evaporate.
The first move is investigation: what was taken, how, when, and by whom. Time is the enemy, for all the reasons rehearsed above—logs overwrite, devices get wiped, memories fade. Preservation runs in parallel: litigation holds, suspended auto-deletion, forensic imaging, and disciplined communications, because the evidence that proves the misappropriation is the same evidence a careless response can destroy. A carefully drafted cease-and-desist communication, prepared with counsel, can establish the company's objection and create a record while avoiding the overstatement that later undermines credibility—claiming the moon and proving a pebble is a familiar way to lose. For the craft of the demand letter, see writing a demand letter basics.
When informal resolution fails, the DTSA's remedial toolkit is formidable. Temporary restraining orders and preliminary injunctions can freeze the harm. In genuinely egregious cases, the DTSA authorizes an ex parte civil-seizure order—the court can direct law enforcement to seize property containing or used to access the trade secret—but only on a showing that ordinary injunctive relief would be inadequate, and subject to stringent safeguards designed to prevent abuse. 18 U.S.C. § 1836(b)(2). Civil seizure is a sledgehammer, rarely granted and easy to misuse, and courts scrutinize the applications closely. Throughout, the litigation itself poses a paradox the company must manage: discovery and trial threaten further disclosure of the very secrets at issue, which is why the DTSA codifies the sealing of trade secrets in court filings, 18 U.S.C. § 1835(b), and why protective orders are essential. For how these disputes unfold inside the broader machinery of federal litigation, see a comprehensive guide to federal civil litigation for small businesses.
The hardest truth in this area is that even a winning lawsuit cannot always undo the damage. A patent, once infringed, can be vindicated and the patentee made whole; a secret, once disclosed, cannot be made secret again. The toothpaste does not go back in the tube. That is the deepest reason prevention dominates the analysis: swift, well-documented action minimizes harm and deters the next violation, but the only sure protection is the protection that keeps the secret a secret in the first place.
Frequently Asked Questions
Does letting employees work from home automatically weaken our trade secret protection?
Not automatically, but it changes the facts a court will weigh and tends to erode the measures companies historically relied on. The legal test—reasonable measures—does not change. What changes is whether you can satisfy it when data lives on home networks and personal devices. Companies that adapt their controls (least-privilege access, MFA, DLP, EDR, encryption) and their paperwork (modernized confidentiality agreements, BYOD policies, deletion confirmations) can satisfy the standard in a distributed environment; companies that simply carried their old, perimeter-based assumptions into the remote era are the ones telling the Yellowfin story in court.
Can we recover trade secrets from an employee's personal phone or laptop after they leave?
Practically and legally, only if you planned for it. Secure the right to audit, image, and require deletion of company information from personal devices by contract at onboarding, get a written deletion confirmation at offboarding, and ask for the data back—the failure even to ask doomed the employer in DM Trans, LLC v. Scott, 38 F.4th 608 (7th Cir. 2022). Forensic examination of a personal device also implicates the employee's privacy interests and state law, which is another reason the contractual right matters.
Is a confidentiality agreement enough on its own to make information a trade secret?
No. An NDA is necessary evidence but not sufficient. Courts look at the totality—technical controls, marking, access limits, training, and enforcement—and they penalize agreements untethered to identified information (Heritage Fence Co. v. Malin) while crediting NDAs combined with real controls (Fujikura Composite Am., Inc. v. Dee). Treat contracts and controls as a single system.
What is the DTSA whistleblower-immunity notice, and what happens if we forget it?
Section 1833(b) immunizes employees, contractors, and consultants who disclose a trade secret in confidence to a government official or attorney to report a suspected legal violation, or in a sealed court filing. To keep the right to recover exemplary damages and attorneys' fees against an employee, you must include notice of that immunity in any trade-secret or confidentiality agreement entered or modified after May 11, 2016. Omit it and you keep your claim but lose the enhanced remedies—a self-inflicted wound that a single paragraph prevents.
Now that the FTC non-compete ban is dead, can we rely on non-competes to protect our secrets?
Cautiously and locally, at best. The Ryan v. FTC vacatur and the FTC's 2025 withdrawal of its appeals returned non-compete enforceability to the states, which range from near-total bans (California, Minnesota, Oklahoma, North Dakota) to reasonableness-based enforcement elsewhere. Even where enforceable, non-competes draw scrutiny from the FTC under Section 5 and from state attorneys general. Build your program on access controls, contracts, and consistent enforcement; treat non-competes as a fragile supplement, not a foundation.
What is inevitable disclosure, and can we use it?
It is the theory that a former employee will inevitably use or disclose your secrets in a sufficiently similar new role, allowing an injunction without proof of actual taking—established in PepsiCo, Inc. v. Redmond, 54 F.3d 1262 (7th Cir. 1995). Its availability is highly jurisdiction-dependent; California and others reject it as a backdoor non-compete. It can support a threatened-misappropriation theory under the DTSA where recognized, but it is no substitute for the affirmative measures that prove your secret was protected.
How fast do we have to move when we suspect a departing employee took data?
Immediately. The evidence is perishable—logs roll over, devices get wiped, cloud accounts get deleted. Issue litigation holds, suspend auto-deletion, and forensically image the relevant devices before they are reused. Delay risks both losing the proof and exposing the company to spoliation sanctions, as the Slack-message sanctions in Red Wolf Energy Trading, LLC v. BIA Capital Management, LLC illustrate.
Conclusion: Adapting to the New Reality
The disappearance of the traditional perimeter is permanent, and pretending otherwise is its own risk. The legal requirement has not moved—reasonable measures, no impenetrable fortress but some real fortress—yet what satisfies it in a distributed environment looks markedly different from what sufficed when everyone worked in a building on company machines. Companies that take protection seriously will build in layers: technical controls that restrict access and generate audit trails, contracts that create obligations and document effort, training that turns rules into habits, rigorous onboarding and offboarding that govern the highest-risk moments, forensic readiness for the departures that go wrong, and ongoing monitoring and enforcement that catch problems early and prove the program was real. No single layer suffices, and courts weigh the totality—strength in one area can offset weakness in another, but only up to a point, and never if the weakness is a pattern.
The investment is justified by the value at stake and the finality of failure. Trade secrets lost are usually lost forever; years of advantage can vanish in the time it takes a departing employee to drag a folder into a personal cloud. When Dana Pruitt walks out Meridian's door, the company will not get to argue about its intentions. It will get to show what it did—the access logs, the signed agreements with the whistleblower notice intact, the deletion confirmation, the enforcement record. The perimeter has disappeared. The value of trade secrets has not, and neither has the obligation to protect them through measures a court will recognize as reasonable.
This article is for informational purposes only and is not legal advice. Trade secret strategy must be tailored to specific facts, and the law in this area—including the status of non-compete agreements and the reach of the CFAA after Van Buren—continues to evolve. For help developing or updating a protection program, please contact our intellectual property and technology practice.
Selected Authorities
Statutes and rules: Defend Trade Secrets Act, 18 U.S.C. §§ 1831–1839 (including § 1833(b) whistleblower immunity, § 1835(b) sealing, and § 1836(b)(2) civil seizure); Uniform Trade Secrets Act (1985); Economic Espionage Act; Computer Fraud and Abuse Act, 18 U.S.C. § 1030; FTC Non-Compete Clause Rule, 16 C.F.R. pt. 910 (2024) (vacated).
Cases: PepsiCo, Inc. v. Redmond, 54 F.3d 1262 (7th Cir. 1995); Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279 (11th Cir. 2018); Farmers' Edge Inc. v. Farmobile, LLC, 970 F.3d 1027 (8th Cir. 2020); Hagler Systems, Inc. v. Hagler Group Global, 2020 WL 2042484 (S.D. Ga. 2020); Van Buren v. United States, 593 U.S. 374 (2021); DM Trans, LLC v. Scott, 38 F.4th 608 (7th Cir. 2022); CaramelCrisp LLC v. Putnam, 2022 WL 1228191 (N.D. Ill. 2022); Red Wolf Energy Trading, LLC v. BIA Capital Management, LLC, 2022 WL 4112081 (D. Mass. 2022); Apple Inc. v. Rivos, Inc., 2023 WL 5183034 (N.D. Cal. 2023); MGA Home Healthcare Colorado, LLC v. Thun (D. Colo. 2023); DraftKings Inc. v. Hermalyn, 118 F.4th 416 (1st Cir. 2024); Fujikura Composite Am., Inc. v. Dee, 2024 WL 3261214 (S.D. Cal. 2024); Heritage Fence Co. v. Malin, 2024 WL 5047468 (E.D. Pa. 2024); TileBar v. Glazzio Tiles (E.D.N.Y. 2024); TMG of Delaware, Inc. v. Mikkola (D.N.J. 2024); Ryan, LLC v. FTC (N.D. Tex. 2024) (vacating FTC non-compete rule; appeals withdrawn Sept. 2025).
Secondary sources: Hannah E. Brown, Rethinking "Reasonableness": Protecting Trade Secrets in a Remote Work Environment, 30 J. Intell. Prop. L. 268 (2023); Senate Report on the Defend Trade Secrets Act of 2016; Practical Law, Protection of Employers' Trade Secrets and Confidential Information and DTSA Issues and Remedies Checklist; contemporary practitioner analyses (2024–2026) of the FTC non-compete rule's vacatur. Case postures change quickly; confirm current status before relying on any matter described here.