By: Leo K. Barnes Jr.[1]
Most business owners have the contact information for a trusted attorney for when things go wrong. But prudent, successful business owners are proactive, rather than merely reactive, and know that an investment in counsel before things go wrong (the proverbial ounce of prevention) can have the long term, lasting benefit of avoiding problems arising (the pound of cure). In that regard, in analyzing claims of theft of trade secrets and confidential business information, federal courts are scrutinizing the steps taken by businesses to protect such information before any theft even takes place, and summarily dismissing claims when the requisite effort falls short. Stated differently, if a business did not undertake the ounce of prevention – if it did not bring in that good attorney, it may be barred from any cure.
In a recent case on this point, Negative, Inc. v. McNamara, 2025 WL 814755 (E.D.N.Y. 2025), the plaintiff business alleged that it gave the defendant, a freelance contract worker providing demand planning services, access to information maintained on the plaintiff’s Google Drive and Shopify user account (a sales platform). Then, using this access, the defendant allegedly changed certain program settings in order to secretly download the following: (1) customer contact and sales information; (2) information regarding supplier relationships; (3) financial information concerning costs of goods and pricing; (4) marketing strategies; (5) pricing strategies; (6) information for managing inventory, logistics, and distribution; (7) business plans; (8) tech packs for the manufacture of products; and (9) non-public product designs and drawings for future products. Then, with this information in hand, the defendant allegedly left the plaintiff and established a competing business.
When the defendant’s actions were discovered, the plaintiff brought suit in federal court for violations of the federal Computer Fraud and Abuse Act (“CFAA”) and the Defend Trade Secrets Act (“DTSA”), along with claims of misappropriation of trade secrets, conversion, unfair competition, and unjust enrichment. The defendant, in turn, filed a motion to dismiss for failure to state a claim, which the Negative Court not only granted, but it also dismissed the CFAA and DTSA claims with prejudice.
At face value, the defendant’s misappropriation intuitively appears sufficient to sustain the plaintiff’s claim at least through the pleading stage. Why, then, did the plaintiff’s claims here fail? As explained by the Negative Court, both the CFAA and the DTSA require more than just a defendant’s wrongdoing. Equally necessary is that the victimized business must have kept its proverbial door locked, with technology, physical means, and contractual agreements. In fact, as per Negative, those measures must be factually pled in a plaintiff’s initial complaint.
As shown in Negative, the nature of the requisite protective measures can also be easily misunderstood. For example, the Negative Court found the plaintiff’s CFAA claim failed to “plausibly allege” that the defendant accessed the plaintiff’s computer system “without authorization” or that her access “exceeded authorized access.” Citing the recent Supreme Court decision Van Buren v. United States, 593 U.S. 374 (2021), the Negative Court explained that “authorized access” under the CFAA is defined by the areas of the computer system into which the defendant was allowed, in a “gates-up-or-down inquiry.” Therefore, even though the defendant did not need to access the plaintiff’s customer list (among other things) for her work, and she was certainly not authorized to take the plaintiff’s private information and use it to set up a competing business, the fact that she was generally allowed on the plaintiff’s Google Drive and Shopify user account was sufficient “authorized access” to defeat a CFAA claim.
In an even sharper instance of legal requirements defeating the plain meaning of business terms, the Negative Court also found that the plaintiff’s DTSA claim failed to establish that the above-listed information constituted “trade secrets.” The Negative Court even admitted that it is “well established” that in the business world this “type” of “information such as customer lists, pricing strategies, and product designs satisfy this element of a ‘trade secret,’” but as per the DTSA, the plaintiff also must have “taken reasonable measures to keep such information secret.”
While admitting that the DTSA gives scant guidance on what such measures should have been, the Negative Court found the following insufficient as a matter of law: “that [the plaintiff’s] Google Drive and Shopify account require an intentional sign-in with multiple authentication factors; that the files [the defendant] accessed were not accessible to all [the plaintiff’s] employees or contractors, and the access to those files is controlled on a ‘need-to-know’ basis; that some of the files [the defendant] retained would be shared in a ‘for-eyes-only format,’ meaning they could not be downloaded or printed; that when someone stops working for [the plaintiff], [the plaintiff] terminates their file access; and that when [the plaintiff] became aware [the defendant] had downloaded information, they demanded its return.”
Even further, while the Negative Court referenced that the plaintiff had not directly and explicitly told the defendant that the information she took was secret or confidential, the Court also cited precedent that simply verbally informing her would also not have been enough. In short, the Negative Court’s decision means that in order to protect trade secrets, written confidentiality agreements, along with physical protective measures, are essentially mandatory to state a viable claim.
On the bases of these failure of prevention alone then, the plaintiff’s claims were dismissed. The Negative Court’s decision did not even reach the actions of the defendant – her considerable alleged wrongdoing did not rescue the plaintiff’s claims.
Importantly though, while the Negative Court’s decision may be disconcerting, it is also useful for business owners setting parameters for granting anyone accessing their confidential information and trade secrets, especially in computer networks or online. The Negative decision makes it crystal clear that best practice means not only consulting a cyber security expert, but also that good lawyer, not only to get up those contractual protections, but as a guide to the currently evolving legal standards. After all, an ounce of prevention is worth a pound of cure.
[1] Mr. Barnes, a member of Barnes & Barnes, P.C. in Melville, practices commercial litigation and can be reached at [email protected]
