Corporate Espionage: How to Document Trade Secret Theft with Court-Ready Digital Evidence
A senior engineer resigns on a Friday. By Monday, the security team has worked out that, in his last 72 hours of access, he pulled the full source repository to a personal cloud folder, forwarded three R&D specifications to a Gmail address, and dropped a customer pricing list onto a USB drive. So far, so bad. The harder question is whether the company can prove any of it in court without the judge tossing the evidence out, and without becoming a defendant itself in a parallel privacy or workplace monitoring claim.
That second part is what catches most employers off guard. Sloppy collection of corporate espionage evidence does more than weaken a civil case. It can flip the litigation, trigger GDPR exposure, and turn what looked like a clean trade secret theft into a contested mess where the court refuses to read the most damning logs because of how they were pulled. As covered in our guide on court-ready evidence for private investigations, the rule sounds simple but is hard to apply: digital evidence holds up only when it's acquired with forensic methodology and inside the legal boundaries that govern workplace monitoring.
Under both US and EU frameworks, corporate espionage isn't just a breach of contract. It is criminal and civil at the same time. In the United States, the Defend Trade Secrets Act of 2016 (18 USC 1836) gives trade secret owners a federal civil cause of action, and the Economic Espionage Act (18 USC 1831 for state-sponsored theft, 18 USC 1832 for commercial misappropriation) makes it a felony with multi-year prison terms. In the EU, Directive 2016/943 harmonised civil protection across member states, with criminal exposure routed through national computer crime statutes.
What constitutes corporate espionage under EU and US law
Corporate espionage is the unauthorised acquisition, use, or disclosure of information that a business has taken reasonable steps to keep confidential and that has commercial value because it is not public. The category is wider than the cinematic version. It covers the disgruntled employee who walks out with the customer database. It covers the supplier who reverse-engineers a manufacturing recipe. It also covers the competitor who hires a whole team to extract know-how through the back door. Whether any of this becomes a legal claim turns on one threshold question: does the information qualify as a trade secret?
Trade secret vs general know-how vs public information
Not every internal document is a trade secret. Courts draw clear lines between three categories, and the distinction decides whether the case even gets off the ground.
| Category | Definition | Legal protection | Typical examples |
|---|---|---|---|
| Trade secret | Information with independent economic value, not generally known, subject to reasonable secrecy measures | Full DTSA / EU Directive 2016/943 protection | Source code, customer pricing models, manufacturing parameters, unreleased product roadmaps |
| General know-how | Skills and experience an employee accumulates during normal work | No proprietary protection; portable with the worker | Industry best practices, soft skills, generic technical competence |
| Public information | Disclosed in patents, marketing materials, public filings, conference talks | None | Published specs, marketing brochures, expired patents |
Under DTSA Section 1839(3), a trade secret has to satisfy three cumulative conditions: (1) the information derives independent economic value from not being generally known, (2) the owner has taken reasonable measures to keep it secret, and (3) it is not readily ascertainable by proper means. EU Directive 2016/943, Article 2(1), mirrors these three requirements almost word for word. That is why cross-border trade secret disputes between US and EU courts increasingly converge on similar evidentiary expectations.
The burden of proof: what the employer must demonstrate
Civil trade secret claims under DTSA run on a preponderance of the evidence standard. The plaintiff has to show it is more likely than not that the defendant misappropriated the information. Criminal prosecutions under the Economic Espionage Act demand proof beyond a reasonable doubt, which is why most companies start in civil court and let federal prosecutors decide whether to add a parallel criminal track.
The employer has to prove four things. The information qualifies as a trade secret. Reasonable secrecy measures were in place. The defendant acquired or used the information through improper means. And the timing of the alleged misappropriation matches the available technical evidence. That last element is where digital forensics decides the case. A log entry showing a 2 AM file download three days before resignation tells a story. A log reconstructed two weeks later from a copy-paste into a spreadsheet does not.
Unfair competition and the disloyal employee
Even when information falls short of the trade secret threshold, the conduct can still be actionable. Most US states recognise tortious interference with business relations and breach of the duty of loyalty. EU member states apply general unfair competition principles harmonised through Directive 2005/29/EC. The evidentiary bar is lower, but so is the recoverable damage. For a company that lost a bid because a former sales lead handed the proposal to a competitor, the unfair competition route is often more pragmatic than fighting over whether the proposal qualifies as a trade secret in the strict sense.
Turning a technical signal into admissible digital evidence
The gap between knowing something happened and proving it in court is almost always evidentiary. Internal IT teams pull logs, take screenshots, export email headers, and drop the lot in a folder on a shared drive. Then defence counsel walks in and asks whether anyone can demonstrate that the timestamps were not modified, that the screenshots were taken on the dates claimed, and that the chain of custody is unbroken. If the answer involves the words "we trust our admin," the evidence is already in trouble.
Typical sources and their forensic transformation
| Source | Raw signal | Forensic transformation | Reference standard |
|---|---|---|---|
| System and access logs | SIEM exports, file server audit trails | Hash + qualified timestamp on log file at moment of acquisition | ISO/IEC 27037, FRE 902(13)-(14) |
| Email | Native EML / MSG with full headers | Forensic copy of mailbox + header preservation | ISO/IEC 27037, FRE 901(b)(4) |
| USB and removable media | Endpoint DLP events, registry artifacts | Bit-by-bit image of source disk + write-blocker | ISO/IEC 27037, FRE 901(b)(9) |
| Cloud folder activity | API audit log from Google Drive, OneDrive, Box | Timestamped snapshot of API response with cryptographic seal | eIDAS qualified timestamp, FRE 902(14) |
| Screen and browser sessions | Live observation of a still-active session | Certified screen capture from forensic browsing tool | eIDAS, ISO/IEC 27037 |
The hash, qualified timestamp and chain of custody triad
Digital evidence becomes admissible in court when three conditions are satisfied at the moment of acquisition, not afterwards. First, a cryptographic hash (SHA-256 or stronger) anchors the bit content of the file or capture, so any later modification is mathematically detectable. Second, a qualified electronic timestamp under eIDAS Regulation (EU) 910/2014 binds that hash to a specific moment in time, with legal value across all member states. Third, an unbroken chain of custody, documented as required by ISO/IEC 27037, traces who handled the evidence and how. US courts admit the same package under FRE 901 (authentication) and FRE 902(13)-(14), the self-authentication rules for electronic records covered by certified hash and chain-of-custody documentation.
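The hash and chain-of-custody parts of the triad can be shown in a few lines. This is an added example, not TrueScreen's code or package format: it hashes an acquired artefact, records each handling step in a hash-linked custody log, and reports any later change to the evidence or to the log. All function names, actors and the sample log line are constructed for illustration; the qualified timestamp is not reproduced because it has to be issued by a trust service provider.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Canonical JSON of every field except the digest itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def add_custody_entry(log, actor, action, evidence_hash, time_utc):
    # Each entry commits to the evidence hash and to the previous entry.
    entry = {"seq": len(log), "time_utc": time_utc, "actor": actor,
             "action": action, "evidence_sha256": evidence_hash,
             "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify(log, evidence: bytes) -> list:
    """Return a list of problems; an empty list means hash and chain agree."""
    problems, prev, current = [], GENESIS, sha256_hex(evidence)
    for e in log:
        if e["prev_entry_hash"] != prev:
            problems.append(f"entry {e['seq']}: broken link")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: entry altered")
        if e["evidence_sha256"] != current:
            problems.append(f"entry {e['seq']}: evidence hash mismatch")
        prev = e["entry_hash"]
    return problems

# Constructed sample: one line of a file-server audit export, as acquired.
EVIDENCE = b"2024-01-05T02:03:11Z user=jdoe action=download path=/repo/full.zip\n"

def build_sample_log():
    log, h = [], sha256_hex(EVIDENCE)
    # Times are caller-supplied constructed values; a qualified timestamp
    # would instead come from a trust service provider over the hash.
    add_custody_entry(log, "analyst-1", "acquired SIEM export", h, "2024-01-08T09:00:00Z")
    add_custody_entry(log, "counsel-1", "received sealed copy", h, "2024-01-09T14:30:00Z")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log, EVIDENCE))            # intact package
    print(verify(log, EVIDENCE + b"x"))     # evidence modified after sealing
```

The last entry in a chain like this can still be rewritten together with its own digest, which is why the head of the log needs an external anchor such as the qualified timestamp described above.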
What courts say about device-extracted evidence
US federal courts have repeatedly held that screenshots and copy-pasted content are admissible only when accompanied by testimony or technical authentication establishing how and when they were captured. Lorraine v. Markel American Insurance Co., 241 F.R.D. 534, still holds the canonical analysis for the FRE 901 threshold, and it is the case most defence counsel will reach for first. On the EU side, the principle of forensic copy, codified in ISO/IEC 27037 and embraced by national courts across France, Germany and Italy, treats a non-forensic screenshot as a starting indication. It is not, on its own, enough to support a trade secret claim.
Boundaries you cannot cross: GDPR Article 88 and lawful workplace monitoring
Workplace monitoring is lawful only when it satisfies four cumulative conditions: a clear legal basis grounded in either employment contract or legitimate interest, transparency through prior notice to workers, proportionality between the monitoring intensity and the risk addressed, and a Data Protection Impact Assessment when systematic monitoring is involved. GDPR Article 88 explicitly leaves room for member states to add specific protective rules, which means a monitoring practice that is lawful in one EU country may be unlawful in another. Investigations that cross this line do not just lose evidentiary weight: they can become the basis of a counterclaim or a regulatory fine that dwarfs the trade secret damages.
What changed with NIS2 and EU employee monitoring rules
NIS2 (Directive (EU) 2022/2555), in force since October 2024, raised baseline cybersecurity obligations for medium and large entities and pushed companies to deploy stronger logging and incident response capabilities. The trade-off is uncomfortable. More granular logging means more personal data captured about employees, which raises the GDPR Article 88 stakes. A company that turns on full endpoint telemetry without updating its acceptable use policy and DPIA is buying litigation risk in exchange for security maturity.
When internal investigation crosses into unlawful access
Pulling a former employee's personal Gmail because the laptop was logged in is not investigation. It is unauthorised access under the Computer Fraud and Abuse Act (18 USC 1030) in the US and under national equivalents of the EU Cybersecurity Directive across the EU. Investigators have to stay on accounts, devices and data the company actually owns, with documented policies establishing the boundary in advance.
How TrueScreen seals corporate espionage evidence at source
When the security officer discovers an unauthorised file copy on a USB drive, an email forwarded to an external domain, or access to a restricted cloud folder, the evidence exists only as volatile data on the corporate system. A simple copy or a regular screenshot is editable, and any defence lawyer will say so. TrueScreen, the Data Authenticity Platform, works further upstream. The operator captures system logs, screen views, files and metadata directly through the mobile app, the Forensic Browser, or the Chrome Extension, and every piece of evidence is sealed at the moment of acquisition with cryptographic hash, eIDAS qualified timestamp, and geolocation. The chain of custody is documented automatically following ISO/IEC 27037. The resulting evidentiary package is verifiable by any third party, admissible in civil and criminal proceedings under FRE 901/902 and EU equivalents, and resistant to the tampering objections that defeat digital evidence collected late in the timeline.
Certified capture from app, Forensic Browser, and Chrome Extension
The same forensic methodology applies across three acquisition surfaces. The mobile app is the right tool when the operator has to document a physical artefact: a USB drive plugged into a workstation, a printed document on a desk, an unlocked screen during a walkthrough. The Forensic Browser handles cloud folders, webmail, SaaS dashboards and any web-resident evidence, capturing the full session, including network responses. The Chrome Extension lets investigators seal individual web pages, threads or social posts inline, without changing tools.
The verifiable evidentiary package
Each acquisition produces a self-contained package: original artefact, cryptographic seal, qualified timestamp, geolocation, and a chain-of-custody report formatted to ISO/IEC 27037. The package does not live only inside TrueScreen. It can be exported, handed to opposing counsel, and verified independently with the public verification tool. That is what turns ordinary internal IT work into certified private investigations suitable for civil suits, criminal complaints and regulatory filings.

