The Case: A Cautionary Tale

Imagine your company’s most valuable secrets walking out the door—your proprietary technology, customer lists, financial projections—all in the hands of someone who no longer works for you. That’s what allegedly happened in one recent case, a cautionary tale of trade secret theft.

The plaintiff was a promising biotech startup focused on automating biotech R&D. Like many startups, they needed funding, so they allegedly hired a CFO who claimed to have connections with a Stanford professor who could help secure investment. As part of the onboarding process, the CFO signed a confidentiality agreement. Standard practice, right?

Fast forward: The CFO allegedly didn’t deliver, and the company let him go. That’s when things took a turn.

Immediately after his termination, the former CFO allegedly accessed sensitive company data. Using desktop programs, the Complaint (see below) alleges he copied proprietary documents and trade secrets to his personal cloud storage. He then allegedly started a competing company and pitched investors using Trilobio’s stolen IP.

The plantiff sued, and the court granted a Temporary Restraining Order (TRO), agreeing that there was a strong likelihood that the theft occurred. The case is ongoing, but the damage is done. So what can we learn from this?

The “Need to Know” Principle: Why It Matters

Let’s be real—many startups operate on trust. But trust doesn’t prevent insider threats. The “need to know” principle dictates that employees should only have access to the data required for their specific job functions.

Here’s why it’s essential:

• Reduces insider threats: If employees don’t have access to sensitive data they don’t need, they can’t steal it.
• Minimises external attack risk: Fewer access points make it harder for hackers to infiltrate your systems.
• Enhances compliance: Many regulations require strict data access controls.

In the plaintiff’s case, did the CFO need access to detailed engineering schematics? Unlikely. Had the company applied “need to know” principles, could the damage could have been prevented?

Access Control: Putting “Need to Know” into Practice

To apply this principle, businesses must implement access controls. Here’s what that looks like:

1. Role-Based Access Control (RBAC)

Assign permissions based on job roles (e.g., Engineers don’t need access to financial data, and CFOs don’t need access to proprietary hardware designs). This is the best approach for SMBs.

2. Access Control Lists (ACL)

Specify which users or groups can access specific files or databases. Useful for more granular control but can become complex.

3. Information Protection Program

Classify data as Confidential, Internal, or Public (or similar) and apply technical controls accordingly – see below. You might also want to read my previous article on how confidential information is compromise.

How is confidential information compromised?

4. Technical Controls to Implement

• Multi-Factor Authentication (MFA): Essential for protecting sensitive accounts.
• Least Privilege Principle: Give employees the bare minimum access needed.
• Regular Access Reviews: Audit permissions periodically and remove unnecessary access.
• Data Loss Prevention (DLP) Tools: Prevent unauthorised data transfers.
• Endpoint Detection and Response (EDR) Software: Monitor and prevent data exfiltration.
• Data Encryption: Ensures that even if stolen, the data remains unreadable.

Had the plaintiff restricted access and implemented controls like these, it would have been much harder for the CFO to (allegedly) exfiltrate sensitive files so easily. Perhaps this reputational damage and legal fees could have been avoided, or at least minimised, and the founders could have got on with core business.

Practical Steps for Founders & Business Owners (Your Call to Action)

Startups and SMBs are prime targets for trade secret theft. If you think it can’t happen to you, think again. Implementing access controls and information security measures is not optional—it’s essential for survival and growth.

If you’re in knowledge-intensive industries like DeepTech, Life Sciences, MedTech, Biotech or Digital Health, don’t wait until a former employee walks off with your IP. Take action now and protect what you’ve built.

Further Reading

• Dynamic Standards International (2025). A multi-tiered cybersecurity certification standard for small and medium-sized businesses, international edition. SMB1001:2025 Standards
• ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
• Curwell, P. (2021). How is confidential information compromised?

DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.