Popcorn Recipe Case Highlights Niche Trade Secret Theft Risk
This company protected its sensitive data with biometric thumbprint scanner but still managed to suffer trade secret theft after a former director of research allegedly stole gigabytes of data on its recipes.
We've heard plenty of stories over the last several years about former employees making off with highly technical data before leaving their job. Insiders have pilfered proprietary algorithms, source code, and programming language scripts, all before cutting ties, many hoping the data will help give them a leg up at their next job.
Trade secrets can take many forms however; they can also refer to proprietary formulas and recipes, sensitive data that's not only critical to day-to-day operations but integral to a company's legacy.
We were reminded of this just two weeks ago when Garrett Popcorn Shops, a brand that's almost as synonymous with Chicago as Lou Malnati's and Old Style, filed a lawsuit against its former director of research and development alleging she absconded with more than 5,400 files, roughly three gigabytes of data, having to do with its recipes, secret formulas, and other trade secrets.
The ex-employee, Aisha Putnam, worked for the company for four years and was one of three with the highest access to the company’s most confidential information and trade secrets. Putnam worked for CaramelCrisp – the parent company of Garrett and the company that filed the lawsuit – until she was terminated in March, earlier this year.
According to the complaint, filed in the U.S. District Court for the Northern District of Illinois on April 22, Putnam got news that the company was planning to relieve her from her duties on March 7. Days prior to that, she began copying data to a personal external USB drive which she took home. She also, around March 5, sent emails to her personal email account with documents attached. Putnam sent five emails, with the subject line "documents Garrett" no less, to herself, with 43 different attachments.
Some of the data Putnam emailed herself included files on "recipes, batch pricing, product weights, production processes, development and distribution agreements, supplier information, customer service reports and market research," according to the court filing.
Putnam told the company she deleted the data after being engaged by the company but refused a forensic review of her electronic devices, something which helped spur the lawsuit.
“The release of confidential and trade secret information, especially CaramelCrisp’s proprietary popcorn formulas, processes and recipes, would be severely detrimental to CaramelCrisp’s business. Any dissemination of such information would cause irreparable harm to CaramelCrisp because once it has been shared there is no way to “undo” the disclosure,” Martin Carroll, one of CaramelCrisp's attorneys wrote in the complaint.
Like many of these cases, it wasn’t like the company didn’t take efforts to protect its trade secrets.
Putnam signed two confidentiality agreements and one non-compete with the company, documents that bound her from disclosing confidential company information.
The company also kept its recipes on a secure drive, under a setup that’s tantamount to lock and key. Putnam and two others – its CEO and its Vice President, Lead Chef, Global Innovation - were required to verify their identity with a biometric thumbprint to access the folder containing the sensitive data.
According to the complaint, the company's IT department realized something was awry during an analysis of her machine on or around March 22, weeks after Putnam left the company. This is despite Putnam taking efforts to hide her activity, like deleting nearly everything from her computer in the days leading up to her termination, another action that went against a compliance agreement she signed.
While CaramelCrisp maintained stringent security measures, the fact the company’s IT department couldn’t fully grasp Putnam’s activity until over two weeks after she had left is unfortunate. It’s possible that by deploying a solution that can flag anomalous behavior and block actions - like copying files to a USB drive, sending certain documents via email, and deleting troves of data - the company could have caught Putnam’s actions in real time and saved itself from this scenario.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business