A Playbook for Protecting Trade Secrets in the Modern Digital Age and Under Pennsylvania Law

Trade secrets are the lifeblood of many companies. Whether in the form of research and development, compilations of data, key internal strategies, innovative formulae or processes, unique methodologies, or even financial information, virtually every business has to keep confidential information protected to maintain long-term growth and profits, as well as to maintain and improve the company’s position in the market against competitors. But in the modern digital age, where virtually all information is stored electronically, one of the greatest risks for potential misappropriation or exploitation of a company’s trade secrets is through devices, applications, and systems that employees and contractors use every single day. As the legal and technological landscapes continue to evolve, and as new means of storing and exfiltrating data emerge, companies must take proactive steps to ensure that their trade secrets are protected and that access to them is appropriately restricted and monitored.

Pennsylvania’s version of the Uniform Trade Secrets Act (like its federal companion, the Defend Trade Secrets Act) provides substantial protections and a broad array of remedies. However, a company typically must engage in lengthy, costly litigation to avail itself of those statutory remedies. Litigation also often arises as an option after the damage is already done, and litigation itself can risk disclosure and public airing of the very trade secrets at issue. As a result, protecting valuable trade secrets from inception, and in the right way, remains the best practice to avoid litigation in the first place.

Businesses can and should take proactive steps to safeguard valuable business assets, including:

• integrating strong, enforceable contractual protections for trade secrets and other sensitive, confidential business information, and carefully navigating the related pitfalls under applicable state law;
• developing integrated teams and robust information security and monitoring policies, tools, and practices to facilitate monitoring and tracking of access to and potential exfiltration of electronically stored data; and
• using those strong contractual and data protections to identify and address potential misappropriation through early investigation and remediation.

By taking these steps, those operating under Pennsylvania law can take advantage of the full protections of applicable trade secrets laws and supplement those legal tools with added contractual safeguards and remedies, better positioning themselves up for short- and long-term success in court, if litigation is necessary.

Developing strong, enforceable contracts to protect trade secrets

A foundational step to protecting trade secrets and other sensitive, confidential business information is implementing strong contractual protections as a supplement to the protections existing under Pennsylvania common law and applicable state and federal statutes. The most common contractual provisions – including confidentiality and non-disclosure terms, return-of-property obligations, invention/assignment provisions, and post-employment restrictive covenants (eg, non-competition and non-solicitation obligations) – are valuable and typically a prerequisite to establishing that a company has taken appropriate and “reasonable” steps to protect the secrecy of information it contends should be treated as trade secrets under applicable law. Companies must, however, take care to draft and implement these agreements in a way that avoids common pitfalls while providing the strongest protections possible and the best footing should litigation be required.

Starting strong: implementing agreements with key employees

Agreements that limit activities post-employment (or post-transaction) are often the best way to prevent departing key employees or former business partners from being in a position that places a company’s trade secrets at risk. However, because these restrictions limit competitive activities, they are scrutinised more closely, and they are subject, particularly under Pennsylvania law, to unique procedural requirements.

As just one example, Pennsylvania has long enforced a bright-line, minority rule that leaves companies without the ability to restrict the competitive activities of employees who either (i) failed to execute non-competes or non-solicitation obligations on or prior to the first day of employment or (ii) were not provided additional valuable consideration after starting employment sufficient to support such an agreement. In Rullex Co., LLC v Tel-Stream, Inc., the Pennsylvania Supreme Court recently recognised that “in the business world events can move faster than paper” and held that in order for restrictive covenants signed shortly after commencement of employment to be enforceable, the parties must have had a “meeting of the minds” such that they “agreed to its essential provisions as of the beginning of the relationship”. 232 A.3d 620, 626-27 (Pa. 2020).

Practically speaking, the Supreme Court’s ruling in Rullex confirms that restrictive covenants in the employment context must be signed before commencement of employment and should, as a best practice, be provided to a prospective employee with the offer of employment to avoid any dispute over the terms of employment and the enforceability of the restrictive covenants. If a company fails to do so, separate valuable consideration must be provided to ensure enforceability, just as has always been required for agreements presented to employees after the commencement of employment.

Historically, these same procedural requirements have not applied to routine confidentiality and invention assignment obligations under Pennsylvania law. But, as with courts across the country, Pennsylvania courts have started to consider whether the bright-line standard from Rullex also implicates confidentiality clauses used to protect trade secrets and other sensitive, confidential business information. In West Shore Home, LLC v Graeser, for instance, a federal court in Pennsylvania surveyed state and federal cases and found that confidentiality clauses are likely to be treated differently than non-competition and non-solicitation covenants under Pennsylvania law. 661 F. Supp. 3d 356, 368-71 (M.D. Pa. 2023). But this issue has not been clearly decided in Pennsylvania state courts as of this date, leaving the question of whether the Rullex standard should also apply to standard confidentiality agreements unsettled – though West Shore provides helpful guidance.

When an existing employee advances to a higher-level position in which the individual will have greater exposure to or control over a business’s trade secrets, protection through an agreement containing appropriately tailored confidentiality obligations and restrictive covenants like non-competes and non-solicits is imperative. Given the bright-line standards discussed above, companies subject to Pennsylvania law must therefore ensure that distinct, additional valuable consideration is provided to support the covenants’ enforceability. It is beyond challenge that continued at-will employment or maintenance of the same compensation is inadequate alone to constitute sufficient consideration.

Instead, a beneficial change in employment status, like a promotion, long-term incentive plan or other bonus eligibility, base compensation increase, equity or phantom equity award (vested or subject to a vesting schedule), severance, or other new terms favourable to an employee are commonly used as additional consideration to support restrictive covenants with existing employees. As with any contract, the best practice is to reference and memorialise the consideration that is being exchanged for the restrictive covenants in the document itself, and the consideration should not be provided unless and until the employee agrees to the restrictions at issue, establishing a “meeting of the minds” of the sort envisaged by the court in Rullex.

Preserving rights to assign restrictive covenants

In addition to considering an individual employee’s agreements, businesses also have to consider what happens to restrictive covenants during corporate transactions, such as acquisitions. Here, too, Pennsylvania has a unique requirement. Under Pennsylvania law, assignments of restrictive covenants to third parties are not generally enforceable without the consent of an employee. That is significant in the realm of corporate transactions because, in an equity transaction, the covenants generally flow automatically to the new buyer; but, if there is a change in the legal employer as a result of the transaction or a related corporate reorganisation, or if the acquisition is, instead, an asset purchase, there can be unintended enforceability risks. Even though a company may have acquired the trade secrets and other sensitive, confidential business information, intellectual property, and goodwill upon which the restrictive covenants are based – and may have even expressly acquired the restrictive covenant agreements – there is often a question over whether the relevant employees’ agreements permit assignment of rights to third parties.

Pennsylvania courts have long held, unlike some other jurisdictions, that restrictive covenants, including non-competes in employment agreements, are not assignable to the purchasing entity unless there is an express assignability provision in the employee’s agreement. See, eg, Hess v Gebhard & Co, Inc., 808 A.2d 912, 922-23 (Pa. 2002). This standard has consistently been applied by Pennsylvania trial and appellate courts for years, and a new twist on the issue recently arose in McCarthy and Company, Inc. v Pollen, 343 A.3d 231 (Table), 2025 WL 1743726 (Pa. Super. Ct. June 24, 2025).

In McCarthy, the restrictive covenants at issue were not contained in an employment agreement, but were instead incorporated directly into the asset purchase agreement pursuant to which the plaintiff purchased the assets of another firm. The plaintiff subsequently planned to sell its assets to a third-party firm. Shortly before that third-party sale, employees from the firm whose assets plaintiff had previously acquired were offered employment with the third-party firm. But days after the sale was executed, those employees resigned, formed their own company, and allegedly took dozens of clients with them.

Applying the rationale of Hess, the Pennsylvania Superior Court found that the plaintiff, which had sold its goodwill as part of the asset purchase agreement to the third entity, did not have rights to enforce the restrictive covenants with that group of former employees because the plaintiff’s right to retain the “goodwill, revenues, and profits from existing clients” was “too attenuated” to be protectable. McCarthy, 2025 WL 1743726 at *8. Since that decision, the Supreme Court granted the petition for appeal and will take up the issues. See McCarthy and Company, Inc. v Pollen, 2026 WL 111839 (Pa. Jan. 15, 2026) (per curiam). Time will tell whether the Pennsylvania Supreme Court will alter the law in this area on appeal.

Had the restrictive covenant agreements been expressly assignable and assigned by the plaintiff, or had the third-party purchaser signed new agreements with the employees in connection with the asset purchase, there likely would have been a different outcome. Although we await clarity on appeal, that difference in approach illustrates the care that should be taken by companies seeking to “acquire” and enforce restrictive covenants in connection with an asset purchase transaction, reorganisations, or other corporate transactions resulting in a change in the individual’s legal employer.

Building teams, practices, and policies to protect trade secrets and support remediation and, if necessary, litigation

Contractual protections of trade secrets, ranging from confidentiality provisions to non-competition and non-solicitation covenants, provide a wide array of protections for companies if properly scoped and implemented. However, a central issue in trade secrets litigation (and other cases concerning sensitive, confidential business information) is whether the information at issue was subject to “reasonable” measures to keep it secret and protected.

When companies make information public, allow it to be accessed without restrictions, or fail to restrict and police the activities of employees handling the data at issue, they risk misappropriation, misuse, and loss of trade secret protection over these valuable business assets. Therefore, in addition to implementing agreements with employees that restrict their use or disclosure of confidential information and bar engagement in certain post-employment competitive activities, it is essential for companies to (i) adopt practical, modern technological safeguards, policies, software, and practices to monitor and restrict access and exfiltration and (ii) to align information and technology teams (information governance, information technology, data security, etc) with legal and investigative teams.

These steps enable a company to streamline processes that effectively, quickly, and accurately identify and assess data theft and misappropriation when it occurs, and to flag the issue and escalate it to relevant stakeholders to ensure appropriate remediation or legal actions are taken. If necessary, an investigation may require retaining outside legal counsel and third-party forensic vendors to ensure that all of the data – in all of the forms that it may have been taken – is ultimately identified, retrieved, and removed from any non-company device or storage application.

Ensuring the adoption of such tools for success is essential and may include the following:

• providing company-issued devices to employees to control and monitor company information, or implementing employer-controlled “sandbox” programs that protect and manage data on non-company devices;
• using device-specific hardware limitations that prevent employees from accessing company data or devices with outside USB devices (eg, thumb/flash drives or external hard drives);
• imposing restrictions on the use of cloud data storage platforms (eg Box, Google Drive, iCloud, or OneDrive) that are not explicitly associated with the company;
• developing acceptable use policies that outline how company information must be treated;
• monitoring data repositories and user activity, including logs of user’s access or downloading activities and the dates, times, devices, and IP addresses associated with such activity;
• investing in security programs or systems that automatically trigger a report when employees commit, or attempt, a mass downloading or transfer activity involving sensitive databases or data;
• maintaining forensically sound images of departing employees’ company-issued devices and backups of their IT environments upon separation and before reformatting the devices or reissuing them to other employees;
• executing policies and contracts requiring departing employees to return all company devices, data, and other property and to co-operate in any necessary forensic remediation,
• executing policies and contracts requiring departing employees to provide notice of their contractual obligations to any prospective employer, as well as notice to the company of any prospective employment; and
• conducting timely analysis of returned devices and employee emails or accounts to assess the risk of potential exfiltration and evidence of misappropriation – including contracting with in-house or outside forensic vendors and legal teams as necessary.

While the above are only examples, they provide capabilities to protect trade secrets and other sensitive, confidential business information and enable companies to assess the availability of legal tools to address any potential misappropriation. And should litigation be necessary, the information yielded from these processes and procedures is likely to promote and expedite litigation success.

Executing the information protection strategy: the onus is on the company

Inevitably, there will be instances when former employees leave a company and take or retain trade secrets or other sensitive, confidential business information – whether inadvertently or intentionally. In either case, the company needs to be prepared to detect when this has occurred and to address the issue, including scaling their response to the potential misappropriation. This preparation is all the more essential because the onus to enforce policies and practices and address any theft lies with the company itself. That burden carries over should litigation be necessary, requiring that companies have the information necessary to plead a claim for misappropriation of trade secrets and to meet the standard for receiving interim equitable relief, such as an injunction or forensic inspection.

Even where misappropriation is not prevented, the information yielded from hands-on monitoring and detection is beneficial to companies when litigation is ultimately required, especially in trade secrets litigation in federal court in the Third Circuit, which has joined the growing majority of federal courts requiring plaintiffs to identify the trade secrets and alleged misappropriation with particularity. See, eg, Mallet and Company Inc. v Lacayo, 16 F.4th 364 (3d Cir. 2021) (holding that general descriptions of categories of trade secrets were insufficient to uphold a preliminary injunction). And while courts applying this standard have observed that a company does not need to have “direct evidence tying each trade secret to a defendant’s acquisitive conduct”, they have indicated that the company must still plead the existence of specific and identifiable trade secrets – evaluated on a “fact-specific” and “case-by-case” basis by the courts – in order to proceed past the pleading stages. See, eg, Oakwood Labs., LLC v Thanoo, 999 F.3d 892, 907-908 (3d Cir. 2021) (discussing that the amended pleading sufficiently identified the exact categories of the trade secrets at issue and provided specific examples of documents that contained the trade secrets). As highlighted in Oakwood, even though some versions of the complaints had “arguably” identified the trade secrets with sufficient specificity, the plaintiff’s complaints were still dismissed several times by the district court until the issue had to be taken up on appeal.

In light of such heightened standards and the fact-specific, case-by-case scrutiny companies face in trade secrets litigation at both the pleading and preliminary injunction stages, there are multiple steps that a company can take to streamline its investigation, quickly identify the information and activity at issue, and provide information critical for any court filing seeking relief.

Step one: exit interviews

Exit interviews often enable a company to detect and address potential misappropriation, and provide departing or former employees with an opportunity to co-operate with the company to identify, return, and delete trade secrets and other sensitive, confidential information without the need for litigation.

Interviewers should be trained to ask questions that gather information on the employee’s return-of-property and confidentiality obligations as well as the employee’s post-employment plans. Interviewers should ask whether the employee has ever used USB drives or personal cloud or email accounts to store, view, print, or transmit company data and whether the employee has ever downloaded or copied any company information to personal devices, flagging any instances for further review. The interviewer should also confer with appropriate legal team members on the recommended response and any necessary follow-up steps to ensure that the employee complies with their obligations.

Step two: investigation and forensic inspection

In addition to discussions with the former employee, the information technology and security team members should advise departing employees, particularly those who may have accessed or exfiltrated company data, that they should not delete any data or information and should not reset or reformat any company device so that all relevant data is preserved. All company devices (eg, computers, cell phones, tablets, and USB drives) should be returned to the company in an unaltered state whenever possible. This is critical, as the devices may need to be forensically imaged for review, and the alteration or destruction of data, including metadata, will impede an investigation as to whether and how data exfiltration occurred. Company accounts, or any other accounts that may contain company data should be treated similarly.

When analysing devices and accounts for potential misappropriation, there are some common indicators that companies and the investigating teams should be on the lookout for, including:

• an employee forwarding company documents to personal email accounts;
• mass downloads of documents in the months prior to the employee’s departure;
• unusual log-in activities, whether suspicious first-time logins or logins using others’ credentials or non-company devices;
• any evidence of copying or transferring data to a USB drive or to unauthorised cloud applications;
• directly transferring data from one device to another (such as a phone data transfer);
• comparisons of data access with temporal use of personal email accounts or non-company cloud accounts, as reflected in internet activity data; and
• mass deletion or wiping activity, which often destroys the associated metadata to track how data was accessed or copied.

Also note that if the data at issue has been transferred to a non-company device or application, then it may be necessary to hire a third-party forensic vendor to remediate (ie, identify, retrieve, and permanently remove) the data from the personal device or application. When compared to long-term litigation costs, this approach can provide an efficient, cost-effective method to protecting a company’s trade secrets and other sensitive, confidential data and avoiding protracted litigation and discovery disputes.

Step three: initiating a targeted litigation strategy

Sometimes disputes can be resolved amicably. However, there will inevitably be instances where an employee attempts to take information from the company to use it for the employee’s own benefit or for the benefit of a third party, such as a competitor. By taking all of the steps described above, a company will equip their in-house and external legal teams with information and evidence that will set the company up for success in litigation. Given that trade secret misappropriation often warrants a rapid response to avoid irreparable harm, the upfront identification of misappropriated trade secrets and attempts at remediation, where possible, prove valuable in court – and, if in federal court, in meeting the heightened pleading and injunction standards in the Third Circuit. Equipped with this information, an effective legal team can file appropriate claims for trade secret misappropriation with parallel breach of contract claims under any applicable agreements (including confidentiality, return-of-property, and restrictive covenants, as may be applicable), and other related state-law claims, while also meeting the rigorous standards for pleading and seeking interim injunctive relief.

Summation

Developments in trade secret law and technology compel companies to take a forward-thinking and proactive approach to protecting their trade secrets and other sensitive, confidential business information on the devices, platforms, and programs used to conduct their business and to access, store, or transmit such information. By taking a holistic approach to those protections – from onboarding employees, to offboarding employees, and conducting appropriate monitoring and investigations – companies can better protect their trade secrets and maintain their competitive position in the marketplace while also positioning themselves for litigation as a last resort.