A California-based payment-processing firm alleged last week in federal court that its former CEO and several former employees stole sensitive trade secrets in order to form a competing business.

Granite Payment Alliance, an accounting firm headquartered in the Sacramento suburb of Roseville, filed a suit - Granite Payments LLC et al. v. 1Point Merchant Solutions Inc. - last week in the United States District Court for the Eastern District of California.

In the complaint, the company alleges that Wayne Keddy, the CEO of Granite Payment Alliance (GPA), worked with now former sales representatives and customer service specialists to harvest GPA’s confidential files in order to start a new firm, 1Point Merchant Solutions.

Keddy, who founded GPA in 2006, started 1Point Merchant Solutions, Inc., in neighboring Rocklin, Calif., in July.

The complaint alleges that Keddy was triggered after he discovered Cosway, a company that absorbed GPA in 2016, was going to sell its assets. The CEO, who had access to a slew of information on the company, including “operating procedures, customer information, pricing and contracts with banks and merchants,” offered to lend a hand in marketing projects in the weeks leading up to the sale. GPA made it clear it was going to keep him and other employees at GPA employed following the sale but the suit alleges Keddy had different plans.

Under Keddy’s directive, employees at the company purportedly stole trade secrets belonging to GPA, including customer contact information, documents detailing the company’s merchant and bank activity, and revenue sharing agreements. According to the complaint, Keddy even tweaked the phrasing of agreements between customers, banks, and GPA, giving them the ability to terminate their contracts if there was ever a change in ownership or a sale of the company's assets.

To compound the damage for GPA further, the employees stopped looking for new customers shortly before GPA sold its assets. In early July, as the sale was nearing its end, Keddy resigned, telling Cosway he was leaving the payment processing industry to “get away for a while.” Keddy apparently did just the opposite as he formed 1Point Merchant Solutions one week later, on July 10.

GPA processes payments for retail shops like grocery stores, hotels, e-commerce platforms, and mail-order and pay-by-phone businesses. Judging by 1Point Merchant Solutions' website, the company performs much of the same services, including facilitating payment processing, online payments, and payments for businesses that rely on point of sale terminals. 1Point Merchant Solutions did not return a request for comment for this story.

According to the suit, Michel Meyer, a customer support specialist with Cosway, helped spearhead the plan, forwarding emails and attachments to her personal email account. Connie Pearce, a sales rep, helped too. According to the court filing, Pearce accessed 20 files including confidential revenue sharing agreements. She also took pricing proposals and analyses and saved them to removable USB drives. 10 minutes after taking the documents she notified the company of her intent to resign.

Despite being unemployed by GPA, both Meyer and Keddy accessed 7,000 GPA files after their departure, including data on the company's merchant and bank activity, and profitability numbers, on July 17, after the company had been sold. The defendant employees were able to continue to access confidential and proprietary files at Batlle, the company that aborbed GPA, after moving to 1Point because they retained access to their computers. When asked, the defendants returned the machines but held onto removable storage devices that still contained sensitive GPA property.

"The accessed documents allowed 1Point to calculate precisely the percentage that GPA had negotiated for its unique customer agreements such that 1Point could undercut Batlle GPA on the price for each agreement," the suit reads.

It wasn’t like Cosway didn’t have protections in place; it safeguarded its company data on a secured network server, ensuring it wasn't configured for remote access. It also had a proprietary information and confidentiality policy in place, something that at least in theory was supposed to prevent employees from sending data outside the company.

Encouraging employees to maintain confidentiality can often be a lesson in the limits of good faith. If the allegations against Keddy and his employees are true it clearly didn't stop them from misappropriating that data. While keeping its confidential and proprietary files on secure computer and network systems likely helped GPA prevent it from getting in the hands of outside hackers it didn't stop the defendants, employees with privileged access to the data, from removing it.

The fact that employees appear to have taken data by copying it to removable devices, perhaps the most popular method of data exfiltration, adds insult to injury. A robust data protection plan not only ensures that data can't be misused or accessed but enforces device encryption policies. It can even make it possible to log device usage and data transfer activities, and even block access to devices that can be used to steal data like USB and removable drives