Digital Guardian's Blog

Software Company Claims Ex-Employee Stole Data, Clients Before Exit

by Chris Brook on Friday June 4, 2021

The former executive allegedly stole thousands of files, including financial reports, client files, and strategies - then deleted that data - in anticipation of leaving the company.

A software company is alleging that when a former employee and business partner left the company, he left with confidential client information in hand, in order to start a rival firm.

In a case filed last week, shortly before Memorial Day weekend, Rapid Software LLC claimed that Douglas Brown, a former employee, breached a number of non-compete, non-solicitation, and confidentiality agreements when he downloaded thousands of company files.

According to a lawsuit filed in the United States District Court for the Northern District of Georgia last Thursday, Brown was the founder and former owner of Brown Bag Marketing, Inc., a marketing company that was purchased by Rapid in 2019. After Brown’s company was purchased, he agreed to stay on as president and receive a salary and benefits for a year. While Brown's employment with the company technically ended in October 2020, he then began working for the company under a Work For Hire Agreement, which still barred him from accessing and misappropriating Brown Bag company data.

Six months later, the court filing claims, Brown began accessing the company's systems, downloading almost 1,500 files that were the property of his employer. He downloaded seven times that amount later on that year, over 11,000 files over the course of a week in October, all without authorization to do so, the complaint alleges.

The information Brown purportedly took is diverse, including financial data, financial reports, financial statements, forecasts, client files, client pricing information, contract terms and templates, business strategies, and information on the company’s marketing processes and strategies.

The complaint alleges that Brown didn't just take data from the company; he also outright deleted files from the company's computer systems.

Akin to an act of sabotage, the complaint claims Brown "intentionally and knowingly" deleted over 29,000 files from his employers' computers before his employment ended. Even after he left the company for good, Brown had secured access to company data: The complaint claims Brown sent Box.com URLs to his personal Gmail email address, which allowed him access to sensitive files. Following the sale of Brown Bag, as part of a purchase agreement signed by Brown, he wasn't allowed to own, manage, control, or even work for a marketing or advertising agency until October, 2020 – but it appears he did just that.

While at Brown Bag, the complaint alleges that Brown was behind the formation of a marketing agency of his own, ProjecX Group, LLC; the document claims ProjecX filed a Certificate of Organization with the Georgia Secretary of State, which provides that ProjecX was organized on May 29, 2020. Brown's actions really hit home after GaXtracts, a bioscience company, stopped doing business with Brown Bag and started doing business with ProjecX.

"By utilizing ProjecX to provide marketing and advertising services to GaXtracts during his employment with Brown Bag, Defendant Brown actively undermined the interests of Brown Bag while benefiting himself and another entity that was actively competing with Brown Bag for marketing business," the complaint reads.

While the company clearly had logging in place - it was able to see what files Brown accessed and when he downloaded them - it doesn’t appear it had the capability to stop data from being removed from its systems. The document claims Brown copied data onto portable storage devices like thumb drives, and moved it out via cloud storage and email - vectors that can be blocked by the right solution.

Still, Brown had a fiduciary duty to the company, not to mention a legal duty, to safeguard his former company’s data. That’s why Rapid and Brown Bag are alleging that his actions were both willful and malicious, done for the “express purpose of injuring” the company.

In the lawsuit, Brown Bag is claiming Brown violated the Defend Trade Secrets Act, the Computer Fraud and Abuse Act, the Georgia Computer Systems Protection Act, and the Georgia Trade Secrets Act.

Tags: IP theft

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.