Last Reviewed: 2026-06-24
Reviewer: ITMG® Security Advisory
BoK Reference Sheet
Core Event taxonomy

Intellectual Property Theft

Intellectual property theft occurs when an insider copies, removes, retains, transfers, or uses protected business, technical, scientific, or creative information without authorization.

Based on real event: DuPont trade-secret theft by employee joining competitor.

Incident Case Analysis & Real-World Context

Case basis: Based on real event. A former DuPont employee admitted to stealing and misappropriating DuPont trade secrets after accepting an offer from a smaller competitor. The case illustrates a common leaver-risk pattern: a trusted employee with access to valuable technical or business information transitions toward another opportunity and moves protected information before, during, or after departure.

Why This Event Pattern Matters

IP theft cases matter because the harm may not be visible immediately. The organization may still possess the data, while losing exclusivity, competitive advantage, trade-secret protection, or negotiation leverage.

Common Event Scenarios & Progression Path

Access to high-value technical, commercial, or strategic information.

Career transition, competitor opportunity, or new venture context.

Unusual downloads, file collection, email forwarding, repository cloning, printing, or personal cloud synchronization.

Need to prove protectability, access, movement, retention, and possible use.

IRCF™ Capability Alignment

Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:

Data ProtectionIAMMonitoringAnalysisInvestigationPersonnel AssuranceOversight and ComplianceRisk Management and Reporting

Insider Threat Matrix Alignment

Matrix mapping includes preparation through file exploration and staging, infringement through exfiltration or unauthorized retention, and anti-forensics through deletion or concealment.

*The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Controls & Safeguards to Leverage

Crown-jewel identification and data classification.
Least-privilege access to sensitive repositories and project files.
Leaver and mover risk review.
DLP, repository, endpoint, cloud, and email telemetry correlation.
Trade-secret protection measures and legal preservation workflow.

Relevant Program Metrics & KPIs

Metric
Crown-jewel coverage.
Metric
Sensitive repository access anomalies.
Metric
Large download or export events before resignation or role change.
Metric
Legal hold and evidence completeness.
Metric
Time to contain leaver-risk data movement.

Legal, Privacy, and Ethical Cautions

IP theft can involve trade-secret law, confidentiality obligations, employment agreements, computer-access law, discovery, privacy, and cross-border investigation. State facts carefully and preserve evidence early.

Source References & Investigation Fact-Verification

DOJ, Northern District of Iowa, Former DuPont Employee Sentenced To Over Three Years in Prison for Stealing Trade Secrets and Lying to the FBI, Apr. 19, 2019.

Operationalize This Learning

Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.