Intellectual Property Theft Investigation: Protecting Your Business

The threat to UK businesses

Intellectual property theft costs UK businesses billions of pounds each year. Trade secrets copied by departing employees, product designs replicated by competitors, customer databases downloaded before a resignation, and proprietary software code taken to a rival firm – these are not hypothetical scenarios. They are cases that UKPI investigates regularly, across sectors from manufacturing and technology to professional services and pharmaceuticals.

The damage from IP theft extends beyond the immediate financial loss. A competitor who obtains your product designs can undercut your pricing because they did not bear the development cost. A former employee who takes your customer list can approach your clients with a competing offer before you know they have left. A trade secret that becomes public knowledge loses its value permanently – unlike a stolen physical asset, it cannot be recovered in its original condition.

This article examines how IP theft occurs in UK businesses, the legal protections available for intellectual property, how professional investigators detect and prove IP theft, and the steps businesses can take to reduce their exposure.

How IP theft happens

Departing employees

The most common source of IP theft is employees who leave to join a competitor or start their own business. In the weeks before their departure, often while still employed, they download files, forward documents to personal email accounts, copy databases to USB drives, or upload proprietary information to personal cloud storage.

The motivation varies. Some believe the information is “theirs” because they created it. Others take it deliberately to give themselves or their new employer a competitive advantage. A few take it as insurance – files they plan to use only if negotiations over their departure become hostile. Regardless of motivation, taking confidential business information without authorisation is a breach of contract and, depending on the circumstances, a criminal offence.

The warning signs are often visible in retrospect: accessing files outside their normal work area, logging in at unusual hours, downloading large volumes of data, or connecting removable storage devices. But without monitoring systems in place, these activities go unnoticed until the damage is done.

Competitors and industrial espionage

Deliberate espionage by competitors is less common than employee theft but causes disproportionate damage. Methods include recruiting employees specifically to obtain trade secrets (so-called “talent raiding”), placing agents within a target company, hiring third parties to obtain information through social engineering or technical means, and reverse engineering products to access protected information.

Industrial espionage is difficult to detect because it is designed not to be detected. The victim may not know their IP has been stolen until a competitor launches a product that is strikingly similar to one still in development, or until a patent application reveals that someone else has filed first with suspiciously similar claims.

Cyber attacks

State-sponsored and criminal cyber attacks targeting intellectual property have increased markedly in recent years. The National Cyber Security Centre (NCSC) has warned specifically about threats to UK businesses in sectors including defence, technology, pharmaceuticals, and high-end manufacturing. Attack methods include phishing emails that install malware capable of exfiltrating documents, exploitation of unpatched software vulnerabilities, compromise of supply chain partners with weaker security, and insider-facilitated access (where an employee, willingly or through coercion, provides credentials to external attackers).

Cyber investigation following a suspected breach determines what was accessed, what was taken, how the attacker gained entry, and whether the intrusion is ongoing. This information is critical for both the legal response and the technical remediation.

Counterfeiting and product copying

Physical products, packaging, and branding are copied and sold by counterfeiters who operate through online marketplaces, trade fairs, and parallel supply chains. Counterfeit goods cause direct financial loss through diverted sales, and indirect damage through inferior quality products that damage the brand’s reputation.

Counterfeiting investigations involve purchasing and analysing suspected counterfeit goods, identifying the source of supply, gathering evidence for civil and criminal proceedings, and working with trading standards, customs authorities, and online platforms to intercept counterfeit goods and remove infringing listings.

Legal protections

Trade secrets and confidential information

UK law protects trade secrets through the common law of confidence, the Trade Secrets (Enforcement, etc.) Regulations 2018 (implementing the EU Trade Secrets Directive), and contractual provisions (confidentiality agreements, restrictive covenants, and employment contract terms).

The Trade Secrets Regulations define a trade secret as information that is not generally known, has commercial value because it is secret, and has been subject to reasonable steps to keep it secret. The third requirement is critical: if a business does not take reasonable steps to protect its confidential information, it may struggle to enforce its rights when that information is misappropriated.

Reasonable steps include marking documents as confidential, restricting access on a need-to-know basis, using non-disclosure agreements, implementing technical controls (access restrictions, encryption, monitoring), and including confidentiality obligations in employment contracts.

Patents, trademarks, and copyright

Registered IP rights, patents and trademarks, provide statutory protection that is enforceable through the courts. Copyright protects original creative works (including software code, written materials, and artistic works) automatically without registration. Design rights protect the appearance of products.

Enforcement of these rights requires evidence that the right exists, that it has been infringed, and that the infringement has caused loss. Investigation gathers this evidence: purchasing infringing goods, documenting the infringement, identifying the infringer, and preserving the evidence for legal proceedings.

Criminal offences

IP theft can constitute criminal offences including fraud (Fraud Act 2006), theft (Theft Act 1968), computer misuse (Computer Misuse Act 1990), and criminal trademark infringement (Trade Marks Act 1994). Criminal prosecution is pursued through the police, the Crown Prosecution Service, or (for trademark offences) trading standards. The investigator’s role is to gather evidence that meets the criminal standard of proof (beyond reasonable doubt) and to present it in a format suitable for prosecution.

Investigating IP theft

Initial assessment

The investigation begins with establishing what intellectual property may have been taken, who had access to it, and what evidence exists. This involves reviewing access logs and system records, identifying which files or data were accessed, downloaded, or transferred, establishing the timeline of events, and identifying the suspects and their current activities.

For cases involving departing employees, the IT systems often contain the evidence. File access logs show what the employee accessed in their final weeks. Email servers retain sent and received messages (including those the employee deleted from their inbox but not from the server). Cloud storage access logs show uploads to personal accounts. USB device connection logs show when removable storage was attached.

Digital forensics

Digital forensic examination of the suspect’s company devices, laptop, desktop, mobile phone, and email account, can recover deleted files, reconstruct internet activity, identify file transfers, and establish a chronological record of the suspect’s digital activity. This evidence is preserved through forensic imaging (creating a verified copy of the device’s storage) so that the original evidence remains unaltered.

If the suspect used personal devices for work (under a BYOD policy), the employer’s ability to examine those devices depends on the terms of the BYOD policy and the employee’s consent. A well-drafted BYOD policy reserves the employer’s right to inspect personal devices used for work purposes, but many businesses do not have adequate policies in place.

Surveillance and monitoring

If the suspect has left and is believed to be using stolen IP in a new role or business, surveillance may be appropriate. Surveillance can establish whether the former employee is operating a competing business, meeting with the employer’s clients, or involved in activities that suggest they are using confidential information.

Monitoring of online marketplaces, social media, and competitor websites can identify the use of stolen IP – products that appear suspiciously similar to the victim’s designs, marketing materials that reproduce confidential pricing or specifications, or job advertisements that reveal knowledge of proprietary processes.

Interviews and witness evidence

Colleagues of the suspect may have observed relevant behaviour: the suspect discussing plans to start a competing business, asking unusual questions about systems or processes outside their normal responsibilities, or mentioning access to files they should not have seen. These witnesses provide context and corroboration for the digital evidence.

If the employer discovers the theft before the employee has left (or during their notice period), a properly conducted interview can secure admissions that support the case. The interview must be conducted carefully – the employee retains their employment rights, and evidence obtained through coercion or deception may be inadmissible.

Legal remedies

Injunctions

An interim injunction can prevent the suspect from using, disclosing, or disposing of stolen IP while the case is resolved. Speed is critical: once a trade secret is disclosed to a third party, its value as a secret is destroyed. Applications for injunctions can be made without notice to the respondent if there is a risk that notice would cause the evidence to be destroyed.

Search orders

A search order (formerly an Anton Piller order) allows the claimant’s solicitors to enter the defendant’s premises and search for evidence of IP theft. These orders are granted in cases where there is strong evidence that the defendant possesses the claimant’s IP and a real risk that evidence will be destroyed if advance notice is given. The order is executed by a supervising solicitor (independent of the claimant’s solicitors) and the search is conducted under controlled conditions.

Damages and account of profits

The claimant can recover financial compensation for the loss caused by the IP theft, or alternatively, claim an account of the profits the defendant made by using the stolen IP. The choice between damages and account of profits depends on which produces the higher recovery – if the defendant made large profits from the stolen IP, an account of profits may exceed the claimant’s provable losses.

Delivery up and destruction

The court can order the defendant to deliver up all copies of the stolen IP and to destroy any products made using it. This prevents ongoing infringement and ensures that the stolen information does not remain in circulation.

Prevention measures

Contractual protections

Employment contracts should include clear confidentiality obligations that survive termination, restrictive covenants (non-compete, non-solicitation, and non-dealing clauses) that are reasonable in scope and duration, IP assignment clauses that confirm all IP created during employment belongs to the employer, and garden leave provisions that allow the employer to remove the employee from their role during the notice period while retaining them on the payroll.

Restrictive covenants must be reasonable to be enforceable. A non-compete clause that prevents a junior employee from working in any related industry for five years will not be enforced. A clause that prevents a senior sales director from soliciting specific clients for 12 months is more likely to be upheld. The key is that the restriction must protect a legitimate business interest and must not go further than is reasonably necessary for that protection.

Technical controls

Access controls that restrict information to those who need it. Data loss prevention (DLP) software that monitors and blocks the transfer of sensitive files to external devices, personal email, and cloud storage. USB port controls that prevent connection of removable storage devices. Email monitoring that flags large attachments or transfers to personal accounts. These technical measures do not prevent all IP theft, but they create barriers, generate audit trails, and deter opportunistic theft.

Exit procedures

A structured exit process for departing employees reduces the risk of IP theft at the point of greatest vulnerability. Exit procedures should include reminding the employee of their confidentiality obligations (in writing), conducting an exit interview that covers IP and confidentiality, revoking system access promptly (ideally before the employee’s departure is announced), recovering all company devices and materials, and reviewing the employee’s recent file access and email activity for anomalies.

This last step is the one most employers skip – and it is the one that most often catches IP theft early. A quick review of the employee’s access logs in their final month can reveal whether they downloaded unusual volumes of data or accessed files outside their normal working pattern.

Working with UKPI

UKPI investigates intellectual property theft for businesses across all sectors. Our investigations combine digital forensics, surveillance, corporate intelligence, and financial analysis to identify what was taken, who took it, where it went, and how to recover it.

We work alongside your solicitors to gather evidence that meets court standards, support injunction and search order applications, and provide witness evidence in proceedings. Our investigators include former police officers and corporate security professionals with direct experience of IP theft cases.

If you suspect that your intellectual property has been stolen, or if a key employee is leaving and you want to verify that your confidential information is secure, call 0800 043 1754 for a confidential discussion. Speed matters in IP cases: the sooner investigation begins, the more evidence can be preserved and the stronger legal remedies will be. You can also reach us via our online contact form.