What Can You Do If Someone Misuses Your Trade Secrets or Confidential Information?

You’ve just discovered that your pricing model is showing up in a competitor’s proposals. Or that client list you spent years building has somehow ended up with your former sales manager’s new employer. Or sensitive financial data leaked during a cyber incident.

This isn’t theoretical. It’s happening right now, and you need to know what to do.

The question isn’t whether you have legal rights. In most cases, you do. The real questions are: What should you do today? What evidence do you need? How fast do you need to move? And when does the cost and disruption of taking legal action actually make commercial sense?

Let’s walk through it.

Key Takeaways

  • Act fast to contain damage – Lock down access, preserve evidence, and conduct quiet fact-finding in the first 48-72 hours before the trail goes cold or information spreads further
  • Your own security practices matter – Courts assess whether you treated information as truly confidential; sloppy internal controls weaken your legal position and limit your options
  • Contracts aren’t everything – Even without a perfect NDA or employment clause, an equitable duty of confidence can arise when information is clearly confidential and shared in circumstances of trust
  • Match your response to the situation – Not every misuse requires litigation; sometimes a well-drafted letter and negotiated undertakings achieve better commercial outcomes faster and cheaper than court
  • Evidence is your strongest tool – Document access logs, emails, timelines, and witness accounts methodically; without solid proof of misuse, even strong legal rights won’t get you far
  • Think through the whole picture – Consider relationships with customers, investors, key staff, and the reputational impact before deciding whether to escalate to formal proceedings

Understanding what’s really been taken

Before you can respond effectively, you need to work out what you’re actually dealing with.

Not everything an employee or contractor knows is confidential. People take general skills, experience, and industry knowledge with them when they leave. That’s expected. The law doesn’t stop someone using what they’ve learned.

But some information is different. Trade secrets and confidential business information sit in a protected category.

This includes things like customer lists with pricing history and buying patterns, not just names from a public directory. Detailed financial models, margin breakdowns, and cost structures. Source code, algorithms, technical specifications, and manufacturing processes that aren’t publicly available. Business strategies, expansion plans, and tender pricing before they’re executed.

The common thread: this is information that gives your business a competitive edge, that you’ve deliberately kept under wraps, and that would cause real damage if a competitor got hold of it.

Ask yourself: would someone outside the business need months or years to reverse-engineer this, or could they figure it out in a day? If your information represents genuine effort, investment, and secrecy, it’s likely protectable.

The harder question is where ordinary business knowledge ends and true confidential information begins.

Your former product manager knows your product development process. Is that confidential? It depends. If the process itself is standard but they’ve taken your detailed roadmap and unannounced feature specifications, that crosses the line. If they’re just bringing their experience in product management to a new role, it probably doesn’t.

Think about it this way: did you treat the information as confidential when it was in your hands? Was it marked as restricted, kept on secure systems, shared only with people who needed it? Did you make clear, through contracts or conduct, that it wasn’t to be disclosed?

If you didn’t, courts are less likely to protect it now.

Key Point

Your past conduct shapes your current options. If you emailed sensitive pricing to external parties without confidentiality warnings, or let contractors access core IP without written terms, you’ve made it harder to argue the information was truly secret.

Your first steps when you suspect misuse

Speed matters. Not panic, but considered, immediate action.

The moment you suspect confidential information has been misused, your priority is containment and evidence. The trail gets colder every day, and the damage spreads.

Here’s what that looks like in practice.

Lock down access immediately. If the person is still employed or has system access, disable it now. Revoke email, cloud storage, VPN, and any other accounts. Do this quietly and document the exact time you did it. If they’ve already left, check whether any access remains active. It happens more often than you’d think.

Conduct quiet fact-finding. Before you make accusations or send letters, you need to understand what actually happened. Talk to IT. Pull access logs. Check email trails. Review file sharing history. Find out what the person had access to, what they downloaded or emailed, and when.

This isn’t about building a full legal case in 48 hours. It’s about understanding the scope of what you’re dealing with so you can make informed decisions.

Preserve evidence, methodically. Take screenshots of relevant communications, file access logs, version histories, and anything showing when information was accessed or moved. Export emails to a separate secure location. If devices are involved (laptop, phone, USB drives), secure them and don’t let anyone touch them until you’ve taken advice.

Do not access the person’s personal accounts, devices, or external systems they’re now using. That’s a separate legal problem you don’t need.

Decide who needs to know, and who doesn’t, yet. You’ll need to involve a tight circle: your legal adviser, IT or cybersecurity team if relevant, and senior management. But think carefully before widening that circle. If you alert the person who’s misusing the information too early, you lose the advantage of surprise and they have time to cover tracks.

Sometimes, the right move is to monitor quietly for a few days while you lock down evidence and assess your options. That’s a judgment call, and it depends on how quickly the information is being used and how much damage is being done.

Document everything. Start a timeline. Write down when you first became aware of the issue, what you did, who you spoke to, what you found. Keep it factual and dated. This becomes critical if you need to move fast for an injunction or prove you acted reasonably to protect your interests.

Can you do all of this in 72 hours? You can, if you’re clear-headed and organised.

Expert Tip

Resist the urge to confront the person immediately. An angry phone call or premature accusation gives them time to delete evidence, prepare a defence, or stop using the information temporarily until the heat dies down. Build your case first.

Checking your legal position

Once you’ve contained the immediate situation and gathered initial evidence, you need to understand where you stand legally.

This isn’t about memorising legal tests. It’s about working out: do I have a strong foundation to act, or are there gaps I need to manage?

Start with contracts. Pull the employment agreement, contractor terms, or supply agreement you had with the person. Look for confidentiality clauses, non-disclosure obligations, IP assignment terms, and post-employment restraints.

If there’s a clear, well-drafted confidentiality clause that covers the information in question, you’re in a strong position. The person knew they owed you a duty, and the terms are spelled out.

But what if the contract is silent, vague, or non-existent?

You’re not out of options. Australia recognises an equitable duty of confidence, even without a contract. If you shared information in circumstances where it was clear the information was confidential, and a reasonable person would understand they shouldn’t disclose or misuse it, the law can still protect you.

This matters most with contractors, consultants, or informal business relationships where paperwork was light or non-existent. Courts look at the nature of the information, how it was shared, and the relationship between the parties.

Consider your own conduct. How did you treat the information when it was in your hands?

If you sent sensitive pricing in plain emails with no confidentiality markings, stored it on shared drives anyone could access, or never told people it was confidential, it’s harder to argue it was truly secret. Courts expect you to take reasonable steps to protect confidential information.

“Reasonable steps” doesn’t mean Fort Knox security. It means proportionate care. Mark documents as confidential. Use access controls. Limit sharing to people who need to know. Make it clear, through your actions and your contracts, that the information isn’t for public consumption.

If your practices were sloppy, that doesn’t kill your claim. But it weakens it, and it narrows your remedies. A court might still find a breach but decline an injunction or limit damages because you didn’t treat the information seriously yourself.

Look at what’s actually being used. Is the person using your exact client list, with contact details, purchase history, and pricing? Or are they just calling on businesses they remember from their time with you?

If they’ve taken documents, files, or data, that’s misuse. If they’re relying on memory and general knowledge from their role, it’s murkier. Courts distinguish between using confidential information and simply applying experience gained during employment.

Think about timing and limitation periods. If the misuse happened months or years ago and you did nothing, delay can undermine your position. Courts are less willing to grant urgent relief if you sat on your rights.

If you’re discovering misuse now but it started a while ago, don’t wait. The clock is already running.

Key Point

Strong legal rights and a perfect contract don’t guarantee a good outcome if you can’t prove what was taken and how it’s being used. Evidence and proof matter more than doctrine.

Options for responding: from quiet resolutions to urgent court action

You’ve worked out what happened. You’ve checked your legal position. Now you need to decide how to respond.

Litigation isn’t always the answer. Sometimes it is, but often there’s a faster, cheaper, less disruptive path that still protects your interests.

Commercial resolution without lawyers. In some cases, a direct conversation works. If the misuse is inadvertent, or the relationship still has goodwill, a phone call explaining the issue and asking for undertakings to stop using the information can resolve it.

This works best when the person didn’t realise they’d crossed a line, or where the commercial cost of a dispute outweighs the value of the information to them. You might negotiate a licence, agree on terms for transition, or simply get a commitment to delete files and stop using the data.

Document the outcome. Even an informal resolution should be recorded in writing.

Formal letter of demand. If a quiet conversation isn’t appropriate, or if you need to set a clear line, a strongly worded legal letter can achieve a lot without court proceedings.

A good letter of demand sets out what confidential information was taken, the legal obligations that were breached, what you’re requiring (cease use, return/destroy materials, provide undertakings), and the consequences if they don’t comply (injunction, damages claim, costs).

This puts the other side on notice. It creates a documented record. And it often prompts a negotiated resolution, especially if their legal advice confirms your position is strong.

Sometimes the letter itself is the end of it. They comply, give undertakings, and that’s that. Other times, it’s the opening move in a broader dispute.

Negotiated undertakings and settlement. Many misuse cases settle. The person agrees to stop using the information, destroy copies, provide a sworn statement confirming what they’ve done, and sometimes pay compensation.

These settlements often include confidentiality clauses, so neither side talks publicly about what happened. That can be valuable if you want to avoid signalling to the market that there was a breach.

Think about what you actually need. Do you need money, or do you just need the use of the information to stop? Do you need to make an example, or do you need to move on quietly? Settlement gives you control over the outcome in a way litigation doesn’t.

Urgent injunctions. If the misuse is serious, ongoing, and causing real damage, you might need to move fast for an injunction.

An injunction is a court order restraining the person from using or disclosing the confidential information. You can seek an interim injunction (urgent, short-term) while the case progresses, and then a final injunction if you win.

Getting an urgent injunction requires showing the court that there’s a serious question to be tried, that damages wouldn’t be an adequate remedy, and that the balance of convenience favours granting the injunction. You need to move quickly and have solid evidence.

This is expensive and high-stakes. If you apply for an injunction and lose, you might be on the hook for the other side’s costs. But if the information is being used to undercut you in tenders, poach your clients, or launch a competing product using your IP, an injunction can stop the bleeding.

Search and preservation orders. In extreme cases, where you suspect the other side is destroying evidence or you need to secure physical materials (devices, documents), you can apply for search orders (formerly Anton Piller orders) or preservation orders.

These are rare, intrusive, and require compelling evidence of serious misconduct and a real risk of evidence being destroyed. Courts don’t grant them lightly, but they exist for situations where standard processes won’t protect your position.

Criminal and regulatory options. If someone hacked your systems, stole data using unauthorised access, or committed fraud, there may be criminal offences involved. You can report to police, though criminal prosecution is a separate process and not within your control.

In some sectors, there may also be regulatory avenues (privacy breaches, for example, if personal information was involved). These can run parallel to civil claims but require separate advice.

Doing nothing, strategically. Sometimes, after weighing it all, the smart move is to monitor but not act immediately.

If the information is low-value, if the person is using it in a way that doesn’t materially hurt you, or if the cost and distraction of a dispute outweighs the benefit, you might decide to strengthen your defences and move on.

That’s a commercial decision. Just make sure it’s a decision, not just avoidance.

Expert Tip

Before you send a letter or file proceedings, game out the other side’s likely response. Will they fold? Fight? Counterclaim? The goal is to achieve your commercial objective, not to win a moral victory at huge cost.

Building and protecting your case

If you’re heading toward formal action, or even if you’re just preparing for the possibility, you need a solid evidentiary foundation.

Without proof, even the strongest legal rights won’t get you far. Courts decide cases on evidence, not assertions.

Document the timeline, meticulously. Create a chronology of everything relevant: when the person had access, when they left, when you discovered the misuse, what steps you took, what you found. Include dates, times, and who was involved.

This becomes your master reference. It helps your legal team understand the case. It helps you stay organised. And it’s critical if you need to swear affidavits or give evidence.

Preserve digital evidence. Work with your IT team or an external forensic consultant to pull access logs, email trails, file downloads, cloud sharing activity, and login records. Export this data and store it securely.

If devices are involved, forensic imaging may be necessary. This creates a bit-for-bit copy of a hard drive or phone that can be analysed without altering the original. Don’t let anyone access the devices until you’ve taken advice on how to handle them properly.

Screenshots are useful, but they’re not enough on their own. You need the underlying data, metadata, and logs that prove when something was accessed or sent.

Identify and secure witnesses. Who else knows about this? Colleagues who worked with the person, IT staff who can explain the systems, clients or suppliers who’ve seen your confidential information being misused?

Talk to them early. Take statements while memories are fresh. If the matter goes to court, their evidence might be critical.

Show what you did to protect the information. Gather evidence of your own confidentiality practices. Contracts with confidentiality clauses. Internal policies. Access controls. Training records. Confidentiality markings on documents.

You’re trying to show that you treated this information as secret, that you took reasonable steps to protect it, and that it wasn’t generally available.

Avoid “self-help” that crosses legal lines. Do not access the other person’s personal email, social media, or devices without permission. Do not hack into their new employer’s systems. Do not pressure third parties to breach their own confidentiality obligations to give you information.

You can gather publicly available information. You can use your own systems and data. But if you cross ethical or legal lines to get evidence, it can backfire spectacularly.

Work with lawyers early on evidence strategy. Not all evidence is admissible. Some is more persuasive than others. A good litigator will help you focus on what matters and avoid wasting time on peripheral material.

If you’re dealing with complex digital evidence, technical documents, or industry-specific information, you might need expert witnesses to explain it to the court. Plan for that early.

Key Point

The strength of your case isn’t just about what happened. It’s about what you can prove happened. Assume everything will be tested, and build your evidence accordingly.

Balancing legal rights with commercial realities

You have strong evidence. You have clear legal rights. Your lawyer is confident you’d win in court.

Should you litigate?

Maybe. But maybe not.

This is where many businesses make mistakes. They either rush into litigation without thinking through the consequences, or they hesitate so long that the opportunity to act effectively passes.

Let’s talk about the decision-making framework.

What will it cost, and what will it take? Litigation is expensive. An urgent injunction application can cost tens of thousands in legal fees in the first few weeks. A full trial can cost hundreds of thousands or more, depending on complexity.

It’s also slow. Even with urgent applications, you’re looking at weeks for interim relief and often a year or more for a final hearing.

And it’s disruptive. Senior staff get pulled into legal meetings, giving evidence, and dealing with discovery. Your attention shifts from running the business to managing the dispute.

Weigh that against the value of the information being misused and the damage being caused. If the misuse is costing you $50,000 a year in lost margins but litigation will cost $200,000, the maths doesn’t work unless you’re trying to set a broader precedent or send a message.

What are the realistic outcomes? If you win, what do you actually get?

An injunction stops further use, but it doesn’t undo what’s already happened. Damages compensate for loss, but proving quantum can be difficult, especially if the misuse gave the other side a head start rather than a direct revenue gain. Account of profits is available in some cases, but it requires detailed evidence of what they earned.

Sometimes the best outcome is a negotiated resolution where they stop using the information, give undertakings, and pay a contribution to your costs. That’s not a “win” in the dramatic sense, but it achieves the commercial goal.

What are the risks if you proceed? Litigation can expose your own practices to scrutiny. If your confidentiality measures were weak, that comes out in discovery. If you’ve got skeletons (underpaid contractors, poor IP assignment practices, messy records), the other side’s lawyers will find them.

There’s also the risk of counterclaims. If you’re alleging an ex-employee breached confidence, they might counterclaim for unpaid entitlements, bullying, or breach of contract. Suddenly, you’re defending claims you didn’t anticipate.

Think about the relationship dynamics. If the person now works for a key customer, supplier, or partner, litigation can damage those relationships. If they’re well-connected in your industry, it can get messy reputationally.

None of this means you shouldn’t act. But it means you need to go in with your eyes open.

What happens if you don’t act? There’s a cost to inaction, too.

If you let the misuse continue, the damage compounds. If you send a letter and don’t follow through, you’ve signalled that your threats are hollow. If staff see that breaches aren’t taken seriously, it undermines your confidentiality culture.

Sometimes doing nothing is the right call, but it should be a deliberate decision based on cost-benefit, not avoidance or fear.

Managing internal and external stakeholders. If the breach involves client data, your customers may need to know. If it’s a significant incident, investors or your board may expect updates. If it’s an employee matter, HR and senior management need to be looped in.

Think through who needs to know what, and when. Overcommunication can cause panic or reputational damage. Undercommunication can leave you exposed if something goes wrong.

In some cases, you’ll need to notify regulators (if personal information is involved and there’s a data breach, for example). Take advice on those obligations early.

Balancing principle and pragmatism. Some clients want to fight on principle. They’re angry, they feel betrayed, and they want justice.

That’s understandable. But principle doesn’t pay legal bills, and justice in court is rarely as satisfying as you imagine.

If you can achieve your commercial objectives without litigation, that’s almost always the better path. Save litigation for when it’s the only way to protect something that really matters, or when the cost of not acting is clearly higher than the cost of proceeding.

Expert Tip

Treat litigation as a business decision, not an emotional one. If your lawyer can’t explain the likely cost, timeframe, and outcomes in clear terms, keep asking until they do. You’re making a commercial judgment, and you need the information to make it well.

Strengthening your position for next time

Once you’ve dealt with the immediate situation, the question becomes: how do I make sure this doesn’t happen again, or at least that I’m in a much stronger position if it does?

This isn’t about locking down your business in paranoia. It’s about sensible measures that protect what matters without stifling collaboration.

Tighten your contracts. Review employment agreements, contractor terms, supplier contracts, and NDAs. Make sure confidentiality clauses are clear, broad enough to cover your key information, and enforceable.

Include IP assignment clauses so there’s no ambiguity about who owns work product. Include post-employment obligations that survive termination. Make sure restraint clauses, if you’re using them, are reasonable and tailored (overreach and they’ll be struck down).

Get these signed before the person starts working with you, not six months in when you realise you forgot.

Implement practical confidentiality measures. You don’t need enterprise-grade security, but you do need proportionate controls.

Mark confidential documents as such. Use access controls so people only see what they need for their role. Log who accesses sensitive systems and data. Use confidentiality agreements before sharing information externally.

Train staff on what’s confidential and what’s not. Make it part of induction and ongoing compliance. If people don’t understand what they’re supposed to protect, they won’t protect it.

Conduct exit processes properly. When someone leaves, disable their access immediately. Conduct an exit interview that reminds them of their ongoing confidentiality obligations. Collect devices, documents, and USB drives.

If the role was sensitive, consider whether you need a more formal process: certifying they’ve returned everything, confirming they haven’t retained copies, reminding them in writing of their obligations.

For very senior roles or high-risk departures, you might engage forensics to check what was accessed or downloaded in the final weeks. Do this before you lose access to the data.

Embed an incident response plan. If a breach happens, who do you call? What are the first steps? Who has authority to lock down systems, speak to the other side, or instruct lawyers?

Having a plan means you act faster, more calmly, and more effectively. You’re not improvising under pressure.

The plan should cover: immediate containment, evidence preservation, internal communication, external communication (if needed), legal escalation pathways, and decision-making authority.

Review your insurance. Cyber insurance and management liability policies sometimes cover costs associated with confidential information breaches. Check what you’re covered for and whether gaps exist.

Create a culture where confidentiality matters. If confidentiality is just a clause buried in a contract no one reads, it won’t work.

Make it clear, from the top down, that protecting confidential information is part of how the business operates. Reward people who raise concerns. Deal with breaches seriously and consistently.

Culture isn’t everything, but it’s the foundation. Strong contracts and good systems only work if people understand why they matter.

Key Point

The goal isn’t to eliminate all risk. It’s to make misuse harder to commit, easier to detect when it happens, and easier to act against if you need to enforce your rights. Small, consistent steps compound over time.

Moving forward: clarity in the face of misuse

Discovering that your confidential information has been misused is unsettling. It feels like a betrayal, a loss of control, and a threat to what you’ve built.

But it’s also manageable, if you approach it with clarity and purpose.

You don’t need to know every legal test or case precedent. You need to understand what’s actually happened, what your realistic options are, and how to weigh those options against your commercial priorities.

Act fast in the first 72 hours to contain damage and preserve evidence. Check your legal position, but don’t assume that perfect contracts or strong rights automatically mean litigation is the right path. Think through the full picture: cost, time, relationships, and whether you can achieve your goals without court.

And once you’ve dealt with the immediate issue, take the lessons and use them to strengthen your position for the future.

The right legal partner won’t just tell you what the law says. They’ll help you make the decisions that protect your business, in the real world, with all its complexity and compromise.

If you’re facing a situation where confidential information has been misused, or if you want to strengthen your defences before something happens, we’re here to help you think it through.


Disclaimer: This article provides general information only and does not constitute legal advice. Every situation involving misuse of confidential information is unique and depends on specific facts, contracts, and circumstances. If you are dealing with a potential breach, you should seek tailored legal advice promptly. Aptum Legal is a litigation-only commercial and tax disputes firm and can assist with disputes involving confidential information and trade secrets.

About the Author
Nigel Evans – one of our founding directors – came to Aptum with 11 years’ experience at the Victorian Bar. Since founding Aptum, he has become the strategic and commercial core of our practice. This has seen Nigel consistently named as a Leading Commercial Litigation and Dispute Resolution Lawyer by Doyles Guide, included in the Best Lawyers in Australia for Tax Law, and named as a Finalist for Litigation Partner of the Year at the Partner of the Year Awards. Having been at the forefront of complex commercial litigation, Nigel has seen firsthand how client outcomes are all too often...
