Trade-secret leakage into public AI models

Can putting company secrets into public AI tools destroy trade-secret protection?

Public AI use can create bad secrecy facts because trade-secret protection still turns on reasonable measures and disclosure control. Courts have not adopted a broad AI rule, but consumer tools with training, review, or retention rights are the hardest record to defend.

The federal baseline is still the DTSA. A trade secret exists only if “the owner thereof has taken reasonable measures to keep such information secret” and the information derives value from not being generally known. The remedial section matters too. Section 1836 authorizes seizure and injunction-style relief to prevent the propagation or dissemination of the trade secret and permits affirmative actions to be taken to protect the trade secret.

State trade-secret law mostly uses the same idea, usually through a UTSA formulation that asks whether secrecy efforts were reasonable under the circumstances. New Jersey is representative: information qualifies only if it “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy”. That is why AI-era disputes will probably turn less on novel doctrine than on whether the company can show a sensible match between the sensitivity of the information and the way it allowed employees or agents to use AI.

One useful recent example is Snyder v. Beam Technologies, Inc. The Tenth Circuit treated password protection and possession alone as inadequate where the claimant had not marked the material confidential and had not imposed downstream restrictions on recipients. That is not an AI case. But it is the right kind of case. It suggests that courts are looking for specificity, labeling, segregation, and recipient control rather than broad statements that information is proprietary.

The employer-side bar is unusually aligned on the threshold point. Proskauer says that putting information into ChatGPT may weaken a company’s position that the information remained a trade secret. Goodwin says user inputs to many generative-AI systems are not protected as confidential. Winston says a simple confidentiality agreement may need reevaluation when AI inputs may be stored, reviewed, or used in later learning. Fisher Phillips reaches the same place more bluntly: the company’s most important data needs distance from public GenAI if later trade-secret protection is going to be credible.

The 2026 privilege commentary sharpened the trade-secret analysis by giving firms a cleaner analogy. Goodwin says public generative-AI platforms are third parties. Proskauer says standard consumer offerings provide less confidentiality protection, while leaving open whether enterprise products with no-training and contractual confidentiality commitments could look different on different facts. Perkins adds that later handing AI-generated work to counsel does not retroactively restore protection.

The second consequence is that public consumer tools create the worst record. OpenAI says individual services “may use your content to train our models” unless the user opts out, while Temporary Chat still may be retained for abuse monitoring for up to 30 days. Google’s consumer Gemini materials are even more direct: users are told not to enter confidential information or any data you wouldn't want a reviewer to see and reviewed chats may be retained for up to three years. If a later plaintiff says the company tolerated disclosure to a third party with its own review and retention rights, those terms supply the argument for free.

The narrow reading is that consumer-chatbot development without confidentiality commitments is bad facts. The broader reading is that courts may start treating public AI use itself as inconsistent with secrecy. We think the narrow reading is safer for now. The case is early, and the stronger distinction in the commentary is still consumer versus enterprise, not AI versus non-AI.

Sources for this answer

Primary law

A.1 18 U.S.C. § 1839(3)(A)

Supports the cited proposition. (18 U.S.C. § 1839(3)(A))

the owner thereof has taken reasonable measures to keep such information secret

See 18 U.S.C. § 1839(3)(A).

Primary law

A.2 18 U.S.C. § 1836(b)(2)(A)(i)

Federal district courts possess exclusive original jurisdiction over civil actions involving the misappropriation of trade secrets.

The district courts of the United States shall have exclusive original jurisdiction of civil actions under this section.

See 18 U.S.C. § 1836(b)(2)(A)(i).

Commentary

A.3 N.J.S.A. 56:15-2

Supports the cited proposition. (N.J.S.A. 56:15-2)

is the subject of efforts that are reasonable under the circumstances to maintain its secrecy

See N.J.S.A. 56:15-2.

Case law

A.4 Snyder v. Beam Technologies, Inc., No. 24-1136 (10th Cir. Aug. 5, 2025)

The court held that a plaintiff must demonstrate ownership or possession of a valid trade secret and take reasonable measures to maintain its secrecy to prevail on misappropriation claims under the DTSA and CUTSA, while also clarifying that Rule 702 orders cannot be used to effectively grant summary judgment without following proper procedural protections.

The district court granted summary judgment on Snyder’s two trade secret claims. It held that Snyder offered insufficient evidence to show that he “owned” the alleged trade secret, a customer list.

See Snyder v. Beam Technologies, Inc., No. 24-1136 (10th Cir. Aug. 5, 2025).

Law-firm commentary

A.5 Proskauer Rose commentary

Organizations should proactively evaluate the risks associated with generative artificial intelligence and implement appropriate internal policies and technical guardrails to ensure compliance and mitigate potential legal and operational exposure.

businesses are well advised to evaluate the issues and risks to determine what policies or technical guardrails, if any, should be imposed on GAI’s use in the workplace.

See Proskauer Rose, ChatGPT Risks and the Need for Corporate Policies.

Law-firm commentary

A.6 Goodwin commentary

Employers face significant legal risks regarding the loss of trade secret protection when employees input confidential data into generative AI systems and must ensure that AI-driven HR tools comply with anti-discrimination regulations.

In most cases, employees and contractors that input company information, including confidential or sensitive information, are essentially putting it in the public domain.

See Goodwin, What Employers Need to Know About Use of Generative AI at Work.

Law-firm commentary

A.7 Winston & Strawn commentary

Companies must implement robust confidentiality policies, contractual safeguards, and employee training to mitigate the risk that using Generative AI tools will result in the loss of trade secret protection.

Inputs that are comprised of trade secrets may also be used to further train the tool, and thus be disclosed to users not affiliated with the company that owns the trade secrets.

See Winston & Strawn, Harnessing Generative AI: Best Practices for Trade Secret Protection.

Law-firm commentary

A.8 Fisher Phillips, The 10 Things All Employers Must Include in Any Workplace AI Policy

Employers should implement a comprehensive workplace policy governing the use of generative AI to mitigate legal risks, protect confidential data, and ensure compliance with employment and labor laws.

A first step is developing a workplace GenAI policy.

See Fisher Phillips, The 10 Things All Employers Must Include in Any Workplace AI Policy.

Law-firm commentary

A.9 Goodwin, AI Chatbots, Privilege, and Pitfalls: Lessons for Keeping Generative AI Exchanges Out of the Hands of Legal Adversaries

Communications with generative AI platforms are generally not protected by attorney-client privilege or the work product doctrine, particularly when initiated by a client without attorney direction or when the platform's privacy policy negates a reasonable expectation of confidentiality.

Disclosing attorney-client communications or privileged work product to a public AI platform may constitute a waiver of applicable legal privilege in connection with the underlying material, similar to other disclosures to unrelated third parties.

See Goodwin, AI Chatbots, Privilege, and Pitfalls: Lessons for Keeping Generative AI Exchanges Out of the Hands of Legal Adversaries.

Law-firm commentary

A.10 Proskauer Rose commentary

The use of consumer-grade, non-enterprise AI tools to process privileged information may result in a waiver of attorney-client privilege and work-product protection because such tools are treated as third parties and lack the necessary confidentiality.

disclosure of privileged communications to a third party in circumstances that undermine confidentiality (here, the corporation operating the AI tool) may result in waiver.

See Proskauer Rose, SDNY Addresses Privilege and Work Product Implications of Using Unsecured Public AI Tools.

Law-firm commentary

A.11 Perkins Coie, Heppner and Gilbarco: Courts Apply Privilege and Work Product Protection to Generative AI Tools

Courts are applying existing attorney-client privilege and work product doctrine frameworks to generative AI, treating these platforms as tools rather than persons and evaluating protections based on traditional criteria like the existence of an attorney-client relationship and the nature of the disclosure.

generative AI programs[] are tools, not persons, even if they may have administrators somewhere in the background.

See Perkins Coie, Heppner and Gilbarco: Courts Apply Privilege and Work Product Protection to Generative AI Tools.

Vendor documentation

A.12 OpenAI Help Center, How your data is used to improve model performance

Supports the cited proposition. (OpenAI Help Center, How your data is used to improve model performance)

may use your content to train our models

See OpenAI Help Center, How your data is used to improve model performance.

Vendor documentation

A.13 OpenAI Help Center, Temporary Chat FAQ

OpenAI's Temporary Chat feature limits data retention and model training, though third-party GPT actions and compliance API requirements may involve different data handling practices.

Temporary Chats won’t appear in your history, and ChatGPT won’t remember anything you talk about.

See OpenAI Help Center, Temporary Chat FAQ.

Vendor documentation

A.14 Google, Gemini Apps Privacy Hub

Google processes user data from Gemini Apps to provide, maintain, and improve its services, including through human review and the training of generative AI models, while adhering to specific retention policies and prohibiting the use of chat data for advertising.

Human reviewers (including trained reviewers from our service providers) review some of the data we collect for these purposes.

See Google, Gemini Apps Privacy Hub.

Law-firm commentary

A.15 Thompson Hine, Trade Secret Quarterly, February 2026

Federal circuit courts are currently split on whether the Defend Trade Secrets Act requires plaintiffs to identify trade secrets with sufficient particularity at the pleadings stage or if such identification can be deferred until discovery.

There is a growing split among federal circuit courts regarding how particularly plaintiffs must describe the trade secrets at issue, and at which point in the litigation this particularity is required.

See Thompson Hine, Trade Secret Quarterly, February 2026.

Commentary

A.16 IPWatchdog, Navigating Recent Developments in Generative AI and Trade Secret Protection

Recent judicial decisions confirm that sharing confidential information with public generative AI platforms without adequate contractual safeguards constitutes a voluntary disclosure that can extinguish trade secret protection and privilege.

Taken together, Trinidad and Heppner are among the first decisions to establish that confidential information shared with a public AI platform is not legally protected.

See IPWatchdog, Navigating Recent Developments in Generative AI and Trade Secret Protection.

Does enterprise AI preserve trade-secret protection for confidential company data?

Enterprise AI can improve the confidentiality record, especially with no-training terms and retention controls. It is not a safe harbor because product settings, logging, safety review, connectors, and tenant boundaries still matter.

Trade-secret law has not acquired an AI exception. It still asks whether the owner took reasonable measures. What changed is the factual record courts will examine. Public consumer models increasingly look like disclosure to an outside recipient that is not clearly bound to keep the material secret, especially where the provider may train on inputs, retain logs, permit human review, or preserve chats for other proceedings. Enterprise AI improves those facts, but it does not make external processing disappear. The record still depends on which tenant, which endpoints, which retention settings, which connectors, and whether the company can show that sensitive material was classified, restricted, and preserved when leakage was suspected.

Enterprise terms materially improve the facts, but they do not create a safe harbor. OpenAI says business customers own and control their data and that it does not train on business data by default, yet its platform guide still says default abuse-monitoring logs may retain prompts and responses for up to 30 days absent stricter controls. Anthropic says it does not train on commercial inputs and outputs by default, but standard commercial retention still exists, zero-data-retention is limited to eligible products, and flagged chats can be retained for up to two years. Google Workspace says it does not use Workspace customer data to train outside Workspace without permission, and licensed Workspace with Gemini submissions are not used to train models or reviewed by humans. Microsoft says Copilot prompts, responses, and Microsoft Graph data are not used to train foundation models, while also saying Copilot Chat prompts and responses are logged and stored in Exchange for auditing and eDiscovery. So the legal question is not did we buy enterprise AI. It is which product, with which settings, on which path.

The argument for preservation is familiar: trade-secret law has long tolerated disclosure to service providers acting under confidentiality restrictions. The counterargument is that provider-side logging, safety review, application-state storage, and third-party connectors mean the material still moved outside the owner’s exclusive control. Perhaps enterprise AI looks less like publication and more like outsourced processing. It probably does not look like no disclosure at all.

Sources for this answer

Vendor documentation

B.1 OpenAI Help Center, How your data is used to improve model performance

Supports the cited proposition. (OpenAI Help Center, How your data is used to improve model performance)

may use your content to train our models

See OpenAI Help Center, How your data is used to improve model performance.

Vendor documentation

B.2 Google, Gemini Apps Privacy Hub

Human reviewers (including trained reviewers from our service providers) review some of the data we collect for these purposes.

See Google, Gemini Apps Privacy Hub.

Law-firm commentary

B.3 Goodwin, AI Chatbots, Privilege, and Pitfalls: Lessons for Keeping Generative AI Exchanges Out of the Hands of Legal Adversaries

Disclosing attorney-client communications or privileged work product to a public AI platform may constitute a waiver of applicable legal privilege in connection with the underlying material, similar to other disclosures to unrelated third parties.

See Goodwin, AI Chatbots, Privilege, and Pitfalls: Lessons for Keeping Generative AI Exchanges Out of the Hands of Legal Adversaries.

Vendor documentation

B.4 OpenAI, Enterprise privacy at OpenAI

OpenAI provides enterprise-level data privacy and security controls, including user ownership of inputs and outputs and a default policy against training models on customer data.

We do not train our models on your data by default

See OpenAI, Enterprise privacy at OpenAI.

Vendor documentation

B.5 OpenAI, Data controls in the OpenAI platform

OpenAI provides enterprise customers with specific data controls, including options to opt out of model training, configure data retention periods, select data residency regions, and implement customer-managed encryption keys.

As of March 1, 2023, data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us).

See OpenAI, Data controls in the OpenAI platform.

Law-firm commentary

B.6 Quinn Emanuel Urquhart & Sullivan commentary

This source outlines legal considerations for mitigating and litigating trade secret theft involving enterprise AI, including the importance of DTSA-compliant employment agreements and the preservation of platform-side forensic evidence.

AI-specific provisions may serve as deterrents and, where a dispute arises, as evidence bearing on willfulness under the Defend Trade Secrets Act (“DTSA”).

See Quinn Emanuel Urquhart & Sullivan, Preventing, Detecting, and Litigating Trade Secret Theft in the Age of AI.

Vendor documentation

B.7 Anthropic Privacy Center, Is my data used for model training?

Anthropic does not use inputs or outputs from its commercial products to train its models by default, but may use data if a user explicitly provides feedback or opts into data usage.

By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models.

See Anthropic Privacy Center, Is my data used for model training?.

Vendor documentation

B.8 Anthropic Privacy Center, How long do you store my organization's data?

Anthropic maintains specific data retention policies for its commercial products, including standard 30-day deletion for API inputs and outputs, extended retention for policy violations, and user-controlled deletion for chat history.

For Anthropic API users, we automatically delete inputs and outputs on our backend within 30 days of receipt or generation

See Anthropic Privacy Center, How long do you store my organization's data?.

Vendor documentation

B.9 Anthropic Privacy Center, I have a zero data retention agreement with Anthropic. What products does it apply to?

Zero data retention arrangements with Anthropic are limited to specific eligible APIs and products utilizing a Commercial organization API key.

the only products to which zero data retention applies are eligible Anthropic APIs, and Anthropic products that use your Commercial organization API key (including Claude Code).

See Anthropic Privacy Center, I have a zero data retention agreement with Anthropic. What products does it apply to?.

Vendor documentation

B.10 Anthropic Privacy Center, Does Anthropic Act as a Data Processor or Controller?

For commercial Claude for Work accounts, the customer acts as the data controller while Anthropic serves as the data processor, processing information solely to provide the requested services.

When a commercial customer creates a Claude for Work account (Team or Enterprise plan), under our Commercial Terms of Service the customer is the "Controller" of the data submitted by its Users.

See Anthropic Privacy Center, Does Anthropic Act as a Data Processor or Controller?.

Vendor documentation

B.11 Google Workspace, Generative AI Security, Compliance and Privacy

Google Workspace with Gemini provides enterprise-grade security and privacy controls, including data sovereignty options, user-based access permissions, and a commitment not to use customer data for model training without authorization.

Google does not use customersâ Workspace data to train or improve the underlying generative AI and large language models (LLMs) that power Gemini, Search, and other systems outside of Workspace without permission.

See Google Workspace, Generative AI Security, Compliance and Privacy.

Vendor documentation

B.12 Google Workspace Help, Google Workspace with Gemini FAQ

Google Workspace with Gemini provides enterprise-grade data protections for licensed users, ensuring that user submissions and interactions remain within the organization and are not used for model training without permission.

Users with a Google Workspace with Gemini license get enterprise-grade data protections when they use Gemini app. Submissions aren't used to train models and are never reviewed by humans.

See Google Workspace Help, Google Workspace with Gemini FAQ.

Vendor documentation

B.13 Microsoft Learn, Microsoft 365 Copilot Chat Privacy and Protections

Microsoft 365 Copilot Chat provides enterprise data protection for user prompts and responses while ensuring that such data is not utilized to train underlying foundation models.

Prompts and responses aren't used to train the underlying foundation models.

See Microsoft Learn, Microsoft 365 Copilot Chat Privacy and Protections.

Vendor documentation

B.14 Microsoft Learn, Data, Privacy, and Security for Microsoft 365 Copilot

Microsoft 365 Copilot maintains strict data privacy and security standards by prohibiting the use of organizational data for model training, enforcing existing user access permissions, and providing a copyright defense commitment for commercial customers.

Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.

See Microsoft Learn, Data, Privacy, and Security for Microsoft 365 Copilot.

Law-firm commentary

B.15 Proskauer Rose commentary

disclosure of privileged communications to a third party in circumstances that undermine confidentiality (here, the corporation operating the AI tool) may result in waiver.

See Proskauer Rose, SDNY Addresses Privilege and Work Product Implications of Using Unsecured Public AI Tools.

What AI-use policy helps show reasonable trade-secret protection measures?

A defensible AI-use policy should be tool-specific, data-specific, and enforceable in logs and access controls. Mandatory AI use makes those controls more important because approved tools and excluded data become part of the normal operating record.

The more interesting agreement is about structure. Perkins Coie, Orrick, Fisher Phillips, and Goodwin do not describe the solution as an abstract AI policy. They describe tool-specific governance: rules for what may be entered, differentiated treatment by use case, approval and visibility for higher-risk deployments, and contractual restrictions when third parties touch the data or the model. That is a small but important shift. The firms are not really talking about employee training as culture. They are talking about it as evidence.

The first consequence is that AI governance is becoming part of the secrecy showing. A company that can only point to a handbook clause saying employees must protect confidential information has weaker facts than a company that can identify which information counts as secret, which tools are approved, which categories cannot be pasted into them, and which logs exist if something goes wrong.

Mandatory AI adoption raises the burden again. Once AI use becomes a baseline expectation, the company loses the easy story that any AI use was rogue behavior at the edge of the organization. Shopify’s public posture matters for that reason. It ties AI use to hiring, review, and resource allocation, which means the controls around approved tools and excluded data become part of the company’s basic operating record. The opposite extreme is not obviously cleaner. Samsung’s temporary restriction on employee use after sensitive code was uploaded shows the other problem: once a real leak occurs, later litigation will care not just about the preexisting rule but about the speed and completeness of containment.

Perhaps reasonableness under the circumstances does not require perfect prevention if the company classified secrets, trained workers, restricted exports, and forced work into approved tenants. The harder line is that downstream recipient control still matters, so a company that blocks ChatGPT on the corporate network but tolerates copying into personal accounts may have worse facts than it assumes.

Sources for this answer

Law-firm commentary

C.1 Perkins Coie commentary

Companies should implement tailored acceptable use policies for generative AI to manage evolving legal, regulatory, and operational risks associated with the technology.

To manage these risks, many companies are adopting an acceptable use policy (AUP) governing their use of third-party generative AI tools, educating employees on their use, and monitoring initial use cases and the quality, legality, and accuracy of the outputs

See Perkins Coie, Ten Considerations for Developing an Effective Generative AI Use Policy.

Law-firm commentary

C.2 Orrick commentary

Trade secret protection for AI innovations does not require registration but necessitates active measures to maintain secrecy, while independent discovery remains a valid defense against misappropriation claims.

A company does not need to register a trade secret to invoke it in litigation, unlike other IP protections.

See Orrick, Protecting Trade Secrets: Tips for AI Companies.

Law-firm commentary

C.3 Fisher Phillips, The 10 Things All Employers Must Include in Any Workplace AI Policy

A first step is developing a workplace GenAI policy.

See Fisher Phillips, The 10 Things All Employers Must Include in Any Workplace AI Policy.

Law-firm commentary

C.4 Goodwin commentary

In most cases, employees and contractors that input company information, including confidential or sensitive information, are essentially putting it in the public domain.

See Goodwin, What Employers Need to Know About Use of Generative AI at Work.

Case law

C.5 Snyder v. Beam Technologies, Inc., No. 24-1136 (10th Cir. Aug. 5, 2025)

The district court granted summary judgment on Snyder’s two trade secret claims. It held that Snyder offered insufficient evidence to show that he “owned” the alleged trade secret, a customer list.

See Snyder v. Beam Technologies, Inc., No. 24-1136 (10th Cir. Aug. 5, 2025).

Law-firm commentary

C.6 Quinn Emanuel Urquhart & Sullivan commentary

AI-specific provisions may serve as deterrents and, where a dispute arises, as evidence bearing on willfulness under the Defend Trade Secrets Act (“DTSA”).

See Quinn Emanuel Urquhart & Sullivan, Preventing, Detecting, and Litigating Trade Secret Theft in the Age of AI.

Commentary

C.7 First Round Review, From Memo to Movement: Shopify's Cultural Adoption of AI

Effective organizational AI adoption requires leadership alignment to prioritize enabling use cases while proactively addressing security and legal concerns through a default-to-yes framework.

Alignment at the highest level means everyone understands you have to find a way to get to “yes,” including the key conversations around security and privacy.

See First Round Review, From Memo to Movement: Shopify's Cultural Adoption of AI.

Commentary

C.8 The Verge, Shopify CEO says no new hires without proof AI can't do the job

Shopify has implemented a policy requiring employees to demonstrate that tasks cannot be completed using AI before requesting additional headcount, while establishing AI proficiency as a core performance expectation.

Before asking for more Headcount and resources, teams must demonstrate why they cannot get what they want done using AI.

See The Verge, Shopify CEO says no new hires without proof AI can't do the job.

Commentary

C.9 Reuters, ChatGPT fever spreads to US workplace, sounding alarm for some

The widespread adoption of generative AI tools by employees in the workplace presents significant security risks, including the potential for intellectual property leaks and unauthorized data exposure, leading many companies to implement restrictions or bans on their use.

Security firms and companies have raised concerns, however, that it could result in intellectual property and strategy leaks.

See Reuters, ChatGPT fever spreads to US workplace, sounding alarm for some.

How should a company contain suspected trade-secret leakage through AI prompts?

Containment should start before evidence disappears by preserving prompts, outputs, accounts, connectors, exports, and provider-side logs where available. The faster the company can reconstruct the AI path, the better its secrecy and remedy record.

An early 2026 district-court decision, Trinidad v. OpenAI, Inc., has been described in commentary as treating consumer-chatbot development of the claimed secret as voluntary disclosure inconsistent with secrecy. If later courts read it the same way, it could become the first direct AI-era statement on the point. For now it looks more like a signal than settled doctrine.

Quinn Emanuel pushes the operational point furthest. In its telling, AI changes the mechanics of theft. The leak can happen in a conversation rather than a file transfer. That makes chat histories, memory features, export functions, and prompt logs part of the trade-secret story rather than peripheral eDiscovery debris.

The final consequence is about time. Suspected leakage now becomes a preservation problem very quickly. Consumer chats may be reviewed or retained elsewhere. Enterprise logs may be short-lived, or separated across the AI provider, the identity stack, the browser, and the device. Companies that can reconstruct prompts, outputs, accounts, connectors, and export paths have materially better facts than companies that discover the leak after the retention window closed.

Sources for this answer

Law-firm commentary

D.1 Thompson Hine, Trade Secret Quarterly, February 2026

There is a growing split among federal circuit courts regarding how particularly plaintiffs must describe the trade secrets at issue, and at which point in the litigation this particularity is required.

See Thompson Hine, Trade Secret Quarterly, February 2026.

Commentary

D.2 IPWatchdog, Navigating Recent Developments in Generative AI and Trade Secret Protection

Taken together, Trinidad and Heppner are among the first decisions to establish that confidential information shared with a public AI platform is not legally protected.

See IPWatchdog, Navigating Recent Developments in Generative AI and Trade Secret Protection.

Law-firm commentary

D.3 Quinn Emanuel Urquhart & Sullivan commentary

AI-specific provisions may serve as deterrents and, where a dispute arises, as evidence bearing on willfulness under the Defend Trade Secrets Act (“DTSA”).

See Quinn Emanuel Urquhart & Sullivan, Preventing, Detecting, and Litigating Trade Secret Theft in the Age of AI.

Primary law

D.4 18 U.S.C. § 1836(b)(2)(A)(i)

Federal district courts possess exclusive original jurisdiction over civil actions involving the misappropriation of trade secrets.

The district courts of the United States shall have exclusive original jurisdiction of civil actions under this section.

See 18 U.S.C. § 1836(b)(2)(A)(i).

Does AI model memorization make training on trade secrets a disclosure risk?

Model memorization does not yet support a categorical rule that any training equals publication. It does make training, fine-tuning, repetition, and extraction risk relevant to the secrecy analysis.

The technical literature makes it hard to say the risk is imaginary. Carlini and later work show that training data can sometimes be extracted, especially under adversarial prompting or after fine-tuning on repeated sensitive data. Later work also argues that some common leakage measures overstate genuine memorization. So there is not yet a clean basis for the categorical claim that any training equals publication. But there is enough evidence to make training and fine-tuning choices part of the secrecy analysis.

Sources for this answer

Commentary

E.1 Nicholas Carlini et al., Extracting Training Data from Large Language Models

Large language models trained on private or public datasets are susceptible to training data extraction attacks that can recover sensitive information, with larger models exhibiting increased vulnerability.

This paper demonstrates that in such settings, an adversary can perform a training data extraction attack to recover individual training examples by querying the language model.

See Nicholas Carlini et al., Extracting Training Data from Large Language Models.

Commentary

E.2 Extracting Memorized Training Data via Decomposition

Large Language Models are susceptible to training data extraction attacks, which can be facilitated by query-based decompositional methods that bypass traditional alignment safeguards.

In this paper, we demonstrate a simple, query-based decompositional method to extract news articles from two frontier LLMs.

See Extracting Memorized Training Data via Decomposition.

Commentary

E.3 Do LLMs Really Memorize Personally Identifiable Information?

The authors demonstrate that reported PII leakage in LLMs is largely an artifact of cue-driven reconstruction rather than genuine memorization, and that controlling for these cues reveals that privacy risks are significantly lower than previously estimated.

Our results show that existing evaluation of PII leakage substantially overestimates privacy risk, as such evaluations conflate cue-driven reconstruction with genuine memorization across languages and evaluation paradigms.

See Do LLMs Really Memorize Personally Identifiable Information?.