Respond to data misappropriation with compelling evidence and emergency legal strategies.
Calculate the quote
Margherita Manca
When a client breaches confidentiality, legal protection becomes far from straightforward. In this article, we analyze what to do in cases of project, file, and confidential material misappropriation by an untrustworthy client. From evidence gathering to legal action—through cease and desist letters, injunctions, and compensation—we outline an effective strategy. We also explain how to create truly enforceable NDAs and implement tools for prevention, control, and fostering a culture of confidentiality within the company.
When offering high-value services—such as strategic consulting, proprietary methods, confidential formulas, technical models, or design solutions—the golden rule is simple: never share what you can’t afford to lose. Absolute confidentiality is the most effective protection. However, in many professional contexts, sharing becomes necessary: to propose a tailored solution, participate in a selection process, or co-develop a project.
In such cases, it’s essential to regulate access to information through a confidentiality agreement—the classic Non-Disclosure Agreement (NDA)—which formally binds the recipient to neither disclose nor use the information beyond the agreed purposes.
Typically, NDAs are used by clients to protect themselves from suppliers. But the reverse scenario is also possible: the professional or supplier may be the one harmed. This happens when a client, after receiving confidential documents, ideas, or materials, decides to use them independently, perhaps involving another partner or replicating them without authorization.
In these situations, the NDA is an essential tool for the party who shared sensitive content. But compliance with the agreement is never guaranteed. Signals of a possible violation can be subtle: out-of-context technical questions, sudden communication drop-offs, or exclusion from crucial operational phases. Sometimes it becomes apparent only when a “too similar” product is announced by someone else [see: Copied products: the case of the former reseller turned competitor (Court of Brescia, December 5, 2024) – Canella Camaiora].
When you suspect a violation, speed is fundamental. It’s not enough to be right—you must be able to prove it with solid evidence. Here’s how to document information theft and prepare an effective legal attack strategy.
At the first signs of a potential violation—sudden communication gaps, unclear technical requests, or being left out of operations— it is essential not to waste time. The priority is not confronting the client, but building strong evidentiary support.
Start by saving every relevant communication: emails, messages, shared notes. Even seemingly minor details—like the time a file was sent or the version history of a document—can become central in court. It’s also useful to retrieve subsequent versions of shared materials to spot suspicious modifications or unauthorized reuse.
Simultaneously, check access logs on collaborative platforms: who downloaded what and when. In digital environments, monitoring information isn’t just possible—it’s necessary. Companies dealing with confidential content must be set up to trace, archive, and preserve every interaction to accurately reconstruct events in case of abuse.
Sometimes, information theft is facilitated internally, for example, by disloyal collaborators or employees who improperly pass sensitive documents to the client or third parties (see: The case of the disloyal employee who steals confidential company information – Canella Camaiora). In these cases, evidence collection must also be timely and focused on traceability.
Another key step is proving ownership of the content: who created it? When? With what tools? Many companies underestimate the importance of documented authorship, opening the door to avoidable disputes.
Finally, consult a specialized attorney immediately—not just to prepare a formal warning, but to evaluate protective legal strategies, even urgent and surprise measures. Because once the breach is evident, it might already be too late to respond effectively.
When you discover that a client—or commercial partner—has improperly used confidential information, your legal response must be carefully planned. Many assume the first step is a cease and desist letter, but this approach can be overrated: if the evidentiary groundwork hasn’t been secured, you may compromise your case.
In cases of information theft, it’s essential to map the situation, gather all useful elements, and act swiftly, often with the help of a technical expert or bailiff, to secure evidence. Only after this phase can you proceed effectively.
A well-structured cease and desist letter remains a useful tool: it holds legal value, formalizes the complaint, and—if crafted properly—can lead to an out-of-court resolution or set the stage for litigation.
If the damage is ongoing or likely to worsen, you can request urgent judicial measures (precautionary relief), allowing rapid legal protection. The judge may order:
These are powerful and rapid tools but must be requested based on solid evidence. Weak or contradictory evidence can turn the action into a dangerous backfire, with legal costs and reputational harm.
After the precautionary phase, you can proceed with a merits case to seek compensation. Main criteria for quantifying damages include:
Often, NDA violations are accompanied by additional offenses—such as unfair competition or intellectual property infringement—which can strengthen your case.
Confidentiality protection doesn’t begin after a violation—it starts with drafting the agreement. Much of your legal defense strength is determined at this stage. That’s why companies, startups, and development teams should work with expert professionals from the very first interactions to create customized, practical, and enforceable NDAs.
A confidentiality agreement shouldn’t be a generic template copied from the internet. It must be adapted to the type of shared information, technologies used, operational dynamics of the project, and actual misuse risks.
An effective NDA clearly defines:
In some cases, including a penalty clause is helpful: a contractual provision that pre-defines the amount payable in the event of a breach, avoiding the need to prove the extent of the damage. For example, the agreement might state that unauthorized disclosure incurs a €50,000 penalty. This clause has a strong deterrent effect and simplifies legal action.
But a document alone isn’t enough—you need a structured culture of confidentiality. Companies should implement internal systems to:
Many companies already use professional tools for document management, legal archiving, and activity monitoring (e.g., Google Vault, Microsoft Purview, Mimecast Archive, Proofpoint), proving that this is not science fiction but best practice.
In a world where knowledge has economic value and sharing is part of strategy, protecting what you create isn’t a luxury—it’s a mark of entrepreneurial responsibility.
A well-drafted NDA is not mere formality—it’s the first legal safeguard for the value a company generates every day.
Margherita Manca
