US-based automotive company, Tesla, and former Tesla engineer, Dr. Guangzhi Cao, recently settled their two-year litigation in which Tesla accused Cao of stealing source code for its driver-assistance software.[1] This fact pattern of trade secret misappropriation cases stemming from an individual leaving one company to work at its competitor is all too common. The facts and ultimate resolution of the Tesla v. Cao case highlight the risks faced by employers and employees alike when dealing with confidential materials, as well as the ways that careful compliance and protective measures can mitigate those risks.

Summary of the Case

In March 2019, Tesla sued one of its former employees, Dr. Guangzhi Cao, accusing him of stealing the source code for its driver-assistance software, codenamed "Autopilot." Tesla alleged that while he was employed at Tesla, Dr. Cao uploaded confidential information relating to Autopilot to his personal iCloud account. Dr. Cao ultimately began working for a competitor of Tesla’s, XMotors. Tesla sued Dr. Cao for trade secret misappropriation under both the Defend Trade Secrets Act (“DTSA”) and the California Uniform Trade Secrets Act ("CUTSA") as well as for breach of various non‑disclosure agreements and for breach of the employee’s duty of loyalty.[2]

Tesla alleged that it protected its confidential information via a series of security measures and policies, including non-disclosure agreements, restricting access to its physical facilities, password and firewall protection for its information resources, revoking access to Tesla resources when an employee leaves the company. Tesla also prohibited employees from storing confidential information on third-party systems like iCloud, Google Drive, or Dropbox.[3]

Tesla described its Autopilot source code as the "crown jewel of Tesla’s intellectual property portfolio" and alleged that it took extraordinary security measures as to that project, beyond the standard practices above.[4] For example, Tesla physically separated the Autopilot team from the rest of its employees, and the area dedicated to that team was protected by further physical security measures.[5]

According to Tesla, a forensic analysis showed that Dr. Cao created backup copies of numerous sensitive Tesla projects, over the course of his employment from 2017 to 2019, including while he was seeking employment with XMotors.[6] Weeks before Dr. Cao left employment at Tesla, he began deleting files from his Tesla laptop and clearing his browser history, though no one directed him to do so.[7]

Dr. Cao admitted that he had uploaded Autopilot code and other Tesla confidential information to his iCloud account while he worked there as well as to a thumb drive,[8] but he insisted he had "done precisely nothing with Tesla’s IP," including that he never transferred or used those materials for the benefit of XMotors.[9] He further stated that Tesla’s management routinely allowed employees to store sensitive work-related information on their personal devices, notwithstanding the alleged policy to the contrary.[10] Indeed, Dr. Cao contended that before he left Tesla, he took pains to identify any Tesla confidential information in his possession and to delete it, including from his iCloud account.[11] Further, he stated that he destroyed a thumb drive containing Tesla materials by smashing it with a hammer and flushing it down a toilet.[12]

Tesla dismissed Dr. Cao’s purported deletion of files from his iCloud account as "meaningless," because by default, "deleted" files in iCloud remained accessible across a user's devices for at least 30 days after deletion.[13] And Tesla derided Dr. Cao’s destruction of the thumb drive as "unbelievable,"—emphasizing the difficulty of reconciling certain facts, such as Dr. Cao’s decision, despite his technical expertise, that physically destroying a thumb drive was the most prudent approach to dispose of the Tesla confidential information in his possession.[14]

Although Tesla did not sue Dr. Cao's new employer, XMotors, nor its sister company, Xiaopeng, Tesla did subpoena XMotors for all of the source code for its automated driving program, among other materials, which the court required XMotors to produce over its objection.[15]

The case settled on the deadline for Tesla to move for summary judgment. Although the terms of the settlement are not public, the parties’ stipulation includes admissions and apologies by Dr. Cao, and notes that the agreement includes a monetary payment by Dr. Cao to Tesla.[16]

Trade secret litigation has been on the rise for a number of years in the US[17], driven in part by the success of plaintiffs in cases under the new federal Defend Trade Secrets Act and developments that have cast doubt on the reliability of patents as a means to protect innovations, especially software. The increase in claims of trade secret litigation has been particularly sharp against companies with significant presences in China, perhaps a reflection of the political environment in the US.[18]

Particularly in view of this trend, the Tesla v. Cao case serves as a cautionary reminder of the hazards of the digital age with regard to sensitive confidential materials. Companies must be mindful both to protect their own information and to protect against trade secret misappropriation risks when hiring employees from their competitors, and individuals must be mindful of how they handle confidential information in their possession. Below we provide some preliminary analysis of the case from the perspectives of a new employer, a previous employer, and an employee.

From XMotors’s Perspective: Quick Response to Allegations and Hiring from Competitors

On the date that Tesla filed its lawsuit against Dr. Cao, XMotors immediately placed Dr. Cao on administrative leave, instructing him not to use or access any XMotors-related accounts or systems until further notice. XMotors also collected and archived Dr. Cao’s personal and work-issued electronic devices, then turned them over for forensic imaging.[19]

XMotors’ swift reaction to a trade secret misappropriation claim filed against its employee was prudent. By responding decisively, XMotors signaled that it took Tesla’s allegation seriously and demonstrated its good faith. XMotors efforts to preserve evidence relating to Dr. Cao further positioned XMotors to prove precisely what influence, if any, the Tesla confidential information in Dr. Cao’s possession might have had on XMotors’s own products. And promptly putting Dr. Cao on administrative leave—including by cutting off his access to XMotors’s technical systems—helped mitigate the risk of any dissemination of Tesla’s information within the company. This was wise whether or not Dr. Cao intended to use Tesla’s information, because even unintentional disclosure could have put XMotors at risk—especially once it knew of the allegations against Dr. Cao.

Although the case eventually settled, and XMotors was never sued as a defendant, XMotors was nevertheless dragged into a fight that it might have been able to mitigate, such as by prescribing procedures for sanitizing Dr. Cao's personal accounts and devices. And it might have found itself in the position of defending against a trade secret misappropriation claim, which can be a lengthy and expensive process, even where the claim lacks merit. Even as a third party, XMotors needed to undertake the costly effort to gather and produce its source code, including ensuring that the production was subject to appropriate protective measures.

This case highlights the risks a company faces when it hires a new employee from its competitor—and the importance of mitigating that risk proactively. The level of scrutiny involved may depend on the context. It may not be possible for a company to review every single personal device or account of every new hire. But for important hires (here, Dr. Cao appeared to be quite important, given that XMotors’s founder interviewed him directly)[20], it is advisable to thoroughly vet the new employee to ensure that he or she did not retain any information from his prior employer (or access to it)—even if inadvertently. This is particularly important where the new employee will be working in direct competition with his former employer. And it is prudent to complete this diligence before allowing the new employee to begin work or to access the company’s system—effectively quarantining against any possible improper information.

From Tesla's Perspective: Protecting Your IP with Policy AND Practice

For the most part, this case demonstrated that Tesla's security measures worked. Tesla learned of Dr. Cao's iCloud backups quickly enough that it was able to file a lawsuit just two months after his departure. And the settlement of this case indicates that Tesla is satisfied that any harm resulting from Dr. Cao’s actions has been remedied or mitigated. But it could have been worse: had Tesla’s confidential information been publicly disclosed, there might have been no way to get the proverbial toothpaste back in the tube. Companies are therefore best protected when they prevent employees from walking out the door with confidential information in the first place.

Although Tesla claimed that it protected its confidential information with numerous security measures, including policies prohibiting employees from storing company confidential information on personal devices, Dr. Cao suggested that the policy was not rigorously enforced. If companies have a disparity between policy and practice, it could undermine their ability to claim trade secret protection altogether. This is because the law requires the owner of a trade secret to "take[] reasonable measures to keep such information secret[.]"[21] It is critical to establish protective policies, but they might be vitiated if they are not rigorously enforced.

One safeguard that companies can implement is to put in place technical measures that prevent employees from connecting to their personal devices or cloud-based storage. Alternatively, companies can proactively monitor employees’ connection of personal devices and accounts to company resources, then thoroughly vet those repositories prior to an employee's departure from the company. Companies can also configure their systems to detect anomalies in an employees’ usage of the system. And frequent IP compliance training can encourage employees to be vigilant about the various risks they might be taking with company information. Ultimately, there is no surefire formula for protecting information. Rather, it is important to strike a careful balance between protection and practicality. Lax and limited policies may not provide adequate protection, but draconian policies that impede employees’ work or personal lives might drive an employee culture of nonfeasance.

From Dr. Cao’s Perspective: Taking Care with Your Employer’s Confidential Information

According to Dr. Cao’s account, he not only lacked any intention to use Tesla’s confidential information improperly, he took significant efforts to protect that information. Nevertheless, Dr. Cao appears to have violated Tesla’s data security and intellectual property policies and then promptly began working for a key competitor of Tesla’s. And the protective measures he took—deleting files on his iCloud and destroying the thumb drive—ultimately raised more suspicions, rather than vindicating him. As Dr. Cao acknowledged, his conduct risked liability that could have destroyed his family—even with no ill intent.[22]