Silicon Valley-based solar panel giant SunPower sued five former employees and competitor SolarCity today, contending that shortly before they left SunPower, the employees connected USB drives to the company’s computer network, “and used them to steal tens-of-thousands of computer files” with confidential and non-confidential proprietary information.
In addition to civil damages and injunctive relief, SunPower also wants to hold the ex-employees criminally liable for violating a California law prohibiting unauthorized computer data access and fraud.
The case raises important questions about what, if any, data loss prevention (DLP) systems were in place to prevent employee theft and the loss of such highly confidential and proprietary data. How could the alleged data transfer of information on hundreds of millions of dollars in sales at a Silicon Valley company occur so brazenly?
The lawsuit maintains that “within days of leaving SunPower,” Tom Leyden, a Managing Director for the company’s East Operations, copied highly confidential data from the company’s SalesForce database with information on the company’s major customers accounting for over $100 million in sales for 2011. Using this information, the complaint charges, Leyden recruited at least three other SunPower employees to work at Redwood City-based SolarCity to help the competitor jump start its commercial sales operations.
According to an affidavit filed by Mark Bronez, SunPower’s head of North American Commercial Sales, the information allegedly taken by his company’s ex-employees “would take years to independently develop.” The allegedly stolen data included “critical market summaries,” detailed business plan, financial analysis, sales information, and other highly confidential information critical to the company.
All former SunPower employees named are said to have signed confidential agreements concerning the company’s proprietary information and inventions, and that a ‘no-solicitation’ clause prohibited them from recruiting workers still employed at SunPower for at least two years after leaving.
The suit contends that even “after he was terminated,” defendant and former SunPower project development director Felix Aguayo was still able to access his company email account and forward “several emails containing customer information, price lists, and market reports to his personal email address.” Didn’t SunPower have a policy in place the would immediately lock-down an ex-employee’s access to e-mail and other data on the company’s computer network? If so, it clearly doesn’t appear to have been effective.
It was Aguayo’s forwarding of these emails, the suit alleges, that prompted SunPower to launch a forensic analysis of computers used by the five former employees. That analysis, the suit suggests, eventually led the company to discover the alleged data theft and transfers leading up to this lawsuit.
Significantly, SunPower seeks to hold the five former employees criminally liable under California Penal Code § 502(c), the states Comprehensive Computer Data Access and Fraud law.
Photo credit: Brian A Jackson/Shutterstock.com
You can follow the case docket here, amd read the complaint in the case below: