Protecting trade secrets in the age of remote work: a Nigerian perspective
Christian Aniukwu
Stren & Blan, Lagos Island
ChristianAniukwu@strenandblan.com
Introduction
Trade secret theft by departing employees has become a recurring challenge across many industries. Major corporations in technology, pharmaceuticals, manufacturing and financial services have pursued civil litigation against former employees accused of misappropriating confidential information. Cases have involved the theft of proprietary formulas, client databases, manufacturing processes and strategic business plans. In one notable technology sector case, Intel filed suit against a former engineer accused of downloading approximately 18,000 files, many classified as ‘top secret’, before their departure.[1] Similarly, pharmaceutical companies have pursued actions involving stolen drug formulas and clinical trial data, while financial institutions have litigated cases involving proprietary trading algorithms and client information. These incidents highlight the vulnerability of corporate intellectual property during employee transitions and the need for robust data protection protocols.
For organisations, customer databases, business strategies, technical processes and other commercially valuable information constitute core competitive advantages.[2] Through technology, commercially valuable information can easily and routinely be accessed, transmitted and stored across multiple devices and jurisdictions. Consequently, employees, whether inadvertently or deliberately, can extract and retain confidential information with relative ease and often with minimal detection. As a result, trade secrets, which derive their value from secrecy, have become increasingly vulnerable in ways that traditional legal protections do not accommodate.
This paper argues that technological advancements and regulatory gaps have created the ‘digital walkout’, where employees can exit organisations with valuable proprietary information in digital form. It contends that existing legal mechanisms are insufficient and advocates for a more robust, technology-responsive framework for trade secret protection in Nigeria.
The evolving risk landscape for trade secrets in Nigeria
From the point of entry into an organisation, employees are typically exposed to varying degrees of confidential and proprietary information. This access is provided for their effective integration into the company’s operational systems and adequate performance of their roles to the required standard. Consequently, businesses routinely embed protective mechanisms within employment contracts, including confidentiality clauses, non-disclosure agreements (NDAs)[3] and non-compete provisions aimed at restricting the use or disclosure of sensitive information during and after the employment relationship.[4]
While these contractual safeguards serve as a foundational layer of protection, their effectiveness is constrained by several factors. First, enforcement is inherently reactive, as remedies are only triggered after a breach of the contractual agreement has occurred. Second, non-compete clauses, which typically restrict post-employment misuse, are sometimes narrowly construed and may be deemed unenforceable where they impose unreasonable restraints on trade.[5]
Under Nigerian common law principles inherited from English equity, restraint of trade clauses are enforceable only where they protect legitimate proprietary interests and are reasonable in terms of their scope, duration and geographical reach. Nigerian courts have shown reluctance to enforce overly broad post-employment restrictions, particularly where they effectively prevent an employee from earning a livelihood. This judicial caution, while protecting employee mobility, creates enforcement uncertainty for employers seeking to prevent trade secret misappropriation through restrictive covenants alone. Third, these mechanisms are largely based on traditional assumptions that confidential data remains within defined organisational boundaries and is subject to effective physical supervision. But the sad reality is that these ‘paper-based’ protections are increasingly inadequate in the face of today’s sophisticated digital technologies.
The shift to remote work has fundamentally altered the information security landscape. Confidential data is now routinely accessed through cloud platforms, collaboration tools and personal devices, multiplying the number of potential data exfiltration vectors beyond the reach of traditional contractual and physical security measures. Unauthorised disclosures may occur through deliberate misconduct, inadvertent human error, weak cybersecurity practices or unregulated third-party applications (‘shadow IT’). Digital repositories pose particular challenges: documents can be downloaded, shared externally or synchronised across different devices without leaving obvious traces, making monitoring and control during employee exit processes increasingly difficult.
In other jurisdictions, there are structured legal frameworks on trade secrets that are designed to keep pace with the challenges of the digital age, such as the United States Defend Trade Secrets Act (DTSA), Germany’s Trade Secrets Act 2019 and the United Kingdom’s Trade Secrets (Enforcement, etc) Regulations 2018. For instance, section 1839(3) of the DTSA provides that information qualifies as a trade secret only where ‘the owner thereof has taken reasonable measures to keep such information secret’. These ‘reasonable measures’ could include virtual private network (VPN) access, encryption, password protection, the use of NDAs and confidentiality agreements, restricted cloud access and device-management policies. Similarly, Germany’s Trade Secrets Act requires businesses to implement ‘appropriate secrecy measures’ in order to enjoy legal protection.[6]
Nigeria, by contrast, remains a signatory to the World Trade Organization’s Agreement on Trade-Related Aspects of Intellectual Property Rights (otherwise known as the TRIPS Agreement), under which Article 39 obliges member states to protect undisclosed information. However, Nigeria is yet to fully translate this obligation into a comprehensive domestic legal framework, leaving trade secret protection largely dependent on fragmented legal principles rather than a unified statutory regime. Similarly, the scope of the Nigeria Data Protection Act 2023 does not extend to proprietary business information or commercial trade secrets, thereby leaving a significant regulatory gap.
Therefore, the evolving risk landscape concerning trade secrets necessitates a shift from purely legalistic protections towards an integrated framework that combines legal enforcement, cybersecurity infrastructure and proactive risk management strategies.
Legal strategies for mitigating digital walkouts
Post-employment data exfiltration is no longer an isolated risk but a structural feature of remote work systems. Legal practitioners play a critical role in reshaping trade secret protection frameworks so that they are technologically aligned and can mitigate the risks associated with digital walkouts. Hence, a multilayered framework that integrates legal enforceability, cybersecurity infrastructure and organisational controls is necessary.
A foundational safeguard is the strict application of the principle of least privilege through role-based access control (RBAC). Lawyers, working alongside information technology (IT) teams, ensure that an organisation’s governance policies are not only technically sound, but also legally enforceable and clearly documented. Thus, employees are only allowed to access data necessary for them to carry out their roles, which reduces their exposure to sensitive information.[7] Permissions must be granular, limiting actions such as downloading, copying or external sharing.[8]
Furthermore, lawyers are able to support the deployment and governance of data loss prevention (DLP) systems and endpoint monitoring tools,[9] which detect and block unauthorised transfers of confidential data to USB drives, personal email addresses or unapproved cloud services. DLP solutions, such as Microsoft Purview, Symantec DLP and Forcepoint DLP,[10] monitor high-risk user behaviours, preventing data leakage, particularly during employee exit periods.
Moreover, a structured digital offboarding process must be established for the immediate revocation of digital access rights upon an employee’s resignation or the termination of their employment.[11] Lawyers can design legally robust exit protocols alongside the relevant IT teams, disabling employee credentials, revoking authentication tokens and removing access to online collaboration platforms in real time to eliminate post-employment access.
In addition, organisations should adopt a company-issued device policy,[12] under which employees use employer-provided laptops, work phones, subscriber identity module (SIM) cards and related devices for all work activities, while encrypting all important information sent across the internet and on any networked device, and setting up clear procedures on data handling and proper device use. This eliminates the risk of exfiltration of the organisation’s data via the personal cloud accounts of employees and allows for full control over data security. Also, companies should conduct routine IT audits and system monitoring on company-owned systems, including regular password changes, access-log reviews and behavioural analysis. Such monitoring may also extend to the post-employment period where there is reasonable suspicion of trade secret misappropriation or unauthorised retention, disclosure or use of confidential information.
Legal remedies for trade secret exposure
Organisational success and continuity depend largely on the security of the company’s competitive advantages. But where unlawful disclosures of these competitive advantages by employees occur, employers can request urgent court intervention through the issuance of injunctions to prevent further disclosure before irreversible damage occurs. Although they may not always completely reverse the damage already done, especially in the context of the fluidity of access to technology, injunctions are useful to combat a continuing breach by an employee.
Also, where the breach results in financial loss, employers may bring action against the employee for compensation. The court may require payment of compensatory damages by the employee for actual losses suffered by the employer, profits gained unlawfully by the employee and a loss of market advantage. Exemplary or punitive damages may be awarded, which serve as punishment and deterrence against intentional misconduct by the employee.
Furthermore, criminal sanctions under the relevant cybercrime law may apply, but the nature of remote employees operating across different countries may pose a jurisdictional challenge to the enforceability of such provisions. For instance, in Nigeria, section 6 of the Cybercrime Act provides that any person who intentionally accesses a computer system without authorisation for the purpose of obtaining ‘commercial or industrial secrets’ commits an offence. The law prescribes penalties of up to seven years’ imprisonment, a fine of up to NGN 7m or both.[13] This provision demonstrates the seriousness attached to the protection of confidential business information within Nigeria’s digital and remote working environment.
Conclusion
The protection of trade secrets remains fundamental to the economic competitiveness and sustainability of organisations, as it directly safeguards the intellectual capital that underpins innovation, market positioning and long-term profitability. Hence, unique end-to-end cybersecurity measures with strong encryption, additional verification and increased protection aimed at protecting proprietary information must be embedded as core components of organisational governance and risk management in the context of remote work arrangements. Organisations must maintain a firm stance on strengthening cybersecurity infrastructure, enforcing robust internal controls and fostering a culture of compliance among their employees. Ultimately, a coordinated approach that integrates law, technology and organisational discipline will ensure that Nigeria’s business environment remains secure, competitive and globally aligned.
[1] Craig Hale, ‘An ex-Intel employee apparently stole thousands of secret files when he left’ TechRadar https://www.techradar.com/pro/an-ex-intel-employee-apparently-stole-thousands-of-secret-files-when-he-left last accessed on 29 April 2026.
[2] Adamu A Pam and John Ishaku Mantu, ‘An Appraisal of The Legal Framework on Confidential Information And Trade Secrets In Nigeria’ https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3422302 last accessed on 29 April 2026.
[3] Deloitte, ‘Non-Disclosure Agreement - A Shield for Business Secrets’ https://www.deloitte.com/se/sv/services/legal/perspectives/non-disclosure-agreement-a-shield-for-business-secrets.html last accessed on 29 April 2026.
[4] Ian Ross, ‘Non-compete clauses in employment contracts: The case for regulatory response’ https://www.cambridge.org/core/journals/the-economic-and-labour-relations-review/article/noncompete-clauses-in-employment-contracts-the-case-for-regulatory-response/560A1EF23C213948FC83400F3AB0F10B last accessed on 29 April 2026.
[5] Dayo Bello and Bashir Ramoni, ‘Restricting Competition or Protecting Interests? Navigating Non-Compete Agreements In Nigeria’ https://www.mondaq.com/nigeria/antitrust-eu-competition/1614040/restricting-competition-or-protecting-interests-navigating-non-compete-agreements-in-nigeria last accessed on 29 April 2026.
[6] Section 2, No 1 (b) of Germany Trade Secrets Act.
[7] Taresh Mehra, ‘The Critical Role of Role-Based Access Control (RBAC) in securing backup, recovery, and storage systems’ International Journal of Science and Research Archive (IJSRA), https://ijsra.net/sites/default/files/fulltext_pdf/IJSRA-2024-1733.pdf last accessed on 29 April 2026.
[8] Mahammad Shaik et al, ‘Granular Access Control for the Perpetually Expanding Internet of Things: A Deep Dive into Implementing Role-Based Access Control (RBAC) for Enhanced Device Security and Privacy’ British Journal of Multidisciplinary and Advanced Studies Vol. 2, No. 2, pp.136-160, June 2018 https://www.abluva.com/ebook_pdf/Implementing%20Principles%20of%20Least%20Privilege%20in%20Cybersecurity.pdf last accessed on 29 April 2026.
[9] Noman Abid, ‘Advancements and Best Practices in Data Loss Prevention: A Comprehensive Review’ Global Journal of Universal Studies Volume 1, Issue 1 ISSN: 3008-050 https://media.neliti.com/media/publications/590136-advancements-and-best-practices-in-data-a5521663.pdf last accessed on 29 April 2026.
[10] Joe Barron, ‘The 14 Best Data Loss Prevention (DLP) Tools in 2026’ Teramind https://www.teramind.co/blog/best-data-loss-prevention-tools/ last accessed on 29 April 2026.
[11] Savlaram Padte, Anderson Llanos and Jim Griffiths, ‘Revolutionizing IT Asset Lifecycle by Enhancing Efficiency and Compliance through Software Abstraction’ https://dx.doi.org/10.2139/ssrn.6198559 last accessed on 29 April 2026.
[12] Marc Chase McAllister, ‘Cell Phone Searches by Employers’ https://dx.doi.org/10.2139/ssrn.3665349 last accessed on 29 April 2026.
[13] Section 6(2) of the Cybercrime Act 2015.