Infosec firm Proofpoint has won $14m from a former vice president and his new employer after a jury found they had unlawfully used its trade secrets when he moved to the other company.
Both his new firm, infosec company Vade, and Olivier Lemarié misappropriated trade secrets relating to Proofpoint subsidiary Cloudmark’s Trident spear-phishing detection platform, a federal jury in the US state of California ruled late last week.
Lemarié, the San Francisco jury found, then went on to share those trade secrets with his new employer, French email security firm Vade Secure.
Of 20 trade secrets Proofpoint said Lemarié and Vade had used unlawfully, the jury agreed that 15 had been misappropriated by Vade Secure in a “wilful and malicious” way, according to the final verdict form [PDF]. It did not find that Lemarié’s misuse of the trade secrets was wilful and malicious, however. The reason this distinction is made is because the judge has discretion to raise the amount the plaintiffs are owed.
The jury also found that both Vade and Lemarié had infringed at least one of Cloudmark’s copyrights and that Lemarié had breached his employee agreement with the now-Proofpoint subsidiary.
The original complaint, filed in July 2019 [PDF], sued Lemarié and Vade for misappropriation of trade secrets and Lemarié for breach of contract. As detailed in the filing, the vice president had joined Proofpoint when it acquired Cloudmark, a firm Lemarié had been employed by since 2010.
According to the complaint:
The engineer left the firm voluntarily in November 2016, joining Vade. According to the complaint, Vade’s subsequent “new email security product was a dispositive factor in its ability to secure nearly $80 million USD in funding from its investor, General Catalyst.”
It also alleged the pair had used its Message (or Mail) Transfer Agent (MTA) tech “for which [Lemarié] had led the design, development, and implementation,” with the complaint noting Vade had “been developing an MTA product that it intends to launch by the end of this year and, as explained by Lemarié himself, is intended to displace Cloudmark’s MTA, by offering a similarly flexible, cloud-based MTA.”
In a statement made in April, just before the case went to trial, Proofpoint claimed Lemarié “took and used Cloudmark’s confidential and proprietary information and source code when he joined Vade Secure as Chief Technology Officer in 2017.”
French IT news website Le Monde Informatique reported that Vade had spent “€13m in 2019” alone fighting the case, which the site characterised as “half of [Vade’s] turnover in legal fees.”
Proofpoint bought Cloudmark, a message-filtering firm used by the FTC, among others, in 2017 for $110m, praising both its email security tech and its threat intelligence products. The smaller company was founded in 2001, came out of stealth in 2002 with a “Napster-style” technology for fighting spam, briefly crashed Microsoft Outlook in 2007 after a borked update to its anti-spam plugin, and was last seen on El Reg after analysing blackmail claims made in the wake of the Ashley Madison breach in 2015.
A jubilant Gary Steele, Proofpoint’s chief exec, told legal newswire Law360: “While we welcome fair competition and collaboration within the cybersecurity community, the misappropriation, copying and theft of our intellectual property required us to vigorously enforce our rights.”
According to the verdict, Proofpoint will get $13.4m for unjust enrichment and $480k for breach of contract but $0 for actual loss.
Vade Secure told The Reg: “While we were hopeful we would be successful on all claims, we are pleased that the jury saw that Proofpoint and Cloudmark’s claims were an overreach as evidenced by their decision on damages.
“As a company whose core values are integrity and innovation, we don’t believe this outcome accurately reflects who we are. We will be evaluating our next steps in the coming days in light of this verdict.” ®