Arcturus v. AbbVie: How the Theft Happened and Why Departing Employees Matter More Than Ever

In late September 2025, Arcturus Therapeutics filed a federal lawsuit in the Southern District of California, accusing AbbVie Inc. (and Capstan Therapeutics, a company AbbVie acquired) of misappropriating trade secrets tied to Arcturus' lipid-nanoparticle (LNP) drug-delivery platform.

‍

The allegations are specific: Arcturus says Capstan hired a former Arcturus employee and a consultant in 2022 who transferred proprietary LNP know-how. Shortly afterward, Capstan filed a patent application listing those hires as inventors. Arcturus alleges that those transferred trade secrets materially increased Capstan's value and were central to the acquisition. The company is seeking money damages and an injunction to stop AbbVie from using the proprietary information.

‍

The Background: A $2.1 Billion Acquisition at Stake

‍

AbbVie announced an agreement to acquire Capstan (a developer of in-vivo targeted LNP CAR-T technology) in mid-2025 in a transaction with an aggregate consideration of up to $2.1 billion. The deal closed later that summer. The acquisition was presented publicly as a strategic bet on in-vivo CAR-T and LNP delivery platforms (the very kinds of platform technologies that, if misappropriated, can move both scientific value and acquisition price).

‍

Lawyers and life-sciences counsel have already flagged this as a canonical fact pattern: platform R&D, targeted hiring of domain experts, rapid patenting by the buyer, and then litigation from the alleged originator. That combination (hire → transfer → patent → acquisition) is exactly what trade-secret plaintiffs and their counsel watch for when evaluating whether to sue.

How Common Is Employee Data Theft? More Than You Think

‍

Short answer: not rare. Multiple surveys and vendor studies show that a significant fraction of departing employees either take company data with them or have the ability to do so.

‍

The Numbers Don't Lie

‍

Depending on the study and the exact question, the headline number ranges from "about one in four" to "nearly one in three" admitting they took data when they left:

• Tessian's 2022 research found roughly 29% of respondents admitted to taking data when they left a job
• Other vendor surveys put the figure at "more than one in four"
• These headline numbers actually understate the operational reality, only higlightling users who admitted to stealing data
  ‍

Here's what the data shows: Data exfiltration spikes around resignations and lay-offs. Even shorter measurement windows show non-trivial proportions of staff copying sensitive files or exporting mailboxes.

‍

When Data Theft Happens: The Critical Window

‍

Longitudinal monitoring studies (for example, endpoint/cloud telemetry analyses) often show that while only a minority of employees ever exfiltrate data, that minority accounts for a disproportionate share of high-value leaks. The probability of exfiltration increases in the days and weeks before and immediately after an employee's exit. That timing is what makes departure events a critical risk window.

‍

Why Employees Take Data: Understanding the Motives

‍

When you peel back the headlines, the reasons people walk away with files fall on a spectrum from benign to malicious. The same set of behaviors can require very different legal and operational responses.

‍

1. To Accelerate or Improve Prospects at a New Job

A departing engineer or scientist may copy working drafts, benchmarks, or snippets of code to reduce onboarding time or to reproduce work at a new employer. Sometimes the intent is explicit (to reuse tradecraft) and sometimes it's rationalized as "I need this to do the job." In high-tech R&D fields, those artifacts can be exactly what makes a startup attractive.

‍

2. To Build a Portfolio or Prove Competence (Often Claimed as Non-Malicious or Accidental)

Designers, data scientists, and product people often keep samples of their work. That impulse ("I want evidence of what I did") frequently leads to copying documents or datasets that contain proprietary details. Even if the motive is personal career advancement, the result can be a commercial risk for the employer.

‍

3. As an Inducement or "Pay to Play" for a New Job

Less common but high-impact: a hiring party that wants specific know-how may implicitly or explicitly value transfers of proprietary information. Plaintiffs in trade-secret suits often argue the new employer induced hires to bring protected knowledge (and sometimes court filings focus on patent timing or inventorship as evidence of that inducement). The Arcturus complaint alleges exactly this pattern.

‍

4. Because Employees Believe the Work "Belongs" to Them

Particularly in startups or long-tenured roles, individuals sometimes think that spreadsheets or technical notes they produced are "their" work. That subjective sense of ownership leads to copies being taken at departure (often of materials the company considers confidential). Studies show these sentiments are higher in younger generations of employees, indicating this risk will continue to increase.

‍

5. Accidentally or Through Careless Personal Backups (The PST Example)

‍

A surprisingly mundane vector: employees trying to keep personal materials accidentally export corporate content.

‍

A common example: Exporting an Outlook PST to preserve personal email. Unless mailbox contents are carefully filtered, the PST can include attachments, draft protocols, or internal tables that are corporate IP. Microsoft documents and many admin playbooks describe PST export as a standard way to save email, but it's also a blunt instrument that scoops up everything.

‍

Similarly, employees synchronizing folders to a personal cloud account, or copying "just a few files" to a USB stick, can inadvertently remove trade secrets.

‍

The Legal Framework: What Trade Secret Owners Can Do

‍

In the U.S., trade-secret owners can sue under both state law (the Uniform Trade Secrets Act as adopted by most states) and the federal Defend Trade Secrets Act (DTSA).

‍

Available remedies include:

• Damages (actual loss, unjust enrichment, or a reasonable royalty)
• Injunctive relief
  ‍

Federal practice also includes specific procedural and remedial rules (and limitations on injunctions that would effectively bar employment). In other words, commercial litigants have a broad but structured toolbox.

‍

What determines case outcomes? Typically the specificity of the alleged trade secrets, the evidence of misuse or inducement, and whether the defendant actually gained a competitive advantage from the information. Recent life-sciences trade-secret verdicts and rulings show courts will issue large remedies when misappropriation and harm are proven.

‍

Practical Mitigation: What Teams Should Do Right Now

‍

The technical and process playbook is well known and aligns with national guidelines: implement least-privilege access, automate immediate de-provisioning, monitor for bulk exports around notice periods, apply DLP and user-behavior analytics, and include offboarding in HR-IT playbooks. Federal and industry guides (CISA, NIST, SIFMA) all stress layered controls (people + process + tech) and recommend continuous monitoring rather than one-off audits.
‍

Concrete Actions You Can Take Today
‍

1. Enforce least privilege and role-based access -  Remove privileges immediately on resignation/termination notices.

2. Monitor and alert on high-risk activities -  Watch for bulk downloads, PST exports, large cloud syncs, and mass outbound emails/attachments.

3. Use DLP and endpoint/cloud telemetry -  Classify and block sensitive exports before they happen.

4. Tie HR offboarding workflows to IT automation -  Transfer ownership of docs, archive mailboxes, and disable SSO automatically.

5. For M&A diligence, audit inventorship -  Check version histories and access logs before closing and create contractual protections for disputed IP.

‍

Why InnerActiv Helps: Closing Critical Visibility Gaps

‍

InnerActiv is designed to close exactly the visibility gaps that make departures risky. Below I map common mitigation needs to how InnerActiv's capabilities (ActivPrint, ActivAnalyst, ActivDesktop, and platform AI) address them.

‍

Problem 1: Blind Spots Around Non-Endpoint and Shadow Channels

Why it matters: Multi-function printers and copy/scan workflows are a frequent, under-monitored channel for data duplication. Documents that don't show up in endpoint DLP may be duplicated at the MFP.

How InnerActiv helps: ActivPrint monitors print/copy/scan activities directly on MFPs and sends context-rich signals into ActivAnalyst so teams can see which documents were duplicated and by whom. That visibility closes the "air gap" between document storage and physical reproduction.

‍

Problem 2: Offboarding Telemetry Is Noisy and Delayed

Why it matters: Bulk downloads and mailbox exports happen fast. Human review is slow.

How InnerActiv helps: InnerActiv correlates process-level telemetry and contextual signals (who, what, when) and applies AI-driven risk ranking so security teams can prioritize high-risk departures rather than chasing benign activity. This reduces false positives and focuses legal/IR workflows on the highest business risk.

‍

Problem 3: Shadow IT and Unknown Processes Circumvent Controls

Why it matters: Employees use personal cloud, unsanctioned apps, or vendor tools to move files.

How InnerActiv helps: The platform discovers and inventories processes and where they run (even if they look like benign utilities), flags anomalous usage patterns, and stops "shadow IT" workflows before they become data leaks. InnerActiv does this without a kernel-level agent architecture, easing deployment and compatibility with enterprise environments.

‍

Problem 4: The Need to Tie Data Movement to Legal Proof

Why it matters: Plaintiffs and defendants both rely on logs, time-stamped activity and patent inventorship during M&A or litigation.

How InnerActiv helps: Because ActivAnalyst correlates process activity with file/context metadata, teams get a defensible chain of custody and prioritized evidence that can be used in diligence, preservation, and (if necessary) litigation support.

‍

The Bottom Line

InnerActiv aligns to the industry controls recommended by NIST and CISA (least privilege, DLP, monitoring, and behavioral detection) while filling coverage gaps (MFPs, process telemetry, shadow IT) that conventional endpoint and cloud DLP tooling can miss. The result is faster detection during critical windows (resignation, lay-off, acquisition) and higher-signal evidence for legal action or remediation.

‍

What Security, HR, and Legal Teams Should Do This Week

‍

1. Treat Every Departure as a High-Priority Security Event

Whether voluntary or involuntary, automate access revocation and trigger a short, focused forensic review of exports/logs in the preceding 30 to 90 days.

‍

2. Add MFP/Print/Scan Monitoring to Your Threat Model

Physical duplication happens and is often overlooked. Consider appliances or services that capture print metadata and correlate it to user identity.

‍

3. Make It Easy for Employees to Preserve Approved Work Samples

Create clear policies and approved redaction/export workflows so employees don't need to export bulk corporate content.

‍

4. If You're Doing M&A, Include Forensic IP Diligence

Check patent application timing and inventorship against access logs and hiring events. Litigation often turns on those timelines.

‍

5. Operationalize InnerActiv for Immediate Protection

InnerActiv can be deployed to:

• Detect unusual bulk exports and MFP duplication
• Rank risky process activity with AI so analysts spend time on the highest-value incidents
• Provide correlated evidence that supports legal preservation and enforcement workflows
  ‍

Final Thoughts: The Stakes Have Never Been Higher

‍

The Arcturus v. AbbVie case isn't just another trade secrets lawsuit. It's a reminder that in an era of platform technologies and multi-billion-dollar acquisitions, the knowledge walking out your door with departing employees can represent existential commercial risk.

‍

The good news? The playbook for mitigation is well understood. The challenge is execution: closing visibility gaps, automating response, and treating every departure as the critical security moment it truly is.

‍

What will you do differently this week?

‍