Developments in UK Trade Secret Litigation for 2025

This year saw a world in which many employees had forms of Generative AI (GenAI) at their fingertips, either in the workplace or on their personal devices, and a world in which organizations continued to face unprecedented levels of cyber risk as they continued their digital transformation journeys.

While data breach litigation is not new and tales of company confidential information being copied and pasted into open GenAI tools have haunted employers for what feels like years, trade secret issues arising from data breaches and GenAI use were not really trending issues in the courts in 2025. Indeed, perhaps surprisingly, equitable and contractual duties of confidence lay at the heart of the few cases involving trade secrets that were considered by the UK courts in 2025, with directors being under the microscope and the courts again grappling with issues around the identification and particularization of the confidential information at issue. We take a look at these issues and explore what impacts we might begin to see from the cyber and GenAI sphere in 2026 below.

Claims for Trade Secret Misappropriation are Often Intertwined with Equitable and/or Contractual Claims for Breach of Confidence

In the UK, traditional trade secret cases often concern contractual claims for breach of confidence and misuse of trade secrets alongside allegations of equitable and/or common law breaches of confidence in confidential information, and breaches of the Trade Secrets (Enforcement, etc.) Regulations 2018. While separate, and while the courts will not ordinarily extend express contractual duties of confidence to encompass more extensive equitable obligations, these causes of action are often intertwined, with all actions often falling or standing with each other. The standard traditional fact patterns generally revolve around confidential/trade secret information being accessed and disseminated by an employee; or information shared with a counterparty under NDA during the early stages of a what ultimately becomes a failed joint venture arrangement, and in 2025, these fact patterns were no different.

Director Liability

It has long been established that third parties and directors can be liable for procuring breaches of contract, and perhaps it can be said that 2025 served as a timely reminder for directors of exactly the circumstances in which they may personally be on the hook for any actions done by them in their position as a director if those actions ultimately lead to the terms of a contract being breached. Indeed, issues surrounding director liability were addressed this year in Illiquidx Ltd v Altana Wealth Ltd & others [2025] EWHC 299 (Ch), in the context of asserted beaches of a non-disclosure agreement, breaches of confidence, and breaches of the Trade Secrets (Enforcement, etc.) Regulations 2018; and in IBM United Kingdom Ltd v LzLabs GmbH & Ors [2025] EWHC 532 (TCC), in a more traditional breach of contract context.

While always fact dependent, these cases make it clear that for a director to be liable for an act that causes their company to act in breach of contract, they need to have knowledge of the essential facts which make the act unlawful. In Illiquidx, for example, one defendant, being the sole director and shareholder of another, was successfully able to defend allegations that they were personally liable for the actions of their consulting services company on the basis that the claimant was unable to establish that the director defendant knew that they were using information that was provided under NDA.

They will not be personally liable for acts which cause their company to act in breach of contract if:

• they have acted bona fide and in the course of their duties as a director; or
• they have not acted willfully or knowingly.

Identification of Confidential Information

For any claim concerning the misappropriation of trade secrets and/or misuse of confidential information to get off the ground, the trade secret/confidential information at issue needs to be sufficiently particularized, not least because actions for breach of confidence can be used as artillery against competitors and ex-employees and the courts ought to be able to satisfy themselves that the purpose of the claims are legitimate before allowing them to proceed, but also because of the remedies sought often involve the delivery up/destruction of information, and because safeguards need to be put in place to preserve the confidentiality of the information throughout proceedings.

If the information is not properly identified, then it cannot be delivered up, destroyed, or protected. Although this is not a new issue,  it is an issue that features in Lord Justice Arnold’s “exposition” of the relevant principles concerning the protection of trade secrets in Celgard LLC v Shenzhen Senior Technology Material Co Ltd [2020] EWCA Civ 1293, which he referred to and took as read in Playtech Software Limited v Realtime SIA & Anor [2025] EWCA Civ 1472, perhaps serving as a timely reminder to organizations to ensure that operative terms of NDAs and employment agreements are sufficiently and appropriately defined.

Information in the Public Domain or in the Public Knowledge

Another issue somewhat related to the issue of trade secret/confidential information being sufficiently and appropriately defined reared its head in 2025. This is the issue of when information will be considered to have lost its confidential value and no longer be secret. It was an issue that was considered in Illiquidx, as parts of the information at issue could be obtained from public sources, such as the claimant’s website and in newsletters issued by the claimant to around 500 people. .

Agreements that impose obligations of confidence will often contain a provision which provides that the obligations cease if the information becomes public knowledge or in the public domain; or provide that the information will cease being “Confidential Information” or a “trade secret” if it becomes public knowledge or in the public domain. But when does information become public knowledge or be regarded as being in the public domain?  If trade secrets are leaked, can they still be regarded as trade secrets?

It is well known that if information intended for a specific person or group of persons becomes known or available to a wider group, the information can still have value deriving from the fact that it is still “relatively secret”. It could be detrimental to the person to whom the duty of confidence is owed if the information is published more broadly. The courts continued to apply these principles to cases in 2025, but only in the context of information being purposefully disseminated. But what if that information is taken by a cyber-criminal as part of a ransomware attack, and then published on the dark web? Could a party still take the position that the information is still (relatively) secret?

Information Subject to Reasonable Steps Under the Circumstances

Putting the question of whether information stolen from an organization and published on the dark web can still be regarded as relatively secret to one side, the scenario does raise another question – with GenAI use on the rise and organizations facing unprecedented cyber risks, what steps will be considered “reasonable” for the purposes of trade secret protection? After all, a trade secret is defined by Regulation 2 of the Trade Secrets (Enforcement, etc.) Regulation 2018 to be “information which – “(a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question, (b) has commercial value because it is secret, and has been subject to reasonable steps under the circumstances, (c) by the person lawfully in control of the information, to keep it secret”.

If having NDAs in place and marking documents as “confidential” can be enough to satisfy the threshold, is there potential for user policies and procedures to be scrutinized, or for an organization’s cyber posture to be put under the microscope? Will steps taken by organizations to reduce the risk of the information being published post a cyber incident become important? While these questions were not considered by the courts in 2025, perhaps this is a space to watch as we move into 2026.