In a lawsuit filed in Delaware Chancery Court, DuPont accused Hong Meng, a former senior research scientist at the company, of stealing data on a new, thin-computer display technology called "organic light emitting diode" or OLED. DuPont claims that Meng planned to use the stolen information to develop and commercialize products using OLED technology with his alma mater, Peking University, in Beijing, which is also developing similar technology.
In a brief statement sent via email, DuPont confirmed that it filed suit against Meng for theft of trade secrets and breach of his employment agreement.
"As indicated by our civil complaint, a recent internal investigation revealed evidence that Hong Meng was attempting to misappropriate proprietary company information," Thomas Sager, DuPont's general counsel, said in the statement. "Hong Meng's employment with the company was terminated and we promptly filed suit to ensure that he not use or disclose DuPont trade secrets," Sager said. The company its commitment to protecting the proprietary science and technology it has developed.
Meng worked at Dupont's Central Research and Development facility in Wilmington, Del. In its complaint, DuPont described him as a Chinese citizen with permanent resident status in the U.S. The company claimed that Meng secretly accepted employment at Peking University while he was still working for DuPont.
Meng's alleged theft was discovered around the time he was scheduled to be transferred to a DuPont facility in China last month. A standard review of Meng's hard drive during the transfer process disclosed an "illicit connection to Peking University," said DuPont. The company described the university as a rival because of its work involving OLED. A subsequent examination of Meng's company laptop indicated he had downloaded files related to the technology from DuPont's databases and copied them onto an external drive.
Meng denied wrongdoing but after being told about the data found on the laptop, admitting to possessing an external drive containing OLED-related data. A search of his home computer by DuPont's corporate security team allegedly showed that Meng had been working with Peking University over a "long period of time" and had launched a program at the school to commercialize OLED technology for industrial applications in "direct competition with DuPont," according to the lawsuit.
DuPont asked the court to issue a permanent injunction requiring Meng and those he worked with to return all misappropriated material. It also asked the court to issue an injunction prohibiting Meng from working with Peking University or with any other entity developing technologies that he worked on while at DuPont.
This is the second significant trade-secret theft involving a relatively high-level research scientist to be disclosed by DuPont in the last two and a half years. In February 2007, Gary Min, a former research scientist at DuPont admitted to stealing proprietary and information valued by federal authorities at $400 million. The theft was noticed only after Min announced plans to leave DuPont to join a rival company in the U.K.
Min is currently serving an 18-month sentence in connection with the theft.
The manner in which both Min and Meng were caught suggests that DuPont has a "great exit process" for checking employees on their way out the door, said Michael Maloof, chief technology officer at TriGeo.Network Security Inc. What it appears to lack, however, is a similar mechanism for monitoring employees' while on the job, he said. While it can be extremely difficult for a company the size of DuPont to keep tabs on every bit of sensitive data on its networks, "common sense" policy enforcement mechanisms -- such as monitoring the use of USB storage devices and access controls -- could have helped cut the risk somewhat, he said.
Such data thefts are becoming increasingly common and highlight the continuing challenges companies face in protecting their corporate assets from insiders with legitimate access to them.
Too often, the focus of security efforts is on satisfying compliance requirements such as those involving the protection of credit card and other financial data, said Phil Neray, vice president of security strategy at Guardium, a vendor of database protection products. "What this reminds us is that many companies have a lot of valuable data that is not covered by compliance" and, therefore, not as well protected he said.
While such thefts can be hard to stop, security controls are available at multiple layers that can help, he said. For instance, activity monitoring products can help detect suspicious activity such as a high volume of downloads involving sensitive data, or downloads that occur after hours, he said. Similarly, tools can help companies restrict the copying and downloading of certain kinds of data to USB devices, for instance, or to an e-mail account, Neray said.