Incident Response

NDA Breach Response Guide

What to do when a developer contractor breaches your NDA. Evidence preservation, immediate response steps, legal remedies, and technical forensics procedures.

Immediate Response Protocol

If you've just discovered an NDA breach, follow these steps immediately. Do not confront the breaching party until evidence is preserved.

1. Preserve Evidence: Screenshot, export logs, don't modify anything

2. Revoke Access: Immediately disable all credentials and access

3. Document Timeline: Write down everything you know with timestamps

4. Contact Counsel: Engage attorney before any communication

Critical: Do Not Contact the Breaching Party

Your first instinct may be to confront the contractor or send an angry email. Do not do this. Any communication before evidence is preserved and legal counsel is engaged can: (1) alert them to destroy evidence, (2) create statements that hurt your case, (3) trigger counterclaims. Let your attorney send the first communication.

Response Timeline

First Hour: Evidence Preservation

Minutes 0-60
  • Export all access logs from affected systems (git, cloud, databases)
  • Screenshot or screen record any visible evidence of the breach
  • Export email/Slack communications with the contractor
  • Download the original signed NDA and any amendments
  • Create timestamped copies of any code/data that may have been stolen
  • Do NOT modify any systems or files that may be evidence
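# Export git history with full metadata (author, committer, both dates, refs)
git log --all --graph --decorate --format=fuller --date=iso-strict > git_history_$(date +%Y%m%d_%H%M%S).log

# Export GitHub audit log (Enterprise)
# include=all adds Git events (clone/fetch/push), which the default web-only view omits
gh api "/orgs/YOUR_ORG/audit-log?include=all" --paginate > audit_log_$(date +%Y%m%d).json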

Hours 1-4: Access Revocation

After evidence is preserved
  • Revoke all credentials following the Access Revocation Checklist
  • Rotate any secrets or API keys the contractor had access to
  • Disable SSO/OAuth sessions and force logout from all devices
  • Update firewall rules to block known IP addresses
  • Enable enhanced monitoring on all systems for continued access attempts

Hours 4-24: Legal Engagement

Same day
  • Contact your attorney or engage IP litigation counsel
  • Provide attorney with NDA, evidence package, and timeline
  • Discuss potential remedies: TRO, injunction, damages
  • Determine if law enforcement involvement is appropriate
  • Draft (but do not send) cease and desist letter

Days 1-7: Investigation & Assessment

First week
  • Conduct thorough forensic analysis of all affected systems
  • Identify full scope of accessed/exfiltrated information
  • Check if stolen code/data has appeared publicly (GitHub, Pastebin, competitors)
  • Assess business impact and potential damages
  • Prepare comprehensive breach report for legal team
  • Consider engaging digital forensics firm for complex cases

Week 2+: Enforcement Action

Ongoing
  • Send cease and desist letter through attorney
  • File for emergency injunctive relief if needed
  • Initiate formal legal proceedings if settlement not reached
  • Consider DMCA takedown notices for published code
  • Report to relevant platforms (GitHub, AWS) for TOS violations

Evidence to Preserve

Evidence quality determines case outcome. Digital evidence is fragile and can be overwritten, deleted, or questioned if not properly preserved. Follow chain-of-custody procedures and create cryptographic hashes of all evidence files.

Access & Audit Logs

System logs proving what was accessed, when, and by whom.

  • Git clone/pull/push logs
  • Cloud provider audit trails (CloudTrail, etc.)
  • VPN connection logs with IP addresses
  • Database query logs
  • SSH session recordings

Communications

Messages showing knowledge of confidentiality obligations.

  • Email threads discussing confidential info
  • Slack/Teams messages mentioning NDA
  • Meeting recordings or notes
  • Any admissions or suspicious statements
  • Requests for access to sensitive systems

Contractual Documents

The agreements that establish the breach.

  • Signed NDA with all exhibits
  • Contractor agreement/SOW
  • Access provisioning requests
  • Acknowledgment of security policies
  • Any amendments or extensions

Technical Evidence

Proof of what information was compromised.

  • Source code comparison (original vs. leaked)
  • Unique identifiers or watermarks in code
  • Build artifacts with contractor fingerprints
  • Database export timestamps
  • File access metadata

Public Disclosure Evidence

Proof the information was actually disclosed.

  • Screenshots of leaked code (with timestamps)
  • Archive.org snapshots of competitor sites
  • GitHub commit history on new repos
  • App store submissions with similar code
  • Job postings showing knowledge of your tech

Damages Evidence

Documentation supporting monetary claims.

  • R&D costs for stolen technology
  • Lost contracts or customers
  • Competitive harm documentation
  • Costs of breach response
  • Value of trade secrets

Legal Remedies

Technical Forensics

For significant breaches, consider engaging a digital forensics firm. They can provide expert testimony and chain-of-custody documentation that holds up in court. For smaller matters, here are self-service forensic steps:

# Hash the evidence archive so its integrity can be verified later
shasum -a 256 evidence_file.zip > evidence_file.zip.sha256

# Export AWS CloudTrail events for a specific user
# Note: lookup-events only returns the last 90 days of management events;
# older activity has to come from the trail's S3 log archive
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=contractor@email.com \
  --start-time 2025-01-01 --end-time 2025-12-31 > cloudtrail_evidence.json

# Git: Find all commits by specific author, with hash, email and ISO timestamp
git log --all --author="Contractor Name" --format='%H %an <%ae> %aI %s' > contractor_commits.log

# Check if code appears in public repos
# Use GitHub code search or specialized tools like GitGuardian
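
The single-file hash above covers one archive; the sketch below extends it to a whole evidence folder, as the chain-of-custody advice under "Evidence to Preserve" calls for. It is an added example, not part of the original guide: the function names, the manifest layout and the COLLECTOR variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for an evidence directory.
# Function names, manifest layout and COLLECTOR are assumptions of this sketch.

# Hash one file with whichever tool is installed (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# list_files DIR: print "hash  size  path" for every file, sorted by path.
list_files() {
    (cd "$1" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        printf '%s  %s  %s\n' "$(sha256_of "$1/$f")" \
            "$(wc -c < "$1/$f" | tr -d ' ')" "$f"
    done
}

# make_manifest DIR MANIFEST: write the manifest OUTSIDE DIR, with a header
# naming the collector and UTC time, then hash the manifest itself.
make_manifest() {
    {
        echo "# collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ) collector=${COLLECTOR:-unknown}"
        list_files "$1"
    } > "$2"
    sha256_of "$2" > "$2.sha256"
}

# verify_manifest DIR MANIFEST: 0 = unchanged, 1 = files changed/added/missing
# (diff shows "<" recorded vs ">" current), 2 = manifest itself was altered.
verify_manifest() {
    [ "$(sha256_of "$2")" = "$(cat "$2.sha256")" ] || {
        echo "MANIFEST ALTERED: $2"; return 2; }
    tmp=$(mktemp)
    list_files "$1" > "$tmp"
    grep -v '^#' "$2" | diff - "$tmp" && rc=0 || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Usage: COLLECTOR="A. Analyst" make_manifest ./evidence ./evidence.manifest
#        verify_manifest ./evidence ./evidence.manifest
```

Store the manifest and its `.sha256` file separately from the evidence copy (for example, with counsel) so that a later `verify_manifest` run compares against a record the evidence holder could not have edited.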

Forensic Analysis Checklist
