In February 2024, Tokyo prosecutors convicted Kappa Sushi of stealing trade-secret data from rival Hama Sushi. A former Hama executive, after joining Kappa, secretly took a file of Hama’s cost and product plans and handed it to Kappa’s planning manager. As a result, Kappa gained an unfair edge in competition. The court ruled this was a violation of Japan’s trade-secret law, despite Kappa’s claim that the data wasn’t properly protected. This high-profile “sushi wars” case shows how critical data security for businesses truly is. Even routine file-sharing and employee changes can trigger breaches if sensitive information isn’t guarded. This fun story about sushi competition reflects real problems related to data security today.
In fact, trade secrets are among a company’s most valuable assets and especially vulnerable when employees change jobs. Under U.S. and Japanese law, information only qualifies as a protected trade secret if it “derives independent economic value” from being secret and the owner makes reasonable efforts to keep it confidential. In the Kappa case, the court noted the stolen file contained “technical or business information” crucial to Hama Sushi. The lesson is clear: businesses must identify and actively protect their confidential data or risk losing both legal rights and competitive advantage.
1. Identify and Classify Sensitive Data
Companies should first define what data needs protection. This means inventorying assets like R&D plans, pricing models or customer lists that give a competitive edge. U.S. trade-secret law (DTSA/UTSA) and Japan’s Unfair Competition Prevention Act both hinge on the owner making “reasonable efforts” to maintain secrecy. In practice, organizations should label or tag files as “Confidential,” use NDAs, and train staff about handling secrets. If data isn’t classified and controlled, courts may decide it isn’t a true trade secret. For example, Kappa’s lawyers argued the Hama data wasn’t protected enough; the court disagreed, still treating it as secret and punishable. These situations are similar to what happens when data security is overlooked inside a company.
Key actions:
- Maintain an up-to-date inventory of critical information and mark it as confidential.
- Use clear policies and agreements (NDAs, employee handbooks) to define trade secrets.
- Regularly remind teams of data-classification rules and legal obligations.
2. Restrict Access Rigorously
Granting file access on a need-to-know basis is essential. Applying the principle of least privilege (allowing employees to see only what they need) minimizes exposure. In our sushi case, only a few people should have seen the cost sheet. Many organizations underestimate how critical data security has become in modern digital environments. Once an insider misuses their permission, traditional IT guards (firewalls, logins) can’t stop the leak.
Key actions:
- Enforce strict role-based permissions and require strong authentication for file access.
- Conduct regular audits of who is accessing sensitive files, watching for unusual downloads or shares.
- Implement Data Loss Prevention (DLP) tools to flag large transfers of confidential information.
3. Encrypt Files and Use IRM for Secure File Sharing
To truly secure files, encrypt them and control usage at the file level. Information Rights Management (IRM) or similar technologies embed encryption and usage restrictions into documents themselves. IRM “uses encryption to prevent unauthorized access”. Even if a file is leaked, only someone with the right key can open it. For example, if Hama Sushi had applied IRM to the cost file, the departing executive who received it wouldn’t have been able to view the contents. IRM can also block actions like copying or printing, and permits revoking access later.
Similarly, secure file-transfer platforms should use end-to-end encryption. This means files are encrypted on the sender’s device and only decrypted by the intended recipient. Compared to ordinary email or consumer cloud services, such tools prevent outsiders (and even other employees) from reading files in transit or at rest. In short, if a confidential document must be shared, always use a secure, encrypted channel.
Key actions:
- Require enterprise-grade file-sharing tools that use end-to-end encryption.
- Apply IRM or digital rights management to critical documents so unauthorized users can’t open them.
- Use secure links or portals instead of email attachments for confidential content.
4. Manage Insider Threats and Employee Transitions
Insider threats are a growing problem: one study found 83% of organizations had an insider-related security incident in 2024. Companies must assume that employees, intentionally or not, can leak data. Formal offboarding processes are essential. Conduct exit interviews to remind departing staff of their confidentiality obligations, and immediately revoke all their access to systems and files. Be sure all company devices (laptops, USB drives) are returned. Also, ongoing employee training can deter misconduct by explaining that theft of trade secrets is illegal and enforceable. Without proper data security practices, small internal mistakes can escalate into major incidents that damage trust and operations.
Key actions:
- Implement exit protocols: cancel access tokens, recover devices, and have departing employees sign acknowledgments of confidentiality.
- Maintain strong exit interviews and debriefings about data-handling responsibilities.
- Monitor for suspicious activity: e.g., large file downloads or transfers when someone is leaving.
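The access audits from section 2 and the leaver monitoring above can be combined into one check. The following is an added example, not part of the original article: it joins a file-access audit log with an HR offboarding list and flags departing staff who pull confidential files during their notice window. The log format, action names, user names, and thresholds are all assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,action,path,label,bytes (format is an assumption)
SAMPLE_LOG = """\
2024-03-01T09:12:00,akira,download,/finance/cost_sheet.xlsx,Confidential,4200000
2024-03-01T09:15:00,akira,download,/planning/product_roadmap.pptx,Confidential,88000000
2024-03-01T09:20:00,akira,share_external,/finance/supplier_prices.csv,Confidential,1500000
2024-03-01T10:00:00,yuki,download,/finance/cost_sheet.xlsx,Confidential,4200000
2024-03-01T10:05:00,mei,download,/public/menu.pdf,Public,900000
2023-11-02T14:00:00,akira,download,/finance/cost_sheet.xlsx,Confidential,4200000
"""

# Constructed HR offboarding feed: user -> last working day
LEAVERS = {"akira": "2024-03-15", "mei": "2024-03-20"}
EXFIL_ACTIONS = {"download", "share_external", "copy_usb"}  # hypothetical action names

def flag_leaver_activity(log_text, leavers, window_days=30, max_bytes=50_000_000, max_files=2):
    """Return alerts for leavers who pulled confidential data during their notice window."""
    totals = defaultdict(lambda: {"bytes": 0, "files": set(), "external": 0})
    for ts, user, action, path, label, size in csv.reader(log_text.splitlines()):
        if user not in leavers or label != "Confidential" or action not in EXFIL_ACTIONS:
            continue
        last_day = datetime.fromisoformat(leavers[user])
        when = datetime.fromisoformat(ts)
        # Count only events from window_days before the last day through the last day itself.
        if not (last_day - timedelta(days=window_days) <= when <= last_day + timedelta(days=1)):
            continue
        t = totals[user]
        t["bytes"] += int(size)
        t["files"].add(path)
        t["external"] += action == "share_external"
    alerts = []
    for user, t in sorted(totals.items()):
        reasons = []
        if t["bytes"] > max_bytes:
            reasons.append("volume")
        if len(t["files"]) > max_files:
            reasons.append("file_count")
        if t["external"]:
            reasons.append("external_share")
        if reasons:
            alerts.append({"user": user, "bytes": t["bytes"], "files": sorted(t["files"]), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_leaver_activity(SAMPLE_LOG, LEAVERS):
        print(alert)
```

The check depends on files carrying a classification label, so it only works once the inventory and labelling from section 1 are in place.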
5. Layer Multiple Security Measures
No single safeguard will stop every threat. The sushi case shows the need for a layered approach. Besides policies, access controls, and encryption, companies should deploy logging, alerts, and incident response plans. For instance, software can alert administrators if an employee tries to email or copy out a large secret file.
Regular security audits and compliance checks help ensure policies actually work. Tech evolves quickly (cloud apps, remote work, etc.), so update security measures accordingly. By combining people, processes, and technology, businesses build resilience. As one law firm advises, companies should “actively protect their trade secrets” with robust processes and by “restricting employee access (both physical and electronic)” wherever possible. If businesses fail to strengthen data security, small mistakes can quickly turn into costly incidents.
Key actions:
- Use security monitoring to detect unusual file-sharing behavior in real time.
- Keep security policies up to date with new collaboration tools (cloud services, mobile devices).
- Foster a culture of security awareness: make sure every employee understands their role in protecting data.
In summary, the Kappa vs. Hama sushi scandal underscores that data security for businesses requires constant vigilance. Improving data security helps companies prevent leaks, maintain trust, and avoid unnecessary risks. Companies must also encrypt files, use secure file-sharing methods, and prepare for insider risks. CIOs and CISOs should integrate these lessons into a comprehensive strategy for secure file sharing and trade-secret protection. By doing so, organizations not only comply with law (e.g. U.S. Defend Trade Secrets Act and similar regulations) but also safeguard their competitive advantage in a fiercely competitive market. Strengthening data security is essential for every modern business aiming to reduce risks and protect sensitive information.

