Third Circuit: Your Passwords May Be Valuable to You, But They Are Not Trade Secrets

The plaintiff National Recovery Agency Group, LLC (NRA) is a debt-collection firm that maintains large volumes of personally identifiable information (PII) of individual debtors.

On

NRA enforces computer-use and data-security policies to protect the PII by, for example, only permitting employees access to such information at an NRA office or remotely through a company-issued laptop and VPN. Moreover, NRA prohibits password sharing, storing passwords in readable form, and allowing employees access to information for which they are not responsible. Employees assent to these policies when they are hired and are reminded of them annually.

The defendants Nicole Durenleau and Jamie Badaczewski were employees of NRA. Durenleau served as NRA’s senior manager of compliance services and Badaczewski was in NRA’s marketing office. In January 2021, Durenleau was out sick with COVID-19. When faced with a time-sensitive problem, Durenleau could not remotely access NRA’s systems. After discussing options with her supervisor, Durenleau asked Badaczewski to log in at the office using Durenleau’s credentials, locate an Excel file Durenleau had created titled “My Passwords.xlsx,” and retrieve her login and resolve the issue. The spreadsheet contained Durenleau’s passwords for dozens of NRA systems and accounts. Though the spreadsheet itself contained no consumer PII, many systems and accounts it listed did. After receiving Durenleau’s login information, Badaczewski pulled the credentials from the spreadsheet, and the team resolved the issue that day.

The following day, during a call with Durenleau, Badaczewski again accessed Durenleau’s computer and emailed the password spreadsheet. First, to Durenleau’s personal Gmail by mistake (both addresses began with the same handle), and then to her NRA work email minutes later.

Separately, NRA alleged Durenleau had manipulated NRA’s account tracking system in a way that made her improperly eligible for about $3,000 in bonuses. After an internal audit and a February 2021 “Final Warning,” Durenleau resigned later that month. Badaczewski was terminated in March 2021 after an internal investigation revealed that she had been the one who had accessed Durenleau’s account to access and email the spreadsheet.

In April 2021, NRA sued Durenleau and Badaczewski and brought claims under the Defend Trade Secrets Act (DTSA) and the Pennsylvania Uniform Trade Secrets Act (PUTSA), among others. The district court granted summary judgment for the Defendants on all NRA’s claims.

Case Information

NRA Group, LLC v. Durenleau, No. 24-1123, 2025 WL 2835754 (3d Cir. Oct. 7, 2025)

Plaintiff: NRA Group, LLC

Defendants: Nicole DurenleauJamie Badaczewski

Judges: Thomas M. Hardiman, Theodore McKee, Thomas L. Ambro

Analysis and Outcome

The Third Circuit affirmed the lower court’s dismissal of NRA’s DTSA and PUTSA claims. NRA argued that the spreadsheet containing Durenleau’s passwords constituted protectable trade secrets and that emailing it to a personal account was a misappropriation.

The Third Circuit rejected NRA’s theory. It found that passwords, standing alone, lack independent economic value in the way a formula, strategy, or proprietary customer compilation might. It reasoned that passwords are “simply a series of random numbers and letters that is a barrier to” other proprietary material. Passwords only have economic value insofar as they are integral in accessing proprietary information. Passwords would only have value if NRA alleged that they were a product of a special formula or algorithm that it developed, which it did not. Though the passwords protected valuable customer information, the passwords themselves were not valuable customer information themselves.

To explain its holding, the Third Circuit used an analogy:

[NRA’s] passwords granted access to client databases and other business-use information. But imagine they instead protected a website with pictures of cute puppies or a beloved couple’s wedding registry. (And NRA is assuredly not in the business of chihuahuas or china sets.) Because the revealed content would have no economic value to NRA, there is no serious claim the passwords would either.

Though leaking passwords could endanger valuable information, the owner of the information can remedy this problem by resetting those passwords, which NRA did in this case. The court also specifically rejected NRA’s argument that the spreadsheet functioned as a protected “customer list,” observing it did not present the kind and quantity of customer information required to constitute a trade secret.

Accordingly, the court affirmed summary judgment for the employees on the DTSA and PUTSA claims because the passwords contained in the spreadsheet were not trade secrets as they lacked independent economic value. 

Contacts

Continue Reading

All Insights from Trade Secrets Case Watch

Trade Secrets Case Watch
Wu Tang’s ‘Shaolin’ Album: Court Lets Trade Secret Case Proceed
Linda M. Jackson, Matthew F. Prewitt, Allan E. Anderson, Nicholas J. Nesgos, Alexander H. Spiegler, Meghan F. Hart, John M. Hindley, Nicole Curtis Martinez
Trade Secrets Case Watch
Insurance Broker List Not Protected as Trade Secret After Employee’s Unrestricted Sharing
Linda M. Jackson, Matthew F. Prewitt, Allan E. Anderson, Nicholas J. Nesgos, Alexander H. Spiegler, Meghan F. Hart, John M. Hindley, Nicole Curtis Martinez
Trade Secrets Case Watch
Court Allows Biohaven and Yale’s Trade Secret Claims to Proceed in MODA Technology Dispute
Linda M. Jackson, Matthew F. Prewitt, Allan E. Anderson, Nicholas J. Nesgos, Alexander H. Spiegler, Meghan F. Hart, John M. Hindley, Nicole Curtis Martinez