Trade Secrets

Turret Labs v. CargoSprint: When Locking the Windows Isn't Enough

The Second Circuit affirmed dismissal of a software trade-secret claim because the owner delegated access control to a licensee and never required anyone downstream to keep the secret.

February 23, 2026
A locked server cabinet in a data center
The dispute turned on whether physical and password controls were enough when no one downstream was bound to confidentiality. Shutterstock
Educational content, not legal advice. This article explains general legal concepts. It does not create an attorney–client relationship. For your specific situation, consult a licensed attorney.

Turret Labs USA, Inc. v. CargoSprint, LLC, No. 21-952 (2d Cir. Mar. 9, 2022), is a short, non-precedential summary order that has become a fixture in trade-secret briefing for one reason: it shows, cleanly and at the pleading stage, how a company can take real security measures and still fail the “reasonable measures” element of a misappropriation claim. The panel — affirming Judge Eric Komitee of the Eastern District of New York, Turret Labs USA, Inc. v. CargoSprint, LLC, No. 19-cv-06793 (E.D.N.Y. Feb. 12, 2021) — held that Turret Labs had not plausibly alleged it took reasonable steps to keep the functionality of its software secret, because it had handed control over who could access that software to a licensee, Lufthansa, without ever obligating Lufthansa or its downstream users to maintain confidentiality. The claims arose under the federal Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1836, and New York common law, and both fell on a Rule 12(b)(6) motion to dismiss.

The decision is worth studying not for any novel doctrine — it applies settled law — but for how directly it ties the reasonableness inquiry to the nature of the asserted secret and to the architecture of access a plaintiff builds around it.

At a glance

  • Case: Turret Labs USA, Inc. v. CargoSprint, LLC, No. 21-952 (2d Cir.)
  • Decision: Summary order affirming dismissal, March 9, 2022
  • Court below: E.D.N.Y., No. 19-cv-06793 (Komitee, J.), dismissal entered February 12, 2021
  • Claims: Trade-secret misappropriation under the DTSA (18 U.S.C. § 1836) and New York common law
  • Posture: Rule 12(b)(6) dismissal, affirmed
  • Holding: Turret failed to plausibly allege reasonable measures to maintain secrecy because it delegated access control to its licensee and did not allege that the licensee or its customers were contractually bound to keep the software’s functionality confidential

The asserted secret and the access architecture

The trade secret at issue was the functionality of “Dock EnRoll,” an air-cargo ground-handling application. The software allowed freight forwarders to schedule the hand-off of cargo arriving in the United States and to pay associated storage and handling fees, synchronized to real-time U.S. Customs release notifications. At the time, Turret alleged, that capability was genuinely innovative.

The commercial structure is the heart of the case. Turret did not sell or distribute Dock EnRoll broadly. It licensed the software exclusively to Lufthansa Cargo Americas. Lufthansa, in turn, decided which freight forwarders received access — every customer Lufthansa admitted could see and use the functions Turret claimed as its secret. Turret pointed to several protective measures: the physical servers sat in monitored cages within a restricted-access data center, and access to the software required usernames and passwords that Lufthansa approved.

CargoSprint allegedly obtained access — Turret claimed by misrepresenting itself as a freight forwarder — and reverse-engineered Dock EnRoll to build a competing product. But the panel never reached whether CargoSprint’s conduct was wrongful, because the antecedent question swallowed the case: had Turret done enough to make the information a protectable secret in the first place?

”Reasonable measures” tracks the nature of the secret

Both the DTSA and New York law condition protection on the owner’s having taken reasonable measures to keep the information secret. The Second Circuit’s framing is the line most often quoted from the order: what counts as reasonable “must depend in significant part on the nature of the trade secret at issue.” Where the asserted secret is the functionality of software that is exposed to everyone who uses it, the reasonableness analysis “will often focus on who is given access, and on the importance of confidentiality and nondisclosure agreements to maintaining secrecy.”

That framing is decisive because it relocates the inquiry. For a chemical formula or a source-code repository, secrecy can be maintained by keeping the artifact itself hidden. But when the secret is what the program does — behavior visible to any authorized user — locking the artifact away accomplishes little. Every legitimate user already perceives the secret simply by operating the software. The only meaningful protection left is contractual: binding those users not to disclose or exploit what they see. Turret’s measures were aimed at the wrong threat surface. Password gates and caged servers controlled whether someone could log in; they did nothing to restrain what an authorized user could do with the functionality once inside.

Delegated control without a confidentiality backstop

The fatal gap was the absence of any confidentiality obligation running to the people who could actually see the secret. Turret had delegated “total control” over sharing Dock EnRoll to Lufthansa. Yet Turret did not plead that Lufthansa was required to keep the software’s proprietary functionality confidential, nor that the freight-forwarder customers Lufthansa admitted were bound by any nondisclosure obligation. The username-and-password regime was administered by Lufthansa, for Lufthansa’s commercial purposes — not as a confidentiality control policed by Turret.

Judge Komitee’s metaphor below captured the deficiency, and the panel echoed its logic: the allegations were “akin to a Plaintiff having pleaded that he locked all the upstairs windows of his house, while remaining silent on whether the front and back doors were left wide open.” The physical and credential controls were the upstairs windows. The doors were the licensee and its customers — the channel through which the functionality was actually exposed — and Turret said nothing about whether that channel was closed by contract.

This is the practical teaching of the order. A licensing structure can itself be a secrecy measure, but only if the license and its sublicense chain carry confidentiality terms down to every party who encounters the secret. Exclusivity is not confidentiality. Granting one licensee sole rights tells you nothing about whether that licensee, or the users it admits, may freely disclose what they learn.

What defeated the claim — and what might have saved it

The claim failed at the pleading stage, which is notable. Reasonableness is ordinarily a fact question, and courts frequently let trade-secret plaintiffs past a motion to dismiss. Turret lost on the pleadings because the deficiency was structural and apparent from its own allegations: it described an access model in which the secret was necessarily revealed to third parties, and it omitted any allegation that those third parties were bound to secrecy. There was nothing to develop in discovery; the complaint affirmatively disclosed the hole.

A few additional allegations could have changed the trajectory — if they were true. An NDA or confidentiality clause in the Turret-Lufthansa license. A flow-down provision requiring Lufthansa to impose confidentiality on the freight forwarders it admitted. Click-through confidentiality terms presented to users at login. Any of these would have let Turret plead that the people who could see the functionality were forbidden to disclose it, shifting the case from “no reasonable measures as a matter of law” to a fact dispute about adequacy.

Open questions

The order is a summary order, so its reach is limited and it resolves narrow ground. Several questions remain genuinely open. How much does the analysis change when the secret is not purely functional — when software combines visible behavior with hidden architecture or non-obvious implementation that authorized users cannot perceive? The panel’s “nature of the secret” framing implies a different calculus there, but does not map it. Nor does the order address how courts should treat reverse-engineering allegations once a confidentiality backstop is pleaded: if users are bound by NDA, does a defendant’s surreptitious, misrepresented access become the central wrong rather than a sideshow? Finally, the decision leaves unsettled how granular flow-down confidentiality must be — whether a general license confidentiality clause suffices, or whether an owner must show that each downstream user was actually bound.

Implications

  • Match the measure to the threat surface. For software whose value is its observable functionality, password gates and physical security are necessary but rarely sufficient; the operative control is contractual confidentiality binding everyone who can use the program.
  • Exclusivity is not confidentiality. Licensing to a single partner does not protect a secret unless the license obligates that partner — and everyone it admits — to keep the secret.
  • Build flow-down obligations. Licenses should require the licensee to impose confidentiality on its own customers and sublicensees who touch the secret, and the owner should be able to allege that chain.
  • Plead the access architecture deliberately. Because reasonableness can be decided on the pleadings, a complaint that describes broad third-party access without describing the confidentiality obligations attached to it invites dismissal.
  • Don’t delegate secrecy control unconditionally. Handing a partner total control over who sees the secret, without retained confidentiality terms, can itself be the fact that defeats the claim.

Frequently asked questions

Is Turret Labs binding precedent? No. It is a non-precedential summary order of the Second Circuit. It is widely cited as persuasive authority for how the “reasonable measures” element applies to software functionality, but it does not bind lower courts.

Did the court decide whether CargoSprint did anything wrong? No. The court never reached the propriety of CargoSprint’s access or its alleged reverse engineering. The claim failed at the threshold because Turret had not plausibly alleged a protectable secret — it had not taken reasonable measures to keep the functionality secret.

What single step would most likely have changed the outcome? Alleging an enforceable confidentiality obligation binding Lufthansa and the freight forwarders who could use Dock EnRoll. The decisive gap was that the parties who could actually see the secret were not pleaded to be bound to keep it.

Authorities and sources