Headlands Case Tests Insider Risk and Source Code Controls

Headlands source code theft tests insider risk defenses

A recent filing in federal court signals a shift in the government’s strategy against former Headlands Technologies developer Richard Ho, offering a window into how insider misuse of privileged systems can escalate into a criminal case. In a Dec. 4 memorandum, prosecutors opposed Ho’s motion to dismiss, arguing that the indictment already outlines “dozens of instances” of alleged copying and warning that forcing more detail into the public record would “cause even greater harm to the victim by publishing their trade secret information for the world to see.”

Why does the Headlands case matter for insider risk programs?

The Headlands case matters because it shows how insider misuse of privileged access can escalate into criminal liability when technical controls, audit logs, and access boundaries fail to clearly prevent or document source code theft.

The exchange lands as the court cements a July 13, 2026 trial date, pushing the case into a phase that security leaders will recognize: a high-stakes investigation testing how well a company’s data protections held up against a trusted insider.

Insider risk moves from policy issue to criminal exposure

“The Headlands case shows that a substantial threat to high-value intellectual property does not come only from hackers breaking in, but trusted insiders walking it out and courts are moving toward judging whether firms used real technical controls to prevent that, not just policies and trust,” said Jacey Kaps, a cybersecurity litigator with RumbergerKirk.

Background on the insider allegations

Ho, a quantitative researcher at Headlands from 2019 to 2021, allegedly had near-total access to the firm’s proprietary trading code, an access level that now sits at the center of the indictment. Prosecutors say he secretly launched a competing firm, One R Squared, while still on the job, then incorporated elements of Headlands’ internal “Atoms” and “Alphas” into his new codebase.

Privileged access to proprietary trading systems

At a Sept. 12 hearing, his attorney David Meister of Skadden, Arps, Slate, Meagher & Flom LLP challenged that characterization:

“My client says he wrote the source code. All we have from the Government is 61 snippets,” he said.

For CISOs, those 61 code segments represent a familiar problem: Even when suspicious behavior is detected, proving misuse often depends on granular technical evidence and exhaustive audit logs. The government confirmed it seized 15 terabytes from Ho’s AWS environment, a reminder of how sprawling forensic reviews become when insiders have deep architectural access.

Forensic scale exposes limits of insider monitoring

When Judge Jeannette Vargas asked prosecutors whether AI search tools could speed analysis, the assistant district attorney replied, “We don’t currently have that capability.” That exchange underscores a truth security leaders know well: detection and investigation tools often lag far behind the scale of modern data footprints.

Sealed evidence and insider reporting signals

In July, Ho asked the court to compel additional disclosures from the government under its Brady obligations, specifically material that would reveal the identity of a key witness and make it easier for the defense to locate any favorable evidence within the government’s huge discovery production.

On August 8, Judge Jeannette Vargas ordered those exhibits to remain under seal.

For CISOs, that language implies that at least one insider at Headlands has provided information or context to investigators, and that the related documents would reveal how the firm detected, escalated, and documented the suspected misuse of code. In practical terms, those exhibits may touch on internal monitoring, access reviews, code comparisons, or informal reporting channels. If made public, they could expose both Headlands’ detection methods and its blind spots.

On September 11, Judge Vargas denied Ho’s Brady motion in full.

Subpoena fight reveals insider-risk governance gaps

A larger dispute has played out around Ho’s attempt to obtain internal records from Headlands, which appears in filings as “Nonparty-1.”

On Aug. 4, Ho served an 18-item subpoena seeking a wide range of materials from Headlands. Headlands later described the requests as spanning multiple years and covering categories that ranged from communications and interviews to trading and strategy-related records.

On Sept. 19, Headlands moved to quash the subpoena and backed the motion with a memorandum and a declaration attaching four exhibits.

On Sept. 26, before filing his opposition, Ho asked the court for permission to submit an appendix ex parte and under seal, saying the appendix would contain confidential defense theories responding to Headlands’ relevance objections.

The government responded on Oct. 3, and Ho replied on Oct. 6, warning that sharing the appendix with prosecutors “would obviously defeat the purpose.”

On Oct. 10, Judge Vargas granted Ho’s request, with the caveat that if the sealed submission was not limited to confidential defense theories, Ho would have the option to withdraw it.

Ho then filed his opposition on Oct. 13, with the appendix submitted under seal and ex parte.

On Nov. 7, prosecutors joined Headlands in seeking to quash the subpoena, calling several of Ho’s requests “impermissible fishing expeditions.” Ho replied on Nov. 10 that Headlands had already produced “more than a million documents” to the government and that the defense was seeking only a targeted set of materials relevant to intent and context.

For CISOs, this exchange maps directly onto insider-risk governance. When an insider departs, questions linger about:

  • What they accessed
  • What they retained
  • Whether internal monitoring detected anomalies
  • Whether documentation exists to reconstruct what happened

The subpoena fight reflects precisely those deficiencies and pressure points.

Trade secret specificity versus disclosure risk

Ho escalated his challenge on Oct. 30 with a motion to dismiss or, failing that, for a bill of particulars. He argued that the indictment’s references to non-specific “portions” or “components” of Headlands’ code, including unnamed Atoms and Alphas, left him without constitutionally adequate notice. He warned that the government’s “non-exhaustive” list allows prosecutors to “roam at large” in identifying alleged trade secrets.

On Dec. 4, prosecutors responded that the indictment is detailed enough under federal standards and that specifying individual trade-secret elements would itself risk public disclosure. They pointed to four examples in the indictment—instances where comments, variable names or functionality allegedly mirror Headlands’ code—and noted that expert disclosures due in February 2026 will offer additional detail.

The court has already adopted a full pretrial schedule, including expert reports, Daubert motions and a July 13 start to a three-week trial.

For CISOs, this phase highlights a familiar tension: When proprietary systems are compromised, proving precisely what was taken can require both technical and legal precision. The Ho case shows how quickly that precision becomes the battleground.

What the Headlands case signals for security leaders

This prosecution is shaping up to be a rare, detailed look at how insider risk plays out when privileged access, intellectual property, and weak internal guardrails converge. Several lessons already stand out for CISOs:

  • Access scope matters. Ho allegedly retained expansive permissions even after signaling his departure—an operational red flag in any environment.
  • Auditability determines survivability. The government’s reliance on snippet-level code comparisons shows how crucial detailed logging and version control become in post-incident forensics.
  • Cloud environments complicate everything. The 15 TB seized from AWS illustrates how much harder insider cases become when infrastructure is distributed.
  • Employee reports may be decisive. The sealed witness exhibits suggest that internal observations often surface what tools miss.
  • Trade-secret prosecutions depend heavily on governance. When companies cannot articulate what is sensitive and why, the legal process becomes slower and costlier.

As more filings emerge, this case will continue testing the systems and policies that modern trading firms and most high-tech environments rely on to guard against insider misuse. Even well-resourced companies can find themselves reconstructing basic activity after a highly trusted employee walks out the door.

Frequently asked questions

What is the Headlands insider risk case about?
The case involves allegations that a former Headlands developer copied proprietary trading source code and incorporated it into a competing firm while still employed.

Why is insider access central to the allegations?
Prosecutors allege the defendant had broad, privileged access to proprietary systems, which made it possible to copy sensitive code without immediate detection.

Why are audit logs and code comparisons important in insider cases?
Insider cases often rely on granular technical evidence such as access logs, version control records, and code similarity analysis to prove misuse.

How do cloud environments complicate insider investigations?
Cloud platforms can generate massive data sets, making it difficult to quickly identify what an insider accessed, copied, or retained after departure.

Why are some insider-related exhibits kept under seal?
Courts may seal exhibits to avoid publicly disclosing trade secrets, detection methods, or internal monitoring practices that could harm the victim organization.

What lessons does this offer for CISOs?
The case highlights the need for least-privilege access, detailed logging, strong offboarding controls, and clear documentation of what constitutes sensitive intellectual property.
