What Samsung Lost in 20 Days: The 2023 ChatGPT Leak Nobody Has Forgotten

By Basel Ismail, May 19, 2026

In March 2023, Samsung Semiconductor lifted its internal ban on ChatGPT. Within 20 days, engineers at the company's chip division had leaked confidential information to OpenAI's servers on at least three separate occasions. The details of those incidents remain some of the most cited examples in enterprise AI risk discussions, and for good reason. They illustrate exactly how quickly trade secret protections can evaporate when employees interact with third-party generative AI tools.

Three Incidents, Three Weeks

The leaks were reported by South Korean media outlet Economist Korea on March 30, 2023, and subsequently confirmed by Samsung's internal communications. Here is what happened:

  • Incident 1: Semiconductor source code. An engineer pasted proprietary source code into ChatGPT to check for errors. That code related to Samsung's semiconductor measurement database. Once submitted, it became part of the data OpenAI could potentially use for model training under the terms of service in effect at the time.
  • Incident 2: Defective equipment detection code. A separate engineer copied code related to yield and defect identification for semiconductor equipment into the tool, again seeking optimization suggestions. This was production-level intellectual property tied to Samsung's manufacturing processes.
  • Incident 3: Meeting notes. An employee used ChatGPT to generate meeting minutes by feeding it a recording transcript. That transcript contained internal strategic discussions, the kind of content that would be protected under virtually any reasonable confidentiality framework.

All three incidents occurred within roughly three weeks of the ban being lifted. Samsung responded by restricting ChatGPT prompt uploads to 1,024 bytes, launching an internal investigation, and reportedly developing its own in-house AI tool. By May 2023, Samsung had also warned employees that violations could result in termination.

Why This Is a Trade Secret Problem, Not Just a Data Privacy Problem

Most of the commentary around the Samsung leaks focuses on data privacy or cybersecurity. Those are real concerns, but the trade secret angle is arguably more consequential and less well understood.

Under the U.S. Defend Trade Secrets Act of 2016 (DTSA, 18 U.S.C. 1836), a trade secret loses its protected status if the owner fails to take "reasonable measures" to keep it secret. The same standard applies under the Uniform Trade Secrets Act (UTSA), adopted in some form by 48 states. South Korea's Unfair Competition Prevention Act contains a similar requirement.

The critical question is straightforward: does submitting proprietary information to a third-party AI service constitute a failure to maintain secrecy?

At the time of these incidents, OpenAI's terms of service stated that user inputs could be used to improve models unless users opted out through a specific API configuration. Consumer-facing ChatGPT did not offer that opt-out in March 2023. OpenAI later introduced the ability to disable chat history for training purposes, but that came in April 2023, after the Samsung leaks.

So the engineers were, in practical terms, handing proprietary information to a third party under terms that allowed reuse. In a trade secret misappropriation case, opposing counsel would have a field day with that fact pattern. If Samsung ever needed to enforce trade secret protections over that source code or those manufacturing processes against a competitor, the defense would point directly to these disclosures as evidence that Samsung failed the "reasonable measures" test.

The Reasonable Measures Standard in Practice

Courts have been fairly specific about what "reasonable measures" means. In Compulife Software Inc. v. Newman (11th Cir. 2020), the court examined whether the plaintiff had taken adequate steps to protect its data, including access controls, confidentiality agreements, and technical safeguards. In Waymo LLC v. Uber Technologies (N.D. Cal. 2017), the scope of internal security protocols was central to establishing trade secret status.

The pattern across DTSA cases is consistent: you do not need perfect security, but you need demonstrable, affirmative steps. Allowing employees to paste source code into a consumer AI tool with no data processing agreement, no enterprise license, and no input filtering is going to be very hard to characterize as "reasonable" under any reading of the statute.

What It Actually Cost Samsung

Samsung has not disclosed a specific dollar figure tied to these incidents, and it is unlikely they ever will. But the costs are real and measurable in several dimensions.

Weakened IP position. Any trade secret disclosed to a third party without adequate protections is potentially compromised for enforcement purposes. Samsung's semiconductor IP is worth billions. Even a marginal reduction in enforceability represents enormous exposure.

Operational disruption. Samsung's response included restricting prompt length, launching internal investigations, building proprietary AI tools, and revising employee policies. None of that is free. Building an in-house LLM alternative is a multi-year, multi-million-dollar effort.

Reputational cost. The Samsung incident became the canonical example of why enterprises should not let employees use consumer AI tools with sensitive data. It is referenced in virtually every enterprise AI governance presentation, every board-level risk briefing on generative AI, and most regulatory guidance documents on the topic. For a company that licenses technology and partners with other semiconductor firms, being the cautionary tale is not a neutral outcome.

Regulatory scrutiny. Samsung faced inquiries from South Korean regulators, and the incident accelerated the Korean government's development of AI-specific guidelines for the private sector. Internally, Samsung's compliance and legal teams were forced into reactive mode, which is always more expensive than proactive governance.

The Broader Pattern

Samsung was not unique. A June 2023 study by Cyberhaven found that 11% of data employees pasted into ChatGPT was confidential. A separate survey by Fishbowl found that 68% of employees using AI tools at work did so without their employer's knowledge. The Samsung incident was simply the most visible example of a problem that was, and still is, widespread.

What made Samsung's situation particularly instructive is the speed. Three separate incidents in 20 days, across different teams, involving different types of confidential information. This was not a rogue employee. It was a systemic gap between policy (lifting the ban) and controls (having no guardrails in place when the ban was lifted).

For companies subject to U.S. trade secret law, the lesson is concrete. The DTSA does not care about your intentions. It evaluates your actions. If your employees can paste source code into a consumer AI tool and nothing stops them, your "reasonable measures" argument has a serious problem.
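As an added illustration (example code written for this post, not FirmAdapt's product code and not anything Samsung deployed), the Python sketch below is the kind of input-layer control that turns "we have a policy" into something that actually stops the paste: it applies the 1,024-byte cap the article mentions, flags prompts that look like source code or a speaker-labelled meeting transcript, catches explicit confidentiality markers, and emits an audit record that proves the control ran without copying the prompt itself into the log. The regex heuristics, thresholds, sample prompts and user name are all constructed for this example.

```python
import hashlib
import re

MAX_PROMPT_BYTES = 1024  # the cap Samsung reportedly imposed after the leaks

# Hypothetical heuristics for this example; tune against your own corpus.
CODE_LINE = re.compile(
    r"^\s*(#include\b|(def|class|import|from|return)\s+\w"  # C/Python statements
    r"|(int|void|char|static|struct)\s+\w+.*\("              # C-style declarations
    r"|.*[;{}]\s*$)")                                         # statement/block terminators
SPEAKER_LINE = re.compile(r"^\s*(\[\d{1,2}:\d{2}(:\d{2})?\]\s*)?[A-Z][\w .'-]{0,30}:\s+\S")
CONFIDENTIAL = re.compile(
    r"\b(confidential|internal (use )?only|do not distribute|trade secret)\b", re.I)

def classify_prompt(text: str) -> list[str]:
    """Return the reasons to block a prompt; an empty list means it may be sent."""
    reasons = []
    size = len(text.encode("utf-8"))
    if size > MAX_PROMPT_BYTES:
        reasons.append(f"size {size}B exceeds {MAX_PROMPT_BYTES}B cap")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    code_lines = sum(1 for ln in lines if CODE_LINE.match(ln))
    if code_lines >= 3:
        reasons.append(f"source code: {code_lines} code-like lines")
    speaker_lines = sum(1 for ln in lines if SPEAKER_LINE.match(ln))
    if speaker_lines >= 3:
        reasons.append(f"meeting transcript: {speaker_lines} speaker-labelled lines")
    marker = CONFIDENTIAL.search(text)
    if marker:
        reasons.append(f"confidentiality marker: '{marker.group(0)}'")
    return reasons

def audit_record(user: str, text: str) -> dict:
    """Evidence that the control ran, without copying the prompt itself into the log."""
    reasons = classify_prompt(text)
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
    return {"user": user, "prompt_sha256": digest, "allowed": not reasons, "reasons": reasons}

# Constructed sample prompts modelled on the three incidents (not Samsung's real data).
CODE_PROMPT = ("Can you find the bug in this code?\n#include <stdio.h>\n"
               "static int threshold = 42;\nint check_yield(int measured) {\n"
               "    return measured > threshold;\n}\n")
TRANSCRIPT_PROMPT = ("[00:01] Chair: Welcome everyone, this discussion is confidential.\n"
                     "[00:02] Lee: The Q3 roadmap moves the new node to the second fab.\n"
                     "[00:03] Park: Agreed, and we keep the vendor change internal only.\n")
BENIGN_PROMPT = "Suggest three names for a lunch-and-learn series about public speaking."
```

Calling `audit_record("eng-demo", CODE_PROMPT)` returns a blocked decision with the reason "source code: 5 code-like lines", while the benign prompt passes with an empty reasons list; the hash in the record lets an investigator later match a log entry to a prompt without the log itself becoming a second copy of the secret.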

What This Means for Regulated Industries

If you are in financial services, healthcare, defense, or legal, the stakes are compounded. You are not just dealing with trade secret risk; you are layering on HIPAA, GLBA, ITAR, CMMC, or professional conduct rules that impose independent obligations around data handling. A healthcare company's employee pasting patient-adjacent data into ChatGPT is simultaneously a trade secret problem, a HIPAA problem, and potentially an FTC Section 5 problem.

The Samsung scenario keeps repeating in different forms across regulated industries because the underlying dynamic has not changed. Employees want to use powerful tools. The tools are trivially easy to access. And the gap between "we have a policy" and "we have a control" remains wide at most organizations.

How FirmAdapt Addresses This

FirmAdapt was built specifically to close the gap between AI adoption and trade secret (and broader regulatory) compliance. The platform processes data within a compliance-first architecture where inputs are not sent to third-party model providers for training, retention policies are configurable to organizational and regulatory requirements, and sensitive data classifications can be enforced at the input layer before any model interaction occurs. This means employees get AI capabilities without the organization sacrificing its "reasonable measures" posture under the DTSA or equivalent frameworks.

For organizations in regulated industries, FirmAdapt also maps these controls to sector-specific requirements, so the same architecture that protects trade secrets simultaneously addresses HIPAA, CMMC, GLBA, and other applicable frameworks. The goal is not to prevent teams from using AI. It is to make sure that using AI does not quietly destroy the legal protections your organization depends on.
