Putting the specifics of this case aside, the whole question underlines once again the questionable sanity behind copyright and intellectual property. The corner cases like these are a signal that the copyright thinking isn't entirely in alignment with reality. With physical goods it's very clear: if an employee had gone rogue and given off a prototype device built by the company, any resale of that device would naturally be illegal (it's illegal to buy and sell stolen goods) and the device could eventually be returned to the company.
However, with bits, things are different. Bits can be copied, they can't be stolen, and bits aren't unique things whose possession can be controlled. Thus, the idea of copyright is to "own" the copyrighted works so as to control making copies of it. The company tried to assert that it owns the library and extrapolate from there that they could control the bits that represent copies of the library. But if the thing companies intend to control is the idea or "the works" instead of the physical bits then we're faced with another dilemma.
Consider if the leaked thing was a trade secret, which is an idea with no physical presentation. The trade secret was published without permission by a rogue employee and thus it wouldn't be a secret any longer, then how could the company possibly claim it could be restored somehow? How could anyone who had read about the trade secret explicitly unmemorize it? There are no physical copies or bits to destroy, the idea would simply live in peoples' minds and eventually travel to the company's competitors. The cat's out of the bag, what can you do.
I think that in this case, the only plausible view of what actually happened is just that. The culprit is the employee who should be liable for the damages if it turns out that he actually did publish the source code without a permission. (Based on the comments even verifying that is still uncertain.) Similarly, if an employee smuggles in GPLv3 code in to the company's codebase then the company can't just shrug that off, and must release their proprietary source code as GPLv3.
Both are quite harsh conclusions. It seems that for any company larger than a few dozen people would eventually bump into one of these two cases. Employees would have to require written permission from their managers to release source code. (What if their managers didn't have the permission to give that permission?) Companies would have to audit all new source code before adding it to their version control system. (Nearly an impossible task unless commit lag of months would be considered agile in their line of business.)
In practice, things don't work——neither way, as long as copyright is removed from the realm of bits, data, and software and the concept of intellectual "property" is disintegrated from the beginning. WHen companies stop relying on those delusions and base their business on things that actually work on real life, they are relieved of much suffering.
If you "copy" the bits that happen to open up access to my bank account, I'm not likely to use the word "copy", I'm going to say "stolen" and involve the police.
Similarly, if you "copy" the bits that I'm trying to monetize (they're a book, or a movie, or a computer program), I will also prefer the word "steal" and likewise involve the police.
Just because a low-level mechanism ("hey, we /copy/ bits, we don't destroy them! You still have them!") enables behavior on your part does not make that behavior ethical or lawful, nor does it imply that the notion that someone can control ownership of mere bits is bankrupt or delusional.
"Stealing" as applied to physical property involves two elements: it must be unauthorised by the owner, and it deprives the owner of the thing.
So I wouldn't define your password as stolen, just "known". As soon as the perp used it to take money from your account, then stealing has occurred.
"Stealing" is a very loaded word, which is why big media is desperate to frame their business problems using it. And in this case, I doubt many people would consider those who used NVD3 were guilty of stealing, given that a) they had been authorised to use it (as far as they knew), and b) they haven't deprived Novus of anything.
If you "don't read" my book, I'm going to call that "stealing". After all, if you had read it, I would have gotten $20, and I didn't get my $20, so you must have stolen something from me.
"Similarly, if an employee smuggles in GPLv3 code in to the company's codebase then the company can't just shrug that off, and must release their proprietary source code as GPLv3."
No, assuming the company was in violation of the GPLv3, they would probably need to stop using it, and potentially pay damages if sued by copyright holders, but would be under no compulsion to release their own proprietary source code. Unless, of course, they wanted to comply with the terms of the license and continue using it. However, the GPLv3 alone wouldn't even require that unless they were selling or making available copies of the software.
However, with bits, things are different. Bits can be copied, they can't be stolen, and bits aren't unique things whose possession can be controlled. Thus, the idea of copyright is to "own" the copyrighted works so as to control making copies of it. The company tried to assert that it owns the library and extrapolate from there that they could control the bits that represent copies of the library. But if the thing companies intend to control is the idea or "the works" instead of the physical bits then we're faced with another dilemma.
Consider if the leaked thing was a trade secret, which is an idea with no physical presentation. The trade secret was published without permission by a rogue employee and thus it wouldn't be a secret any longer, then how could the company possibly claim it could be restored somehow? How could anyone who had read about the trade secret explicitly unmemorize it? There are no physical copies or bits to destroy, the idea would simply live in peoples' minds and eventually travel to the company's competitors. The cat's out of the bag, what can you do.
I think that in this case, the only plausible view of what actually happened is just that. The culprit is the employee who should be liable for the damages if it turns out that he actually did publish the source code without a permission. (Based on the comments even verifying that is still uncertain.) Similarly, if an employee smuggles in GPLv3 code in to the company's codebase then the company can't just shrug that off, and must release their proprietary source code as GPLv3.
Both are quite harsh conclusions. It seems that for any company larger than a few dozen people would eventually bump into one of these two cases. Employees would have to require written permission from their managers to release source code. (What if their managers didn't have the permission to give that permission?) Companies would have to audit all new source code before adding it to their version control system. (Nearly an impossible task unless commit lag of months would be considered agile in their line of business.)
In practice, things don't work——neither way, as long as copyright is removed from the realm of bits, data, and software and the concept of intellectual "property" is disintegrated from the beginning. WHen companies stop relying on those delusions and base their business on things that actually work on real life, they are relieved of much suffering.