Noncompete ban would force companies to become smarter about data-loss strategies
"If a company is looking to enforce a contract, it’s after the fact. The damage has already been suffered," said David Huberman, general counsel of Code42.
Noncompetes were never a perfect way for companies to try to limit data loss, according to legal observers, who say an outright ban would force businesses to adopt more proactive measures.
“It’s really a blunt instrument, and it’s inherently retrospective,” David Huberman said of noncompetes. Huberman is general counsel of Minneapolis-based Code42, a cybersecurity software company that specializes in managing insider risk.
“If a company is looking to enforce a contract, it’s after the fact. The damage has already been suffered,” he said.
The information-security industry is among many business sectors assessing the potential impact of the Federal Trade Commission’s noncompete ban, a proposal that has many supporters and detractors.
Huberman said that, when companies seek to enforce noncompetes in court, they often have to conduct a painstaking forensic analysis to determine what information was taken and when. “All that stuff is really hard, and it’s really expensive. That’s the reality of noncompetes, and for a long time that’s all companies had.”
Redgrave partner Martin Tully, who co-leads the firm’s data privacy & cybersecurity practice group, said that while noncompetes can help recover stolen data, it’s better to keep it secure from the beginning.
“You may have a border collie that you can send out to get the cow back in the barn, but the better thing is to have a lock on the barn so the cow doesn’t leave in the first place,” he said. “This is where data loss prevention comes into play.”
Two-thirds of employees who take data with them to a new job have done so before, according to Code42’s 2020 Data Exposure Report on Insider Threat.
“If you go to any company and you ask if people are taking stuff with them, they’re going to say they know people are taking stuff. Until recently it was difficult to know what they were taking and how they were taking it. Now you can take action much more quickly to recover the IP or prevent it from leaving and avoid having to file that lawsuit,” Huberman said.
The report, which surveyed about 4,500 knowledge workers in the U.S., U.K., and Europe, also found that the ease with which data can be viewed and shared throughout a company poses an unintended security risk.
“A lot of data is put at risk accidentally by well-intentioned people who are just trying to get their jobs done. But they might upload some data to an unsanctioned sharing app,” Huberman said.
Tully said companies should identify what their “crown jewels” are and who has access to that information.
“There are some tools out there that can help with monitoring who has access to information and whether you’re seeing unusual modes of activity with respect to that information,” Tully said. “One of the easiest ways that people typically will identify whether an employee is getting ready to leave is all of a sudden they are suddenly starting to unusually access information at a pace or scope that they otherwise wouldn’t.”
The nondisclosure agreement is another critical tool, one companies should be relying on much more heavily than noncompetes, said Kenya Dixon, vice president and assistant general counsel for the McLean, Virginia-based data security consulting firm Celerity.
Employee turnover is an inherent risk of doing business, she said, but employees shouldn’t be forced into long cooling-off periods that delay their careers.
“Having people sit on the sidelines isn’t going to make them any more loyal to you,” she said. “We don’t have indentured servitude in this country — employees are free to go from one company to another, but they must leave proprietary information behind.”
Dixon also strongly recommends that companies strictly limit who has access to that information.
“You should only give employees access to data on a need-to-know basis,” she said, adding that companies should also log when that data is being viewed, “so if a competitor gets the recipe to Coke, you should know exactly who accessed the recipe, what day it was accessed, what time it was accessed and where they were sitting when they accessed it. The logs should clearly show how the recipe was accessed.”
It’s not about employee surveillance, Tully said, but monitoring data to see where it moves.
“It’s not too different than what is done for general data security,” he said. “This is how oftentimes data security teams will be tipped off that there has been some kind of malicious intrusion, because all of a sudden they’ll see unusual activity in places where it doesn’t ordinarily exist. And that can mean a data breach, or perhaps an insider is up to something they shouldn’t be.”
Dixon said that, for too long, companies have relied on noncompetes as a crutch.
“Everybody wants to do what’s easiest, and what’s easiest is the status quo. If the FTC changes the law, you have to implement the new law, and that isn’t easy. It means you have to actually have an access and permissioning policy in your organization and have implemented that policy,” she said.
“You have to implement an access on a need-to-know basis policy and a zero-trust policy. Then, you have to determine if your intellectual property or sensitive data has been used by a competitor. You have to actually pay attention.”