Recently, the Federal Trade Commission (FTC) proposed a new rule that, if passed, would prohibit organizations from requiring employees to sign non-compete agreements. While this could have many positive outcomes for employees, businesses need to understand how this change could impact data security.
For many security teams, this could create an unexpected urgency to fine-tune protocols that ensure adequate visibility over their organization’s sensitive data and intellectual property in the event employees leave for a competing company.
The history of non-competes
During his campaign in 2020, President Biden touted plans to eliminate non-compete clauses. He took the first major step toward this in July 2021 by issuing his Executive Order on Promoting Competition in the American Economy. Non-compete agreements are used across industries to prevent workers from quitting their jobs and taking new positions at rival companies or starting a similar business within a specific time period.
The new FTC proposed rule would prohibit employers from imposing non-compete agreements on their workers – a practice it calls “exploitative and widespread.” The rule will not immediately take effect, and the public has 60 days to offer comments through the FTC website. After this period, the commission will review public comments, make additional changes and finalize the rule, which would go into effect 180 days later. The FTC estimates this ruling could increase wages by nearly $300 billion a year by allowing workers to pursue better opportunities.
However, businesses need to prepare for what this could mean from a data protection perspective. With this ruling, employees could easily leave their company for a competitor and take sensitive company data and intellectual property with them.
Non-competes and the risk of data loss
While the debate around the pros and cons of non-competes continues, the intention versus the reality doesn’t really matter for security teams.
Here’s the truth: there’s a one-in-three chance a company loses intellectual property when an employee quits, and 71% of organizations are unaware of how much sensitive data their departing employees typically take with them. Most people feel an inherent ownership of the data they create while employed, despite that legally, employers typically own the intellectual property created by their employees.
It’s easy to verify when an employee takes a new position with a competitor, but knowing if that employee took company data with them can be much harder to distinguish. Whether or not the ruling proceeds, it's incredibly important for security teams to have the right visibility into the types of data leaving with employees.
The FTC proposal also serves as a critical reminder that companies need to heavily focus on having the proper tools to detect data exfiltration by departing employees and maintaining a positive company culture. Without technology offering the right visibility, it’s nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk. Organizations need tools that will let them see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns.
Culturally, security teams should not look to “catch” and punish employees, but to better educate and guide them. When data gets exposed, teams should approach the investigation assuming the employee’s intent was positive and give them awareness education in the moment for a longer-lasting impact. Opportunities to improve company security culture begin right when an employee starts at the company. With or without a non-compete, security and HR teams should define formal on- and off-boarding policies to ensure any data and system access is appropriately revoked when they move on to their next gig.
Ultimately, a strong culture of security starts with a security team willing to enable the organization to get its job done. Companies need a security-aware culture that establishes data ownership policies and empowers employees to do their part to protect the company. Creating this culture leads to every employee taking responsibility for security and encourages them to speak up. This also includes:
- Upfront employee agreements around data ownership and protection.
- Periodic separation agreement reminders to reinforce that employees do not own the data created while employed.
- The proper tools to detect data exfiltration by departing employees.
- Role-based trainings, especially on departure dos and don’ts.
- Systems that detect the movement of sensitive data and offer the controls to respond.
By having a holistic data protection program in place internally, security teams can have peace of mind that important, competitive data does not leave with employees.
Jadee Hanson, CIO and CISO, Code42