Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Would the FTC Rule on Noncompetes Affect Data Security?

Without noncompetes, how do organizations make sure employees aren't taking intellectual property when they go to work for a competitor?

Jadee Hanson, CISO and CIO, Code42

January 18, 2023


Question: How would the FTC rule on noncompetes affect data security?

Jadee Hanson, CIO and CISO, Code42: The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.

One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.

Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.

There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.

This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.

At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.

By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.
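
The risk indicators named above (off-hours movement, changed file extensions, files from a highly confidential project, and movement to noncorporate locations) can be combined into a simple prioritization pass over file-movement events. This is an added example, not code from the article or from any Code42 product; the event fields, host names, project tag, business hours, weights, and threshold are all assumptions chosen for illustration.

```python
from datetime import datetime
from pathlib import PurePosixPath

# All values below are hypothetical and would be tuned per organization.
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday
TRUSTED_DESTINATIONS = {"corp-drive.example.com", "git.example.com"}
CONFIDENTIAL_TAGS = {"project-aurora"}
WEIGHTS = {"off_hours": 2, "extension_changed": 3,
           "confidential": 3, "untrusted_destination": 4}
ALERT_THRESHOLD = 6

def indicators(event):
    """Return the names of the risk indicators present in one event."""
    found = []
    ts = datetime.fromisoformat(event["time"])
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        found.append("off_hours")
    src_ext = PurePosixPath(event["source_name"]).suffix.lower()
    dst_ext = PurePosixPath(event["dest_name"]).suffix.lower()
    if src_ext != dst_ext:  # file renamed to a different type in transit
        found.append("extension_changed")
    if CONFIDENTIAL_TAGS & set(event.get("tags", [])):
        found.append("confidential")
    if event["dest_host"] not in TRUSTED_DESTINATIONS:
        found.append("untrusted_destination")
    return found

def score(event):
    """Sum the weights of the indicators present."""
    return sum(WEIGHTS[name] for name in indicators(event))

def prioritize(events):
    """Return (score, user, indicators) for events at or above the
    threshold, highest score first, so analysts review those first."""
    scored = [(score(e), e["user"], indicators(e)) for e in events]
    flagged = [s for s in scored if s[0] >= ALERT_THRESHOLD]
    return sorted(flagged, key=lambda s: s[0], reverse=True)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"user": "alice", "time": "2023-01-17T10:15:00", "tags": [],
     "source_name": "roadmap.pptx", "dest_name": "roadmap.pptx",
     "dest_host": "corp-drive.example.com"},
    {"user": "bob", "time": "2023-01-17T23:40:00", "tags": ["project-aurora"],
     "source_name": "design.dwg", "dest_name": "design.jpg",
     "dest_host": "personal-cloud.example.net"},
    {"user": "carol", "time": "2023-01-21T14:00:00", "tags": [],
     "source_name": "notes.txt", "dest_name": "notes.txt",
     "dest_host": "personal-cloud.example.net"},
]

if __name__ == "__main__":
    for total, user, why in prioritize(EVENTS):
        print(f"{total:>2}  {user:<6} {', '.join(why)}")
```

Movement to a trusted location during business hours scores zero and is never surfaced, which is what lets monitoring stay out of the way of ordinary collaboration.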

About the Author(s)

Jadee Hanson

CISO and CIO, Code42

Jadee Hanson is the Chief Information Security Officer and Chief Information Officer at Code42, where she is responsible for business technology strategy and purchasing and leads global risk and compliance, security operations, incident response, and insider risk programs. Prior to Code42, Jadee held senior leadership roles in security at Target Corporation, where she implemented compliance, risk management, and insider threat programs. She also served as the security lead for the sale of Target Pharmacies to CVS Health. Before Target, Jadee was a security consultant at Deloitte. Jadee also co-authored the book, Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore, and in addition to her day job, Jadee is the founder and CEO of the nonprofit organization Building Without Borders.
