Noncompetes Nearing Extinction
In early April, the Federal Trade Commission (FTC) ruled – by a vote of 3-2 – to ban noncompete agreements nationwide for all employees, with limited exceptions. This federal ruling follows many state decisions to also ban noncompetes. The FTC argued noncompetes unfairly stymy innovation and keep wages artificially low. The FTC also predicted their decision will inject a fresh dynamism into the current gloomy American economy.
Specifically, they’ve predicted the ruling will spur new business formation to grow 2.7% per year. They estimate this will result in approximately 8,500 new businesses each year and raise average worker earnings about $524 annually.
Businesses scrambling to adjust
The promise of new businesses and higher wages comes with a sense of uncertainty. For workers, naturally, this ruling is a cause of celebration. Many businesses are hastily building contingency plans to mitigate potential fallout as the near elimination of noncompetes removes an important tool they use to protect intellectual property (IP).
The scramble to protect IP is understandable and widespread. IP is the primary source of innovation, differentiation and economic growth. While the FTC ruling is meant to promote competition, businesses are fundamentally worried it will potentially rob them of the innovation that drives their ability to compete.
Paper tiger or red herring?
While not unfounded, these worries may be overstated. The truth is, noncompetes were always a bit of a blunt instrument for protecting IP. While they did keep former employees from taking IP to competitors, they also had a number of unintended consequences that were bad for the economy as a whole. Foremost among them: noncompetes interfered with the ability of employers and workers to create good matches between themselves, as the most qualified workers were often barred from working for anybody but their former employers.
Addressing this issue, the FTC argued there are other tools businesses can use to protect IP. Some tools, they wrote, are even more efficacious than noncompetes – specifically trade secret laws and non-disclosure agreements (NDAs), which about 95% of employees are already bound by. While the federal ruling has businesses worried about their IP, that worry may be misplaced. Given the other instruments at their disposal to protect their IP from walking out the door, the ruling against noncompetes seems to be a bit of a paper tiger.
In fact, for contingency planning teams, it may not even be a paper tiger, but a red herring. There is a more serious and unaddressed threat to most business IP – one that’s been building steadily since digital transformation began to take hold. That escalating threat is inadequate backup protocols.
The more troubling threat to IP
Let’s be clear: IP can lose value if workers transfer trade secrets from one employer to another. While this is worrying, it doesn’t necessarily disrupt business continuity. Even stolen trade secrets still remain with the original employer, allowing them to continue business with their customers. There’s no question the value of that business is diluted. But it’s not a full disruption. A far greater threat, for example, is massive data loss. A 2023 study from Verizon noted, large-scale data loss can cost businesses up to $15.6 million per incident. Given the strong reaction to the FTC noncompete ruling, it seems businesses might also react strongly to this growing threat to their IP.
On the surface, this seems to be the case. According to a recent study from TAG Infosphere, about 93% of businesses have a policy in place to protect their IP. The same study reported only 7% are confident in the effectiveness of those plans. Of CISOs surveyed in the study, 71% said they wouldn’t be surprised by a data breach. In surveying the weak points across the data resilience landscape, the study found three common problems: data loss protocols relied too heavily on manual enforcement, cloud collaboration tools are misused as a form of backup, and, in general, there was a false sense of security among IT teams as to their data resilience and ability to restore their data post-incident. This all amounts to a “security blanket” model of IP protection, which seems to be industry wide. In other words, there are solutions, but no one is confident they work, or wants to look too deeply at why that might be.
Protect your IP with a data recovery plan
Businesses need a solid strategy to protect data against a variety of threats. With that in mind, contingency planners who value data should ensure – aside from any planning they might be doing to protect their IP from the loss of noncompetes – they have a more comprehensive data protection strategy. IP threats take many forms, from cyberattacks to a well-meaning employee accidentally hitting the delete button. While plans should be tailored to the needs of each business, in general they should include:
1. Data protection protocols to ensure IP is handled safely
Having good protocols in place in the first place will help minimize data-theft. Protocols should include true endpoint backup, to ensure all company data on all devices is automatically backed up to the cloud.
2. A list of emergency contacts, including all necessary parties for smooth data recovery
Mapping out necessary contacts in light of an emergency will help teams keep a cool head in the event of an incident, as well as a clear sense of who should be informed and in what order.
3. An inventory of assets ranked by criticality for business continuity
Your IP is distributed across company endpoints – laptops, desktop computers, tablets, etc. Keeping track of them all will help you determine the source of data loss and will also help you prioritize your restoration process.
4. A catalog of crucial IP including backup locations
Teams need to know what data is absolutely necessary to keep business moving, and what can be recovered more slowly. Again, this is a matter of priorities – knowing the bare minimum a business needs to keep going in the event of an incident.
5. Policies and procedures for unforeseeable disasters
This ensures there’s appropriate steps to follow in light of disaster. While these really are specific to each business, they might include identifying potential offsite locations to keep business moving while incidents play out.
6. A recovery point objective (RPO) and recovery time objective (RTO)
These are helpful metrics for contingency plan teams to benchmark their responses to data loss. RPOs help determine how much data loss is acceptable in a recovery plan. For example, you might say, “No matter what happens, we want to be able to return to the company’s data profile that existed an hour before the incident occurred.” This will help decide how frequent you want your backups to be. RTO on the other hand refers to how quickly you want that restoration to happen. Having both in place will keep your team and plan accountable.
7. Communication plans for employees, external stakeholders (eg. shareholders, board members or law enforcement partners), and customers where applicable
Doing crisis communication work in advance can help you weather the storm with stakeholders and keep reputational risks at a minimum while you recover your IP.
8. Continual tests, drills, and updates
Untested plans are basically worthless, as are plans that don’t consider new threats and risks. Ensure your backup plan is well-tested, and up to date.
Starting a conversation about IP
While the loss of noncompetes may make businesses uneasy, the larger threat to IP remains insufficiently addressed at an industry level. The FTC’s decision is useful as a starting point to discuss IP security in general – and particularly those challenges posed by the rash of inadequate data resilience policies afflicting enterprises at large. By remediating these with an airtight backup plan, businesses can cut the legs out from under the biggest threats to their IPs. For everything else, there’s still NDAs.