The Brief Case: DRI Committee News

Diversity and Inclusion: Diversity Insider

The Shifting Landscape of Non-Compete and Non-Solicitation Agreements 

By Kennard Davis and Dillon Williams

The landscape is changing in the realm of restrictive covenants such as non-compete and non-solicitation agreements. Several new laws limit the use and scope of restrictive covenants, one of which was recently enacted in Washington, D.C. Employers will now have to navigate these additional obstacles in its practices.

Courts scrutinize restrictive covenants

For many years, some courts have scrutinized non-compete agreements by calling into question the viability of such agreements, finding them unenforceable as overbroad, vague, or otherwise invalid. This disfavored treatment of non-competes is growing among the courts and is also creating a negative effect on the protection of trade secrets. This is especially significant considering the legal standard for protecting work secrets is also evolving as more employees are increasingly working remotely.

Limiting restrictive covenants

In addition to this judicial trend, it is also a recent legislative priority to limit or ban the use of restrictive covenants. In 2021, President Biden signed an executive order encouraging the Federal Trade Commission (FTC) to employ its statutory rulemaking authority "to curtail the unfair use of non-compete clauses and other clauses or agreements that may unfairly limit worker mobility." As a result, the FTC, and the Department of Justice (DOJ) Anti-trust Division recently partnered with the National Labor Relations Board to address key issues such as the regulation of non-competes. The DOJ and other federal anti-trust agencies are increasingly paying attention to employer-employee non-compete agreements to determine whether the agreements are enforceable.

Legislative restraints

In the year since President Biden signed the executive order, numerous states have enacted or amended statutes limiting or banning non-compete agreements. For example, Washington, D.C. recently changed its non-compete laws for all employers with D.C. employees. D.C. Law 23-209. Ban on Non-Compete Agreements Amendment Act of 2020. Effective on October 1, 2022, the newly amended law bans non-compete agreements for employees below a certain financial threshold, permitting only non-compete agreements for “highly compensated employees.” Id. It allows employers to bar their employees from disclosing, using, selling, or accessing the employer's confidential and proprietary information during or after employment. 

A couple of months before the new D.C. law went into effect, U.S. Representative Mike Garcia introduced a bill titled the Restoring Workers' Rights Act (RWRA), which, if codified, will amend the Fair Labor Standards Act (FLSA) to ban non-compete agreements nationwide for employees considered non-exempt under the FLSA. The act seeks to prohibit employers from restricting employees from:

1. Doing any work for another employer for a specified period of time;
2. Performing any work in a specified geographical area; or
3. Doing any work for another employer that is similar to the work performed by the employee for that employer. 

This legislation, if passed, will effectively create a federal ban on non-compete agreements for a substantial portion of the workforce. 

Tips for employers

Consider the following best practices when drafting non-compete and non-solicitation agreements, particularly as employers review those that apply to remote workers:

1. Keep the restrictions reasonable and narrow;

a. Limit the scope of the restrictions;
b. Limit the geographical scope of the restrictions; and 
c. Limit the duration of the restrictions. 

2. Be aware of the current applicable law of the state where your employee will reside while working for the company; 

a. There is a likelihood if the non-compete agreement includes a forum selection clause or choice of law provision that provides another state’s law governs any disputes related to the agreement, the presiding state’s public policy may render the agreement void and unenforceable.

3. Include specific provision(s) solely aimed at protecting the company’s confidential information and trade secrets.

a. Consider including the following federal laws in specific provisions of the agreement to assist in protecting the company’s confidential information and trade secrets: 1) the Defend Trade Secrets Act (18 U.S.C. § 1836); 2) the Computer Fraud and Abuse Act (18 U.S.C. § 1030); and 3) the Stored Communications Act (18 U.S.C. § 2701).

Conclusion

Considering the change in the landscape of restrictive covenants, employers should be proactive and speak to an attorney before disseminating the company’s current non-compete and non- solicitation agreement. Using such agreements will be more challenging than ever, as companies must consider changing, or additional, federal and state-specific regulations, along with the fact that their employees are increasingly working remotely. These changes in the legal landscape of non-compete and non-solicitation agreements could render a company’s current agreement unenforceable. Therefore, employers must now apply new, additional best practices to effectively manage their growing remote workforce and protect their business. 

Kennard Davis is an associate in Baker Donelson’s New Orleans office. He assists clients in a wide variety of litigation and regulatory matters, including commercial litigation, environmental and energy law, and arbitration. Kennard is currently the Chair of DRI’s Diversity and Inclusion Membership Committee. 

Dillon Williams is an associate attorney in the Kansas City office of Rasmussen Dickey Moore (“RDM”). He practices primarily in the areas of products liability, toxic torts, and premises liability. Prior to joining RDM, Dillon worked as a clerk at a consumer protection firm in Kansas City, Missouri. During law school, he was an intern with the Johnson County District Attorney’s Office, prosecuting criminal defendants on behalf of the State of Kansas. Dillon also successfully competed on the Mock Trial team and was recognized as the Top Advocate for the Final Round of the KU Mock Trial Tournament. Dillon is a member of DRI (Defense Research Institute) and a member of the Diversity and Inclusion Committee, Membership Subcommittee. 

Interested in joining the Diversity and Inclusion Committee? Click here for more information.

Cybersecurity and Data Privacy: Data and Security Dispatch

Will the Crypto Crash Trash the Ransomware Racket?

By Brent Arnold

Cryptocurrency is the coin of the realm for cybercrime. What happens when crypto becomes too risky for even criminals? And what does this all mean for defense counsel?

To answer this, it may be useful to begin with a primer on ransomware and ransomware attacks.

Ransomware by the numbers

For some time now, ransomware attacks have been the most pernicious and potentially disruptive form of cyber threat to Western business and government. Global attacks spiked during the COVID-19 pandemic from 188 million attacks worldwide to 305 million in 2020 and 623 million in 2021; by the middle of 2022, the world had seen 236 million attacks (statista.com). Put differently, attacks are up 232% since 2019 (panaseer, 2022). Even more alarmingly:

• 78% of organizations admitted to experiencing ransomware attacks in 2021 (Proofpoint, 2022);
• 68% of organizations admitted to being actually infected by such attacks in 2021 (Proofpoint, 2022);
• Of those 68%, two thirds of the organizations experienced three separate infections each, and 15% experienced more than ten separate infections (Proofpoint, 2022);
• Not unlike COVID-19, ransomware has spawned numerous variants, producing 130 different strains since 2020 (VirusTotal, 2021).

The cost of ransomware attacks has spiraled as well, with the average ransom payment increasing from $312,000 to $570,000 by 2021 (Mimecast, 2021), and the total cost of breaches (including ransom payment, mitigation costs, lost revenue, increased insurance premiums and reputational damage) averaging $4.6 million. Several “mega-breaches” cost up to 100 times that amount (Mimecast, 2021).

How does it work, and where does crypto come in?

Traditional ransomware attacks were simple: 

1. A virus was introduced into an organization’s computing environment;
2. The virus encrypted the organization’s data, making it impossible to access without help from the attacker.
3. A digital ransom note would pop up, demanding the organization pay a ransom in exchange for the digital decryption “keys” to allow the organization to decrypt and thus regain access to its data. The organization would pay, or not; if it didn’t, it simply lost access to the data.

In the last several years, ransomware attacks have become far more complex and damaging. Nowadays, a typical attack looks more like this:

1. A virus enters the organization’s computing environment;
2. This access gives the attackers the ability to move around in that environment, learning about the organization, its business and profitability, its unpatented intellectual property and trade secrets, the scope and quantum of its cyber insurance coverage (if any), and what personal information it collects and stores about its customers / clients and employees;
3. The attacker takes days, weeks, sometimes months to study its prey undetected. When it’s ready, the attacker copies and downloads (“exfiltrates”) large swathes of the data described above, and encrypts as much data as it can access.
4. A digital ransom note pops up, demanding the organization pay a ransom in exchange for the digital decryption “keys” to allow the organization to decrypt and thus regain access to its data.
5. The attacker also threatens, if not paid, to:

a. Sell the stolen data on the dark web to the highest bidder;
b. Dump the data, either on the dark web, or on publicly shaming sites on the regular internet;
c. Contact reporters, and / or inform the organization’s customers / clients, employees, or anyone else who’s sensitive personal data the attacker has in its hands that the organization hasn’t paid.

All this to say that ransomware has become more sophisticated in both the technical and tactical sense, with increasingly creative psychological approaches coming to bear to incent payment.

Payment, when it is made by an organization, takes the form of cryptocurrency—typically, but not exclusively, Bitcoin or Moneris. Cryptocurrency has the advantage of being extremely difficult, though not impossible, to trace back to an individual. Payments flow through the blockchain in a manner that, as with all blockchain transactions, can be traced by anyone, using publicly available websites. However, transactions while trackable are also anonymous; you may be able to trace the ransomware payment to the threat actor’s wallet, but that won’t tell you who owns the wallet, or where they are in the physical world. And while ransomware gangs are generally upfront in taking credit for attacks—they devote considerable energy to branding, so that victims take them seriously, and trust them to keep promises and carry out threats—they aren’t corporations with head offices; unlike the gangsters of old, their members aren’t public, targetable figures.  

Why does this matter to defense counsel?

Defense counsel may find themselves in the picture in several ways. 
They may act as data breach coaches, who:

• Advise clients on how to manage a ransomware attack in process; 
• Retain and instruct the experts (including data forensics and recovery experts, crisis communications experts, and ransomware negotiators and ransom payment brokers) as the crisis unfolds;
• Advise and assist in compliance with statutory notice and reporting obligations under various privacy laws, and
• Put the client in the best position possible to defend ensuing civil litigation or regulatory scrutiny.

Counsel may instead find themselves defending civil actions against their clients by companies or persons affected by the breach. These actions may range from claims by customers or vendors affected by the interruption in the attack victim’s business (which can have ripple effects throughout the supply chain) to class actions by large groups of individuals whose personal data was exposed, leaving them victim to identify fraud and other risks, as well as the embarrassment of having their privacy breached. 

Counsel may have to represent clients in regulatory proceedings that may follow from a ransomware attack, as their clients face scrutiny for breaches of statutory notice and reporting obligations, or statutory obligations to protect the personal information about individuals that the client has collected and stored.

In the worst-case scenario (depending on how a given client defines “worst”), counsel may have to defend clients for inadvertently (or intentionally) violating laws against money laundering or the financing of terrorist activities. In the United States, Canada and many other jurisdictions, it is illegal to make payments to individuals or organizations located in sanctioned countries (such as Iran). This, in part, is why reliable and current intelligence about threat actors is crucial in advising clients on the “pay / no-pay” decision: if it becomes apparent that the threat actor is operating out of a sanctioned state, paying the ransom would be a crime.

Is the cratering of crypto in 2022 affecting the ransomware ecosystem?

2022 has seen the greatest volatility in the cryptocurrency market since its inception. In May, the Terra algorithmic stablecoin (a cryptocurrency ostensibly pegged to the value of the U.S. dollar, but backed by no actual USD reserves, and dependent on automated arbitrage involving another cryptocurrency called Luna to maintain parity) became unmoored from its 1:1 value ratio to the U.S. dollar. This led to a devaluation triggering panic in the marketplace, resulting in massive liquidation of crypto holdings by investors, the ultimate result of which was the drop in value of Bitcoin (the dominant cryptocurrency from $68,000 USD in May to just $20,000 USD in June. As the markets were wobbling toward recovery, the crypto lending firm Celsius entered Chapter 11 bankruptcy proceedings in the U.S., further destabilizing the crypto ecosystem.

The effect of all of this on ransomware gangs and their tactics has been a matter of some debate. Theoretically, it should make their business model at least less convenient than it has been to date.

The overall effect of volatility in the cryptocurrency market is the same for cybercriminals paid in crypto as it is for regular crypto investors: if they leave their holdings in crypto wallets or exchanges instead of cashing them out immediately as fiat currency, their holdings may drop in value to nothing overnight when a massive market upheaval takes place. Also, when crypto markets crash, cryptocurrency exchange platforms often lock down, preventing runs on the digital bank. Cybercriminals thus need to cash out regularly quickly to minimize risk of exposure to a downturn in value. But, cashing out for criminals can be more difficult than for regular investors, as reputable exchanges tend to cooperate with law enforcement in blocking transactions involving suspected ill-gotten funds. By the time of the Terra / Luna implosion, dozens of dark web exchanges, where criminals could cash out crypto, had already shuttered.

The theory that the collapse of crypto markets has impacted the actions of ransomware gangs finds some support in the 23% drop in ransomware attacks from January to June 2022, with some experts seeing a seeming correlation between this drop and the decline in cryptocurrency markets (Kim, Axios, 2022). However, that decline correlates with other possible factors, including the shift in focus of the more patriotic among Russian cybercriminals to conducting cyberattacks on Ukraine (Kim, Axios, 2022), and intensified international law enforcement efforts that may be deterring attacks somewhat (Pimentel, Protocol, 2022). 

Some security professionals take the view that the devaluation of cryptocurrency has simply accelerated an already-in-progress shift by many cybercriminals away from ransomware and toward phishing scams, business email compromises, and other forms of attack that result in the simple theft of fiat currency without relying on crypto as a volatile intermediary (Fowler, CNET, 2022).

The FTX Epilogue

The last two months has seen the implosion of cryptocurrency markets following the collapse of FTX, one of the largest cryptocurrency exchanges. Unlike the Terra / Luna-led collapse, this one took place over a matter of days and saw the price of Bitcoin drop to $15,485 USD in November (its lowest in two years: Jagtiani, Bloomberg, 2022), following revelations of irregularities on the books of its sister crypto trading firm) and a $5 billion run on the digital bank that saw $40 billion in value on the exchange evaporate almost overnight. 

In the confusion and extraordinary events that have followed, virtually nothing has been said about the effect of this collapse on the cybercrime ecosystem (except, ironically, in connection with the apparent mid-collapse cyberattack on FTX that further drained its coffers). One assumes that the resulting market volatility, to the extent such volatility pushes cybercriminals away from ransomware and into more conventional forms of attack, will continue to do so. It would certainly be satisfying to hear that the further collapse of crypto markets has hurt threat actors as much as it has regular investors. 

As for defense counsel, a cyber threatscape in which ransomware recedes into the background in favor of more direct cybercrimes will greatly reduce counsel’s role as crisis manager during attacks in progress and lessen the extent to which counsel and clients need agonize over whether to pay ransoms and what the fallout of payment might be. Counsel will find themselves more often in their accustomed role of defending clients in the civil and regulatory proceedings that follow attacks.

Brent J. Arnold is a partner practicing in the Toronto office of Gowling WLG’s Advocacy department,  specializing in commercial litigation, Web3 technology disputes, data breach coaching and response, and data breach class action defense. He leads the Firm’s Technology Litigation Sub-Group. Brent is the Chair of the Cybersecurity and Data Privacy section of the U.S.-based Defense Research Institute (DRI), as well Chair of the Ontario Bar Association’s Privacy and Access to Information Law Committee. He is a Director of the Canadian chapter of the Internet Society, a global organization devoted to improving the affordability, accessibility, fairness and security of the internet.

Interested in joining Cybersecurity and Data Privacy Committee? Click here for more information.