Monday, July 26, 2021

Protecting Your Business from President Biden's "New Deal" for FTC to Curtail "Non-Compete Clauses"


On July 9, 2021, President Biden issued an Executive Order to coordinate all federal agencies around a national policy to promote competition and to prevent and curtail abusive monopolies and monopolistic practices.

 The Executive Order calls upon the Federal Trade Commission (FTC) to “address agreements that may unduly limit workers' ability to change jobs.”  Under Section 5(a) of the FTC Act, the FTC can regulate “unfair or deceptive trade practices in or affecting interstate commerce.”  Existing 2015 FTC policy targets “the promotion of consumer welfare.”   President Biden seeks to expand that policy to include worker mobility: “to curtail the unfair use of non-compete clauses and other clauses or agreements that may unfairly limit worker mobility.”  But “unfairness” is not defined by statute.  If a non-compete agreement is too restrictive, a worker might not find a new job with higher wages or better employment opportunities.

                For business owners and tech investors, it is time to anticipate and manage potential challenges to non-competition covenants. 

                For employees, consultants, business service providers and strategic alliance partners, new federal regulations probably cannot replace the need for smart negotiations to prevent possible abusive enforcement of a valid restrictive covenant.  

                What is a Non-Compete Clause?  A non-competition clause or “covenant” is a contractual obligation by an employee not to compete with the employer’s business during employment and for some limited period after employment.  This restricts the employee from joining a competitor until after a reasonable “cooling off” period.  But the restriction is limited in scope, duration and, if appropriate, geography.  Every situation is different, so courts analyze the benefits, burdens and reasonableness.  The non-compete clause typically includes protections for trade secrets, which can exist forever (e.g., Coca Cola’s secret formula for its soft drink).

Why Businesses Require Non-Compete Clauses.  Non-compete clauses serve valid competitive purposes.  They protect a business against:

·         Poaching of the business’s clients and employees (but not forever);

·         Unauthorized disclosure of trade secrets (both of the employer and third parties doing business with the employer) and other employer confidential information; and

·         An employee’s abuse of his or her duty of loyalty while an employee.

 What are the Public Policy Limitations on Enforcement of Non-Compete Covenants.  In New York, such clauses are permitted as a matter of long-standing public policy (“common law,” not statute) to protect an employer.  (An exception exists for the broadcast industry.)  New York common law (“public policy”) already limits non-compete covenants.  The covenant must be reasonable in scope of work (relating to the first employer’s business activities), duration and geography.  As summarized by a former New York attorney general in 2017:

A non-compete [agreement] is only allowed and enforceable to the extent it (1) is necessary to protect the employer’s legitimate interests, (2) does not impose an undue hardship on the employee, (3) does not harm the public, and (4) is reasonable in time period and geographic scope. An employer’s legitimate interest may include protecting an employer’s trade secrets and confidential information and preventing employees from taking specialized skills they gained on the job to a competitor. A non-compete’s restrictions must be no greater than necessary to protect the legitimate interests of the employer. To determine if a non-compete is enforceable, courts consider an employee’s job duties, the employer’s business interest, and the language of the agreement.

In contrast, a California statute bans non-competition covenants as a “restraint of trade” unless negotiated as part of the sale of shares or the employer’s business.  Exceptions apply to situations involving business exit transactions including the sale of the goodwill of a business, the seller’s entire ownership interest in the business entity, or all or substantially all of a business’ operating assets together with the goodwill.  Calif. Bus. & Prof. Code §§ 16600 and 16601.

Negotiated Contractual Limitations on Non-Compete Clauses.  To avoid an overly broad restriction on the mobility of workers and business service providers, employees, business service providers, licensors, strategic partners and others can negotiate limitations on non-compete clauses.  For example, one might negotiate an exclusion for information and know-how that is “general skill and knowledge” in an industry.  Or an employee might negotiate a separation bonus to cover the post-termination period, especially where the termination was “without cause.”  For new senior executives coming on board with broad substantive and strategic knowledge, a blacklist of “competitors” and a whitelist of “non-competitors” might be identified to give comfort to both employer and executive.

Planning How to Improve Your Chances of Enforcing a Non-Competition Clause.  Anticipating new FTC regulations on interstate businesses, you can improve your odds of judicial enforcement of your non-competition covenants.  In addition to carefully crafting your non-compete clauses, you can:

 ·         Pay some money that is earned only during the post-termination period.  This provides special “consideration” beyond one’s normal salary. 

-        In England, they send such employees to “garden leave” to do nothing but grow a garden. 

-      In Japan, the “corner office work” serves the same function, where job duties are restricted with full pay.

·          Limit the scope to what is needed for saving your customers, your employees and your trade secrets from poaching.  

·         Protect trade secrets through internal management practices, manuals, trainings and segregation of functions, as well as clauses in employment agreements, licensing agreements, business services agreements (outsourcing), non-disclosure agreements, financings, strategic transactions, and any transaction for a change of control.

·         Protect existing and prospective client relationships and employees from being poached by delivering good customer experiences and employee satisfaction.

·         Link non-compete clauses to stock options, restricted stock units and/or deferred compensation.

·         Negotiate with your new employees (and their attorneys) to have them agree the restrictions are reasonable.

·         Require disclosure to new employers so that they can evaluate whether there is a risk of conflict and breach.

·         Consult an attorney who understands your business model and can help you build, protect and securely exit your business.

Thursday, January 28, 2021

U.S. National Security Regulation of Information Technology Supply Chains and IT Infrastructure as a Service: (CFIUS-Style National Security Review for Cloud Computing, Software, Hardware, SaaS, IoT and Other Tech-Enabled Devices)

Regulation of IT Supply Chain after January 19, 2021 and after SolarWinds

On January 19, 2021, as a final act of the departing Trump administration, the Department of Commerce published an interim final rule (the “Rule”) and President Trump signed an Executive Order (the “Order”) to regulate U.S. information technology (“IT”) companies in transactions with foreign actors.  Entitled “Securing the Information and Communications Technology and Services Supply Chain,” the Rule is based on delegated authority under the International Emergency Economic Powers Act. The Order expands on an Executive Order issued May 15, 2019.   The Rule coincides with newspaper reports that some U.S. governmental agencies and other tech services companies downloaded malicious software from SolarWinds, a Texas tech services company reportedly with over 18,000 customers, that appears to have been hacked by foreign hackers.

Summary of New ITSC Regulation

As of January 19, 2021, any American business’s purchase of Information and Communications Technology and Services (“ICTS”) from “persons owned, controlled or under the jurisdiction or direction” of a “foreign adversary” is subject to a Commerce Department review for national security and critical dependency risks.  The Rule covers all ICTS Transactions where the tech or services are “designed, developed, manufactured or supplied” by such persons.  The Rule seeks to protect the American IT supply chain (“ITSC”).  No exemptions apply, regardless of your company’s size, industry or activities.

The 2021 ITSC Rule follows the policies reflected in the 2018 amendments to laws governing virtually all foreign acquisitions of U.S. tech companies, under scrutiny for national security by the Committee on Foreign Investment in the United States (“CFIUS”).  To avoid duplication, the Rule states it does not apply to ICTS Transactions that CFIUS is actively reviewing, unless the ICTS Transaction is distinct from a CFIUS-reviewed transaction.  Like the CFIUS review process, the Commerce Department can identify a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection with the Order.

The ITSC Rule

Scope of ITSC Transactions

Virtually every digital service and product is covered, regardless of whether it handles a single computer, a computer network, cloud service, telecommunications switches or just individual product data.

Definition of ICTS.  The Rule defines “Information and communications technology or services or ICTS” to mean “any hardware, software, or other product or service, including cloud-computing services, primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means (including electromagnetic, magnetic, and photonic), including through transmission, storage, or display.”

Definition of ICTS Transaction.  Under the Rule, “ICTS Transaction” means “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download. An ICTS Transaction includes any other transaction, the structure of which is designed or intended to evade or circumvent the application of the Executive Order.”

Broad Scope.  In its preliminary discussion of ITSC vulnerabilities, the Commerce Department clearly intended to include SaaS (software as a service), Infrastructure as a Service, Cloud data storage and computing, IoT Internet-devices embedded in consumer goods, mobile phones and their Apps, Web browsers, drones and networked surveillance cameras.  

“Foreign Adversaries.”  The list of “foreign adversaries” consists of the following foreign governments and non-government persons: the People's Republic of China, including the Hong Kong Special Administrative Region; the Republic of Cuba; the Islamic Republic of Iran; the Democratic People's Republic of Korea; the Russian Federation; and Venezuelan politician Nicolás Maduro (Maduro Regime).

Effective Date of Rule

The Rule applies to any ICTS Transaction that is initiated, pending, or completed on or after January 19, 2021.  Further, any act or service with respect to an ICTS Transaction, such as execution of any provision of a managed services contract or installation of software updates, is an ICTS Transaction on the date that the service or update is provided.

Future Compliance Impact

The ITSC Rule imposes potentially costly compliance obligations for risk identification, assessment and regulatory licensing.  The Rule serves as a boycott of technologies from “foreign adversaries” unless approved by a Commerce Department license.  There are civil and criminal penalties, but prosecution of millions of small businesses is not practical.  Assuming the Biden Administration pursues the Rule, the scope will change the landscape for everyone, including our foreign trading partners, with potential retaliation by “foreign adversaries.”

If implemented, the ITSC Rule will likely generate a hornet’s nest in the business world and international politics.  But the reported SolarWinds hacking supports the logic of greater transparency in IT supply chains.

ICT Company Burdens.  ICT providers will need to verify countries of origin and give warranties about their extended ICT supply chains.  Even absent a legal requirement, there will be an increased need to document supply chain risk management analysis in the event an ITSC transaction is investigated by the Commerce Department.  ICT services companies must now identify the nationality, origin, foreign control and sensitivity of data that flow through their digital infrastructures.

Corporate Governance.  Corporate boards, officers, purchasing and procurement departments and strategic planners will need to identify the risks across a potentially multi-layered IT supply chain.  How much should a board spend on verification?  Is an ICTS supplier’s self-certification sufficient?  Will an independent sourcing audit become the norm?  What should be the policy, the process and the budget?

Information Governance.  New Information Governance ("IG") policies and procedures will be needed for ITSC risk management and regulatory licensing compliance.

Privacy and Cyber-Security Risk Management.  The ITSC Rule will highlight special risk management procedures, and perhaps insurance, that relate to compliance with privacy laws, such as the California Consumer Privacy Act (to be replaced in 2023 by a Consumer Privacy Rights Act) and potentially EU’s GDPR and draft Digital Services Act.

Antitrust and Competition Law.  If Google or another dominant market player were to insist that its European subsidiaries buy only from suppliers complying with the ITSC Rule, that would have the effect of exporting American ITSC risk management compliance.  Foreign local suppliers sourcing from a “foreign adversary” would be barred.  This would be a secondary boycott unless a Commerce Department license were granted.

Best Practices for Vetting: Know Your IT Service Provider.  If they don’t already do so, enterprise customers will include an ITSC Transaction questionnaire in their requests for proposals, requests for quotations and master services agreements.  ICT agreements will include warranties and rights to audit and inspect supply chain information.  Chief Information Security Officers (CISOs) will push for more certifications by “ethical hackers” (independent third-party testers of malware) and perhaps even direct testing.

Redrawing Supply Chains and Strategic Alliances.  Geographic and national security issues will translate into modifications in supply chains, starting with digital business models and leading into all enterprise strategic alliances, global business services, outsourcing services providers and shared services centers.  Procurement and IT departments will also examine the impact across strategic sourcing, supplier management, assessment of third party risks, artificial intelligence and robotic/intelligent process automation.

M&A and Corporate Finance.  New representations and warranties will appear in due diligence and documentation for business valuation, corporate finance and M&A transactions.

Audits.  Accountants will require ITSC audits before certifying or commenting on financial statements, which could include disclaimers as to an entity’s viability due to “incomplete” ITSC disclosures.

Cyber-risks, Hacking, Cyber-Security and Privacy.  The new Rule concerns national security, digital security, privacy and extortion.  “This [potential] data exfiltration—supported by U.S. web data hosting and storage servers—threatens to allow foreign adversaries to exploit Americans' personal and proprietary information by allowing a foreign adversary to track the locations of Americans, build dossiers of sensitive personal data for blackmail, and conduct corporate espionage from inside the borders of the United States.” Cyber-insurance policies will need to be revised to impose underwriting constraints and higher premiums on non-conforming insured enterprises.

International Trade Agreements.  In light of the reported SolarWinds hacking, President Biden will need to decide how stringently to enforce the Trump administration’s ICTS Rule.  New trade agreements might create group action against the same “foreign adversaries.”  Conflicts with allies may arise as to ICT products designed or manufactured in a trade ally country by a subsidiary from a “foreign adversary.”  For example, the Chinese tech company Huawei is planning to build 5G telecom products in France, potentially for sale to other trade allies.

How to Get a Department of Commerce License.  

Assuming a company plans to update or sign up for any "foreign adversary" technologies, a license will be needed.  To afford parties greater certainty, the Commerce Department intends to publish, within 60 days after January 19, procedures to allow a party or parties to a proposed, pending, or ongoing ICTS Transaction to seek a license.  Implementation is scheduled within 120 days after January 19.  The change from President Trump to President Biden will determine how this Rule plays out in March and May 2021.

This summary is not legal advice.  These matters are subject to change.  If you have any questions or comments, please feel free to contact us. (C) 2021 W.Bierce.