IBM earlier this month sued its former CIO for taking a senior position at rival Amazon Web Services By
Aug 15, 2017 5:08 pm ET
Chief information officers are likely to face a rising number of legal disputes with employers over noncompete agreements, as cloud computing, data analytics and other digital capabilities expand from back-office operations to key strategic business tools, IT market recruiters, analysts and researchers say.
“CIOs are prime candidates for having a noncompete since they are highly-valued, educated—and highly compensated—employees and have access to virtually all of the valuable information and strategy at a company,” Norman Bishara, associate professor of business law and ethics at the University of Michigan’s Ross School of Business told CIO Journal.
“With the higher stakes, there will be more cases ending up in court,” he said
International Business Machines Corp. earlier this month sued its former CIO, Jeff Smith, in federal court in White Plains, N.Y., claiming he had breached a one-year non-compete agreement by taking a senior position at rival Amazon Web Services, Amazon.com Inc.’s cloud computing unit.
IBM describes Mr. Smith in the suit as one of its “most senior executives with knowledge of IBM’s most closely guarded product development plans” and cites AWS as a “main competitor in cloud computing.”
As such, it alleges, Mr. Smith will “take with him to AWS all the highly confidential information he knows about the technological innovations IBM is developing specifically in the cloud computing business.”
In addition to temporarily barring him from taking the job, IBM is seeking to reclaim $1.7 million in stock bonuses paid to Mr. Smith, as part of his contract.
Under a typical noncompete agreement, a worker agrees not to take a job at a company, or start a business, that is in direct competition with the employer.
“Most noncompetes have a time dimension and a geographic dimension, though this varies considerably by industry,” said Evan Starr, an assistant professor at the University of Maryland’s Robert H. Smith School of Business Management and Organization. He said the agreements usually cover a one- to two-year span from the day an employee leaves a company, and range from nationwide, state-wide, or within a few miles from the place of business.
Since the agreements are private contracts, they generally are enforced through lawsuits, and the extent to which companies can enforce them varies from state to state.
Whatever the merits of IBM’s case, the number of legal disputes over non-compete agreements involving CIOs is likely to increase, as digital tools continue to spread into more areas of business, industry insiders say.
“CIOs are getting closer to products and services, and they have more access to intellectual property than ever before,” says Martha Heller, president of Heller Search Associates, a recruiting firm that focuses on technology executives.
“As such, legal is going to be putting more and more emphasis on protecting the company,” she said.
Ms. Heller said noncompete agreements are included in roughly two thirds of all the employment contracts her firm makes on behalf of clients.
One of the first extensive studies of noncomepte agreements, conducted in 2014 by researchers at the University of Michigan, and updated last month, shows that 38.1% of the U.S. labor force have agreed to a noncompete at some point in their lives.
Based on a survey of more than 10,000 workers, the study found that noncompetes are more common in high-skilled occupations and industries, led by architecture and engineering at 36%, and computer and mathematical jobs at 35%.
By industry, noncompetes are most prevalent in information-intensive fields, at 32%, followed by mining and extraction and professional and scientific services, the study found.
Mr. Starr, who worked on the study, said there is scant empirical evidence that examines noncompete breach explicitly, let alone among CIOs.
But research has shown noncompete litigation has increased over time, with around 1,000 reported cases per year being the norm today, he adds.
“Of course, reported cases are the tip of the iceberg, since most cases settle or are not even brought in the first place,” he says.
He advises CIOs to be very cautious when they are agreeing to terms of a new job.
“CIOs should not only read the terms, but consult a lawyer and negotiate out of unfavorable terms up front depending on their preferences,” he said.
Likewise, Ms. Heller said CIOs should read the agreement carefully and understand how the employer is defining competition, especially as digital technology spreads across most industries.
“Get them to name names of specific companies that they consider competitors, and negotiate a timeframe,” she said. “I wouldn’t sign anything more than six months.”
resident Obama’s recent extraction of a pledgefrom Chinese leader Xi Jinping that neither government would conduct or continue economic espionage in cyberspace, while important, still comes up far short of addressing the significant and growing global concerns about the potential for a 9/11-style cyberattack on critical financial sectors.
Now more than ever, dramatically increased cyberthreats to the financial and business sector call for laws governing cyberthreat information sharing between the government and industry — before it’s too late.
Author James Michener once wrote, “We are never prepared for what we expect.” Cyberattacks involving data breaches, destructive software and attempts to disable critical segments of the financial sector worldwide have been dramatically increasing. This is not new news — alarm bells have been ringing.
Similarly, a 2011 U.S. Government Accountability Office report entitled Critical Infrastructure Protection reported that threats to financial institutions have included increased attacks from a variety of sources, including criminal groups, hackers, disgruntled employees, foreign governments engaged in espionage and information warfare and terrorist groups.
Furthermore, the media has reported that these cyberattacks have included, among other things:
Attempts by cybercriminals to use online banking and payment systems to transfer money from financial institutions to their own accounts.
Government and terrorist attacks designed to disrupt or disable key parts of the financial sector and probe infrastructure weaknesses.
Data breaches of confidential customer data used to cause reputational and financial harm.
Data breaches of confidential customer data used for extortion.
Cyberattacks involving data breaches, destructive software and attempts to disable critical segments of the financial sector worldwide have been dramatically increasing.
U.S. financial regulators are increasingly recognizing the threats of cyberattacks, with one senior regulator characterizing it as “the biggest system risk we have facing us.” The Financial Stability Oversight Counsel recently warned that the U.S. financial system is “highly dependent on” often interconnected information technology systems that create — and thus, enhance — the risk of a single cyber incident impacting many institutions simultaneously, with malicious actions infiltrating internal systems and infrastructure in ways that may be hard to detect.
Given the real and rising threats of cyberattacks against major financial institutions, and the potential for significant impact on the global economy, financial regulation and law enforcement have not only heightened their scrutiny of cybersecurity programs, but are increasingly adopting new laws, regulations and policies that focus on cyber resilience and threat response. The U.S., for example, has in recent years issued hundreds of cybersecurity regulatory guidance documents related to the banking and finance sector.
These cyberattack concerns extend to the U.S. government itself, with Senator Mark Warner (D-VA) recently co-sponsoring the RECOVER Act, in response to the fact that the federal government has been recently subjected to various cyberattacks compromising the personal data of 21.5 million federal workers, including OPM’s recent disclosure that the fingerprints of 5.6 million government employees had been stolen in these data hacks.
Notably, Presidential Executive Order 13691, issued by President Obama on February 13, 2015, characterizes cyberthreats as a “national emergency” and calls for increased cooperation and information sharing on such threats within both the government and private sector, as well as enhanced cyber resilience standards. Executive Order 13691 encourages — but does not require — information sharing. Legislation establishing a legal and procedural framework for cyberthreat information sharing is viewed by many as a necessary next step.
In response to recent cyberattacks on Sony, JPMorgan Chase, Home Depot, Target and other major companies, important legislative efforts are already underway to require information sharing on cyberthreats. The U.S. House of Representatives recently voted on a bipartisan basis 307-116 to approve the Protecting Cyber Networks Act. Similarly, S. 754, the proposed Cybersecurity Information Sharing Act of 2015, was recently reconciled with the House bill and passed by the Senate on a bipartisan basis, with a 74-21 vote.
Companies are likely to raise competitive concerns about pooling cyberthreat information in their industry. Also, the possibility of government turf battles is reminiscent of pre-9/11 “compartmentalization” of important threat information dispersed among various agencies.
Thus, these concerns, while important, can be resolved, consistent with protecting privacy and competitive concerns, and certainly pale in comparison to the potential threats presented. Both the private sector and government will benefit from a shared database of threat assessment information.
The ability to analyze trends and data in a comprehensive cyberthreat information database will help both government and private sector to be in a far better position “connect the dots” and, thus, take steps to address and prevent cyberthreats. As with terrorist threat information — notably, also a potential source of current cyberattacks — post-9/11 legislation has provided for information sharing among critical agencies; the same can be done for cyberthreat information sharing.
The results of a cyberattack that would potentially cripple critical financial sector infrastructure and businesses cannot be underestimated.
Interestingly enough, financial institutions already are generally required to file a SAR (suspicious activity report) with the U.S. Department of Treasury’s FinCEN office, and with their primary regulatory agency, regarding any reasonable suspicion of illegal cyberhacking or data breach activity — which certainly includes data breaching and cyberattacks. To expand this type of reporting to other segments of the critical business sector is important.
The Senate bill’s provisions provide immunity from lawsuits by consumers and shareholders for companies sharing information, and will help to encourage information sharing. The real question is whether voluntary information sharing will ultimately prove to be enough. The results of a cyberattack that would potentially cripple critical financial sector infrastructure and businesses cannot be underestimated, and could result in catastrophic effect on the U.S. and global economies.
This potential threat requires strong and decisive legislative action soon to put private sector companies and the U.S. government in a position to share potential cyberthreat information in order to protect our country and the global economy.