FTC proposes ban on non-compete clauses for employees

By Anita Byer, Setnor Byer Insurance & Risk

The Federal Trade Commission recently proposed a new rule that would ban the use of non-compete clauses in employment agreements. The FTC believes that the widespread use of non-compete clauses suppresses wages, hampers innovation and stifles entrepreneurship. According to FTC estimates, the proposed rule could increase wages by nearly $300 billion per year and expand career opportunities for millions of Americans. It could also cause inconvenience, disruption and even financial harm to countless individuals and businesses nationwide. A watershed moment indeed, but for better or worse?

Under the proposed rule, the use of non-compete clauses would be considered an unfair method of competition. As such, it would be unlawful for an employer to:

  • enter into or attempt to enter into a non-compete clause with a worker;
  • maintain a non-compete clause with a worker; or
  • represent to a worker, under certain circumstances, that the worker is subject to a non-compete clause.

The notable breadth of the proposed rule comes from its definitions. “Worker” is defined broadly to mean any natural person who works for an employer, whether paid or unpaid, including employees, independent contractors, interns and volunteers. A “non-compete clause” is any contractual term between an employer and a worker that prevents the worker from seeking or accepting employment, or operating a business, after the conclusion of the worker’s employment with the employer. This already broad definition is made even broader by including de facto non-compete clauses.

A de facto non-compete clause is any contractual term that has the effect of prohibiting a worker from seeking or accepting employment or operating a business after the conclusion of the worker’s employment with the employer. A non-disclosure agreement, for example, could be considered a de facto non-compete clauses if it is written so broadly that it effectively precludes the worker from working elsewhere in the same field. If the proposed rule is adopted, this functional test to determine whether a contractual term should be interpreted as a prohibited non-compete clause seems to be fertile ground for litigation.

So, what happens to existing non-compete clauses under the proposed rule? If adopted as is, the rule would require employers to rescind existing non-compete clauses with workers and actively inform their employees that the contracts are no longer in effect. The rule, however, does have a limited sale-of-business exception that allows a person who owns at least 25 percent of a business entity to execute a non-compete clause as part of a sales transaction.

It’s important to note that this is not a final rule. If and when the FTC publishes a final rule, it may be substantially different than the proposed rule. However, since any such rule could have potentially significant implications, employers should be paying attention to the FTC and its desire to essentially prohibit the use of non-compete clauses. Those not comfortable taking the wait-and-see approach are free to participate in the rule-making process. The FTC is accepting public comments on the proposed rule through March 10, 2023. So, what do you think? Should non-compete clauses be banned?

If adopted, the proposed rule would supersede any inconsistent state statute, regulation, order or interpretation, altering the nature employer / employee relationships nationwide. Please contact us to discuss the value of having Employment Practices Liability insurance coverage in this rapidly changing regulatory environment.

Don’t Let Weak Site Security Compromise Your Business’s Cybersecurity

Setnor Byer Insurance & Risk

Small businesses spend a lot of time and money to protect their sensitive and confidential information, and rightfully so. Data breaches can lead to crippling, often insurmountable financial and reputational harm. Unfortunately, many businesses overlook the most basic security measures. Cyber criminals, for example, pose the biggest threat to data security, so most businesses focus almost exclusively on cybersecurity while paying little or no attention to physical (site) security. This can prove disastrous because sophisticated firewalls and advanced security software cannot stop someone from stealing a flash drive or paper file containing sensitive information.

According to the Federal Trade Commission, cybersecurity begins with strong physical security that effectively protects sensitive or confidential information in paper files and electronic devices (hard drives, flash drives, laptops, point-of-sale devices, etc.). The FTC offers the following tips for maintaining physical security.

  • Store paper files and electronic devices containing sensitive information in a locked cabinet or room to keep them secure.
  • Train employees to put paper files in locked file cabinets, log out of networks and applications before leaving and never leave files or devices with sensitive data unattended.
  • Limit physical access to records or devices containing sensitive data to only those who need it.
  • Keep track of documents and devices containing sensitive data so they can be handled accordingly.

To protect sensitive data stored on devices,

  • Require passwords that are long, complex and unique.
  • Require multi-factor authentication, like a password and a temporary code, to access sensitive information.
  • Limit the number of incorrect login attempts allowed to unlock devices.
  • Encrypt portable media, including laptops and thumb drives, that contain sensitive information.

Sensitive and confidential business data can be stolen online or onsite, so businesses must make physical (site) security a key component of their cybersecurity protocols. Since security measures aren’t always enough, small and medium-sized businesses should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches

Ransomware Attacks Are Becoming More Common and More Expensive

Setnor Byer Insurance & Risk

Did you know that the average ransomware demand in the first quarter of 2020 was $111,605? Ransomware is a type of malware that encrypts critical data so it cannot be accessed without a decryption key. Victims must, you guessed it, pay a ransom to get the key. The costs associated with a successful attack, which can far exceed the ransom, typically include investigation and remediation expenses and lost revenue due to downtime. Ransomware can also inflict insurmountable brand damage and reputational harm.

According to the Federal Trade Commission (FTC), hackers try to exploit network or server vulnerabilities to access a target’s data, but the malicious code used to launch ransomware attacks is often installed on devices and networks by:

  • scam (phishing) emails that appear legitimate;
  • infected websites; and
  • online ads, which often appear on websites you know and trust.

The FTC recommends the following measures to reduce the risk of a successful ransomware attack.

  • Have a Plan. Businesses need a plan to remain operational after a ransomware attack. Plans should be written and shared with those needing to know.
  • Back up Data. Regularly save important data to a drive or server that’s not connected to a network. Make this part of your routine business operations.
  • Update Security Software. Always install the latest patches and updates. Consider adjusting your settings to update automatically.
  • Train Staff. Train all employees how to identify and avoid common threats. Provide examples of the most common ways devices and networks become infected.

If your business experiences a ransomware attack, the FTC recommends taking the following steps.

  • Limit the damage. Immediately disconnect infected devices from your network.
  • Contact Authorities. Immediately report the attack to local and federal authorities (local FBI office).
  • Provide Required Notices. If data has been exposed, compromised or stolen, notify authorities and affected individuals pursuant to any applicable data breach notification laws.

Preventative measures can effectively reduce the risk of a ransomware attack, but they’re not foolproof. Every business should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

October is National Cybersecurity Awareness Month

Cybersecurity Awareness Month was launched in 2004 to promote online safety and security. This is particularly important in 2020 because so many things took a back seat when coronavirus disease 2019 arrived. COVID-19 may dominate the headlines, but data security breaches continue to pose a serious threat to small businesses nationwide. According to the Federal Trade Commission, cyber criminals target businesses of all sizes, so all are encouraged to take advantage of Cybersecurity Awareness Month 2020.

This year’s theme, “Do Your Part. #BeCyberSmart,” is intended to empower individuals and organizations to own their role in maintaining cybersecurity. The key message in 2020 emphasizes the importance of doing your part. “If you connect it, protect it.” Small businesses can reduce the risk of a cybersecurity incident by educating employees about basic cybersecurity measures and putting them in practice. The FTC suggests various measures that every small business should have in place.

  • Update Software. This includes apps, web browsers and operating systems. Set updates to happen automatically.
  • Back Up Files. Regularly back-up important files (offline, external hard drive, in the cloud, etc.).
  • Require Strong Passwords. All devices should be password protected. A strong password is at least 12 characters that includes numbers, symbols and capital and lowercase letters. Never reuse or share passwords.
  • Encrypt Devices. Encryption protects information from unauthorized access. Any devices containing sensitive information should be encrypted. This includes laptops, tablets, smartphones, removable drives, backup tapes and cloud storage solutions.
  • Use Multi-Factor Authentication. Require multi-factor authentication to access sensitive information. This requires additional steps beyond logging in with a password, like entering a temporary code or providing additional identifying information.
  • Secure Routers and Wireless Networks. Change the default name and password, turn off remote management and log out as the administrator once the router is set up. Make sure your router offers WPA2 or WPA3 encryption, and that it’s turned on.
  • Train Employees. Create a culture of security by implementing a regular schedule of mandatory employee training. Update employees about new risks or vulnerabilities.
  • Have a Plan. A response plan should be in place before a data breach happens. It should include plans for protecting and saving data, maintaining operations and notifying customers affected by the beach.

Implementing, maintaining and updating security policies and procedures is important, but it’s not always enough. Small and medium-sized businesses should have Cyber Perils Insurance Coverage to protect against various cyber threats and liability exposures, including the cost of complying with data breach notice laws. Please contact us if you would like more information about insurance specifically designed to protect against cyber threats and data security breaches.

How Can You Limit the Damage Caused by Identity Theft?

What’s worse than filing your taxes? Finding out that your return was already filed and your refund check was already cashed. Yep, that’s definitely worse. Unfortunately, tax season has become the time of year when many first discover that their identities have been stolen.

According to Javelin Strategy & Research’s 2017 Identity Fraud Study, there were 15.4 million U.S. victims of identity theft in 2016, which is 16 percent higher than 2015. It was the highest rate since Javelin began tracking identity fraud in 2003.

So, what should you do if your identity has been stolen? According to the Federal Trade Commission (FTC), you must take immediate action to limit the damage.

What to do right away.

Contact the fraud department of each company (retailer, bank, etc.) where you know fraud occurred. Explain that someone stole your identity and ask them to close or freeze the accounts so no one can add new charges unless you agree. Change logins, passwords and PINS for your accounts.

Contact one of the three credit bureaus to place a free 90-day fraud alert. That company must tell the other two. A fraud alert makes it harder for someone to open new accounts in your name. When you have an alert on your report, a business must verify your identity before it issues new credit in your name.

Get your credit reports from Equifax, Experian and TransUnion. Review your reports and note any accounts or transactions you don’t recognize.

Report identity theft to the FTC. The FTC will create an Identity Theft Report and recovery plan. An identity theft report proves to businesses that someone stole your identity. It also guarantees you certain rights.

File a report with your local police department. Tell the police someone stole your identity and that you need to file a report. Ask for a copy of the police report.

What to do next.

Close new accounts. Ask the fraud department of each business where an account was opened to close the account. Request a confirmation letter and keep a record of who you contacted and when.

Remove fraudulent charges from your accounts. Let the fraud department know which charges are fraudulent and ask that they be removed from your account. Request a confirmation letter and keep a record of who you contacted and when.

Correct your credit report. Write each of the three credit bureaus. Identify what information on your report came from identity theft and ask them to block that information. You have the right to block fraudulent information so that it won’t show up on your credit report and companies can’t try to collect the debt from you. If you have an Identity Theft Report, credit bureaus must honor your request to block this information.

Consider an extended fraud alert or credit freeze. Both can help prevent further misuse of your personal information, but there are important differences between the two. For example, an extended fraud alert allows access to your credit reports as long as steps are taken to verify your identity. A credit freeze stops all access until it’s removed. Though fraud alerts are free to place and remove, there may be small fees associated with credit freezes.

Protective measures to protect against identity theft are important, but they’re not always enough. However, there is insurance that is specifically designed to protect both individuals and businesses against identity thieves and hackers. For example, identity theft coverage can help individuals cover the cost of clearing their name. Cyber Liability and Security Breach (Cyber Perils) coverage can protect businesses against various cyber threats, including the cost of complying with data breach notice laws.

Please contact us if you would like more information about insurance specifically designed to protect against identity theft.

Additional information is also available in our weekly Risk Management Newsletters.

How Can You Prevent Identity Theft?

According to the Federal Trade Commission, identity theft continues to top the list of consumer complaints. In 2013, American consumers reported losing more than $1.6 billion to fraud, which is approximately $2,294 per incident. The highest reported age group for identity theft is 20-29, and the most common form of identity theft is tax- or wage-related, followed by credit card fraud, utilities fraud and bank fraud. Florida has the highest per capita rate of reported identity theft complaints, followed by Georgia and California.

Since October is National Cyber Security Awareness Month, now is the perfect time to learn about preventing identity theft. Here are some tips from the Insurance Information Institute.

  • Don’t carry unnecessary personal information (social security card, passport, etc.).
  • Prevent ‘shoulder surfers’ from seeing credit card numbers or PINs.
  • Always take credit card or ATM receipts.
  • Don’t give out personal information, whether on the phone, via mail or online, unless you initiated contact or you know the transmission will be secure.
  • Only use authenticated websites to conduct business online. Check for the locked padlock image or look for ‘https://’ rather than ‘http://’ in your browser window.
  • Be aware of phishing and pharming scams that use fake emails and websites to impersonate legitimate organizations. Exercise caution when opening emails and instant messages from unknown sources.
  • Never send personal, financial or password-related information via email.
  • Use up-to-date firewall, anti-spyware and anti-virus programs.
  • Monitor all financial accounts and review monthly statements to make sure all transactions are accurate.
  • Immediately contact your credit card or bank if you suspect a problem.
  • Order your credit report from the three major credit bureaus to make sure it’s accurate and includes only authorized activities. You are entitled to one free credit report per year.
  • Place passwords on your credit card, bank and phone accounts.
  • Don’t use passwords containing easily available information (mother’s maiden name, birth date, phone number, etc.) or any series of consecutive numbers.
  • Change passwords if you suspect a problem.
  • Shred documents containing personal information such as credit card numbers, bank statements, charge receipts or credit card applications.

In the event of identity theft, early detection is the key to limiting the damage. Here are some clues from the FTC that someone may have stolen your identity.

  • You see withdrawals from your bank account that you can’t explain.
  • You stop getting bills or other mail.
  • Debt collectors call you about debts that aren’t yours.
  • You find unfamiliar accounts or charges on your credit report.
  • The IRS notifies you that a tax return was already filed in your name.
  • A company where you do business or have an account suffers a data security breach.

Despite taking preventative measures, identity theft can still happen. However, insurance may be purchased to help victims of identity theft through the often expensive and time consuming battle to clear their name. Depending on the insurance company, identity theft coverage may be included under a homeowners’ policy, or it may be added by endorsement or obtained under a separate, stand-alone policy.

If you would like to learn more about identity theft insurance coverage, please contact us.

If you would like to subscribe to our newsletters please click here.

Preventing Data Security Breaches

Every business must be able to identify the likeliest source of a data security breach so that they can also identify how to prevent it. Is it an executive’s laptop computer, the copy machine or the office’s wireless network? Could it be something else? Since the first step to preventing a data security breach is understanding the risk, it’s time to learn more about your business’s sensitive data.

Effective data security starts by assessing the kind of information a business has and identifying who has access to it. Evaluating data security vulnerabilities requires an understanding of how sensitive data moves into, through, and out of a business, and who has or could have access to it. Here are some tips from the Federal Trade Commission.

Take Inventory

Take an inventory of all devices and equipment capable of storing sensitive data, such as laptop computers, mobile devices, flash drives, off-site servers, disks and digital copiers. Do employees work from home? If so, add their home computers to the list.

The type and location of sensitive data should also be inventoried. Don’t stop with the office’s filing cabinets and computer systems. Sensitive data may also be received from other sources, such as websites, contractors or call centers. Every possible source and destination for sensitive data must be considered.

Track Sensitive Data

It is important to know how the business obtains, stores, shares and disposes of sensitive data. Every department should be consulted, including sales, information technology, human resources and accounting. Don’t forget about contractors and other third-party service providers.

This process should provide a business with a thorough understanding of:

  • Who provides sen­sitive data? Does it come from customers, credit card companies, banks or other financial institutions, credit bureaus, job applicants, contractors, third-party service providers?
  • How is sensitive data received? Does it come via phone, fax, mail or email? Is there a website designed to request and receive sensitive data? Are there any other possible entry points?
  • What kind of sensitive data is collected? Do business operations require or permit collecting financial information (credit cards, bank accounts, credit reports), personally identifying information (drivers’ licenses, social security numbers) or medical information?
  • Where is sensitive data stored? Is it kept on disks, tapes, laptops, smartphones, tablets or other mobile devices? Employees’ personal computers or mobile devices? Where are data backups and copies stored?
  • Who can access sensitive data? Is access to sensitive data limited to only those who need it? Are there security measures in place? Is sensitive data protected against unauthorized access by contractors or other third-party service providers?

Throughout this process, pay particular attention to certain kinds of sensitive data. Identity thieves typically look for social security numbers, credit card and other financial information.

Organizations should also consider protecting against data security breaches with insurance.Various cyber liability products are available to protect against privacy injuries, such as identity theft, and to cover the cost of complying with various data breach notice laws. Given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained. If you would like to learn more about insuring against data security breaches, contact us.

If you would like to subscribe to our newsletters please click here.