An Illinois federal judge’s recent decision continues a trend toward supporting a “totality of the circumstances” approach to the enforcement of restrictive covenants.

In Stericycle, Inc. v. Simota, et al., 2017 WL 4742197, the defendants moved to dismiss plaintiff’s breach of contract claims arguing that 13 months of continued employment was inadequate consideration to enforce certain restrictive covenants. Following the majority of federal judges that have considered this issue in Illinois, Judge John J. Tharp found that if confronted with the issue, the Illinois Supreme Court would reject a bright line rule of two years of continued employment and apply a fact-specific approach in assessing consideration. Using this approach, Judge Tharp found that 13 months of continued employment was adequate consideration to support the enforcement of the restrictive covenants.

In January 2015, after acquiring the company for which defendants worked, the defendants entered into confidentiality and non-solicitation agreements with Stericycle. Their agreements prohibited the defendants from disclosing confidential information to third parties or soliciting Stericycle customers or employees for a period of 12 months following the termination of their employment. The consideration offered to the employees for entering into the agreements was “employment.”

The defendants worked for Stericycle for approximately 13 months, resigned and began working for one of Stericycle’s competitors in positions similar to those they had held at Stericycle. In addition, Stericycle alleged that the defendants took confidential information, including information regarding pricing and customers, informed Stericycle customers about their move and solicited at least one other Stericycle employee to join their new employer.

When Stericycle filed suit, defendants moved to dismiss the breach of contract count, arguing that 13 months of continued employment is insufficient as a matter of law to serve as consideration for a restrictive covenant. Focusing on the fact that the defendants had resigned after 13 months of employment, Judge Tharp found that there was sufficient consideration to enforce the agreements. The court recognized that Illinois courts require that consideration based on at-will employment continue for a “substantial period” after an employee signs a restrictive covenant, but determined that the Illinois Supreme Court would reject a bright-line two-year rule and apply a fact-specific approach in assessing consideration.

In reaching this conclusion, the court relied on several Illinois appellate court opinions in which those courts looked to the totality of the circumstances in determining the issue of consideration. The court recognized that some Illinois courts have generally held that two years or more of continued employment is adequate consideration, but that just because two years or more is sufficient, that does not make it necessary. While the court acknowledged the requirement of a substantial period of continued employment to prevent an employer from locking an at-will employee into a restrictive covenant and then immediately terminating the employee, the court also recognized that employment for a lesser period of time could alleviate that concern under certain circumstances.

In applying the totality of the circumstances approach, the court concluded that “[g]iven the length of their employment and that all three resigned, the court finds that the defendants’ employment continued for a ‘substantial period’ under Illinois law.” In addition, one of the three employees had been provided a grant of stock options, which had never vested, had not been paid out and had been forfeited upon termination. In looking at the totality of circumstances, the court found that in addition to continued employment, the grant of stock options served as adequate consideration as well.  

While the Illinois Supreme Court has yet to rule on the issue of how much employment constitutes adequate consideration to support a restrictive covenant, the majority of Illinois appellate courts and Illinois federal courts have adopted the totality of circumstances approach. Regardless, employers should consider what consideration they can give to their employees, beyond employment or continued employment, to ensure that their restrictive covenants are enforced. 

In our last post, we talked about what insider threats are and why it is so important to consider them as you construct your data security policies.  The heart of an effective strategy to minimize risks from insider threats is the concept of access controls – limiting users’ privileges to the minimum necessary – but access controls alone are not enough.

As you consider these five recommended steps, it is important to remember that an insider is one who has access, whether physical or electronic, to a company’s data. Insiders are most commonly thought of as employees but also include any third parties that can access a company’s systems, such as business partners or maintenance contractors.

1. The first step is to map your data. Understand what data you have and where it is. Do you need all of the data that you have? The rest of the steps won’t be fully effective if you fail to map your data and therefore fail to include, for example, an old server, an orphaned database or a back-up drive before undertaking the following steps.
2. Categorize your data so that appropriate permissions can apply to each type of data. For example, some data is “strictly confidential,” and the highest security will apply. Still other data is confidential or simply sensitive. What category of data is at issue will determine whether to encrypt the data, who has access to it and who needs permission to access the data.
3. Now that you know what you have and how confidential it is, rigorous access controls are the next step as well as policies and procedures to enforce the controls. Use the Policy of Least Privilege, which refers to the concept that users should receive the minimum privileges and entitlements necessary to do their jobs. Implement a similar concept in your technological systems – only let user-facing applications access the back-end systems and databases that are necessary. Revoke access as employees change responsibilities or leave the organization.

   Once you have set up access controls, enforce them via technology. Limit the ability to exfiltrate data from the system by limiting permissions to install software on their computers or use USB drives. In the Morgan Stanley case we discussed previously, errors in the technology implementing the policies created the vulnerability.

   Where appropriate, consider separating duties so that, for example, one employee might request access to personally identifiable information but a separate employee would have to approve the request.

4. Train everyone on cybersecurity risks and your company’s policies to address them. Make training mandatory and repeat it. Train often enough that employees understand the part they play in keeping the company secure. Run tests to provide feedback to employees who still haven’t internalized the training.
5. Implement a sanctions policy that is universally applied and has a designated individual to enforce it. Policies won’t work if only lower-level employees receive punishments for not following the policies and procedures.  Regulators are also on the lookout for policies and procedures that don’t apply in the C-suite.

Implementing a plan with these concepts in mind will help mitigate your risk from insiders. If you have questions about implementing these concepts or other cybersecurity recommendations, please contact the attorneys in our Privacy & Data Security group.

While the primary data security objective has long been to keep malicious actors out, it is important not to overlook insider threats. According to the IBM Cyber Security Intelligence Index, in 2014, more attacks originated as a result of insiders than outsiders. Moreover, the major cybersecurity enforcement action taken by the Securities and Exchange Commission (SEC) last year involved an insider.

SEC action

In one of the major cybersecurity enforcement actions taken by the SEC, Morgan Stanley agreed to pay a $1 million civil penalty to resolve a case arising out of an employee accessing over 730,000 customer accounts without authorization.

Morgan Stanley had a policy limiting employees to accessing data on clients of the team they supported. It had built a system designed to restrict employees’ access in that manner. However, a Morgan Stanley employee, Galen Marsh, discovered a programming flaw in two areas of the system. After he discovered the flaws, he conducted almost 6,000 searches over a four-year period exploiting the flaws, then transferred the data to his own private server.

The data included customers’ full names, phone numbers, street addresses, account numbers, account balances and securities holdings. Marsh said he performed statistical analysis on the data to try to discover market trends and figure out how other financial advisors were investing in order to become a better advisor to his clients.

Morgan Stanley had installed systems to prevent employees from copying data onto removable storage devices, but its system did not prevent employees from accessing an “uncategorized” website like Marsh’s personal server. His unauthorized access was ultimately discovered when portions of the data began appearing on three websites. It appears that Marsh’s server was hacked, and the third party who hacked into Marsh’s server, believed to be Russian hackers, began posting some of the data online. Morgan Stanley agreed to pay the $1 million penalty despite having a policy in place and despite building a system designed to implement the policy.

Insider threats vary from unintentional to malicious

The Morgan Stanley case nicely demonstrates that insider issues go well beyond malicious insiders. Incidents like the Marsh one are sometimes known as negligent threats because, while Marsh knew he was violating the policies, he didn’t intend to do any harm. Another example of a negligent threat would be an employee who knowingly tries to get around strict file-sharing policies so that he or she can work from home.

Insider threats also encompass the unintentional or accidental, where, unlike a negligent threat, the employee does not even realize he or she is violating a policy or creating a vulnerability. Unintentional insider threats include vulnerabilities such as an employee leaving a laptop in a public place, accidentally posting information to the public portion of the website, or clicking on phishing emails. According to the Verizon 2016 Data Breach Investigations Report, 30 percent of phishing messages in various sanctioned tests were opened by the target, and roughly 12 percent went on to click the malicious attachment or link. Both figures were increases from the previous year.

Malicious threats refer to those where an employee is actively trying to misappropriate data, such as an employee motivated to steal information for financial gain or espionage. According to the data breach report, end users with access to sensitive data were roughly twice as likely as executives or system administrators to be the malicious insider. In short, malicious insiders can be any employee with access to the data. The report also noted that most such incidents are motivated by financial gain or espionage.

It is important to carefully consider insider threats because of the damage a cyberattack can cause, including financial and reputational harm. But it is also important to consider them because regulators are concerned about them as well. In addition to the SEC enforcement action, the Financial Industry Regulatory Authority (FINRA) highlighted insider threats in its 2017 Examination Priorities letter. When I was working on cybersecurity issues as a state regulator, we, too, were focused on the risks from insiders.

In our next post, we’ll cover how to mitigate the risks from insider threats.

Illinois courts have long recognized that an insolvent corporation’s creditors have standing to bring a derivative action on behalf of the corporation against its officers and directors. On June 24, 2016, in a case of first impression in Illinois, the Illinois Appellate Court, First District, in Caulfield v. The Packer Group, Inc. held that shareholders have standing to pursue a shareholder derivative suit against an insolvent corporation. This development offers a means for a corporation to recoup — for the benefit of its shareholders and creditors — assets lost as a result of management’s waste and fiduciary breaches.

Shareholder allegations

The Packer Group (TPG) was a closely held corporation composed of three wholly owned subsidiaries: Packer Engineering Inc. (PEI), Packer Environmental and Facility Consultants Inc., and Packer Technologies International Inc. The two plaintiffs were PEI’s president/chief technical officer and its CEO. They filed a shareholder derivative suit on behalf of TPG and PEI against the inside directors of TPG, alleging that the inside directors misappropriated and wasted TPG’s assets for their own benefit. The inside directors were TPG’s founder and chairman of the board of directors, its executive vice president of finance and secretary of the board and two members of TPG’s board.

The allegations of misappropriation and waste of TPG’s assets included that TPG’s board chairman transferred debt from another business he owned to TPG without the knowledge or approval of the plaintiffs. They also alleged that he sent PEI employees to work at his other business while they were on the PEI payroll and that TPG made payments on behalf of his other business in excess of $1.2 million.

When the suit was filed, TPG companies were insolvent. As a result, the trial court dismissed the shareholder derivative case on the grounds that because TPG companies were insolvent, only their creditors could pursue derivative claims.

As the court explained, a derivative action is an action a corporate shareholder brings on behalf of a corporation to seek relief for injuries done to that corporation, where the corporation cannot or will not assert its own rights. Derivative actions are one of the remedies for situations in which the management — through fraud, neglect of duty or other cause — declines to take the proper and necessary steps to assert the corporation’s rights. The stockholders are then allowed to take the initiative and institute the suit the management should have started.

Insolvency is not a shield

On appeal, the Illinois Appellate Court framed the issue before it as whether a corporation’s insolvency while the shareholder derivative action is pending divests shareholders of standing to pursue that action. As this issue had not been addressed before in Illinois, the court looked to decisions from other jurisdictions, particularly Delaware. The court found that when a corporation becomes insolvent, the nature of the claim brought by a shareholder does not change and a shareholder may maintain a shareholder derivative suit. However, the insolvency does expand the universe of potential plaintiffs that may maintain derivative claims to creditors of the insolvent corporation. Therefore, upon insolvency, both shareholders and creditors may maintain derivative claims.

The court also reminded corporate officers that while they generally owe a fiduciary duty only to the corporation and its shareholders, once a corporation becomes insolvent, the fiduciary duties of the corporate officers also extend to the creditors of the corporation. Therefore, both shareholders and creditors can bring derivative claims for breach of fiduciary duty against corporate officers.

This decision is a reminder to business owners and corporate officers that the insolvency of the corporation is not a shield that will protect them from derivative suits. Rather, it expands the universe of potential plaintiffs who can bring such suits. It offers shareholders and creditors the tool to see through the corporation to pursue assets that officers and directors may have siphoned off as well as the proceeds of D&O policies.

The June 22 announcement of federal charges against 301 medical professionals accused of more than $900 million in fraudulent billing is a significant indication that the government is serious about increasing its pursuit of health care fraud indictments. 

The charges represent the largest number of arrests the Department of Justice’s Medicare Fraud Strike Force has made since it was founded nine years ago. Doctors, pharmacists, physical therapists, home health care providers and other medical professionals were among those arrested. It is also the largest dollar amount, spread over 36 districts.

In the past, many of these kinds of cases were handled through sanctions and settlements, or the corporate entity alone was deemed responsible. However, the new charges indicate the DOJ is following up on its intention to more aggressively pursue criminal cases and direct renewed attention to individuals. (See previous blog entries here and here.) Traditional criminal prosecutorial tactics are being used for the first time on a large scale for Medicaid and Medicare fraud cases, with search warrants on doctors, pharmacists and other medical professionals’ homes and for their emails and text messages.

So, in light of this sea change for health care fraud prosecution and defense, what are the best practices for health care providers to better position themselves for the increased scrutiny?

First, corporations should recognize that the DOJ intends to seek to hold both corporate entities and responsible individuals criminally liable for Medicaid, Medicare or other insurance frauds. The government’s past practice of generally responding to larger health care providers’ health care violations via civil settlements may no longer be the norm. Therefore, training in compliance with applicable laws and regulations must be improved and increased, and all employees, from doctors to technicians, need to understand that participation in such government-sponsored and private insurance programs carries with it serious personal and individual risks.

In addition, providers must adopt a more alert and defensive state of mind regarding applicable legal requirements. Past assumptions that “lesser” violations were somehow acceptable because the government was likely to “forgive” them through a mild response must be abandoned. Gaining government forgiveness for violations will almost certainly be far more unlikely in the future.

Therefore, providers’ plans for responding to instances of alleged violations of applicable legal requirements or the initiation of government investigations should always presume a real risk of a criminal investigation.  Counsel with experience in responding to government investigations involving possible criminal violations should have a role in designing a provider’s response plan and employee training.

Finally, providers’ updated plans to address possible Medicaid, Medicare or other insurance violations and government investigations should identify the in-house people who will lead the response to government requests for information. Then if a full internal investigation is deemed warranted, engage counsel who have the experience and credibility to satisfy the DOJ’s current priorities, including possible criminal charges.

Think twice before requiring at-will, low-wage workers to sign noncompetes

On June 8, the Illinois attorney general filed a lawsuit in Cook County (Illinois) Circuit Court against two Jimmy John’s entities: franchisor Jimmy John’s Franchise LLC and an LLC owning eight Jimmy John’s sandwich shops, Jimmy John’s Enterprises LLC. The lawsuit alleges the sandwich chain engaged in unfair and deceptive acts or practices unlawful under the Consumer Fraud and Deceptive Practices Act. The lawsuit seeks to stop the allegedly unlawful use of noncompetition agreements on at-will, low-wage employees and to ensure that current and former employees are informed that the noncompetition agreements they signed are unenforceable. 

The suit alleges that the Jimmy John’s operations manual provides franchisees with expectations and recommendations for the operations of the stores, including a recommended noncompetition agreement for all store employees, regardless of title or job function.

Jimmy John’s Enterprises, as well as many franchisees using the recommended Jimmy John’s form, require all employees to sign the noncompetition agreements as a condition of employment. The requirement extends to sandwich makers, bike delivery drivers and assistant managers. The noncompetition agreements prohibit the employee — during his or her employment and for the two years following— from having any role, including manager, owner, or employee, in any business that earns more than 10 percent of its revenue from selling sandwiches. The limitation applied to any business within either two or three miles of the store where the employee worked or any other Jimmy John’s sandwich shop in the country. There were over 2,400 Jimmy John’s sandwich shops at the end of 2015.  

Although Jimmy John’s Enterprises purportedly changed its policy in April 2015 to no longer require store employees to sign non-competition agreements after that date, and represented it no longer included the non-competition agreement in its new hire packets, it subsequently advised the attorney general that it never implemented the change in policy. As a result, many employees hired after April 2015 continued to sign noncompetition agreements. Jimmy John’s also represented to the attorney general that it had no intention of enforcing the noncompetition agreements. However, those non-binding intentions were never communicated to current or former employees.

‘No legitimate business interest’

The attorney general seeks a declaratory judgment that the noncompetition agreements are unenforceable. She alleges that Jimmy John’s has no legitimate business interest to justify the use of noncompetition agreements against store employees.

The suit further alleges that the noncompetition agreements contain unfair and onerous terms because the temporal restrictions of two years post-employment is not objectively reasonable, and the geographic scope is unreasonable, unconscionable, unenforceable and an improper restraint of trade under Illinois laws. The attorney general seeks to assess the maximum applicable civil penalty, including a penalty of $50,000 per violation if the court determines that Jimmy John’s has engaged in acts or practices declared unlawful with the intent to defraud.

The lawsuit follows an April 2015 dismissal by the U.S. District Court for the Northern District of Illinois of claims for injunctive and declaratory relief against Jimmy John’s to determine the validity and enforceability of confidentiality and noncompetition agreements. The court held that plaintiffs had not alleged a sufficient injury and did not have standing to bring suit and, even if they had alleged a sufficient injury to confer standing, they could not overcome Jimmy John’s and the franchisee defendants’ sworn intention not to enforce the agreements, thus mooting the claim. These claims were part of the allegations in a putative national class action against Jimmy’s John’s and some franchisees for alleged violations of the Fair Labor Standards Act and Illinois Minimum Wage Law, raising joint employer issues. (Brunner v. Liautaud, N.D. Ill. April 8, 2015).

Illinois is not the first state to investigate Jimmy John’s noncompetition agreements. CNBC reported that, in 2014, U.S. Congressional Democrats asked the U.S. Department of Labor and other agencies to investigate Jimmy John’s noncompetition agreements. In late 2014, news reports stated the New York Attorney General Eric Schneiderman initiated an investigation into, and requested information from, Jimmy John’s and a number of its New York franchisees regarding the noncompetition agreements. He has not yet announced any action.

What this means for franchisors

While most franchisors likely do not require all employees of their franchisees to enter into noncompetition agreements, protecting the trade secrets and confidential information of the franchise system is at the heart of each system. That said, franchisors should be aware that the forms of agreements they recommend to their franchisees could result in liability to the franchisor. 

In some cases a confidentiality agreement may be more appropriate than a noncompetition agreement. Franchisors and franchisees should review their noncompetition agreements to ensure they are reasonable both in time and geographic scope. Furthermore, they should ensure that only those managerial or other employees with access to proprietary information and/or who maintain customer relationships are required to sign the noncompetition agreements.

The case is People v. Jimmy John’s Enterprises, No. 2016-CH-07746 (Ill. Cir. Ct. Jun. 8, 2016). 

A recent decision from the Northern District of Illinois favors the “totality of circumstances” approach to evaluating the sufficiency of consideration necessary to support a restrictive covenant

Another judge from the Northern District of Illinois has thrown his hat into the ring in the debate over what is required to make a non-compete agreement enforceable in Illinois.

Several Illinois appellate courts have found that two years of continued employment are required when the only consideration for a non-compete is continued employment. However, the Illinois Supreme Court has not addressed this issue, and most of the federal courts that have considered it have concluded that there is no “bright line” basic standard for the adequacy of consideration. In Allied Waste Services of North America v. Tibble, 2016 WL 1441449 (N.D. Ill. 2016), Judge Harry Leinenweber joined the majority of other federal courts and declined to follow the two-year bright line rule announced in Fifield v. Premier Dealer Services, Inc.

Siding with four of the five judges in the Northern District of Illinois (and one from the Central District of Illinois) who have addressed this issue, Leinenweber concluded that the Illinois Supreme Court will reject such a bright line approach in favor of a more fact-specific approach.

In Allied Waste, the employee, Tibble, was originally hired as a major account executive. Three years later, he was promoted to regional national account executive and, with that promotion, signed a confidentiality, non-solicitation and non-competition agreement. Tibble was later promoted to sales manager and signed an updated confidentiality, non-solicitation and non-competition agreement. Along with the promotion to sales manager, Tibble’s compensation was changed so that his wages no longer included a commission, but he received an increase in his base salary and an increase in his potential bonus.

Under Tibble’s updated agreement, he agreed not to render a range of services on behalf of Allied Waste’s competitors within his area of responsibility for 12 months after his termination of employment. In addition, he agreed not to use or disclose Allied Marketing’s confidential information for five years after his termination of employment.

However, 15 months after signing the updated agreement, Tibble resigned and went to work for a competing waste management company as a sales manager. Allied Waste filed a complaint against Tibble for breach of the updated agreement. Despite the fact that Tibble quit to compete, he moved to dismiss the complaint, asserting that the updated agreement was not supported by adequate consideration because he had only been employed by Allied Waste for 15 months after he entered into the agreement.

Joining four other judges in the Northern District of Illinois, the Allied Waste court rejected the two-year bright line approach from Fifield, stating that while Illinois courts have found two years of continued employment to be sufficient consideration, that “is very different than saying that anything less than two years is automatically insufficient.”

Instead, the Allied Waste court said that an evaluation of the adequacy of consideration is to ensure that employers cannot lock an at-will employee into a restrictive covenant and then fire the employee shortly thereafter, rendering the consideration of future employment “illusory.” However, this goal may be accomplished through 15 months or 24 months of employment depending upon other circumstances surrounding the signing of the restrictive covenant, the conditions of continued employment and the termination of the employment relationship, among other things.

Denying the motion, the Allied Waste court found that historically Illinois courts have taken a more fact-specific approach to evaluating adequacy of consideration. For example, courts have considered such things as raises and bonuses, whether termination of employment was voluntary and whether the employee received increased responsibilities after signing the restrictive covenants. Applying this more flexible “totality of the circumstances” approach, the court found that Allied Waste had sufficiently alleged adequate consideration, i.e., when Tibble signed the agreement, he received a promotion and an increase in pay. In addition, the Allied Waste court found that Tibble’s voluntary resignation was relevant to the analysis of whether a shorter length of employment was sufficient consideration. As a result, Tibble’s motion to dismiss was denied.

The takeaway for an employer is that it is risky at this time to rely exclusively on continued employment as the consideration for a non-compete for at-will employment. As a result, employers should consider the benefits of providing additional consideration to the employee upon agreeing to restrictive covenants and specifically identify the additional consideration provided in the restrictive covenant agreement. That additional consideration may take many forms, such as a change in position and responsibilities, a change in compensation, a change in benefits and or the payment of some amount of money at the time of signing, among other things. The best practice remains to tailor the restrictions to the employer’s protectable interest and design consideration in addition to continued employment that fits the particular circumstances of both the employee and employer.

The emerging market of 3D printing is primed for trade secrets and the disputes over who “owns” these trade secrets. Shared ideas, broken business deals, and employee mobility fuels most of these disputes. The Defend Trade Secrets Act (DTSA), a newly enacted federal trade secret act, defines the term “owner” as “the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed.”

This means it may be time evaluate your agreements and implement steps to manage risks of trade secret disputes. If you have agreements in place with the companies you do business with, no agreements in place, or you are about to enter into a collaborative relationship where trade secrets are involved, it is time to take another look at exactly how you are addressing the “rightful legal or equitable title” and what unforeseen complications you may have overlooked. They key points to consider while evaluating your agreements are:

• There are no default rules regarding ownership.
• Understand the cycle of innovation before finalizing ownership provisions.
• Understand what rights you need to continue if the collaborative relationship ends.
• Original non-disclosure agreements are necessary, but know the potential pitfalls.
• Analyze “standard” terms and conditions.

A white paper with more information about the Defend Trade Secrets Act and how to manage this risk in collaborative relationships can be found here.