What are the ethical issues when consulting for two competing companies?

Barring contractual terms you may agree to, there aren't any legal mandates that I am aware of that would prevent a security consultant from working for two competing companies. Ethically there isn't really an issue either, provided that you don't reveal information about either client to the other one. In fact, this is a good rule of thumb: Never reveal information to a client about any of your other clients without prior permission, regardless of whether they are competitors.

As a consultant, protecting the confidentiality of your clients' data is one of your prime duties, both legally and ethically. Your consulting contract undoubtedly has non-disclosure terminology that mandates this protection. But even if the contract doesn't contain a legal protection requirement, there is still an ethical mandate to keep the company's data private. It is an essential part of establishing that you are a trustworthy individual who is part of a trustworthy profession.

Protecting your clients' data entails not only not discussing specifics, but also taking active steps to protect any data about the client in your possession. Electronic copies should be encrypted and/or protected with passwords to guard the data if the equipment is stolen. This is also potentially useful if a client tries to use your equipment as a source of industrial intelligence gathering. Similarly, paper copies of confidential information from one client should not be brought to other client sites. If this is unavoidable for some reason, those papers should be kept under lock and key the entire time.

For more information:

• Is vulnerability research ethical? Read more in this Face-Off between Schneier and Ranum.
• Learn more about the ethical requirements of penetration testing.