Modern information technology has revolutionized the way people do business and live their lives around the world. But it has also been accompanied by an intensifying threat that knows no bounds: cyber threats. Cyber-attacks and breaches arise under circumstances that are still poorly understood and can (and do) occur at any time, in any industry and in any place. Most sovereigns, including the United States (US), the European Union (EU) and the EU’s member states, have not yet enacted clear laws or standards to mitigate ever-evolving cyber threats.
One common theme has emerged in the US and the EU: combatting cyber threats requires cooperation and sharing of information among businesses that have suffered attacks, businesses that may be vulnerable, companies offering cyber security products and services and the public sector.
In the US, that call for information sharing has been made by President Barack Obama, members of Congress, and industry leaders, to name a few. Indeed, in January 2015, President Obama laid out his proposal for federal legislation that will promote cybersecurity information sharing between the private sector and the government by ‘providing targeted liability protection for companies that share information’.1 In February 2015, the White House is hosting a Summit on Cybersecurity and Consumer Protection, bringing together public and private sector leaders to address such topics as cybersecurity information sharing.
In the EU, in 2013, the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for “An Open, Safe and Secure Cyberspace” (the EU Strategy) and proposed the adoption of a directive concerning measures to ensure a high common level of network and information security across the Union (NIS Directive).2 Although it is unclear when the NIS Directive will enter into force, the current Latvian Presidency of the European Council is aiming to begin negotiations to finalize the directive with the European Parliament in the coming months. Both the EU Strategy and the NIS Directive involve sharing of cybersecurity information.
This movement toward cybersecurity information sharing, however, is not without its own bounds, including the competition laws of the US and the EU, which have traditionally viewed information sharing - especially among market competitors - with suspicion. The cross-border nature of cyber threats adds additional wrinkles: in the event of a cyber-event, not only are companies subject to the unclear laws of a single sovereign, they will also likely face the varying laws of multiple sovereigns.
A global solution is needed. But, because none currently exists, it is important to understand the individual laws and policies that currently and potentially apply to cybersecurity information sharing.
The US on cybersecurity information sharing
In April 2014, the two US agencies tasked with enforcing the US competition laws, the US Department of Justice (DOJ) and the Federal Trade Commission (FTC), jointly issued a Policy Statement3 addressing competition issues related to cybersecurity information sharing. The US agencies explained that the competition laws do not, and should not, attach liability to legitimate cybersecurity information sharing among competitors, as long as the sharing does not encroach on competitively sensitive information related to price, cost, or output. Applying ‘rule of reason’ analysis, they found generally that the sharing of cyber threat information, which is typically highly technical in nature, appeared to benefit rather than harm competition. In the same statement, however, the agencies reminded readers that their guidance was merely that, and that the US competition laws could still be triggered depending on the specific facts of each situation.
A few months later, a private US entity offering cybersecurity services tested the fact-intensive application of the US competition laws by formally requesting a ‘business review letter’ from the DOJ. The ‘business review’ process allows entities to ask the agency for its official guidance on proposed actions. In this case, the request asked the agency to assess a proposed cyber threat information-sharing platform. After reviewing the proposal, the agency issued a letter in October 2014, explaining that it did not presently intend to challenge the particular platform under the US competition laws.4 As previewed in the April 2014 Policy Statement, the agency applied ‘rule of reason’ analysis, focusing primarily on three factors:
- Business Purpose and Nature: The proposed platform appeared to benefit competition because it sought to facilitate sharing of cyber-security information among private entities to protect networks and deter cyber-attacks.
- Type of Information Shared: The platform sought to facilitate the anonymous sharing of highly technical cyber data that would be unlikely to further price or other competitive coordination among competitors.
- Safeguards against Disclosure of Competition Information: The platform will require, as a condition of membership, that all users not share any competitively sensitive information related to prices, costs, output or capacity.
The affirmative stance that US authorities have taken on cybersecurity and US competition laws reflects the overall push in the United States to aggressively combat cyber threats. The April 2014 Policy Statement and October 2014 Business Review Letter, however, only offer non-binding guidance. The US agencies still have the authority, as they have warned, to challenge cybersecurity information exchanges at any time, including the recently proposed platform, if they raise competition concerns.
The US competition authorities are not the only ones with the ability to police cybersecurity information sharing. In June 2014, the Securities and Exchange Commission (SEC), the US agency that regulates public companies, urged companies to disclose cyber security breaches to investors and the public. While US securities laws do not specifically address cybersecurity, they do require companies to disclose information that is ‘material’ to a company’s profits. Problems can therefore arise when those formal disclosures omit cyber-related information, or are inconsistent with information that a company has shared on a cybersecurity platform or exchange; either could lead to agency action.
As demonstrated above, much of the action in this area in the US has come in the form of non-binding guidance. While most of the US states have enacted laws of varying nature to govern an entity’s notification and information sharing obligations in the event of a cyber-breach, no US federal law exists to govern this area. That means that, just within the US, an entity affected by a cyber-breach could be subject to nearly 50 different laws. This void may soon be filled, as highlighted in President Obama’s recent remarks proposing a federal law that will standardize breach notification by requiring companies to notify consumers within 30 days of a cyber-breach.5 US leaders have also proposed laws that would limit liability related to the private sector’s sharing of cyber information with the government and use of cybersecurity technologies in defending against cyber-attacks. But these proposed laws, subject to the legislative process and an unclear timeline, are just that: proposals with no controlling effect. Companies operating in the US should nevertheless keep an eye out for agency and legislative activity in the cyber arena, as these issues continue to intensify in the US and abroad.
The EU on cybersecurity information sharing
As noted above, the EU has published the EU Strategy and the NIS Directive to combat cyber threats, and both initiatives call for cybersecurity information sharing. From an antitrust perspective, information exchange may give rise to significant concerns under EU law. Unlike the US agencies, the Commission has not provided specific guidance on the treatment of information sharing to promote cybersecurity. However, the Commission has provided fairly detailed guidance on the assessment of information exchanges under EU competition law in its 2011 guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union (TFEU) to horizontal co-operation agreements (the Horizontal Guidelines).6
The EU Strategy
Among other things, the EU Strategy proposes to establish common minimum requirements for network and information security (NIS) at national level; to set up coordinated prevention, detection, mitigation, and response mechanisms; and to improve the preparedness and engagement of the private sector. The EU Strategy proposes that the private sector should develop, at technical level, its own cyber resilience capacities and ‘share best practices across sectors’. Further exercises are planned, including the Commission asking the industry to develop best practices and information sharing at sector level.
The NIS Directive
The NIS Directive aims to ensure a high level of NIS in the EU. For that purpose, the NIS Directive lays down minimum obligations for all Member States concerning the prevention and handling of and the response to risks and incidents affecting networks and information systems, creates a cooperation mechanism between Member States, and establishes security requirements for market operators and public administrations.
As regards information sharing, the NIS Directive provides for cooperation and information exchange between the Commission and the Member States and between the private and public sectors. The Commission’s Explanatory Memorandum accompanying the proposed NIS Directive and Recital 28 of the NIS Directive mention that competent authorities should pay due attention to preserving informal and trusted channels of ‘information-sharing between market operators’.7 ‘Market Operator’ is defined as (1) a provider of information society services, which enable the provision of other information society services and (2) an operator of critical infrastructure that is essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health. Recital 15 of the NIS Directive further stipulates that “[m]arket operators should be encouraged to pursue their own informal cooperation mechanisms to ensure NIS”.
Sensitive to the potential antitrust issues such cooperation mechanisms may raise, the European Parliament has proposed to clarify in Recital 15 that market operators should not be exposed to, inter alia, competition law risks as a result of their activities under the directive.8 It is unclear whether the final NIS Directive will include the European Parliament’s proposed language, but in any case the NIS Directive is unlikely to provide industry participants with any binding protection from liability for potential antitrust violations.
Information exchange in the Horizontal Guidelines
The Horizontal Guidelines note that information exchanges can benefit competition; for example, companies may improve their internal efficiency through benchmarking against each other’s best practices. However, in certain situations information exchanges can also lead to restrictions of competition, in particular when they make competitors aware of one another’s market strategies. Except for information exchanged in connection with an agreement, concerted practice, or decision fixing prices or quantities, or information on intended future prices or quantities, exchanges of information among competitors are not treated as illegal per se (by object). They may nevertheless be caught by the prohibition of Article 101(1) TFEU on the basis of an analysis similar to the US rule-of-reason approach (by effect).
The main competition concerns pertaining to information exchanges are identified in the Horizontal Guidelines as follows:
- Collusive outcome: By artificially increasing transparency in the market, the exchange of strategic information can facilitate coordination of companies’ competitive behaviour and result in restrictive effects on competition.
- Anti-competitive foreclosure: An exclusive exchange of information can lead to anti-competitive foreclosure on the market where the exchange takes place. It may also lead to anti-competitive foreclosure of third parties in a related market.
Whether an exchange of information can be caught by Article 101(1) TFEU depends to a large extent on whether the information is competitively sensitive. What information is competitively sensitive depends on the facts and circumstances and the party or parties to whom it is disclosed. The information most likely to be considered competitively sensitive includes strategic data (e.g. information related to prices and quantities), individualized data (e.g. information that enables identifying a specific competitor or a specific transaction) and information that is indicative of competitors’ future conduct.
An exchange of information that would otherwise violate Article 101(1) TFEU may be permitted where it offers efficiency gains, any restriction of competition is indispensable to those gains, and the conduct benefits consumers without affording the undertakings concerned the possibility of eliminating competition in respect of a substantial part of the market in question.
In many cases, it can be expected that exchanges of cyber security information, whether under the EU Strategy or NIS Directive or pursuant to private sector initiatives, will not be caught by Article 101(1) TFEU, for instance because the information in question is not competitively sensitive, or will benefit from an exemption because of the related efficiencies. However, the legality of proposed information exchanges must be assessed on a case-by-case basis to determine whether the information in question is competitively sensitive and if so whether the benefits from the exchange outweigh the potential restriction of competition.
Although US government initiatives and the EU Strategy acknowledge the need for sharing information to combat cyber security threats and to ensure a high level of NIS, neither the US nor the EU currently provides specific statutory protection from liability for the exchange of competitively sensitive information. Companies involved in cyber security initiatives will need to think carefully about whether information they plan to exchange is competitively sensitive, and if so, whether its disclosure could violate antitrust or competition laws.
Although the exchanges contemplated in US and EU governmental measures or private sector initiatives are unlikely to involve the most obviously sensitive categories of information - such as recent, current and future pricing - other types of information can also be competitively sensitive. For example, the exchange of technical information relating to the development of industry standards can raise particularly difficult issues. Difficult issues can also be expected to arise where exchanges of information involve competitors developing or offering cyber-security products and services. Companies participating in cyber security-related initiatives will need to examine carefully the categories of information to be exchanged and to satisfy themselves that the information exchanged does not go beyond permissible boundaries.