On April 10, the Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) released a joint policy statement that cyber threat information sharing is not likely to violate the antitrust laws. According to FTC Chairwoman Edith Ramirez, the policy statement “should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.”
The DOJ and FTC issued statements that private information sharing is essential to defending against the economic and national security risks posed by cyber threats, but acknowledge that businesses may be hesitant to share information out of concern that doing so will raise antitrust issues. Deputy Attorney General James Cole attempted to ease this concern saying, “[p]rivate parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”
The policy statement provides the agencies’ analytical framework for reviewing cyber threat information sharing, but stops short of offering blanket immunity. According to the statement, “properly designed sharing of cybersecurity threat information is not likely to raise antitrust concerns,” meaning information sharing could trigger antitrust liability if it falls outside the scope of activity described in the statement.
These statements, however, may not be sufficient to encourage risk-averse companies, and their general counsels, to share cybersecurity risk information. The policy statement does not address the possibility of private antitrust suits brought as a result of cybersecurity information sharing, nor does it prevent State Attorneys General from pursuing enforcement action in situations in which there has been a failure to comply with state laws or regulations.
Furthermore, the policy statement warns that whether information sharing is subject to antitrust enforcement remains “intensely fact-driven.” It identifies three characteristics of cyber threat information sharing that reduce the likelihood it will raise antitrust concerns, for the Federal enforcement agencies, at least. First, sharing cyber threat information serves a valuable purpose in that it “can improve efficiency and help secure our nation’s networks of information and resources.” Second, cyber threat information is typically technical in nature and is thus very different from the type of competitively sensitive information likely to raise antitrust concerns. Third, the dissemination of cyber threat information is “unlikely in the abstract” to harm competition. (Emphasis added.)
For further guidance on the agencies’ analytical framework, the policy statement directs businesses to consult the business review letter issued to Electric Power Research Institute, Inc. in October 2000. (This is the only instance in which the DOJ has reviewed and formally commented upon a proposed cybersecurity information sharing arrangement.) According to that business review letter, as long as businesses strictly limit the information exchanged to cybersecurity issues, such exchanges are unlikely to violate the antitrust laws, and may offer procompetitive benefits.