Echoing guidance previously given to a nonprofit organization looking to exchange certain cybersecurity information, including exchanging actual real-time cyber threat and attack information, and others planning to exchange information concerning remediating the Y2K problems, the Department of Justice (“DOJ”) and Federal Trade Commission (“FTC”) recently released a joint “Antitrust Policy Statement on Sharing of Cybersecurity Information” (“Statement”).
In his prepared remarks announcing the release of the Statement, Assistant Attorney General Bill Baer rightly stated: “This is an antitrust no-brainer: Companies who engage in properly designed cyber threat information sharing will not run afoul of the antitrust laws. This means that as long as companies don’t discuss competitive information such as pricing and output when sharing cybersecurity information, they’re okay.”
So, what do you need to do if you want to share your technical cyber threat information with your neighbors? According to the Statement, the first thing you need to do is make sure the information sharing arrangement is not “being used as a cover to fix prices, allocate markets, or otherwise limit competition.” If it is, you have a big problem. That said, you should be in the clear if the sharing arrangement is limited to technical cyber threat information, e.g., threat signatures and IP address or target ports of a Denial of Service attack. “The sharing of this type of information” the Statement says, “is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans which can raise antitrust concerns.”