The Israel Antitrust Authority (IAA) released a Draft Opinion Paper for public comment concerning cybersecurity information-sharing between private entities.
As threats to information security have increased, information-sharing between organizations has also grown as a means of strengthening resilience against cyber attacks. Israel has established a National Cyber Event Readiness Team (CERT) for dealing with cyber threats and a system for sharing information among government agencies. In anticipation of future private information-sharing initiatives, the IAA has released a Draft Opinion Paper presenting the agency's analysis of such private information sharing frameworks. The Draft Opinion is open for public comment until April 5, 2017.
The Draft Opinion presents a framework for permitting information sharing between private entities. In general, the position of the IAA is that information concerning cyberthreats should not constitute a "restrictive trade practice" under the Antitrust Law1988, provided that the information does not touch on the commercial activities of the parties or contain information that would be sensitive from a competition perspective, such as information regarding pricing or future business plans. As such, private entities should be able to share information regarding vulnerabilities and threats, as well as information concerning defensive measures and tools, without concern for prosecution under Israeli antitrust laws. However, the Draft Opinion may not shield the sharing of recommendations concerning information security equipment or vendors.
The Draft Opinion also addresses the question of access to private information sharing frameworks. According to the Draft Opinion, participation in such frameworks may not be unreasonably denied to entities that would find access to such information relevant. Threat information frameworks that are not open to all participants could be seen as constituting a cartel under Israeli antitrust laws.
The approach of the Draft Opinion is not surprising, especially in light of international developments concerning cybersecurity information sharing. In the United States, for example, 2015 saw the passage of the Cybersecurity Information Sharing Act (CISA) which provides a general exemption from federal and state antitrust liability for the sharing of cybersecurity information.
The position of the Draft Opinion concerning participation in information sharing frameworks is consistent with prior guidance provided by the IAA. In particular, Draft Opinion 3/14 of the IAA requires that participation in industry associations be open to entities on an equal basis, according to set objective standards. Such frameworks cannot set up unreasonable criteria for membership, such as unreasonably high membership fees, and cannot condition membership on approval by existing members.
As the Draft Opinion provides only guidelines concerning antitrust law, the Opinion does not address other questions that may be raised in the course of cybersecurity information sharing, such as questions regarding privacy law and whether private entities may (or may be required) to share cyberthreat information with government regulators. We expect additional guidance to be issued on these topics in the future by other regulatory agencies, including the Israel Law, Information and Technology Authority and the National Cyber Bureau.