The DOJ and FTC issued a joint press release yesterday and a policy statement indicating that properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources. The policy statement provides the agencies’ analytical framework for information sharing among private entities and is designed to reduce uncertainty for those who want to share ways to prevent and combat cyberattacks.
“Cyber threats are increasing in number and sophistication, and sharing information about these threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems and help secure our nation’s infrastructure,” said Assistant Attorney General Bill Baer in charge of the Department of Justice’s Antitrust Division. “With proper safeguards in place, cyber threat information sharing can occur without posing competitive concerns.” FTC Chairwoman Edith Ramirez added: “Because of the FTC’s long experience promoting data security, we understand the serious threat posed by cyberattacks. This statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.”
As the press release makes clear, the policy statement recognizes that the federal antitrust agencies realize that the sharing of cyber threat information has the potential to improve the security, availability, integrity and efficiency of the nation’s information systems. The policy statement also emphasizes that the legitimate sharing of cyber threat information is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans, which may raise antitrust concerns. Cyber threat information is typically technical in nature and covers a limited type of information, and disseminating that information appears unlikely to raise competitive concerns.
As the press release indicates, the joint Department of Justice/Federal Trade Commission “Antitrust Guidelines for Collaborations Among Competitors” provide an overview of the agencies’ analysis of information sharing as a general matter. The new DOJ/FTC policy statement indicates that the agencies will consider under a rule of reason analysis whether the relevant agreement sharing cyber threat information likely harms competition by increasing the ability or incentive to raise price above or reduce output, quality, service or innovation below what likely would prevail in the absence of the relevant agreement. In some cases, the nature of the agreement may indicate a lack of competitive harm. In examining the nature of the agreement, the agencies will take into account its business purpose. If competitive harm seems likely, the Agencies will analyze the agreement in more depth to evaluate countervailing efficiencies.