Department of Justice Clears Cybersecurity Information Sharing Platform
Last week the Antitrust Division of the Department of Justice (“DOJ”) issued a business review letter in response to a request by CyberPoint International LLC (“CyberPoint”). At issue in the request was whether a proposed cyber threat information sharing system among possible competitors (“the TruSTAR platform”) raised antitrust concerns. Following a review, DOJ announced in the letter that it had no intention of challenging the TruSTAR platform under antitrust laws.
The TruSTAR letter is significant for multiple reasons. First, the letter generally reaffirms the joint “Antitrust Policy Statement on Sharing of Cybersecurity Information,” set forth by the DOJ and Federal Trade Commission (FTC) earlier this year on April 10. In fact, in a press release accompanying the TruSTAR letter, the DOJ cited to the Policy Statement to emphasize that the “antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques.”
We previously analyzed the Policy Statement and concluded that “[w]hile the Policy Statement is a significant development, it does not provide antitrust immunity[,]” as enforcement actions are necessarily judged on the facts of any particular case. To this end, the TruSTAR letter carries additional importance in that it illustrates how the Policy Statement will be applied in practice.
In accordance with the Policy Statement, DOJ employed a flexible “rule of reason” analysis to evaluate TruSTAR’s request. Under this rubric, DOJ “focuses on the state of competition with, as compared to without, the relevant [cyber information sharing] agreement,” in deciding whether to pursue an individual case of information sharing among competitors as a possible antitrust violation. In evaluating the TruSTAR program, DOJ looked to three factors (all of which were also mentioned in the Policy Statement): (1) the business purpose and nature of the proposed information sharing agreement; (2) the type of information that would be shared; and (3) the safeguards implemented to minimize the risk that competitively sensitive information would be disclosed.
In applying these factors, several features of the TruSTAR information sharing agreement carried particular salience:
The purpose of the proposed TruSTAR platform would be to protect networks and deter cyber-attacks.
TruSTAR membership would be broadly open to all firms in good standing with a Dun and Bradstreet number, who also committed not to share competitively sensitive information.
The nature of the information that would be shared under the agreement would not be competitively sensitive (e.g., TruSTAR would not report on recent, current, or future prices, cost data, output levels, etc.).
All members of the information sharing agreement in a particular industry sector would be afforded equal treatment under the agreement.
All members of the information sharing agreement would be able to share, communicate, and use information anonymously.
All members of the information sharing agreement could communicate securely, by employing encrypted communications.
While none of these facts is individually dispositive, they collectively offer some initial markers for future antitrust enforcement policy in the realm of cybersecurity information sharing agreements—an enforcement area that is only growing in importance.