DOJ Issues First Business Review Letter Following Agencies’ Joint Policy Statements on Cybersecurity
On October 2, 2014, the U.S. Department of Justice (DOJ) issued its first business review letter since issuing jointly with the Federal Trade Commission (FTC) the Agencies’ Antitrust Policy Statement on Sharing of Cybersecurity Information in April 2014 (the Policy Statement). The Policy Statement recognized that sharing cyber threat information is integral to defending against cyber-attacks. It states that cyber information sharing will be reviewed under a rule of reason analysis that focuses on the improved efficiency and security of cyber networks, the nature of the cyber information to be shared, and whether the information exchange is likely to harm competition.
CyberPoint International, LLC, requested the business review letter for its cyber intelligence data-sharing platform called TruSTAR. The TrueStar platform collects incident reports, anonymously submitted, that include technical information, targets of the attack, contextual information and remediation solutions, which help members analyze their organization’s risk and current defenses. The platform also contains a members-only forum where members can anonymously interact with the member that submitted a particular incident report, but requires as a prerequisite for participation a certification that members will not exchange “competitively sensitive information—such as recent, current, and future prices, cost data, or output levels—or otherwise attempt price or other coordination.” Members must also have a Dun and Bradstreet D-U-N-S number, be in good standing with local, state and federal government and agencies, as well as satisfy minimum technical performance criteria.
In analyzing the proposed data-sharing platform, the DOJ found significant that “the business purpose and nature of the information sharing agreement does not suggest competition or consumers will be harmed.” Notably, “the nature of the information that will be shared is unlikely to facilitate tacit or explicit price or other competitive coordination among competitors,” because “[t]he information to be shared through incident reports and the collaboration forum are very technical and is the type of information sharing contemplated by the . . . Policy Statement.” Specifically, “no competitively sensitive information about recent, current, and future prices, cost data, output levels, or capacity will be exchanged,” and “CyberPoint will obtain commitments from members that competitively sensitive information won’t be exchanged.” Therefore, the DOJ concluded that competitive harm was unlikely and that consumers would likely benefit from the lower cost and more efficient means of establishing network security.
The business review letter is available here.