January 18, 2020

January 17, 2020

Subscribe to Latest Legal News and Analysis

January 16, 2020

Subscribe to Latest Legal News and Analysis

January 15, 2020

Subscribe to Latest Legal News and Analysis

DOJ Will Not Challenge Cyber Security Data Sharing Platform

On October 2, 2014, the U.S. Department of Justice announced that a cyber intelligence data-sharing platform known as TruSTAR, developed by CyberPoint International, LLC, passed antitrust muster.  The TruSTAR platform allows members to share threat and incident data along with cyber-attack information, and to develop remediation solutions to facilitate more effective cyber-attack prevention strategies.  The DOJ’s business review letter also reiterated antitrust guidelines applicable to information exchanges by business organizations such as industry trade associations.

Earlier this year, DOJ and the Federal Trade Commission issued a joint policy statement recognizing that the ability of private entities to share cyber threat information is an important component to identifying and combating cyber attacks.[1]  In that Policy Statement, the agencies emphasized that the antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques to defend against cyber attacks.  The DOJ concluded that the TruSTAR information sharing platform was consistent with the type of information sharing identified by the agencies as not raising competitive concerns and offered procompetitive benefits by offering members an efficient means of reducing cyber-security costs.

The DOJ noted that competitor collaborations to share cyber-threat information are typically analyzed under the rule of reason.[2]  DOJ explained that the rule of reason analysis “is a flexible inquiry that focuses on those factors necessary to evaluate the overall competitive impact of an agreement.”[3]  It noted that the factors pertinent to the evaluation of the TruSTAR platform were:  (1) the business purpose and nature of the agreement; (2) the type of information shares; and (3) safeguards implemented to minimize the risk that competitively sensitive information will be disclosed.

DOJ concluded that the business purpose and nature of the information sharing arrangement did not suggest that competition or consumers would be harmed.  The purpose of the TruSTAR arrangement is to allow private entities to share cyber-security information to protect networks and deter cyber attacks.  DOJ explained that the type of information to be exchanged is unlikely to facilitate tacit or explicit price or other competitive coordination among competitors.[4]  It noted that the information proposed to be shared would consist of highly technical information and the type contemplated to be exchanged in the DOJ/FTC Cyber Security Policy Statement.[5]  The agencies noted that the sharing of cyber threat information “is very different from the sharing of competitively sensitive information” and “can improve efficiency to help secure our nation’s networks of information and services.”[6]

DOJ noted that while the exchange of competitively sensitive information could raise anticompetitive concerns under the rule of reason, the TruSTAR platform, as proposed, will not involve the sharing of competitively sensitive information such as recent, current or future pricing, cost data, output levels or capacity.[7]  TruSTAR members will commit that they will not use the TruSTAR platform to share such information.[8]  Because the TruSTAR platform implements sufficient safeguards to prevent the exchange of competitively sensitive information, DOJ concluded that competitive harm was unlikely.

[1] See Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014) (the “DOJ/FTC Cyber Security Policy Statement”).

[2] Id.

[3] DOJ Business Review Letter (October 2, 2014), p. 3.

[4] Id., p. 1

[5] Id.

[6] Id., citing DOJ/FTC Cyber Security Policy Statement.

[7] DOJ Business Review Letter, p. 4.

[8] Id.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

The Antitrust and Trade Regulation practice currently encompasses matters involving mergers and structural issues, criminal grand jury proceedings, international antitrust enforcement, pricing practices, product distribution, joint ventures, class actions based on federal and state antitrust and unfair competition laws, among many other areas. We represent clients in a wide variety of industries, including healthcare, pharmaceuticals, financial services, aerospace, energy, technology, publishing, distribution, courier and food services.

The firm's Antitrust lawyers both write and...