October 2014

DOJ Letter on Cybersecurity Offers Guidance for Association-Sponsored Information Exchanges

4 min

On October 2, 2014 the U.S. Department of Justice (DOJ) issued a business review letter advising CyberPoint International LLC that its True Security Through Anonymous Reporting (TruSTAR) cyber intelligence data-sharing program does not raise antitrust concerns.1 Although focused on the company's cybersecurity service, the DOJ letter provides a helpful reminder to trade and professional associations of the need to be cognizant of and review any proposed information exchange or benchmarking program for potential antitrust risk.

Although such programs offer numerous benefits for participating industry members and the public, any association-sponsored exchange of competitively sensitive information will draw heightened antitrust scrutiny because of the risk that the sharing of information can lead to anticompetitive agreements. We provide below a brief summary of the DOJ letter and recommended best practices for any trade or professional association interested in managing a similar program.

The DOJ's Business Review Letter

Under the federal Sherman Act and the Federal Trade Commission Act, information exchanges are analyzed under the rule of reason, which balances the procompetitive benefits of the conduct against the potential anticompetitive harm to determine the likely overall effect on competition. The main competitive concern with information exchanges is the potential for participating industry members to use the information exchanged to further a price-fixing or other anticompetitive conspiracy.

In reviewing CyberPoint's TruStar program, the DOJ applied the standard "rule of reason" analysis by reviewing (1) the business purpose and nature of the program, (2) the type of information shared, and (3) the safeguards implemented to minimize the risk that participants (members) will exchange competitively sensitive information. With respect to the first two points, the DOJ found that the focus of the program was procompetitive – it allows members to share accurate and timely intelligence on potential cyber threats, best practices, and remediation solutions. In addition, the TruStar program offers members a "community forum" that allows them to discuss cyber threats and collaborate on best practices. In this regard, the DOJ noted that CyberPoint had implemented procedures to obtain commitments from members that they would not share competitively sensitive information.

Thus, for all three factors, the DOJ found that the TruStar program was procompetitive and unlikely to raise antitrust concerns.

Recommended Best Practices for Information Exchanges

The DOJ business review letter, along with a prior joint DOJ/Federal Trade Commission statement on a similar cybersecurity proposal,2 reinforces that properly structured information exchanges and benchmarking programs can provide significant procompetitive benefits. To minimize potential risk, any trade or professional association seeking to develop such a program should keep the following safeguards in mind:

  • The proposed exchange should be reviewed by antitrust counsel in advance.
  • Clearly articulate the purpose and procompetitive benefits of the information exchange, and keep it closely focused on those criteria.
  • Participation should be voluntary, and the program should include instructions cautioning participants on potential antitrust risk and prohibiting discussions of competitively sensitive information with other participants.
  • For programs that involve the exchange of data, participants should not be involved in the collection or compilation of the data. In addition:
    • Any data provided by participants should be at least three months old (no current or future information). Data should be provided by a minimum of five participants, with no individual participant's data representing more than 25% on a weighted basis.
    • The trade or professional association or third party managing the program should treat specific data provided by participating members as confidential and not disclose it in its raw form to any other participant or third party.
    • The program should not identify the individual members who participated in the survey/exchange.
    • Any data published should be in aggregate form only.
    • Joint discussion and analysis of the data should be avoided. Each participant should separately analyze the data and make independent business decisions based on the data.

Please contact the authors of this alert if you have any questions.

[1] http://www.justice.gov/atr/public/busreview/309071.htm.

[2] Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014), available at http://www.justice.gov/atr/public/guidelines/305027.pdf.