On April 10, 2014, the U.S. Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) issued a joint “Antitrust Policy Statement on Sharing of Cybersecurity Information.”

Information sharing between the government and the private sector and among private sector entities has been a major consideration in ongoing legislative and executive branch efforts to address cybersecurity, and the statement released by DOJ and the FTC is a significant development that should advance the private sector’s efforts to address cybersecurity threats.  In particular, concerns have permeated the business community regarding whether private-to-private information-sharing with respect to cybersecurity threats might pose antitrust concerns for the entities involved, and some legislative proposals have included exemptions from antitrust liability for companies that share cybersecurity information.  The latest announcement makes clear that, from the government’s perspective, sharing of cyber-related threat information should generally not implicate antitrust concerns.  

In a press release accompanying the joint Policy Statement, DOJ and FTC officials addressed the antitrust liability concerns.  FTC Chairwoman Edith Ramirez explained that the Policy Statement “should help private businesses by making clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.”  Deputy Attorney General James M. Cole added that the Policy Statement “should encourage [private parties] to share cybersecurity information.”

The Policy Statement describes how the DOJ and FTC analyze cyber threat information sharing, referencing other agency documents, including the joint DOJ/FTC Antitrust Guidelines for Collaboration Among Competitors.  The Guidelines explain that the Agencies will typically analyze information sharing under a rule of reason analysis to assess the “overall competitive effect of an agreement.”  As applied to sharing of cyber threat information–defined as “information about cybersecurity threats, such as incident or threat reports, indicators, threat signatures, and alerts”–the Policy Statement explains:

(1) Sharing of cyber threat information “is virtually always likely to be done in an effort to protect networks and the information stored on those networks, and to deter cyber attacks”;

(2) Cyber threat information is “typically very technical in nature,” and thus “very different from the sharing of competitively sensitive information such as current or future prices and output or business plans which can raise antitrust concerns”; and

(3) The Agencies will consider whether the information sharing “is likely to harm competition,” recognizing that sharing cyber threat information “appears unlikely in the abstract to increase the ability or incentive of participants to raise price or reduce output, quality, service, or innovation.”

The Policy Statement discusses a business review letter regarding cybersecurity information sharing that DOJ’s Antitrust Division issued to the Electric Power Research Institute, Inc. (“EPRI”) in 2000.  The letter approved a specific information-sharing proposal, and the Policy Statement affirms the ongoing relevance of the letter’s analysis.  The Statement concludes that “the Agencies’ guidance establishes that properly designed sharing of cyber threat information should not raise antitrust concerns,” unless such sharing is used as a “cover to fix prices, allocate markets, or otherwise limit competition.”

While the Policy Statement is a significant development, it does not provide antitrust immunity.  The agencies preserve their ability to pursue enforcement actions if warranted by the facts in a particular case.  Further, even in circumstances where the government will not bring an antitrust challenge, the guidelines are not binding either on private plaintiffs who might bring an antitrust claim or on the courts that would adjudicate those claims.  Accordingly, it remains prudent for companies sharing information with competitors to seek antitrust advice in this context, as it is more generally.

Updated April 14, 2014.