The Federal Trade Commission (“FTC”) and the Department of Justice (“DOJ”) recently issued a policy statement on the sharing of cybersecurity information that “makes clear that properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.”
The policy statement is intended to address a long-recognized roadblock to the aspirational goal of combating cyber threats by encouraging private entities to share confidential threat awareness information. To date, this objective has been thwarted by the realistic concern that the sharing of non-public information between competitors could violate antitrust laws or trigger an antitrust review.
FTC Chairwoman Ramirez notes that “[t]his statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.” Sharing this viewpoint, Deputy Attorney General James M. Cole recognized that “[p]rivate parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”
Although a step in the right direction, the policy statement is unlikely to materially impact the practices of many businesses because of its lack of specificity. Rather than provide a clear set of guidelines, the policy is merely an analytical framework to be used by the antitrust agencies to determine if the sharing of information crosses the line from permissible to impermissible. For example, the policy notes that “[t]he Agencies do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing” and their “primary concern in this context is that the sharing of competitively sensitive information – such as recent, current, and future prices, cost data, or output levels… .”
In the absence of a uniform legislative solution by Congress, businesses should view the policy statement’s invitation to share cyber threat information with caution. Given the number of employees at the FTC and DOJ, their varying personalities, individual agendas, and autonomy, the subjective “analytical framework” will most likely not be applied in a uniform or predictive fashion.