On April 10, 2014, the U.S. Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) issued an Antitrust Policy Statement on Sharing of Cybersecurity Information explaining that competitors can share legitimate threat information so long as appropriate safeguards are in place to limit the exchange of competitively-sensitive information.1 The Cybersecurity Policy Statement recognizes that private parties play an important role in preventing cyber-attacks and that sharing cybersecurity information has the potential to “improve security, integrity, and efficiency of the nation’s information systems.”2
Key Takeaways
-
U.S. antitrust authorities generally view the sharing of cybersecurity information as valuable to protecting companies’ networks against cyber-attacks, and, thus, regulators likely will not investigate such information sharing for antitrust violations.
-
Authorities largely consider unobjectionable the sharing of technical, cybersecurity information that enables firms to secure their networks or to deter cyber-attacks. Examples include:
-
Threat signatures (i.e., characteristics of certain cyber threats used to identify, detect, and/or interdict those threats);
-
Threat indicators (i.e., elements that comprise a threat signature such as file hashes, computer code, malicious URLs, source email or IP addresses, and target ports of a Denial of Service attack); and
-
Threat alerts (i.e., notifications of security threats or activity).
-
Companies should not otherwise share confidential business information that might facilitate coordination to restrain competition in price, output, quality, service, or innovation.
-
Apart from the antitrust implications, when sharing cybersecurity information, companies that maintain or handle sensitive consumer data or other personally identifiable information must be mindful of their data protection and privacy obligations under International, Federal, and State law to secure such information.
Companies that are unsure of whether certain information sharing could result in potential liability should consult legal counsel.
1 U.S. Dep’t of Justice & Fed. Trade Comm’n, Antitrust Policy Statement on Sharing of Cybersecurity Information (Apr. 10, 2014), available at http://www.ftc.gov/system/files/documents/public_statements/297681/140410ftcdojcyberthreatstmt.pdf [hereinafter Cybersecurity Policy Statement].
2 Press Release, Fed. Trade Comm’n, FTC, DOJ Issue Antitrust Policy Statement on Sharing Cybersecurity Information (Apr. 10, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/04/ftc-doj-issue-antitrust-policy-statement-sharing-cybersecurity.
