On October 2, 2014, the U.S. Department of Justice announced that a cyber intelligence data-sharing platform known as TruSTAR, developed by CyberPoint International, LLC, passed antitrust muster. The TruSTAR platform allows members to share threat and incident data along with cyber-attack information, and to develop remediation solutions to facilitate more effective cyber-attack prevention strategies. The DOJ’s business review letter also reiterated antitrust guidelines applicable to information exchanges by business organizations such as industry trade associations.
Earlier this year, DOJ and the Federal Trade Commission issued a joint policy statement recognizing that the ability of private entities to share cyber threat information is an important component to identifying and combating cyber attacks.[1] In that Policy Statement, the agencies emphasized that the antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques to defend against cyber attacks. The DOJ concluded that the TruSTAR information sharing platform was consistent with the type of information sharing identified by the agencies as not raising competitive concerns and offered procompetitive benefits by offering members an efficient means of reducing cyber-security costs.
The DOJ noted that competitor collaborations to share cyber-threat information are typically analyzed under the rule of reason.[2] DOJ explained that the rule of reason analysis “is a flexible inquiry that focuses on those factors necessary to evaluate the overall competitive impact of an agreement.”[3] It noted that the factors pertinent to the evaluation of the TruSTAR platform were: (1) the business purpose and nature of the agreement; (2) the type of information shares; and (3) safeguards implemented to minimize the risk that competitively sensitive information will be disclosed.
DOJ concluded that the business purpose and nature of the information sharing arrangement did not suggest that competition or consumers would be harmed. The purpose of the TruSTAR arrangement is to allow private entities to share cyber-security information to protect networks and deter cyber attacks. DOJ explained that the type of information to be exchanged is unlikely to facilitate tacit or explicit price or other competitive coordination among competitors.[4] It noted that the information proposed to be shared would consist of highly technical information and the type contemplated to be exchanged in the DOJ/FTC Cyber Security Policy Statement.[5] The agencies noted that the sharing of cyber threat information “is very different from the sharing of competitively sensitive information” and “can improve efficiency to help secure our nation’s networks of information and services.”[6]
DOJ noted that while the exchange of competitively sensitive information could raise anticompetitive concerns under the rule of reason, the TruSTAR platform, as proposed, will not involve the sharing of competitively sensitive information such as recent, current or future pricing, cost data, output levels or capacity.[7] TruSTAR members will commit that they will not use the TruSTAR platform to share such information.[8] Because the TruSTAR platform implements sufficient safeguards to prevent the exchange of competitively sensitive information, DOJ concluded that competitive harm was unlikely.
[1] See Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014) (the “DOJ/FTC Cyber Security Policy Statement”).
[2] Id.
[3] DOJ Business Review Letter (October 2, 2014), p. 3.
[4] Id., p. 1
[5] Id.
[6] Id., citing DOJ/FTC Cyber Security Policy Statement.
[7] DOJ Business Review Letter, p. 4.
[8] Id.