On October 2, 2014, the Department of Justice’s Antitrust Division announced through a business review letter CyperPoint International, LLC’s cyber intelligence data-sharing platform known as TruSTAR, as proposed, does not raise antitrust concerns that would warrant a challenge.
Earlier this year, the DOJ and the Federal Trade Commission issued a joint policy statement recognizing that private entities may share cyber threat information without running afoul of the antitrust laws. In that policy statement, the agencies emphasized what competent antitrust counsel already knows — that the antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques to defend against cyber attacks.
The TruSTAR information sharing platform allows members to share threat and incident data along with cyber-attack information. It allows members to develop remediation solutions to facilitate more effective cyber-attack prevention strategies.
DOJ’s Business Review Letter
The DOJ’s letter concludes that the TruSTAR information sharing platform is consistent with the type of information sharing identified by the agencies as not raising competitive concerns. The DOJ’s letter also indicates that the platform appears to offer procompetitive benefits by offering members an efficient means of reducing cyber-security costs.
The DOJ letter explains that competitor collaborations to share cyber-threat information are typically analyzed under the rule of reason. The rule of reason analysis balances the precompetitive benefits of the collaboration versus any potential anticompetitive harm. The DOJ letter focuses on the following factors to evaluate the TruSTAR platform were:
(1) the business purpose and nature of the agreement;
(2) the type of information shares; and
(3) safeguards implemented to minimize the risk that competitively sensitive information will be disclosed.
After focusing on these factors, the DOJ concludes that the business purpose and nature of the information sharing arrangement does not suggest that competition or consumers will be harmed. The purpose of the TruSTAR arrangement is to allow private entities to share cyber-security information to protect networks and deter cyber attacks. The information proposed to be shared consists of highly technical information and not competitively sensitive information such as recent, current or future pricing, or cost data. Moreover, the TruSTAR platform implements safeguards to prevent the exchange of competitively sensitive information. Therefore, the TruSTAR platform as proposed is unlikely to harm competition.
Given the joint policy statement from earlier this year that the antitrust agencies do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing, the conclusions in this business review letter were expected. Threat reports, indicators, malware signatures, and other similar type of information are highly technical and have nothing to do with prices, terms of sale, territories, or other price- and output-related subjects that can create antitrust concerns. The Antitrust Division’s business review letter lays out the same analysis that has existed for years. Indeed, competent antitrust counsel knows that this type of information sharing does not violate the antitrust laws. That being said, this business letter reminds corporate and antitrust counsel that anytime there is a question to whether an information sharing agreement may raise an antitrust concern, businesses can seek advice from the DOJ through the business review letter procedure.