DOJ, FTC on antitrust, cybersecurity: solution in search of problem?
Way back in 2000, the Electric Power Research Institute, a non-profit funded by utility companies, asked the Justice Department’s Antitrust Division for guidance on a proposal to help its members pool information to ward off cyber attacks. EPRI told Justice that companies across the energy sector wanted to exchange information about how best to conduct vulnerability assessments, install anti-hacking protections and formulate restoration plans in case of breaches. EPRI asked for the department’s assurance that this kind of industry-wide collaboration would not violate antitrust laws.
In a letter to EPRI, then antitrust chief Joel Klein said it would not, as long as the companies kept EPRI’s promise not to use the information exchange to impede competition. The companies could not, for instance, swap details of negotiations with specific anti-hacking service providers. But as long as they avoided talking specifically about prices or other competition-sensitive topics, they’d be fine. “The proposed interdictions on price, purchasing and future product innovation discussions should be sufficient to avoid any threats to competition,” Klein wrote. “Indeed, to the extent that the proposed information exchanges result in more efficient means of reducing cyber-security costs, and such savings redound to the benefit of consumers, the information exchanges could be procompetitive in effect.”
That perfectly reasonable advice was the Justice Department’s last word on the antitrust consequences (or lack thereof) for companies that collaborate to thwart cyber attacks. There’s a very simple reason for the resounding 14-year silence: No one else asked for guidance. Since EPRI’s request all those years ago, no other company or industry group thought it necessary to get clearance before collaborating across a sector on cybersecurity strategies. In fact, according to comments by Assistant Attorney General William Baer at a press conference Thursday, there shouldn’t really have been any uncertainty about the legality of that sort of information sharing.
But the Justice Department and the Federal Trade Commission believed there was. They jointly announced Thursday a new policy statement to “make it clear that they do not believe that antitrust is — or should be — a roadblock to legitimate cybersecurity information-sharing,” the new guidance said. “Cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans,” the guidance said. “Properly designed sharing of cybersecurity threat information is not likely to raise antitrust concerns.”
What’s a bit odd about the statement is that it’s not clear who was clamoring for guidance. In his prepared remarks, Deputy Attorney General James Cole said that “some companies” told the Justice Department that “concerns about antitrust liability (have) been a barrier to being able to openly share cyber threat information with each other.” Baer was even more vague in his introductory remarks. After calling the policy statement “a no-brainer,” he said, “If there ever was any uncertainty out there about the kind of information that can be shared, this policy statement should make it abundantly clear that with the proper safeguards in place, cyber threat information-sharing can occur without antitrust risk.”
Reporters at the press conference announcing the joint statement picked right up on the question of whose uncertainty it’s supposed to address. (I wasn’t at the press conference in Washington but my Reuters colleague Diane Bartz was, and she shared her recording of the presser with me.) In the second question from reporters, Cole was asked for specific examples of companies that have hesitated to share cybersecurity information for fear of the antitrust consequences.
“That’s going to be hard to do,” Cole responded. “I can’t think of one, a specific one.” He said what he’s heard are more general expressions of concern at various roundtables with business leaders. “A lot of lawyers raise these issues,” he said. “The more we can poke holes in some of those myths the more sharing we can encourage.” When another reporter asked why, if these concerns are so prevalent, no one has come to Justice for guidance since 2000, Cole said, “That’s a question you’ll have to ask the companies.”
In a third attempt by reporters to ascertain who the new statement is supposed to help, Cole was asked if he could at least say which industries had complained about antitrust fears. Was it retail chains? Telecom providers? “It’s been across the board,” Cole said. “I’ve heard this from a number of different companies.” And that was as specific as the deputy AG was willing to be.
The Justice Department and the FTC are, of course, within their rights to issue policy statements even when there’s no demand for them. I’m sure it’s helpful for businesses that may be interested in developing joint cyber-security products, along the lines of the example Baer gave at the press conference, to have guidance, even if that guidance is just what everyone already thought anyway.
But I suspect that the new policy may be aimed at a different audience than private industry. Cole said at a couple of different points in the press conference that members of Congress have invoked antitrust fears in opposing cybersecurity legislation. “That’s an issue they say has been raised with them and they want to deal with,” he said.
When he was asked flat out if Congress ought to pass a cybersecurity law, Cole was blunt. “Yes,” he said. “There’s a lot of need out there for cyber legislation.” He listed some of the White House’s priorities for a new cybersecurity law, including nationwide rules for reporting data breaches, enhanced criminal penalties for hackers and clearer authority for the civil seizure of servers and domain names.
None of these has anything to do with antitrust guidance. But the executive branch seems to believe that its policy statement on antitrust and cybersecurity may move it a little closer to realizing its actual goals.
For more of my posts, please go toÂ WestlawNext Practitioner Insights