Cybersecurity Framework Does Apply to Associations
letter on cybersecurity offers guidance for association-sponsored information
Jeffrey S. Tenenbaum and Andrew E. Bigart
On October 2, 2014, the U.S.
Department of Justice (DOJ) issued a business review letter advising CyberPoint
International LLC that its True Security Through Anonymous Reporting (TruSTAR)
cyber intelligence data-sharing program does not raise antitrust concerns. The
DOJ letter provides a helpful reminder to trade and professional associations
of the need to be cognizant of and review any proposed information exchange or
benchmarking program — regardless of topic — for potential antitrust risk.
Although association-sponsored information
exchange and benchmarking programs cover a range of topics, any exchange of
competitively sensitive information will draw heightened antitrust scrutiny
because of the risk that the sharing of information can lead to anticompetitive
agreements. Here is a brief summary of the DOJ letter as a bridge to discussing
recommended best practices for any trade or professional association interested
in managing an information exchange or benchmarking study.
The DOJ's Business Review Letter
Under the federal Sherman Act and
the Federal Trade Commission Act, information exchanges are analyzed under the
rule of reason, which balances the procompetitive benefits of the conduct
against the potential anticompetitive harm to determine the likely overall
effect on competition. The main competitive concern with information exchanges
is the potential for participating industry members to use the information
exchanged to further a price-fixing or other anticompetitive conspiracy.
In reviewing CyberPoint's TruSTAR
program, the DOJ applied the standard "rule of reason" analysis by
- The business purpose and nature of the program.
- The type of information shared.
- The safeguards implemented to minimize the risk that participants
(members) will exchange competitively sensitive information.
With respect to the first two
points, the DOJ found that the focus of the program was procompetitive — it allows
members to share accurate and timely intelligence on potential cyber threats,
best practices, and remediation solutions. In addition, the TruSTAR program
offers members a "community forum" that allows them to discuss cyber
threats and collaborate on best practices. In this regard, the DOJ noted that
CyberPoint had implemented procedures to obtain commitments from members that
they would not share competitively sensitive information.
Thus, for all three factors, the
DOJ found that the TruSTAR program was procompetitive and unlikely to raise
Recommended Best Practices for Information Exchanges
The DOJ business review letter,
along with a prior joint DOJ/Federal Trade Commission statement on a similar
reinforces that properly structured information exchanges and benchmarking
programs involving cyber threats can provide significant procompetitive
benefits. The same is true for similar programs across a range of issues,
including association surveys of existing home sales, compensation practices in
an industry, or retail sales of a particular commodity. To minimize potential
risk, however, any trade or professional association seeking to develop such a
program should keep the following general safeguards in mind:
- The proposed exchange
should be reviewed by antitrust counsel in advance.
- Clearly articulate the purpose and procompetitive
benefits of the information exchange, and keep it closely focused on those
- Participation should be voluntary, and the program
should include instructions cautioning participants on potential antitrust
risk and prohibiting discussions of competitively sensitive information
with other participants.
- For programs that involve the exchange of data,
participants should not be involved in the collection or compilation of
the data. In addition:
  - Any competitively sensitive data provided by participants (e.g.,
    prices) should be at least three months old (no current or future information).
    Note that cyber threat information generally does not present the same degree
    of risk and may be shared on a real-time basis per the guidelines of the DOJ
    business review letter.
  - Data should be provided by a minimum of five participants, with no
    individual participant's data representing more than 25 percent on a
    weighted basis.
  - The trade or professional association or third party managing the
    program should treat specific data provided by participating members as
    confidential and not disclose it in its raw form to any other participant
    or third party.
  - The program should not identify the individual members who participated
    in the survey/exchange.
  - Any data published should be in aggregate form only.
  - Joint discussion and analysis of the data should be avoided. Each
    participant should separately analyze the data and make independent
    business decisions based on the data.
Of course, it goes without saying that an association that implements these
procedures must follow them consistently. Doing so will help the association
function effectively and to the benefit of its industry or profession while
minimizing potential antitrust risk.
Jeffrey S. Tenenbaum is a partner, and Andrew E. Bigart is an
associate in Venable’s Washington, DC office.