
Yes, Cybersecurity Framework Does Apply to Associations - 10/29/2014



DOJ letter on cybersecurity offers guidance for association-sponsored information exchanges.

By Jeffrey S. Tenenbaum and Andrew E. Bigart

On October 2, 2014, the U.S. Department of Justice (DOJ) issued a business review letter advising CyberPoint International LLC that its True Security Through Anonymous Reporting (TruSTAR) cyber intelligence data-sharing program does not raise antitrust concerns. The DOJ letter provides a helpful reminder to trade and professional associations of the need to be cognizant of and review any proposed information exchange or benchmarking program — regardless of topic — for potential antitrust risk.

Although association-sponsored information exchange and benchmarking programs cover a range of topics, any exchange of competitively sensitive information will draw heightened antitrust scrutiny because of the risk that the sharing of information can lead to anticompetitive agreements. Here is a brief summary of the DOJ letter as a bridge to discussing recommended best practices for any trade or professional association interested in managing an information exchange or benchmarking study.

The DOJ's Business Review Letter

Under the federal Sherman Act and the Federal Trade Commission Act, information exchanges are analyzed under the rule of reason, which balances the procompetitive benefits of the conduct against the potential anticompetitive harm to determine the likely overall effect on competition. The main competitive concern with information exchanges is the potential for participating industry members to use the information exchanged to further a price-fixing or other anticompetitive conspiracy.

In reviewing CyberPoint's TruSTAR program, the DOJ applied the standard "rule of reason" analysis by reviewing:

  1. The business purpose and nature of the program.
  2. The type of information shared.
  3. The safeguards implemented to minimize the risk that participants (members) will exchange competitively sensitive information.

With respect to the first two points, the DOJ found that the focus of the program was procompetitive — it allows members to share accurate and timely intelligence on potential cyber threats, best practices, and remediation solutions. In addition, the TruSTAR program offers members a "community forum" that allows them to discuss cyber threats and collaborate on best practices. In this regard, the DOJ noted that CyberPoint had implemented procedures to obtain commitments from members that they would not share competitively sensitive information.

Thus, for all three factors, the DOJ found that the TruSTAR program was procompetitive and unlikely to raise antitrust concerns.

Recommended Best Practices for Information Exchanges

The DOJ business review letter, along with a prior joint DOJ/Federal Trade Commission statement on a similar cybersecurity proposal,[1] reinforces that properly structured information exchanges and benchmarking programs involving cyber threats can provide significant procompetitive benefits. The same is true for similar programs across a range of issues, including association surveys of existing home sales, compensation practices in an industry, or retail sales of a particular commodity. To minimize potential risk, however, any trade or professional association seeking to develop such a program should keep the following general safeguards in mind:

  1. The proposed exchange should be reviewed by antitrust counsel in advance.
  2. Clearly articulate the purpose and procompetitive benefits of the information exchange, and keep it closely focused on those criteria.
  3. Participation should be voluntary, and the program should include instructions cautioning participants on potential antitrust risk and prohibiting discussions of competitively sensitive information with other participants.
  4. For programs that involve the exchange of data, participants should not be involved in the collection or compilation of the data. In addition:

  • Any competitively sensitive data provided by participants (e.g., prices) should be at least three months old (no current or future information). Note that cyber threat information generally does not present the same degree of risk and may be shared on a real-time basis per the guidelines of the DOJ business review letter.
  • Data should be provided by a minimum of five participants, with no individual participant's data representing more than 25 percent on a weighted basis.
  • The trade or professional association or third party managing the program should treat specific data provided by participating members as confidential and not disclose it in its raw form to any other participant or third party.
  • The program should not identify the individual members who participated in the survey/exchange.
  • Any data published should be in aggregate form only.
  • Joint discussion and analysis of the data should be avoided. Each participant should separately analyze the data and make independent business decisions based on the data.

Of course, it goes without saying that an association that implements these procedures must follow them consistently. Doing so will help the association function effectively and to the benefit of its industry or profession while minimizing potential antitrust risk.

Jeffrey S. Tenenbaum is a partner, and Andrew E. Bigart is an associate in Venable’s Washington, DC office.

[1] Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cyber Security Information (April 10, 2014), available at http://www.justice.gov/atr/public/guidelines/305027.pdf.


© Copyright 2017, Association Media and Publishing. All rights reserved.