Federal regulators released guidance in the first half of 2014 that should provide comfort to businesses that are considering sharing information relating to cybersecurity risks with other companies and the government. Although these advisory opinions are nonbinding and do not carry the force of law, they provide strong indications of the priorities of the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) with respect to facilitating the ability of businesses to engage in cybersecurity risk mitigation. Notably, under the recent guidance, the federal regulators suggest that antitrust and electronic communications privacy concerns, which may have previously made businesses hesitant to share certain information relating to cybersecurity risks, should not preclude business-to-business or business-to-government information sharing that is tailored to mitigate these risks.
Joint Policy Statement on Antitrust Implications of Cybersecurity Risk Information Sharing
On April 10, 2014, the DOJ and FTC[1] issued a joint policy statement to make clear to businesses that properly designed and appropriate sharing of cybersecurity risk information is unlikely to raise antitrust concerns.[2] Noting that private sector entities play a “critical” role in the fight to mitigate and respond to cyber threats, Deputy Attorney General James M. Cole argued that this joint policy statement “should encourage [businesses] to share cybersecurity information.” Until the statement, federal antitrust regulators had not weighed in on antitrust considerations relating to cybersecurity information sharing since the DOJ Antitrust Division issued specific guidance to the Electric Power Research Institute in 2000, in which the DOJ confirmed that it did not intend to take enforcement action as a result of the company’s proposal to exchange certain cybersecurity information, including exchanging actual real-time cyber threat and attack information. In the joint policy statement, the DOJ and FTC reiterated that the advice the DOJ gave to Electric Power Research Institute remains valid: in reviewing any cybersecurity risk information sharing, the antitrust regulators will examine the business purpose, nature, and likely competitive effect of information exchanges and, as set forth in the Competitor Collaboration Guidelines, will evaluate the information sharing arrangements under a rule of reason analysis to determine the overall competitive effect of the agreement in a relevant market.
In the joint policy statement, the DOJ and FTC explained that the agencies recognize that the sharing of cybersecurity risk information has the potential to enhance the security, availability, integrity, and efficiency of information systems in the U.S.[3] The statement makes clear that “[t]he [DOJ and FTC] do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing” and suggests that firms have been overly conservative with respect to sharing data relating to cyber threats in part because of a fear that sharing information between competitors could raise antitrust concerns. If handled appropriately, however, the DOJ and FTC view the “sharing of cyber threat information . . . [as] highly unlikely to lead to a reduction in competition” that would raise antitrust concerns. The joint policy statement cautions, however, that the legitimate sharing of cyber threat information is very different from the sharing of competitively sensitive information (e.g., pricing or output data, or business plans), which would tend to generate antitrust concerns. To the FTC and DOJ, permissible information sharing as contemplated under the joint policy statement would be limited to data that is typically technical in nature and limited in scope to cybersecurity risks. The joint policy statement, although it does not foreswear enforcement action on the basis of cybersecurity information sharing, suggests that “antitrust concerns should not get in the way of sharing cybersecurity information.”[4]
Department of Justice White Paper on Stored Communications Act Compliance
The Department of Justice followed the joint policy statement in May 2014 with a white paper that clarifies the DOJ’s views regarding certain privacy implications of sharing cyber threat information.[5] The DOJ explains that companies have pressed for guidance on the permissibility of sharing communications information pertaining to cybersecurity risks with law enforcement authorities, and that the white paper should reduce the potential that “[o]verly expansive views of what information is prohibited from voluntary disclosure could unnecessarily prevent the sharing of important information that would be used to enhance cybersecurity.” In this white paper, the DOJ focused on the application of the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., in the context of voluntarily sharing aggregated data with the government to protect information systems.
Under the SCA, a provider of an “electronic communications service” (ECS)[6] or a “remote computing service” (RCS)[7] to the public is barred from knowingly divulging a record or other non-content information pertaining to one of its subscribers or customers to the government (or any other entity, in many instances) unless a statutory exception applies.[8] Violations of these prohibitions could result in civil liability under the SCA, 18 U.S.C. § 2707. Because of certain ambiguities in the SCA, ECS and RCS providers asked the DOJ whether non-content aggregate information falls within these restrictions on sharing. After evaluating the SCA’s text, structure, purpose, and legislative history, as well as the scope of other federal statutes that regulate the disclosure of customer information by telecommunications companies,[9] the DOJ concluded in the white paper that the SCA does not prohibit such disclosures.
The DOJ further explained that it does “not believe that the SCA prohibits a provider of ECS or RCS to the public from sharing aggregated non-content data with governmental entities, as long as that aggregated data does not reveal information about a particular customer or subscriber. Reading the SCA to bar communications service providers from disclosing to the government all aggregated data related to providing such services would effectively read out the limitation that the prohibition on disclosure does not cover all records or other information, but only those ‘pertaining to a subscriber to or customer of such service.’”
Nevertheless, the DOJ qualified its opinion in the white paper to stress that, if aggregated information still contains granular details that pertain to particular subscribers or customers, the exemption described in the white paper would not apply and the SCA would prohibit such a disclosure to the government. As an example, the DOJ noted that an ECS or RCS provider could “report to a governmental entity an anomalous swell in certain types of internet traffic traversing its network or a significant drop in Internet traffic, which could be harbingers of a serious cyber incident,” but that this reporting would not be permitted if it contained “aggregated information about the total network traffic to or from a particular static IP address assigned to a customer . . . because that information would reveal facts about that particular customer.”[10]
Implications for Businesses
To a certain extent, the joint policy statement and white paper reflect the evolving cybersecurity risk management landscape. As the DOJ and FTC note in the statement, “some private-to-private cyber threat information sharing is taking place, both informally and through formal exchanges or agreements, such as the many sector-specific Information Sharing Analysis Centers (ISACs) that have been established to advance the physical and cybersecurity of critical infrastructures.”[11] Likewise, the retail industry recently announced the development of a cybersecurity information sharing platform, developed in consultation with the Financial Services ISAC.[12] Further, the federal government, through efforts spearheaded by the White House, has pushed businesses in recent years to improve their defenses against cybersecurity threats, although administration and congressional efforts have generated concern in the business community about potential exposure to liability as a result of information sharing. The joint policy statement and white paper may alleviate some of these concerns, and hasten a more widespread adoption of the National Institute of Standards and Technology’s February 2014 cybersecurity framework by relevant industry stakeholders.[13]
Businesses that are contemplating how they may share information relating to cybersecurity risks should also be mindful of the potential that Congress may soon enact federal cybersecurity legislation. In late July, the Senate Intelligence Committee approved a draft bill, the Cybersecurity Information Sharing Act of 2014 (CISA) (S. 2588), that has significant bipartisan support.[14] Among other things, CISA would authorize companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats. CISA also would authorize businesses to engage in voluntary sharing of cyber threat information with each other and with the government. Under the current draft form of CISA, businesses would have a defense against liability for cybersecurity information sharing, provided that the information sharing: (i) follows procedures outlined in CISA; and (ii) is not grossly negligent or an act of willful misconduct. It remains to be seen whether CISA will become law, but it has the potential to further expand the ability of businesses to share risk intelligence with one another.
[1] Michael Daniel, the White House Cybersecurity Coordinator, echoed the sentiments of the joint policy statement on the White House blog. See Michael Daniel, “Getting Serious about Information Sharing for Cybersecurity,” The White House Blog, April 10, 2014, http://www.whitehouse.gov/blog/2014/04/10/getting-serious-about-information-sharing-cybersecurity. Daniel noted that, in addition to executive action, the Obama administration will work with Congress and the business community to improve cybersecurity in the public and private sectors.
[2] DOJ & FTC, Antitrust Policy Statement on Sharing of Cybersecurity Information, April 10, 2014, http://www.justice.gov/atr/public/guidelines/305027.pdf.
[3] As the joint policy statement makes clear, the DOJ and FTC would evaluate the impetus underlying information sharing, the nature of the information shared, and whether the information shared would be likely to harm competition in its rule of reason analysis to determine whether information sharing is appropriate. Although the joint policy statement notes that this is an “intensely fact-driven” inquiry, the agencies imply that the normal sharing of cybersecurity risk information—without the inclusion of additional information relating to pricing, output, business strategies, or other information that is more likely to lead to collusion—will generally be viewed as non-harmful to competition.
[4] James M. Cole, Dep’y Att’y Gen., Press Conference to Announce Joint Antitrust Policy Statement on Sharing of Cybersecurity Information, April 10, 2014.
[5] DOJ, White Paper: Sharing Cyberthreat Information Under 18 USC §2702(a)(3), May 9, 2014, http://www.justice.gov/criminal/cybercrime/docs/guidance-for-ecpa-issue-5-9-2014.pdf.
[6] An ECS is defined to mean “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15); see id. § 2711(1).
[7] An RCS is defined to mean “the provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S.C. § 2711(2).
[8] See 18 U.S.C. § 2702(a)(1)-(3).
[9] Specifically, the DOJ reviewed the Telecommunications Act of 1996 and the Cable Communications Privacy Act of 1984, which permit the disclosure of non-identifiable, aggregate information, as well as decisions by other federal regulators to exclude aggregated data from information sharing prohibitions (e.g., the decision by the FTC to exclude aggregate data from the definition of personally identifiable financial information in its rulemaking under the Gramm-Leach-Bliley Act. See Privacy of Consumer Financial Information, 65 Fed. Reg. 33646 (May 24, 2000) (“An example in § 313.3(o)(2)(ii)(B) clarifies that aggregate information or blind data lacking personal identifiers is not covered by the definition of ‘personally identifiable financial information.’ The Commission agrees with those commenters who opined that such data, by definition, do not identify any individual.”)).
[10] The white paper notes, however, that “determining when data does not pertain to a subscriber or customer will be a highly fact-specific inquiry. A provider of ECS or RCS to the public that is making disclosures of non-content/non-customer records to the government should seek legal guidance from its own counsel for specific disclosure determinations to ensure that it is acting consistent with the SCA.”
[11] See DOJ & FTC, Antitrust Policy Statement on Sharing of Cybersecurity Information 3.
[12] See National Retail Federation, National Retail Federation Announces Information-Sharing Platform, April 14, 2014, https://nrf.com/media/press-releases/national-retail-federation-announces-information-sharing-platform.
[13] See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0), February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
[14] Similar legislation has been proposed in previous years, but failed to pass.