The Federal Trade Commission and Department of Justice brought its cybersecurity rules into the 21st Century this week when they issued a policy statement assuring companies that share information between themselves about cyber threats will not face consequences under anti-trust laws.
From a joint news release:
“Cyber threats are increasing in number and sophistication, and sharing information about these threats, such as incident reports, indicators and threat signatures, is something companies can do to protect their information systems and help secure our nation’s infrastructure,” said Assistant Attorney General Bill Baer in charge of the Department of Justice’s Antitrust Division. “With proper safeguards in place, cyber threat information sharing can occur without posing competitive concerns.”
The guidance to companies (and lawyers) updates and makes stronger similar language issued in "business review letter" to the Electric Power Research Institute (EPRI) back in 2000. Obviously business-cyber world has become more perilous in the ensuing years, making it even more important for companies to be able to communicate among themselves about the latest threats and attacks and how to thwart them.
BRT said in a news release Thursday that even with the Administration's important policy statement, Congress should still pass legislation on cybersecurity that include liability protections for companies.
A year ago the House of Representatives passed H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), that would accomplish those goals. Business Roundtable President John Engler explained its importance: "Real-time, two-way information sharing between business and government is the critical missing piece in more effective cybersecurity protection."
Unfortunately, the Senate has yet to act on the House bill or its own legislation.
More ...
- Prepared remarks by Deputy Attorney General James M. Cole
- Statement by Sen. Jay Rockefeller, chairman of the Senate Commerce Comittee
- Business Journals, "Feds to business: It's OK to share cybersecurity threat information," noting comments by Ajay Banga, CEO of Mastercard and chair of BRT's Information and Technology Committee.
- Corporate Counsel, "Feds Hit 'Like' on Sharing Cyberthreat Data," which also quotes Banga: "“Addressing this antitrust issue is a helpful step in encouraging effective, robust cybersecurity information sharing, a key component of the practice of cybersecurity.”
- FCW, "Justice, FTC offer new encouragement for information sharing"