Feds: Companies can share information to prevent hacks

The Department of Justice and the Federal Trade Commission announced Thursday that private companies can share information to prevent hacks without violating antitrust laws.

According to the agencies' officials, companies looking to share information about cyber threats with each other are often worried that cooperating with competitors will violate antitrust laws. 


"Some companies have told us about concerns about antitrust liability and that this has been a barrier to being openly share cyber threat information with each other," Deputy Attorney General James Cole said during a press event Thursday. 

"This guidance responds to those concerns [and] lets everyone know that antitrust concerns should not get in the way of sharing cybersecurity information." 

The antitrust agencies issued a policy statement making clear that companies can share information about cyber threats without violating antitrust laws that keep competitors from sharing information and provided the framework used to determine whether information sharing between competitors violates antitrust law "to reduce uncertainty for those who want to share ways to prevent and combat cyberattacks," the agencies said.

Bill Baer, head of the DOJ's Antitrust Division, called the policy statement "an antitrust no-brainer."

"As long as companies don't discuss competitive information like pricing and future output when sharing cyber security information, they're OK," he said. 

Cole pointed to the recent high-profile data breach at retail giant Target, which put at risk the personal and financial information of tens of millions of consumers, as a "reminder of how far-reaching the cyber threat has become."

FTC Chairwoman Edith Ramirez echoed Cole. "Recent data breaches remind us that cyber criminals seek to exploit vulnerabilities to get access to sensitive consumer data," she said.

Earlier this year, the White House released a cybersecurity framework after failed attempts at getting cybersecurity legislation through Congress. That framework provides a roadmap of best practices for companies looking to establish or boost their efforts to prevent and combat hacks.

White House adviser Rand Beers said information sharing is critical as private companies move forward with best practices.

"This whole process depends on information sharing," he said. "Without it, an attacker can send the same 'spear phishing' method to numerous companies, some of which may catch it and some of which will not." 

Beers added that antitrust laws are just one of the perceived barriers for companies looking to share cybersecurity information.

"Over the next year, we will continue to knock down [other] barriers, real or perceived," he said. 

The officials repeated their calls on Congress to enact cybersecurity legislation.

"Congress should pass cybersecurity legislation," Cole said, pointing to the administration's cybersecurity goals.

"We need to have provisions for information sharing between the government and private parties," he said. "It can be done to a certain degree, but we need some legislation that can make that a little easier and a little more efficient."

Ramirez — echoing testimony she has given to Congress in recent weeks — called for legislation to establish requirements for data requirements and breach notification.

"The need for such legislation has never been greater than it is today," she said.