Nonprofits, Cybersecurity And Antitrust Rules

The Department of Justice Antitrust Division and the Federal Trade Commission recently ruled a private information exchange focused on cybersecurity did not violate antitrust laws. While the exchange in question was run by a for-profit company, “This is a good opportunity to remind professional associations of the importance of antitrust laws,” said Andrew Bigart, an associate in the law firm Venable’s regulatory practices group.

Bigart, along with Venable partner Jeffrey Tenenbaum, authored a nonprofit alert regarding the DoJ’s and FTC’s ruling on CyberPoint’s TruSTAR program, a platform which allows members of the program to anonymously report threats to cybersecurity.

The specific ruling is “more of a private sector initiative but has to do with exchanging information between competitors,” said Bigart. “Those types of information exchanges and benchmarking are something trade associations do all the time. Associations across a lot of different industries conduct surveys of their members on best practices or even certain competitively sensitive info, such as wages and salaries across an industry. They collect this kind of information from their members to provide useful resources for the industry.”

Sharon Moss, Ph.D., chief research officer for ASAE/Center of Association Leadership, an umbrella group of associations, said it carries out a number of benchmarking studies and strives to conduct them with antitrust regulations in mind. She said ASAE’s members take their cues from the organization in regards to best practices.

Benchmarking “is essentially a pretty widespread survey that allows us to look at different practices and behaviors and conditions and provide measurement of organizations’ performance against the norms of other similar organizations,” said Moss. “We do share this information in aggregate form. The specific data are not so narrowly presented so that our members would be in any violation of antitrust regulations.”

Bigart and Tenenbaum recommend a number of measures organizations can take in to run afoul of antitrust laws:

  • Have antitrust counsel review the proposed exchange;
  • Participation must be voluntary;
  • Participating companies and nonprofits should not be involved in the collection or compilation of data;
  • Data collected should be historic, not current or projected;
  • Data published should be in aggregate; and,
  • The program should not identify individual participants.

“If a nonprofit is sponsoring an information exchange, they need to make sure it’s structured so the information exchanged can’t be used for anticompetitive purposes,” said Bigart. “The enforcement agencies have issued a safety zone for conducting these kinds of exchanges, so when an association sponsors this type of activity, they can do so without antitrust risk.”