Etiam pulvinar consectetur dolor sed malesuada. Ut convallis
euismod dolor nec pretium. Nunc ut tristique massa.
Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan.
Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem,
suscipit in posuere in, interdum non magna.
Politics is too often about making promises elected officials may be unable to (or even know they cannot) deliver. Yet where law enforcement is concerned — especially antitrust, which directly affects the economic future of our country — politics typically yields subjective and biased results. So it is with much irony that competitors of Google recently began a very public political offensive aimed at pressuring the Federal Trade Commission to sue the Web search giant for unlawful monopolization.
This is not the first such initiative, just the most unprincipled and wrong-headed. Citing anonymous sources, the Washington Post reported recently that the nearly two-year antitrust investigation by the FTC of competitor complaints against Google would end soon with a settlement “without addressing the most serious charge” of alleged “search bias.” Those same competitors have, in response, dramatically accused the FTC of abandoning its “institutional integrity” and begun actively shopping for a more receptive audience at the U.S. Department of Justice’s Antitrust Division, saying they “are losing faith that the FTC will act forcefully on their complaints.”
Every competition lawyer can repeat the maxim that the antitrust laws protect competition, not competitors. That means hitting competitors where it hurts is a good thing because it helps consumers. So media leaks, revealing that — despite a committed chairman and the hiring of a high-profile litigator to bring a case against Google to trial — the FTC uncovered no evidence that any “manipulation” of search results actually harmed consumers, are revealing. Revealing the absence of legitimate grounds to file a search monopolization case against Google, that is. A settlement that does not include restrictions on Google’s Web search activities is not one which fails to “address” that serious charge, however, but instead one that eschews politicized antitrust enforcement in favor of following the evidence. When there is no compelling proof of a legal violation, prosecutors should and, absent outside interference usually will, stand down.
This author has said before that the idea of “search neutrality” — positing some objective standard for search engine results — is an oxymoron and an invalid basis for antitrust liability. What the search complainants and their lawyers, like Silicon Valley’s outspoken Gary Reback, do not get is that governmental intervention in a dynamic, rapidly evolving industry, in which the dominant firm of today was hardly a speck merely a decade ago and has no power to force anyone to use its services, smacks of subjectivity. Are the antitrust lawyers and economists in the federal government supposed to function as a Federal Search Commission? Should the FTC ask federal judges and juries to determine when search result rankings are “fair” and, if so, how could anyone possibly make that determination?
Even apart from the reality that the settled legal elements of monopolization are totally absent when applied to Google (market share, monopoly power over prices, barriers to entry, network effects, etc.), that has always been the Achilles’ Heel of the complaining competitors like Yelp and their FairSearch.org coalition. Google’s search algorithms represent its secret sauce and crown jewels, the code that tumbled Yahoo and long-forgotten firms like Alta Vista from their perch as erstwhile Web search leaders. Looking under the search hood would effectively put the federal government in the position of confiscating, or at least deflating the value, of those trade secrets. To do so under the guise of “fairness” is doubly misguided; the Supreme Court has definitively ruled that firms have no duty of fairness nor to assist rivals, and that even the most malicious attacks against individual competitors do not, without adverse consequences to broader market competition, give rise to an antitrust offense.
The media reports indicating that its antitrust investigation found no evidence of consumer harm in search or search advertising simply show that the FTC has done the right thing. As FTC Commissioner Thomas Rosch remarked, it is “not embarrassing” for the agency to vote not to bring a case, because the commission is “just doing its job.” No amount of taunting from competitors will or can change that fact. Far from a cop out, this is what we pay these public officials to do, in a dispassionate and principled manner. Keeping an open mind until the facts are collected and sorted through is commendable for public law enforcement officials, the opposite of an abdication of responsibility.
In this context, turning to the Justice Department in the face of the FTC’s conclusions is unseemly. Justice reviewed and approved Google’s earlier acquisition of travel software provider ITA, imposing competition conditions but pointedly not accepting FairSearch’s claims that the antitrust laws compel search neutrality. The FTC and DOJ agreed that the former would conduct the broader federal investigation into Google’s search practices. Unlike the Microsoft antitrust case of 1998, where the FTC was frozen into inaction by a deadlock, here the FTC appears to have at least a majority, if not unanimity, against a monopolization prosecution. It is Mr. Reback and his clients who should be embarrassed by their brazen forum-shopping, not the FTC and its chairman, which have conducted a thorough and careful investigation. That competitors do not like the result is sour grapes, rather than a failure of will by the antitrust agencies. Governmental prudence toward search neutrality represents wisdom, not capitulation.
Glenn Manishin is an antitrust partner with Troutman Sanders in Washington, D.C. He represented MCI in the United States v. AT&T antitrust case and several competitive software trade associations in the United States v. Microsoft case. He does not represent Google.
Late Friday afternoon, several stories appeared quoting unnamed sources that the Federal Trade Commission (FTC) has received a staff memo recommending an antitrust prosecution of Google. Now, in a letter just days ago to FTC Chairman Jon Leibowitz, Colorado Rep. Jared Polis — founder of bluemountain.com and ProFlowers.com — counseled that an FTC monopolization case against Google could lead to legislative blowback.
I believe that application of antitrust against Google would be a woefully misguided step that would threaten the very integrity of our antitrust system, and could ultimately lead to congressional action resulting in a reduction in the ability of the FTC to enforce critical antitrust protections in industries where markets are being distorted by monopolies or oligopolies.
Meanwhile, commentators are whacking each other silly. Sam Gustin observed in TimeBusiness that “Microsoft and its anti-Google allies have spent untold millions waging an overt and covert campaign designed to persuade regulators to hobble the search leader. Perhaps if these companies spent a little less time complaining and a little more time innovating, they’d have a better chance of competing in the marketplace.” In response, John Paczkowski at AllThingsDigital noted the Polis letter’s “fortuitous timing” and implied that it “seems a bit odd” for a junior legislator to threaten a sitting FTC chairman, concluding that “maybe we should all wait and see the FTC’s evidence and the merits of its case — if there is one — before threatening to limit the agency’s authority.”
It is clear to any objective observer that there is a case in the works and that the FTC, which on background leaked that four of five commissioners are already on board, sent a trial balloon out through the press last week. Paczkowski is naive if he believes the timing of the stories last Friday was also not “fortuitous” or that the “merits” of the FTC’s case may not properly be a matter of policy and political debate. Having witnessed this same pas de deux for years in connection with United States v. Microsoft Corp., it’s just business as usual in Washington, DC. That may not make it right or courteous, but it does make it completely unexceptional.
[This series of posts dissects the threatened FTC antitrust case against Google and concludes that a monopolization prosecution by the federal government would be a very bad idea. We divide the topic into five parts, one policy and four legal. Check out Part I, Part II, Part III and Part IV.]
There have been hints by the FTC that it may rely on Section 5 as the basis for a potential case against Google. This strategy could have serious repercussions because the FTC’s use of unfair competition as a surrogate for what the antitrust laws do not or cannot reach would be unbounded from the rigorous Sherman Act standards of unlawful monopolization. The FTC has never won a pure Section 5 lawsuit before.
5. A “Pure” Section 5 Case Would Almost Certainly Lose, And Should
There is one point of law on which everyone agrees. As the Supreme Court held, Section 5 can reach business conduct that is not, of itself, violative of the antitrust laws. But exactly how far the statute extends beyond the Sherman Act is unclear; in the FTC’s 2008 public workshop on Section 5 As A Competition Statute there was much debate on that issue. Here’s how the FTC described the problem:
The precise reach of Section 5 and its relationship to other antitrust statutes has long been a matter of debate. The Supreme Court observed in Indiana Federation of Dentists that the “standard of ‘unfairness’ under the FTC Act is, by necessity, an elusive one, encompassing not only practices that violate the Sherman Act and the other antitrust laws but also practices that the Commission determines are against public policy for other reasons.” In the early 1980s, however, lower courts were critical of efforts by the FTC to enforce a reading of Section 5 that captured conduct falling outside the Sherman Act. In striking down the FTC’s orders, the Second Circuit in its “Ethyl” decision expressed concern that the Commission’s theory of liability failed “to discriminate between normally acceptable business behavior and conduct that is unreasonable or unacceptable.”
The vast majority of non-merger FTC cases enforce the Sherman Act. However, beginning in the early 1990s the Commission reached a number of consent agreements involving invitations to collude, practices that facilitate collusion or collusion-like results in the absence of an agreement, and misconduct relating to standard setting. Because the complaints in these cases did not allege all the elements of a Sherman Act violation, the Commission’s theory of liability rested on a broader reach of Section 5. As consent decrees, none of these cases was reviewed, let alone endorsed, by the courts.
And that’s the rub. Take “invitations to collude” for instance. Under Section 1 of the Sherman Act, an agreement among competitors, whether express or tacit, is the predicate to illegality. This has been interpreted to mean attempts at price-fixing are not unlawful unless the other company says “yes.” Famously, the Justice Department initially lost, but then won on appeal, a 1982 challenge to American Airlines’ overt attempt at fixing airfare rates using an antitrust theory of attempted joint monopolization, fashioned to end-run the requirement of a horizontal agreement. That case presented unique market circumstances (American and Braniff sharing dominance of Dallas “hub” flights) and unequivocally anticompetitive behavior that lacked any efficiency or competitive justification. Most antitrust scholars and practitioners thus generally agree that an invitation to fix prices is something the FTC should, as it has in the past, prosecute pursuant to Section 5, because the underlying conduct itself has no economic legitimacy other than to override marketplace competition.
Hence the problem where Google is concerned. First, there is a recognized basis under Section 2 for attacking unilateral attempts to monopolize a relevant market. Absent the necessary dangerous probability of success, something woefully lacking here, an unfair competition case premised on conduct by a dominant firm that falls short of attempted monopolization is very likely to receive the same hostile judicial reaction the Commission acknowledged in 2008. Second, as private unfair competition cases (which may only be brought under state law, not Section 5) have explained, the absence of legitimate business justification can support an inference of anticompetitive behavior. Yet, in organizing and structuring its organic search results, no one disputes that Google has a real business justification to deliver better results to users and thus more eyeballs to advertisers: in other words to make money. Without the predatory sacrifice of short-run profits — i.e., with normal, profit-maximizing behavior — there is real economic legitimacy to the conduct forming the basis for a case against Google.
[This series of posts dissects the threatened FTC antitrust case against Google and concludes that a monopolization prosecution by the federal government would be a very bad idea. We divide the topic into five parts, one policy and four legal. Check out Part I, Part II and Part III.]
To make out a monopolization case, any plaintiff, FTC or otherwise, must not only show monopoly power in a relevant market, but also that anticompetitive practices led to (obtained) or protected (maintained) that power. Antitrust lawyers dub this the “conduct” element of Section 2. It’s what differentiates lawful monopolies, earned by innovation and business skill, from unlawful acts of monopolization.
Exclusionary or anticompetitive conduct — the terms are the same — is something other than competition on the merits. A colloquial definition which basically matches the judicial one is that anticompetitive conduct is business behavior that defeats competing firms on a basis other than efficiency. Likewise, conduct that sacrifices short-run profits in order to “recoup” those relative losses with higher future prices is not rational business behavior and is thus regarded by the law as presumptively predatory, the most egregious form of anticompetitive behavior.
4. Google Has Not Engaged In Exclusionary Practices
Try as they might, the proponents of an FTC case against Google have not made a credible showing anything Google has done meets these accepted tests for exclusionary conduct. The fallacy of their critique is summed up with a Web ad running now asking whether we can “trust” Google. Neither trust nor fairness have anything to do with the antitrust laws. Monopolization is not unfair competition, it is illegal competition.
Unfairness represents a qualitative judgment that has nothing to do with current antitrust law. As the modern Supreme Court has written:
Even an act of pure malice by one business competitor against another does not, without more, state a claim under the federal antitrust laws; those laws do not create a federal law of unfair competition or “purport to afford remedies for all torts committed by or against persons engaged in interstate commerce”…. The success of any predatory scheme depends on maintaining monopoly power for long enough both to recoup the predator’s losses and to harvest some additional gain.
In sum, marketplace competition is not boxing and there are no Marquess of Queensberry Rules governing how firms must fight “fairly”. Anything goes in our market system so long as it pits product against product and is not illegal — in other words, so long as the challenged practices do not use the power of a monopoly position to drive out equally-efficient competitors.
[This series of posts dissects the threatened FTC antitrust case against Google and concludes that a monopolization prosecution by the federal government would be a very bad idea. We divide the topic into five parts, one policy and four legal. Check out Part I and Part II.]
Antitrust law is characterized by rigorous, fact-intensive analysis, so much so that the prevailing jurisprudence holds that market definition (explored in Part II) generally should not be resolved on the “pleadings” alone, in other words without factual discovery. Nothing typifies the demanding analytical framework of antitrust more than monopoly power, part of the first element of a Section 2 monopolization case — possession of monopoly power in the relevant market. With respect to monopoly power, the potential case of FTC v. Google, Inc. will likely run into some especially significant barriers, no pun intended.
3. Google Has No Monopoly Power, Even In Internet Search/Advertising
There’s precious little room in a relatively brief blog series to expound on all the various elements that factor into a judicial finding of monopoly power. The basic principle is that a high market share (typically 70% or more), coupled with barriers to entry, allows an inference of monopoly power to be drawn. But like nearly all legal inferences that’s merely a rebuttable, prima facie construct, as direct proof of the “power to control price or exclude competition” is the best evidence of monopoly. (It’s just hard to find.)
This author has written elsewhere about The Fantasy Google Monopoly, in which I noted that “the reality is that Google neither acts like nor is sheltered from competition like the monopolists of the past, something the company’s critics never claim because they just can’t.”
Like the Red Queen in Through the Looking Glass, Google succeeds only by running faster than its competitors — merely to stay in the same place. There’s nothing about Internet search that locks users into Google’s search engine or its many other products. Nor is new entry at all difficult. There are few, if any, scale economies in search and the acquisition of data in today’s digital environment is relatively cost free. Microsoft’s impressive growth of Bing in a mere two or so years shows that new competition in search can come at any time.
While that sums up, rather cogently I must say, the antitrust analysis, let’s go to the coaches’ tape and break it down.
No Bottleneck or “Gateway” Control. Ten years ago, when the FCC and FTC both believed America Online — which boasted a very high share of dial-up Internet access — had monopoly power, the (fleeting) conclusion rested on the fact that AOL controlled access by its customers to the Internet and thus competing Internet content. Much like the pre-divestiture AT&T Bell System, the concern was that AOL held a “bottleneck” through which consumers had to pass to reach rivals. Yet Google does not own the Internet’s tramsission lines or 4G spectrum, and is thus not a bottleneck. Regardless of search share or volume, the reality is that Google has no control over the content its search users can access on the Internet. Web search is one of many ways, together with links, URLs, browser bookmarks, directories, QR codes, email marketing and uncountable others, for Internet sites to drive traffic and hits. Google is not a gateway so much as it is a highly and quickly searchable index of the Web. When there’s a host of other ways to find a page, the index itself is just a convenience, as much for bound books as for Web sites.
No Power Over Price. Whether search ad rates are the price of search or alternatively the relevant antitrust market itself, they fail on the central monopoly power criterion of control over price. As micro-economics teaches, a monopolist can increase prices above marginal costs, resulting in a “deadweight” loss to consumer welfare. Yet Google’s search ads are priced via an auction system — the highest bidder for an advertising keyword buys the ads (as many or as few as it wants) at the winning bid price. Certainly, there are ways to game any auction to favor some bidders over others or to exert indirect influence on the wining auction price. But so far as we can tell, such a theory of pricing power is not involved in the FTC’s threatened monopolization claim against Google. And if it were, that case would be even harder to prove than this overview analysis concludes.
No Network Effects. Nothing symbolizes modern antitrust so much as an emphasis on so-called “network effects.” Network effects exist when the value of a product increases in proportion to the number of other users of the product, hence a name which originated in telephone antitrust cases, where subscriber demand for service rose in proportion to the number of interconnected telephone companies (and thus other telephone subscribers) the end user could call. Network effects are in part a barrier to entry, by increasing requirements for scale economies by new firms, and a source of power to exclude rivals, by allowing the dominant network effects firm to deny competitors critical mass. Yet there is no, or at least precious little, evidence that with respect to search users and search advertisers, there are any network effects at all involved with Google. That you may conduct Web searches using Google’s engine makes it no more likely that me or any other Web users will select Google for search. That Sears may buy some AdWords keywords for search advertising makes it only slightly if at all more likely (and a consequence of retail competition, not Google) that Macy’s will purchase search ads via a Google auction.
No Entry Barriers. A monopoly in a market in which entry by new competitors is unlimited cannot be sustained for long. Thus, as noted antitrust law couples market share with barriers to entry in assessing monopoly power. It is difficult if not impossible to make a serious case that there are substantial entry barriers in Internet search or advertising. Web page indexing — the key input to search — is a product of raw computing horsepower and storage capacity. Both are commodities with steadily falling prices, per Moore’s law, in today’s Internet economy. That Facebook is planing to launch its own search product says it all: entry into search only requires investment capital, which the antitrust laws rightfully do not regard as an entry barrier. As the UK’s Daily Mail wrote, “Facebook is looking to tackle Google by making search a much more prominent part of it social network.” The Red Queen strikes again.
“Data” Is Not a Search Entry Barrier. Proponents of a Google monopolization prosecution have recently refined their analysis, suggesting that the wealth of demographic data assembled by Google from users’ Web searches is a barrier to entry. That’s a smokescreen. Data about consumer preferences and behavior — aggregated and (much to the annoyance of privacy advocates) individualized — is also a commodity in our modern economy. Whether credit and commercial transaction data via the “big three” credit reporting agencies, product preference and consumer satisfaction data from J.C. Power and the like, or the emerging “big data” marketplace, data can easily be bought, in bulk, for cheap. (The U.S. legal presumption that a company owns, and thus can sell, data about its customers plays into this point, but is not relevant for antitrust purposes.) The corollary to this argument is that economies of scale pose a barrier to entry, an even more subtle concept which, unlike network effects, has not been recognized by mainstream antitrust courts as a dispositive Section 2 factor — every large-scale business enjoys scale economies, after all. Suffice it to say, the FTC would have to make new antitrust law if it relies on this novel theory, which seems to contradict the factual realities of the ubiquitous availability of inexpensive data and data storage on consumer preference and behavior today.
To sum up, claims that Google enjoys monopoly power in Internet search or search advertising fail in the face of the recognized criteria for that crucial Section 2 monopolization factor. Without monopoly power, unilateral (as opposed to concerted among competitors) action by a single firm is of no antitrust significance. Indeed, an implicit — and sometimes articulated — presumption in the arguments in favor of an FTC monopolization case is that Internet search is a “natural monopoly,” one dictated and preordained by the economic structure of the market. As an antitrust lawyer who while with the DOJ in the 1980s railed against the proposition that cable TV represented a natural monopoly — something satellite television and IPTV have at long last conclusively disproven — this author abhors that construct.
Even if they are correct, the parties pressing for government antitrust action against Google cannot claim the courts have ever recognized the concept of natural monopoly as a surrogate for the United States v. Grinnell Corp.requisite demonstration of actual monopoly power, willfully obtained or sheltered by exclusionary practices. We’ll turn to that question, whether Google has engaged in conduct antitrust law deems anticompetitive, next.
Last week I participated in a “parliamentary” debate, sponsored by TechFreedom, on the Federal Trade Commission’s anticipated lawsuit against Google for monopolization. The dialog is interesting, if I say so myself!!
[This series of posts dissects the threatened FTC antitrust case against Google and concludes that a monopolization prosecution by the federal government would be a very bad idea. We divide the topic into five parts, one policy and four legal. Check out Part I.]
Section 2 of the 1890 Sherman Act (15 U.S.C. § 2) makes “monopolization” unlawful. As every antitrust practitioner can recite by heart, this means that being a monopoly is not illegal, rather it is illegal to obtain or maintain monopoly power in a “relevant market” by exclusionary or anticompetitive means.
The most famous articulation of this basic principle comes from the case of United States v. Grinnell Corp. (“Grinnell“), 384 U.S. 563 (1966), in which the U.S. Supreme Court explained that a monopoly position reached as a result of a “superior product, business acumen or historic accident” is different from one achieved by the “willful acquisition or maintenance of that power.” That slightly schizophrenic approach reflects the basic conflict within antitrust itself. The law encourages, and permits, firms with market power (typically a synonym for monopoly power, although economists disagree at the margins) to compete aggressively on the merits, and even to eliminate competitors. Yet to tame the results of unbridled capitalism, Section 2 constrains companies from creating or defending monopoly power with anticompetitive practices.
2. Internet Search and Search Advertising are Not Relevant Antitrust Markets
The starting point for every antitrust case is market definition — outlining the contours of a market, in which the defendant participates, in order to assess whether the firm possesses monopoly power in that market. In defining the relevant antitrust market, courts determine which products compete with the defendant’s product and thus limit or prevent the exercise of market power. Typically, this process involves examining substitutability of products (both from a demand and a supply perspective) to find whether consumers and rivals could switch to another source (or sources) if the defendant firm were to raise price or restrict output. For example, in the 1950s chemical innovator duPont was charged with monopolizing the cellophane market, a product it invented, but the courts ruled that the relevant antitrust market could not be so narrowly limited because cellophane was interchangeable with other food wrapping materials. The “great sensitivity of customers in the flexible packaging markets to price or quality changes” prevented duPont from exerting monopoly control over price.
The more broadly the relevant antitrust market is defined, the less likely it is the defendant has the ability to exercise monopoly power in that market. As a corollary, if the targeted firm does not have monopoly power in the relevant market, there generally cannot be Section 2 liability. Many recent antitrust cases, including the FTC’s controversial attempt to block Whole Foods’ acquisition of Wild Oats and the Justice Department’s challenge to the Oracle-PeopleSoft merger, have turned on market definition.
With that background, let’s look at the purported “Internet search” market. That’s obviously the core proposition in any attack on Google for unlawful monopolization, because the necessary premise is that Google’s dominant share — estimated at from 65 to 80% — of Web searches is the foundation of its alleged monopoly. But here the antitrust analysis begins to break down. Internet search is a free product in which the consumers (Internet users) are charged nothing, with the service supported by advertising revenues. Since monopoly power is the “power to control price or exclude competition,” one must necessarily ask whether Google’s high “market share” reflects any market power at all. More importantly, search users are just like broadcast television viewers; they are an input into a different product — search advertising — in which consumers themselves are effectively sold by virtue of advertising rates based largely on impressions and click-throughs. Just as NBC, ABC, CBS and Fox compete for television eyeballs in order to sell more advertising (hence profiting) to sponsors, so too do Internet search engines monetize the service by selling eyeballs to advertisers.
Google’s share of search by itself is therefore almost meaningless. Even if the relevant market is confined to search, moreover, there is nothing that enables Google to prevent users from switching, instantaneously, to another of the scores of search engine providers on the Internet. (It should go without saying that even the government does not contend that Google displaced Yahoo!, Alta Vista, Ask.com and the many former search giants that dominated the Internet in the 1990s with anything other than better, more useful, search results, a consequence of better algorithms — the epitome of Grinnell’s “superior product.”) So the relevant market analysis must therefore focus on the area where Google in fact competes with other search engine providers, namely in the sale of search advertising. We all know that the links displayed alongside so-called “organic” search results are paid, listed conspicuously as “sponsored” results. Without search advertising, in today’s Internet economy there would be no free search engine services.
So much media attention was paid to the spectacular collapse of U.S. Senate deliberations on a cybersecurity bill in August — and the Obama Administration’s controversial move to fashion an Executive Order on the subject — that few if anyone focused on the biggest change affecting the data protection landscape. The Securities & Exchange Commission (SEC) guidelines on disclosure of cyber attacks by publicly traded corporations have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc., according to recent agency enforcement letters.
Last fall, the SEC completed a long process of issuing staff “guidance” on when cybersecurity risks must be disclosed in public company securities filings (annual reports, 10Qs, etc.). The sensible conclusion was that if a hack or intrusion would be “material” to an ordinary investor, corporations need to disclose the cyber risk and discuss their actions to ameliorate or prevent it. Unlike Y2K, however, these guidelines, released by the SEC’s corporate finance section, did not come with a “safe harbor” for disclosing companies. In 1999, congressional legislation created a legal safety zone for Y2K disclosures, avoiding liability under the Securities Act of 1934, that has not been replicated with respect to more general cybersecurity risks.
The recent SEC enforcement steps also have taken place at the corporate finance division level, but presumably with the informal approval at least of SEC Chair Mary Schapiro. In these cases, the agency “requested” that a number of large Internet companies clarify or modify their SEC filings to disclose cyber incidents that previously had not been reported to investors. In April, the SEC asked Amazon to disclose in its next quarterly filing that hackers had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January, which Amazon did. Google likewise agreed in May to put a previously disclosed cyber atack in its formal earnings report. AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked to improve disclosures of cyber risks, according to agency staff correspondence reported by Bloomberg News.
We note your disclosure that if your security measures are breached, or if your services are subject to attacks that degrade or deny the ability of users to access your products and services, your products and services may be perceived as not being secure, users and customers may curtail or stop using your products and services, and you may incur significant legal and financial exposure. We also note your Current Report on Form 8-K filed January 13, 2010 disclosing that you were the subject of a cyber attack. In order to provide the proper context for your risk factor disclosures, please revise your disclosure in your next quarterly report on Form 10-Q to state that in the past you have experienced attacks. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.
The difference between fall 2011 and spring 2012 is that, irrespective of the formal legal effect of staff guidance, the SEC is using its administrative processes to produce a disclosure result not specifically compelled by the agency’s rules for corporate securities filings. That in itself is not surprising, since the securities laws and implementing SEC regulations are broad enough to encompass any factor, whether financial or otherwise, that could affect stock prices. Here, the SEC staff opined in its guidance that basic SEC rules about market manipulation, insider trading and misleading shareholders (e.g., Rule 10b-5) required disclosure of cyber incidents and cybersecurity risks by any business potentially affected by hacking. And that’s obviously not confined to online retailers or Web-centric businesses.
The bigger question is how businesses can protect themselves from the embarrassment of such compelled, government-mandated cyber disclosures and the even greater potential for fines and formal enforcement actions the SEC may utilize in the IT security realm going forward. Here are a few pointers:
Do not assume that merely because your business is not online, cybersecurity cannot affect the company. Hundreds of “brick and mortar” retailers, for instance, have had consumer credit card records breached.
Treat data security just like your securities lawyers treat any other risk to the business’s future, since that is how federal regulators view cyber risks.
Do not assume the SEC’s focus on cybersecurity is limited to public companies, because the underlying rules cited by its corporate finance division apply just as much to private placements as they do to proxy solicitations and 10K reports.
When disclosing IT security risks, make sure they are balanced by something concrete and proactive to prevent, or diminish the severity of, cyber attacks. Otherwise diclosures may have the opposite effect of encouraging shareholder class action litigation.
Work closely with compliance counsel, IT technology experts and your insurance carriers to develop workable cybersecurity assessment and intrusion notification regimes, internally and externally. This should not only reduce legal exposure, but going forward lower the company’s costs for cyber insurance. Periodic outside reviews should provide both comfort and legal protection to CEOs or CFOs signing SEC submissions.
These SEC staff actions were balanced by the traditional caveat that “our comments or changes to disclosure in response to our comments do not foreclose the Commission from taking any action with respect to the company or the filings and the company may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.” But the chances the full SEC would prosecute a public company for following staff suggestions are remote. On the other hand, for public corporations that ignore this lesson, and fail to disclose cybersecurity risks, we suspect only pain and expense — most likely in a Commission prosecution or fine — lie in their SEC futures. So rules are really rules, even when they are not.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.
People have been talking, and pontificating, about a coming “Internet of Things” since 1999. The idea is that the many sensors, actuators and digital data recorders in the environment around us — like the electronic control units (ECUs) in modern automobiles — will be uniquely identified and connected via IP to each other and to the world. This would allow instantaneous supply chain fulfillment, green initiatives like demand-side management and smart refrigerators, as well as simply cool stuff that puts remotely programming one’s DVR from a smartphone app to shame. As McKinsey & Co. noted in 2010:
The physical world itself is becoming a type of information system… When objects can both sense the environment and communicate, they become tools for understanding complexity and responding to it swiftly. What’s revolutionary in all this is that these physical information systems … work largely without human intervention.
So what’s going on? Two things. The obvious one is that more than a decade later (and despite the fact that by 2008 there were already more “things” connected to the Internet than people in the world) we are still not “there” yet. Refrigerators cannot detect when the last soda can is used, let alone order more autonomously; HVAC systems largely cannot interact with electricity genitors in real time to consume more energy when rates are lower, and vice-versa; and suitcases cannot communicate with airport luggage systems to tell the machines onto which flight they should be loaded (except with barcode readers). Partially, that’s because technologists frequently overstate adoption projections for new networks by 10 years or more. Less obvious is that there’s been a quiet push in the European Union (EU) to regulate the IoT even before it is fully gestated and born.
A European Commission “consultancy” on the Internet of Things was launched in 2008. By 2009 the EU had already issued an Action Plan for Europe for the IoT, which concluded:
Although IoT will help to address certain problems, it will usher in its own set of challenges, some directly affecting individuals. For example, some applications may be closely interlinked with critical infrastructures such as the power supply while others will handle information related to an individual’s whereabouts. Simply leaving the development of IoT to the private sector, and possibly to other world regions, is not a sensible option in view of the deep societal changes that IoT will bring about.
As a result, libertarian business groups such as the European-American Business Council and TechAmerica Europe have this summer come out in opposition to the EU’s approach, pressing for industry-led standards and application of existing measures, like the existing EU data protection rules (which already exceed the United States’ by a wide margin), “in lieu of a new regulatory structure.”
This is a scary prospect. That the EU would even consider crafting a regulatory scheme now for a technology revolution that realistically remains years away, requires immense levels of cooperation among industries, and holds the potential to transform business and life as we know it, is remarkable. Remarkable because such a philosophy is so alien to American economic values and to the spirit of innovation and entrepreneurship that launched the commercial Internet and Web 2.0 revolutions.
This article is not the place to debate the conflicts, trade-offs and differing views of government animating current technology policy issues like net neutrality, privacy and cybersecurity, copyright and the like. The reality though, is that issues such as those are generally being assessed within a spectrum of solutions, worldwide, which reflect known risks and benefits, some proposals of course being more interventionist than others. But that is far different from allowing a single bureaucratic monolith to dictate the shape of an industry and technology that remains embryonic. How is it even possible to develop fair rules for the IoT when no one has any real idea what or when it will be?
More than 15 years ago, this writer worked for one of his corporate clients on a legislative amendment offered by Rep. Anna Eshoo (D-Cal.) to the Telecommunications Act of 1996. The so-called “Eshoo Amendment,” designed to limit the role of the Federal Communications Commission in mandating standards for emerging, competitive digital technologies like home automation, passed. The irony, of course, is that at the time Congresswoman Eshoo analogized home automation to a future world like that of The Jetsons. Now 16 years down the road, we are barely closer to George, Elroy and their flying cars, robotic maids and the like than we were then.
But that ’96 effort illustrated a fundamental difference between the United States and the European Union about the proper role of government with respect to innovation. The EU subsidizes research, sets agendas and looks to intervene in the marketplace in order to establish rules of the road even before new industries are launched. The US sits back, lets the private sector innovate, and generally intervenes only when there has been a “market failure.” That’s a philosophy largely embraced by both major American parties regardless of the increasingly polarized political landscape in Washington, DC.
This basic difference in world views between the home of the Internet and European regulators — as true today as in 1996, if not more so — could doom the Internet of Things. So if you are a fan of future shock, then it’s clear you should not react to the EU’s efforts to shape the IoT with a viva la difference attitude. The difference is dangerous to innovation and especially dangerous to disruptive innovation. It’s no wonder that few real digital innovations have come from Europe. Don’t expect many in the future unless the EU finds a way to decentralize and privatize its bureaucratic tendency towards aggrandizing government in the face of what IoT experts anticipate will be “a small avalanche of disruptive innovations.”
When Google’s proposed acquisition of Motorola Mobility was announced in 2011, the business press focused mainly on the extension of Google’s core business from Internet search into hardware. But from a legal perspective, the treatment given the deal by competition authorities in the United States, the EU and China raises intriguing questions about the scope and objectives of merger policy in emerging technology markets.
The acquisition represents a classic case of downstream vertical integration into complementary markets. Since Google’s aborted launch of its own “Nexus One” smartphone in 2010, Google’s presence in the wireless handset and other hardware markets has been minimal. Merger reviews typically focus on horizontal concentration in a relevant product market; namely, to evaluate the risk that an increase of concentration post-transaction may produce a rise in prices or other so-called “coordinated effects.” There has been virtual unanimity among antitrust scholars and enforcement authorities for several decades that vertical integration typically presents little or no antitrust risk.
That is a principal result of the Chicago School antitrust revolution, ushered into American antitrust law and policy byGTE Sylvania in 1977. Under this approach, vertical restrictions and other relationships between manufacturers, distributors and retailers are presumptively procompetitive by increasing incentives for interbrand competition. Although technically classified as a “rule of reason” analysis, in reality the leniency of American antitrust law to vertical restraints has been such that there are almost no significant examples (with a few exceptions, like the Microsoft monopolization case of 1998-2000) of vertical restraints or mergers being judged to violate the Clayton Act or the Sherman Act.
So it should come as little surprise, therefore, that from an antitrust perspective Google’s proposal to acquire Motorola Mobility raised very few eyebrows. Yet just weeks ago it was announced that Google had received final approval to close the deal from the new China Competition Authority (the Ministry of Commerce, Anti-Monopoly Bureau ), contingent on one important concession. The Chinese required that Google pledge to maintain its Android operating system (OS) on a free basis for all wireless device manufacturers for the next five years.
The evident competition concern here is behavioral, not structural. That is, there is no risk that post-merger, Google’s share of either its own markets or Motorola’s markets will exacerbate coordinated affects or give it enhanced unilateral market power. To the contrary, the competitive risk potentially feared by antitrust regulators or competitors is that once it has a presence in wireless device manufacturing, Google might favor its own financial and competitive interests downstream by beginning to charge device manufacturing rivals for the Android OS.
This presents two provocative issues. First, should merger enforcement policy be grounded in a prediction of the post-transaction business incentives of the merging parties? While merger analysis must necessarily be based on a prediction of future effects, projecting the future business behavior of any one firm is far more problematic and unreliable than the kind of structural market analysis informed by HHI and oligopoly economics. And in most if not all antitrust regimes, even if the merger itself is accorded clearance by competition authorities, governments and competitors still have the opportunity to challenge actual post-merger conduct as a violation of the antitrust laws. Especially in rapidly changing technology markets — of which wireless handsets are undoubtedly a leading example — the risk of error in basing merger policy on predictions of future business behavior seems rather high.
The second issue raised by Chinese approval of the Google-Motorola deal is whether antitrust enforcers can or should dictate price. Typically, it is assumed that antitrust policy relies upon marketplace competition to produce the most efficient allocation of resources and “correct” pricing. Even in per se illegal price-fixing cases, the government never independently decides what the “right” price should be, but rather steps in to redress cartels or other restraints that limit the ability of market forces to set price based upon supply and demand.
“Open source” software, however, seems to be an emerging exception to that settled rule. In Oracle’s 2009 acquisition of Sun Microsystems, competitive concerns were raised about whether Oracle might begin charging for Sun’s open source mySQL database software. In Google’s 2010 acquisition of ITA, a travel software developer, the U.S. Justice Department required as part of a consent decree settlement that Google agree to maintain ITA pricing to travel service rivals and to continue R&D for the software itself. While ITA represents proprietary, paid software, the same vertical pricing concerns animated the government’s response to that deal as well.
But who is to decide whether an OS, or any other software, must or should be offered for free? The business model case for open source — dating back to that pioneered by Netscape in the late 1990s, where the Web upstart offered its browsing software for free in order to capture share and profits from the sale of server software — has been that companies offer free products in order to monetize their investment at another level (typically upstream) of the distribution chain. Economics would therefore teach that, if as seems correct, Google could make more money from handset profits than licenses for its Android OS, its rational business incentives would be to maintain Android as a free, open source product.
There’s still a big difference between legacy command-and-control economies like China, despite its recent liberalizations, and the market-oriented economy of the United States. Yet with increasing globalization these sorts of conflicting world views are likely to become more prominent. Whether the OS wants to be free could become less important than whether some government or enforcement agency – probably not in the U.S., one hopes – makes it their job to supplant the marketplace and dictate the answer.