Antitrust issues surrounding CSI obtained from vertically integrated firms are becoming increasingly important because (1) the U.S. antitrust enforcement agencies appear set to increase the rigor with which they investigate business conduct generally, and vertical mergers specifically; and (2) information transfer issues have been featured prominently in recent agency merger enforcement discussions. Now, more than ever, in-house counsel will need to identify CSI in the context of vertical mergers, discern whether sharing CSI among certain business units within a vertically integrated firm would support an alleged violation of the antitrust laws, and provide practical guidance and solutions, such as reasonable firewalls, to ensure that these principles are understood and confidentiality of CSI maintained by the businesses they counsel.
Increased Scrutiny of Vertical Merger Issues
Vertical transactions combine firms at different levels of a supply or commercial chain. While the primary antitrust focus in horizontal mergers is on the effects on competition from the elimination of a competitor (whether in the form of increased prices or reduced product quality, innovation, or service), the primary focus in vertical mergers is on whether the acquisition of an upstream or downstream firm will result in anticompetitive increases in rivals’ costs (e.g., by foreclosing or otherwise discriminating against rivals with respect to their access to necessary goods or services) or facilitate collusion.
Recent bipartisan support for increased antitrust enforcement has resulted in increased scrutiny of vertical mergers at both the FTC and DOJ. Just last month, the FTC withdrew its approval of the June 2020 Vertical Merger Guidelines (the “VMG”) and the VMG Commentary. Although the DOJ continues to use the VMG, it has signaled a willingness to work with the FTC to formulate revised guidelines.
While forthcoming changes in agency guidance are likely to focus on the economic analysis of the merged firm’s competitive incentives, we expect that the VMG guidance on intra-firm sharing of CSI will not change significantly:
In some circumstances, the merged firm can use access to a rival’s competitively sensitive information to moderate its competitive response to its rival’s competitive actions. For example, it may preempt or react quickly to a rival’s procompetitive business actions. Under such conditions, rivals may see less competitive value in taking procompetitive actions. Relatedly, rivals may refrain from doing business with the merged firm rather than risk that the merged firm would use their competitively sensitive business information as described above. They may become less effective competitors if they must rely on less preferred trading partners, or if they pay higher prices because they have fewer competing options.
The VMG also emphasize the potential for coordinated effects:
Coordinated effects may also arise . . . when changes in market structure or the merged firm’s access to confidential information facilitate (a) reaching a tacit agreement among market participants, (b) detecting cheating on such an agreement, or (c) punishing cheating firms.
To highlight this concern, the VMG provide an example of a vertical merger raising coordinated effects concerns:
Example 8: Vertical merger raising coordinated effects issues
Situation: A merger combines a manufacturer of components and a maker of final products.
Discussion: Where the component manufacturer supplies rival makers of final products, it will have information on the rival’s volume of final product, and thus will be better able to detect cheating on a tacit agreement to limit the output of final products. As a result, the merger may make an agreement to limit supply more effective.
The FTC’s commentary to the VMG emphasized its concerns regarding CSI in vertical transactions:
A transaction may harm competition in a relevant market if the transaction gives the combined firm access to and control of sensitive business information about its upstream or downstream rivals that was unavailable to it before the merger. This may create a disincentive for those upstream or downstream firms to attempt procompetitive initiatives. The threat of the merged firm’s access to proprietary information also might cause rival firms to end their trade relationships with the merged firm and accept lower quality or more expensive goods or services as substitutes, resulting in harm to downstream customers. Additionally, access to competitively sensitive information about its rivals may also facilitate or cause reduced competitive responses from the merged firm that harm consumers.
As data and technology increasingly drive the competitive landscape, investigations of CSI-sharing within vertically integrated firms may become more frequent. The agencies recognize that technological advances and the ability to access vast amounts of information within seconds “have the potential to make data more competitively significant and strategically valuable to a firm, and thus to augment the intensity of competition between that firm and its market rivals.” Thus, while there is no question that strategic vertical mergers may lead to procompetitive results, the antitrust agencies have signaled that they will also examine whether obtaining CSI may give vertically integrated firms the ability and incentive to harm competition. Firms seeking to vertically integrate therefore need to be prepared for potential investigations and recourse because antitrust enforcers will want to ensure that CSI does not lessen competition after a firm merges with a partner in the supply chain.
Agency Firewall Requirements
Traditionally, the antitrust agencies have addressed the potential harms arising from a vertically integrated firm accessing CSI by requiring information firewalls as a condition to closing. These firewalls prevent the flow of CSI between certain personnel and business units in the firm, thereby reducing the possibility of collusion and inhibiting unilateral anticompetitive conduct.
A properly constructed firewall will, for example, prevent the flow of CSI among those employees who negotiate and set prices in competition with the competitor providing the CSI, who are responsible for marketing/advertising competing products, or who are responsible for supply or distribution arrangements. At the same time, it will permit CSI to flow to those on the side of the business that is upstream or downstream from the CSI provider, as well as those responsible for important legal or regulatory functions, including corporate governance, finance, tax, budgets, and other key roles. Although in more recent times federal regulators have expressed greater skepticism regarding behavioral remedies in vertical cases generally, firewalls will continue to be an important component of remedial relief in those cases in which the regulator is willing to agree to a conduct-based fix.
The U.S. antitrust agencies may increasingly require firewall provisions to ensure that competitors’ pricing and other CSI is shared only with certain personnel of the merged or acquiring company. An information firewall prevents the flow of CSI between certain personnel to reduce the possibility of collusion and to inhibit unilateral anticompetitive conduct. It thus can preserve competition while allowing for significant efficiencies from vertical integration.
The most recent firewall guidance from the FTC can be found in Sycamore Partners II, L.P., in which the agency required Staples to erect a firewall as a condition to clearing its acquisition of Essendant. Under the terms of the consent, Staples (a national retailer of office products) and Essendant (a wholesale distributor) were required to establish a firewall separating Staples’ business-to-business end customer selling functions from Essendant’s wholesale selling function. The firewall permitted only Staples employees performing wholesale, legal and regulatory, or shared services, or members of a management oversight group, to have access to Essendant’s commercially sensitive business information relating to its reseller customers and related end-customers. Several years earlier, in PepsiCo, Inc., the FTC required PepsiCo, Inc. to implement a firewall before allowing it to acquire two of the largest independent bottlers and distributors. In that Order, CSI was defined to include all information provided, disclosed, or otherwise made available by Dr Pepper to PepsiCo that is not in the public domain, including but not limited to information related to the research, development, production, marketing, advertising, promotion, pricing, distribution, sales, or after-sales support of the products at issue. PepsiCo was not permitted to share Dr Pepper’s CSI with employees responsible for setting PepsiCo’s competing prices, formulating new and existing products, marketing and advertising the products, or determining when price promotions and newspaper advertisements would be placed for the products.
These consent decrees demonstrate the agencies’ view that a wide variety of CSI, including pricing and other strategic and proprietary information, must be carefully safeguarded and shared only with those who are authorized within the newly merged firm. This ensures that competition will not be stifled and that a merged firm cannot use certain data to unfairly gain a competitive advantage.
Practical Advice for General Counsel
There is no one-size-fits-all approach to identifying CSI or designing a compliance plan to secure the flow of CSI within a vertically integrated firm. Every firm and industry have unique business factors, systems and environments where information can be used, stored, maintained and processed. It is therefore critical for in-house counsel to understand fully the particular nature of the CSI that the firm will be receiving, the client’s business plans, the client’s organizations and data management structure, and how CSI may be used in a manner consistent with antitrust laws.
We offer below some practical guidance that will enable in-house counsel to properly handle CSI within a vertically integrated firm.
1. Identify the types of CSI the vertically integrated firm will be receiving.
Neither the VMG nor the Commentary specifically identify or define what the antitrust agencies believe constitutes CSI. However, a review of the recent matters investigated by the agencies shows that the following categories of information would generally be considered CSI:
- Non-public pricing information;
- Proprietary research and development information; and
- Non-public customer information, including non-price but proprietary information relating to future purchases, capacity, output, or planned shutdowns.
CSI generally does not include information about the acquired entity’s customers that is presented in a format that is aggregated (where information and identities of individual customers are not revealed) and/or anonymized (where identities of individual customers are not revealed).
Accordingly, as a threshold matter, in-house counsel should identify what information needs to be safeguarded. To do this effectively, counsel should discuss this information with both members of the incumbent firm and members of the newly integrated firm. Some key questions to ask include:
- What information does the acquired firm receive from competitors/customers that is non-public?
- How is that information used in the competitive marketplace?
- Can the information be used in a manner to increase prices to customers or otherwise to adversely affect competition?
- Would customers/competitors likely complain if the information was disseminated in the vertically integrated unit?
- Is there a way to aggregate or anonymize the information so that it can be used by other business units?
Fully understanding the nature of the information and how its use may affect competition will enable in-house counsel to determine as a threshold whether the information is CSI.
2. Identify the business units or personnel who may seek access to CSI and understand whether and why they need it.
Information firewalls prohibit certain personnel within vertically integrated firms from obtaining or sharing CSI with their colleagues in order to maintain arms-length competition between the acquired company and third parties, and to reduce the risk that information is being inappropriately shared within the firm post-merger. Generally, an information firewall assures that CSI will be accessible only to those personnel who:
- Do not have decision-making responsibility for setting prices, or marketing or advertising of the merged firm’s competing products; and either
- Need to know the information to carry out supply or distribution contracts, or for some other procompetitive purpose; or
- Are otherwise responsible for certain necessary reporting functions.
Upon the acquisition of a vertical business, in-house counsel will immediately be confronted with managing potential CSI, and requests by various business groups within the consolidated firm for such information. After identifying what types of CSI are most critical in an integration, counsel will often have to identify which business units or personnel are likely to seek access to the CSI and understand why they want it. Simply stated, if granting access to CSI to a particular business unit or personnel would potentially lead to an anticompetitive outcome (e.g., by allowing for anticompetitive coordination with competitors or undue access to competitive intelligence that may result in reduced competition), then the CSI should not be shared with that business unit/personnel. If, however, there are procompetitive purposes, such as innovating products or gaining efficiencies, or competitively neutral reasons, such as financial reporting, then CSI may be able to be shared so long as, on balance, the likely procompetitive effects outweigh any anticompetitive risks. Understanding the rationale and usage of the CSI is an important step so that, if challenged, there is a well-reasoned contemporaneous and procompetitive business justification for sharing the information.
To ascertain the rationale for sharing CSI across different business units, we suggest asking the following questions to both the newly integrated unit that holds the CSI as well as the incumbent unit that wishes to access the CSI:
- What is the information currently used for?
- What is the rationale for providing the information to the incumbent unit?
- How will the incumbent unit use the information?
- If the incumbent unit uses the information, how might it affect competition?
- Will use of the information affect purchasers of the consolidated companies’ products, including by increasing prices or reducing competition in any way?
- If the third-party provider of the CSI knew that the information was being shared within the vertically integrated firm, how might that provider react?
A non-legal consideration that should also be evaluated in this step is whether there are any third-party business relationships that may be affected by information sharing. Stated otherwise, would customers or suppliers be upset if they knew that their information might be disseminated within the fully integrated firm. Often, business personnel seeking CSI will not fully ascertain the competitive concerns associated with using this information. They simply see competitive advantages gained from accessing the information, and they may not be in tune with the external business partner who feels disadvantaged in the marketplace. In-house counsel can help explain these concerns in practical terms to business leaders.
3. Understand the flow of information among business units.
Once it is determined that CSI needs to be contained within certain business units or groups and not accessible to others, it is imperative to understand the relationships and data management systems among the business units that receive the CSI and those units prohibited from accessing it. This requires a full understanding of the job functions and reporting requirements of personnel within each of the business units and with whom they communicate in performing their jobs. For example, does the marketing team obtain pricing information from the sales team? What information is needed for financial reporting? In order to effectively restrict the flow of CSI, in-house counsel must identify the units within the firm that share information, understand why the information needs to be shared, and how the information will be used. Only then can a proper information firewall be practically designed, explained, and administered.
Relatedly, in-house counsel needs to understand how the firm’s information technology (IT) system works. In a world in which electronic data storage typically far exceeds tangible data storage, in-house lawyers must be able to work with their IT departments to develop appropriate measures for segregation and management of data systems containing CSI. Among the questions to be answered: Will a newly acquired firm’s data be migrated onto a firm-wide network or cloud-hosted solution that is accessible to employees in multiple business units? How will security protocols and firewalls be implementable, demonstrable and auditable to ensure that any investigation of how CSI transverses the IT system will reveal how the data was shared or made secure? If CSI resides on such integrated systems, can safeguards such as passwords or segregated files be implemented to effectively limit access? With the explosion of collaborative IT tools in companies’ operating systems, this task of “firewalling” data has become far more complex than when data could easily be separated by physical walls and locked doors.
In short, if challenged or investigated, in-house counsel needs to be able to show that adequate firewall safeguards were designed and implemented in order to prevent the free-flow of CSI.
4. Make the firewall understandable to employees.
The last (and perhaps most critical) step in creating an effective firewall to safeguard CSI is to create an understandable communication initiative and training for the firm’s employees. This should be accomplished in the first instance through written, clearly-stated and understandable guidance from the legal or compliance department (or even CEO level) to relevant personnel. There must be clear and unambiguous “buy-in” from the firm’s senior-level management about the importance of adherence to antitrust laws generally, and to firewall protocols specifically. Moreover, there should be effective communication and training with applicable business units and individual employees to explain the importance of the firewall and why it must be maintained. Employees must be made aware of the important repercussions if the firewall is not properly maintained. These include the potential for costly and time-consuming government investigations as well as possible legal actions by antitrust enforcement agencies, customers, or competitors seeking to unwind the vertical integration and/or to collect monetary damages.
The importance of training employees to be aware of and identify CSI and abide by company firewalls cannot be emphasized enough. These are the individuals who, on a nearly daily basis, will need to make decisions regarding information flow. They are likely the ones who will receive the front-line requests to share CSI. Without proper training, these businesspeople may not be in position to determine when information may or may not be shared, or even when to seek guidance from the legal department. In-house counsel play an important role in this training and education in order create the compliance culture needed to maintain firewalls, while also appropriately minimizing the number of questions directed to legal staff.
5. Set clear and defined terms with customers/competitors.
From both a legal and business perspective, it is important that the firm’s suppliers, customers and competitors know that the vertically integrated firm is taking seriously its obligations to safeguard CSI that could potentially be used in an anticompetitive manner. To that end, the firm should anticipate questions from its industry partners regarding how it will protect their information and should take purposeful care in its negotiations with its customers or suppliers who are competitors so that all parties have confidence that proper antitrust compliance protocols will be followed. The risk of improper information sharing, especially with respect to potential conspiracy claims, is a risk borne by both parties. In-house counsel thus should not be surprised when these issues are raised by industry partners, and should understand that transparent and documented safeguards can protect both parties.
This protection can be accomplished in part, for example, by having both parties acknowledge and agree that CSI exchanged during the course of their business transactions may include information that would not normally be exchanged between competitors, and that those receiving such information agree to take measures to restrict access to the information to appropriate personnel. The parties should also take steps to manage their interactions appropriately, including agreeing in advance on meeting agendas, incorporating review of such agendas by counsel, clearly identifying meeting participants, providing those participants with antitrust guidance, and clearly documenting meetings, all in a manner similar to best antitrust practices used while attending trade association meetings.
Conclusion
Obtaining CSI from suppliers, customers and competitors through a vertical integration can cause great tension within a growing firm—on the one hand, business units naturally want as much information as possible to achieve efficiencies and synergies; on the other hand, firms must not share CSI in a manner that is potentially anticompetitive and can lead to harm to consumers or liability for the firm. The antitrust principles implicated by vertical integration are not always readily understood or welcomed by business personnel, particularly because they may seem to frustrate efforts to maximize efficiencies and increase profits.
It is not simple to design or implement an effective firewall that accomplishes the twin purposes of permitting the flow of CSI to certain business units for procompetitive utilization while maintaining safeguards consistent with antitrust law to prevent CSI from being provided to other units. However, the perils of not implementing appropriate safeguards surrounding the use of CSI are severe. In-house counsel need to fully understand the scope and usage of the CSI so that the necessary firewalls can be implemented. In broad terms, in-house counsel must be sure that procompetitive reasons justify sharing CSI along the vertical chain and educate their colleagues on the implications of these dynamics between procompetitive and anticompetitive justifications. They must also help design practical firewalls and safeguards to prevent anticompetitive uses of CSI. These distinctions are important and have real consequences that affect how the vertically integrated firm operates. When accomplished deliberately and with forethought, these safeguards will operate smoothly, these twin purposes will be accomplished, and the in-house counsel will have delivered real value to their clients’ business objectives while managing increasing antitrust risks.
