How it Impacts Cybersecurity Law
The Loper Bright decision has yielded impactful results: the Supreme Court has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law.
Background
What is the Loper Bright Decision?
The Loper Bright decision by the U.S. Supreme Court overruled the Chevron deference, stating that courts, not agencies, will decide all relevant questions of law arising on review of agency action. The Court held that because the Administrative Procedure Act (APA)’s text is clear, agency interpretations of statutes are not entitled to deference. The ruling emphasized that courts must exercise independent judgment in deciding whether an agency has acted within its statutory authority. This decision shifts the power of statutory interpretation from federal agencies to the judiciary.
What was the Chevron Deference?
The Chevron deference required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. It originated from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council. Under Chevron, if a statute was ambiguous, courts would defer to the agency’s interpretation if it was reasonable. This deference shaped administrative law for nearly 40 years.
What immediate steps should companies consider taking now to ensure compliance with cybersecurity regulations that might be challenged in court?
Nothing has changed, yet. However, to ensure compliance with cybersecurity regulations that might now be challenged in court, companies should:
- Assess existing cybersecurity requirements to ensure they align with current regulations that are supported by clear statutory authority.
- Stay updated on court rulings and regulatory changes. The removal of Chevron deference means courts will scrutinize agency interpretations more closely.
- Be prepared to update compliance programs if regulatory or legal requirements change as a result of jurisprudence.
- Work with legal experts to navigate the evolving regulatory landscape.
Cybersecurity controls are deployed effectively when they are mapped to one or more agreed-upon risks, which can include regulatory or legal requirements as well as external threats. Companies should consider updating or removing controls in light of any future jurisprudence based on Loper Bright only if those controls existed exclusively for regulatory purposes and did not mitigate additional risks. Companies should ensure that their controls have clear traceability to requirements so that they can quickly assess the effects of any future regulatory changes.
How will the Loper Bright decision impact the enforcement of existing cybersecurity regulations under the FTC, SEC, and others?
The Loper Bright decision will likely make cybersecurity regulations more vulnerable to legal challenges. Courts will no longer defer to agency interpretations of ambiguous statutes and will exercise their independent judgment. This shift may lead to more frequent legal challenges, increased scrutiny of regulations, and delays. A partial list of agencies that may be affected by litigation post-Loper Bright follows:
- FTC: Recent FTC rulemaking under Section 5, including the Health Breach Notification Rule and proposed changes to the Children’s Online Privacy Protection Rule, could be challenged.
- SEC: The Securities and Exchange Acts of 1933 and 1934 do not mention cybersecurity, which could result in a challenge to the SEC’s requirement of cybersecurity disclosures within four days of determining materiality.
- GLBA: Regulators have recently expanded their rules with a range of cyber incident reporting requirements for financial institutions.
- TSA: TSA’s emergency amendments in 2022 for cybersecurity requirements for passenger and freight railroad carriers, as well as airport and aircraft operators, may be challenged.
- CISA: The Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule for implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 has broad interpretations and could be contested under new judicial scrutiny.
How could the Loper Bright decision affect the consistency of cybersecurity regulations and enforcement across different jurisdictions?
The Loper Bright decision may impact the consistency of cybersecurity regulations and enforcement across different jurisdictions. By eliminating the Chevron deference, courts now have more ability to interpret statutes independently, which could lead to varied interpretations and applications of cybersecurity laws. This inconsistency might force businesses to adapt their compliance programs more frequently due to varying interpretations across jurisdictions.
How will the removal of the Chevron deference potentially influence the development of future cybersecurity regulations?
The removal of the Chevron deference will likely create a more fragmented and inconsistent regulatory environment for cybersecurity. Federal agencies will need to provide more compelling justifications and details for their rulemaking decisions. This shift may lead to increased judicial scrutiny of existing regulations and proposed rules, making it harder for agencies like the FTC and CISA to quickly adapt to new threats.
Courts will consider the persuasive power of agency interpretations, giving weight to their expertise only if it is especially informative and based on thorough, consistent reasoning. This shift is likely to result in increased legal challenges to existing cybersecurity regulations and new rulemakings, complicating compliance efforts.
What role may judicial interpretation play in defining the scope of cybersecurity regulations post-Loper Bright?
Judicial interpretation will play a significant role in defining the scope of cybersecurity regulations post-Loper Bright. Courts will independently assess the statutory authority of agencies, leading to potentially more fragmented and inconsistent regulatory environments. This change necessitates a reevaluation of regulatory compliance and advocacy approaches.
Ultimately, the decision underscores the need for Congress to provide clearer statutory guidance for cybersecurity regulations to withstand judicial review.
Note: This article is expertly written and contributed by Kayne McGladrey, Field CISO at Hyperproof.