US Supreme Court ruling likely to cause chaos in cyber regulation

The U.S. Supreme Court has issued a decision that could overturn all federal cybersecurity laws, moving final regulatory approval to courts rather than regulatory agencies. A slew of likely lawsuits could strip the Biden administration of a series of cybersecurity incident reporting requirements and other recent cybersecurity regulatory actions.

In a surprising reversal of almost 40 years of administrative law, the court voted six to three last week in Loper Bright Enterprises v. Raimondo to strike down a legal precedent known as Chevron deference. Established in a 1984 Supreme Court case, Chevron required lower courts to defer to the expert interpretations of regulatory agencies in cases requiring an interpretation of Congress’s intent.

In Loper, the Supreme Court ruled that courts, not regulatory agencies, are the final arbiters of congressional law, undermining thousands of federal regulations that affect virtually every aspect of society, from environmental safety to financial fraud.

Chief Justice John Roberts wrote for the majority in Loper: “Courts must exercise their independent discretion in deciding whether an agency acted within its statutory authority.”

Roberts also said courts can’t defer to an agency’s interpretation of the law simply because the statute passed by Congress is ambiguous. The court’s decision doesn’t invalidate previous lawsuits that relied on Chevron, although challengers can relitigate those cases.

This decision could weaken all federal cybersecurity laws.

Although the Court’s decision could weaken or significantly change every federal agency cybersecurity requirement ever adopted, a number of cybersecurity regulatory initiatives implemented over the past four years could become particularly subject to legal challenges. Parties that previously opposed these initiatives, but were perhaps reluctant to fight them because of Chevron deference, will likely be encouraged to challenge these regulations.

While all existing regulations remain in effect, the result for CISOs is almost certainly a degree of uncertainty as legal challenges begin. A slew of conflicting decisions in different U.S. circuits could lead to confusion in compliance programs until the smoke clears.

Chief information security officers should expect some court rulings to weaken or eliminate many existing cybersecurity regulatory requirements.

Latest cybersecurity regulations likely to be challenged

Many recent cyber laws are likely to be challenged following the Court’s ruling, but several recent laws stand out as leading candidates for litigation. Among them are:

SEC Cyber Incident Reporting Requirements: In 2023, the U.S. Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience within four days of determining their materiality, as well as material disclosures about cybersecurity risk management, strategy, and governance each year. However, as the Center for Cybersecurity Law and Policy noted, the securities and exchange laws on which the SEC based its rules do not directly address cybersecurity.

FCC Data Breach Reporting Policy: In 2023, the U.S. Federal Communications Commission (FCC) updated and strengthened its data breach notification rules for communications service providers to protect against the misuse or disclosure of customer data. In issuing the new rules, the FCC significantly expanded its enforcement authority under the Communications Act, which focused on protecting a very narrow class of customer data called customer proprietary network information (CPNI), rather than the much broader scope of customer data covered by the Commission’s rules.

CISA Cyber Incident Reporting Requirements: In April 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) proposed a rule implementing the cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule is not expected to be finalized until 2025. However, CISA had to interpret CIRCIA broadly in developing the rule.

TSA Pipeline Regulations: In 2023, the Transportation Security Administration issued a security directive requiring natural gas and liquids pipelines and liquefied natural gas facilities to improve cybersecurity practices and mitigation measures.

TSA Cybersecurity Requirements for Passenger and Freight Rail Carriers: In 2022, the Transportation Security Administration (TSA) issued a new cybersecurity directive regulating the activities of designated rail carriers engaged in the transportation of passengers and freight to increase their preparedness and resilience to cyberattacks.

TSA Cybersecurity Requirements for Airport and Aircraft Operators: The Transportation Security Administration (TSA) has issued a new emergency cybersecurity rule amendment that will cover the security programs of specific airport and aircraft operators subject to TSA regulations.

TSA Cybersecurity Requirements for Surface Transportation Owners and Operators: In 2021, the Transportation Security Administration (TSA) issued two new security directives and additional guidance on voluntary measures to strengthen cybersecurity across the transportation sector.

Gramm-Leach-Bliley Act Requirements: In December 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule establishing computer security incident notification requirements for banking organizations and their banking service providers. The FDIC invoked its authority under the Gramm-Leach-Bliley Act (GLBA) of 1999. Under the GLBA, the National Credit Union Administration and the Commodity Futures Trading Commission also adopted their own incident reporting rules, while the Federal Trade Commission adopted a “Safeguards Rule” for financial institutions to protect customer data.

Pending actions and even old regulations may be nullified

This list does not include several significant pending regulatory actions that, while not yet finalized, are well on their way to being implemented and could be significantly changed by the Loper decision.

For example, pending Coast Guard regulations update maritime security regulations with provisions specifically aimed at establishing minimum cybersecurity requirements for U.S.-flagged vessels. Another rule still in the works, pending FCC requirements related to the security risks of the Border Gateway Protocol, may have to change its trajectory in light of the Court’s decision.

In addition, litigants could seek to challenge long-standing cybersecurity requirements associated with regulatory agencies, such as the Critical Infrastructure Protection (CIP) rules established by the North American Electric Reliability Corporation. The Federal Energy Regulatory Commission gave those rules regulatory force in 2008. Utilities and utility trade groups have routinely challenged the breadth and depth of those requirements.

It is conceivable that the rules established by the Nuclear Regulatory Commission in March 2009 to protect digital computer and communications systems related to the safety of nuclear power plants from cyberattacks could be subject to renewed judicial review in a post-Chevron world.

The court’s ruling is also likely to derail other administration cybersecurity efforts, even if they don’t involve regulation. For example, federal efforts to harmonize various cybersecurity incident reporting requirements will likely be put on hold.
Current regulations remain in force, but prepare for turbulence

All existing cybersecurity regulations remain in place, but the status quo could change quickly, given that conservative groups and business interests have likely assumed for months that the Court would get rid of Chevron and may now be preparing lawsuits.

“I will say it remains to be seen how this plays out over time,” Harley Geiger, general counsel at Venable, tells CSO. “But the most likely immediate impact could be legal challenges to the regulations.”

Many federal cybersecurity laws come from reinterpretations of older statutes and laws that weren’t necessarily designed with new technologies in mind, Geiger says. “Agencies trying to keep up with the threat landscape have had to apply laws designed to protect consumers or protect security to new attacks, like ransomware, that didn’t exist a decade ago or weren’t as prevalent a decade ago.”

“The new Supreme Court ruling means that if and when these rules are challenged in court, there will be less deference to agency findings and more independence for courts to modify or overturn agency interpretations of the law,” Geiger says. “And that will apply to both existing and future rules.”

The devastation from the court’s decision will extend to an increasingly fractious U.S. Congress that seems incapable of writing clear and unambiguous laws. “I think it’s devastating for Congress as well, not just for regulatory agencies,” Geiger says.

CISOs should prepare to survive the regulatory earthquake

Chief information security officers will have to wait and see how the ruling pans out, especially since a divided Congress is eager to pass openly ambiguous laws and use vague language as a way to achieve political consensus while relying on agency expertise to fill in the gaps.

“It’s become a much riskier approach than it used to be for both Congress and the agencies, because the judicial branch now has more power to modify, overturn or create its own interpretations,” Geiger says. “And the judicial branch tends to have less technical expertise and staff resources than federal agencies.”

Geiger says CISOs should be prepared to weather this regulatory earthquake. “I think the bottom line for CISOs is that the likely outcome of regulatory litigation is deregulation. But beyond that, we could see inconsistent interpretations or inconsistent application of regulation across jurisdictions.”

Ultimately, this could mean that chief information security officers (CISOs) managing compliance across jurisdictions “may have to consider regulatory requirements that vary by jurisdiction, and may have less certainty about whether laws and regulations will change as a result of lawsuits.”