How this affects cybersecurity law

August 5, 2024 | The Hacker News | Cybersecurity Law / Data Protection

Cybersecurity Law

The Loper Bright decision produced significant results: the Supreme Court overturned forty years of administrative law, opening the door to litigation over how federal agencies have interpreted ambiguous statutes in the regulations they issue. This article discusses key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law.

Background

What is the Loper Bright decision?

The U.S. Supreme Court’s decision in Loper Bright overturned the Chevron deference rule, holding that courts, not agencies, must decide the questions of statutory interpretation that arise when agency action is reviewed. The court held that because the text of the Administrative Procedure Act (APA) is clear, agencies’ interpretations of statutes are not entitled to deference. The ruling emphasized that courts must exercise independent judgment in deciding whether an agency acted within its statutory authority. This decision shifts the authority to interpret statutes from federal agencies to the courts.

What was the Chevron Deference?

The Chevron rule required courts to defer to reasonable interpretations of ambiguous statutes by federal agencies. It originated in the 1984 Supreme Court case Chevron USA, Inc. v. Natural Resources Defense Council. Under the Chevron rule, if a statute was ambiguous, courts would defer to the agency’s interpretation as long as it was reasonable. This rule shaped administrative law for nearly 40 years.

What immediate steps should businesses consider to ensure compliance with cybersecurity regulations that could be challenged in court?

Nothing has changed yet. But to comply with cybersecurity regulations that could now be challenged in court, companies should:

  • Assess existing cybersecurity requirements to ensure they are compliant with applicable regulations supported by clear statutory provisions.
  • Stay up to date on court rulings and regulatory changes. The removal of the Chevron rule means courts will scrutinize agency interpretations more closely.
  • Be prepared to update your compliance programs if regulatory or legal requirements change as a result of case law.
  • Collaborate with legal experts to navigate the changing regulatory environment.

Effective cybersecurity controls are implemented when they are mapped to one or more agreed risks, which may include regulatory or legal requirements as well as external threats. Firms should consider updating or removing controls in light of future Loper Bright-based jurisprudence only if those controls existed solely for regulatory purposes and did not mitigate additional risks. Firms should ensure that their controls have clear traceability to requirements so that they can quickly assess the impact of any future regulatory changes.

What impact will the Loper Bright decision have on enforcement of existing cybersecurity laws by the FTC, SEC, and other agencies?

The Loper Bright decision will likely make cybersecurity regulations more susceptible to legal challenges. Courts will no longer defer to agency interpretations of ambiguous statutes and will instead exercise their independent judgment. This change could lead to more frequent legal challenges, increased scrutiny of agency rulemaking, and delays. Below is a partial list of agencies whose rules could be affected by litigation following Loper Bright:

  • FTC: The FTC’s latest Section 5 rule includes health breach notification provisions, and its proposed changes to children’s online privacy rules could be challenged.
  • SEC: The Securities Acts of 1933 and 1934 do not mention cybersecurity, which may result in a challenge to the SEC requirement to disclose cybersecurity incidents within four business days of a materiality determination.
  • Financial regulators: Regulators have recently expanded their rules to include a number of cyber incident reporting requirements for financial institutions.
  • TSA: Emergency changes made by the TSA in 2022 to cybersecurity requirements for rail carriers transporting passengers and freight, as well as for airport and aircraft operators, could be challenged.
  • CISA: The Cybersecurity and Infrastructure Security Agency’s (CISA) proposed regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) take a broad reading of the statute and could be challenged under the new standard of judicial review.

How might the Loper Bright ruling impact the consistency of cybersecurity laws and enforcement across jurisdictions?

The Loper Bright decision could affect the consistency of cybersecurity laws and their enforcement across jurisdictions. By eliminating Chevron deference, the ruling gives courts greater scope to interpret statutes independently, which could lead to varying interpretations and applications of the same cybersecurity rule in different circuits. This inconsistency could force companies to adjust their compliance programs more frequently to account for differing interpretations across jurisdictions.

How will the abolition of Chevron deference potentially impact the development of future cybersecurity regulations?

Removing Chevron deference will likely create a more fragmented and inconsistent regulatory environment for cybersecurity. Federal agencies will be required to provide more compelling justifications and more detail for their rulemaking decisions. This change could lead to increased judicial review of existing regulations and proposed rules, making it harder for agencies like the FTC and CISA to adapt quickly to new threats.

Courts will consider the persuasiveness of agency interpretations, giving weight to their expertise only when it is particularly illuminating and based on thorough, coherent reasoning. This shift will likely lead to increased legal challenges to existing cybersecurity laws and new regulations, complicating compliance efforts.

What role can judicial interpretation play in defining the scope of cybersecurity law after Loper Bright?

Judicial interpretation will play a significant role in defining the scope of cybersecurity regulations after Loper Bright. Courts will independently evaluate the statutory authority behind agency rules, which could lead to a more fragmented and inconsistent regulatory environment. This shift requires firms to reassess both their regulatory compliance and their advocacy approaches.

Ultimately, this decision underscores the need for Congress to provide clearer statutory guidance on cybersecurity regulation so that it can withstand judicial scrutiny.

Note: This article was written by expert Kayne McGladrey, field CISO at Hyperproof.
