The Loper Bright decision produced dramatic results: the Supreme Court overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously enacted by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity legislation.
Background
What is the Loper Bright decision?
The US Supreme Court’s decision in Loper Bright overturned Chevron deference, stating that the courts, not the agencies, will decide all relevant questions of law that arise when reviewing agency actions. The court held that because the text of the Administrative Procedure Act (APA) is clear, agencies’ interpretations of the laws are not entitled to deference. The ruling emphasized that courts must exercise independent judgment in deciding whether an agency acted within its statutory authority. This decision transfers the power to interpret the law from federal agencies to the judiciary.
What was Chevron deference?
Chevron deference required courts to follow federal agencies’ reasonable interpretations of ambiguous laws. It arose out of the 1984 Supreme Court case Chevron USA, Inc. v. Natural Resources Defense Council. Under Chevron, when a statute was ambiguous, courts would defer to the agency’s interpretation if it was reasonable. This deference has shaped administrative law for nearly 40 years.
What immediate steps should companies take now to ensure compliance with cybersecurity regulations that could be challenged in court?
So far nothing has changed. However, to ensure compliance with cybersecurity regulations, which may now be challenged in court, companies must:
- Assess existing cybersecurity requirements to ensure they are consistent with current regulations supported by clear legislative authority.
- Stay up-to-date on court decisions and regulatory changes. Overturning Chevron deference means courts will scrutinize agency interpretations more closely.
- Be prepared to update compliance programs if regulatory or legal requirements change as a result of case law.
- Work with legal experts to navigate the changing regulatory landscape.
Cybersecurity controls are deployed effectively when each control in place is matched against one or more agreed risks, which may include regulatory or legal requirements, as well as external threats. Companies should consider updating or removing controls in light of any future case law based on Loper Bright only if those controls existed solely for regulatory purposes and did not mitigate additional risks. Companies should ensure that their controls are clearly traceable to requirements so that they can quickly assess the impact of any future regulatory changes.
How will the Loper Bright decision affect enforcement of existing cybersecurity regulations by the FTC, SEC, and others?
The Loper Bright decision is likely to make cybersecurity regulations more vulnerable to legal challenges. Courts will no longer defer to agencies’ interpretations of ambiguous laws and will exercise independent judgment. This shift could lead to more frequent legal challenges, more scrutiny of regulations and delays. A partial list of agencies that may be affected by the post-Loper Bright litigation is below:
- FTC: Recent FTC rulemakings under Title 5, including the Health Breach Notification Rule and proposed changes to the Children’s Online Privacy Protection Rule, may be challenged.
- SEC: The Securities and Exchange Acts of 1933 and 1934 do not mention cybersecurity, which could lead to challenges to the SEC’s requirement of cybersecurity disclosure within four days of a materiality determination.
- GLBA: Regulators recently expanded their rules with a number of cyber incident reporting requirements for financial institutions.
- TSA: The TSA’s 2022 emergency amendments to the cybersecurity requirements of passenger and freight rail carriers, as well as airport and aircraft operators, could be challenged.
- CISA: The Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule for the Critical Infrastructure Cyber Incident Reporting Act of 2022 relies on broad interpretations and could be challenged under new judicial review.
How might the Loper Bright decision affect the consistency and enforcement of cybersecurity regulations across jurisdictions?
The Loper Bright decision could affect the consistency of cybersecurity regulations and their enforcement across jurisdictions. By overturning Chevron deference, courts now have more leeway to independently interpret laws, which can lead to different interpretations and applications of cybersecurity laws. This inconsistency may force businesses to adapt their compliance programs more often due to different interpretations in different jurisdictions.
How will removing Chevron deference potentially affect the development of future cybersecurity regulations?
Removing Chevron deference would likely create a more fragmented and inconsistent regulatory environment for cybersecurity. Federal agencies will need to provide more compelling rationales and details for their rulemaking decisions. This shift could lead to increased judicial scrutiny of existing and proposed regulations, making it more difficult for agencies like the FTC and CISA to quickly adapt to new threats.
Courts will consider the persuasive force of agencies’ interpretations, giving weight to their expertise only if it is particularly informative and based on careful, consistent reasoning. This shift will likely lead to increased legal challenges to existing and new cybersecurity regulations, complicating compliance efforts.
What role might judicial interpretation play in determining the scope of cybersecurity regulations after Loper Bright?
Judicial interpretation will play a significant role in determining the scope of cybersecurity regulations after Loper Bright. Courts will independently evaluate agencies’ statutory powers, leading to a potentially more fragmented and inconsistent regulatory environment. This change requires a reassessment of regulatory compliance and advocacy approaches.
Ultimately, the decision underscores the need for Congress to provide clearer legislative guidance on cybersecurity regulations to withstand judicial review.