The recent U.S. Supreme Court decision in Loper Bright Enterprises v. Raimondo threw a wrench into the realm of cybersecurity regulation. The Court's decision effectively overturned the Chevron Doctrine, a longstanding principle that gave deference to federal agencies' interpretations of ambiguous laws. Cybersecurity leaders are now scrambling to understand the implications for regulating the threat landscape—already a moving target.
The Chevron Doctrine was a key principle in administrative law that gave deference to federal agencies' interpretations of statutes when the language was ambiguous. Under Chevron, courts would defer to an agency's application of a statute if the interpretation was considered "reasonable."
In the rapidly evolving field of cybersecurity, this doctrine has significant implications. Some cybersecurity experts argue that the Chevron Doctrine allowed agencies such as the Federal Trade Commission (FTC) and the Cybersecurity and Infrastructure Security Agency (CISA) to respond quickly to new threats and technologies. These agencies could interpret and enforce cyber regulations without waiting for new legislation.
Alan Cohn, former Assistant Secretary for Strategy, Planning, Analysis & Risk at the U.S. Department of Homeland Security, commented that the ruling represents a significant shift in the balance of power between the judicial and executive branches. He expressed concern that the decision could lead to a more fragmented and inconsistent regulatory environment, where courts, rather than expert agencies, interpret complex laws. This shift, according to Cohn, might hinder the ability of federal agencies to effectively address emerging challenges, such as cybersecurity threats and national security issues, which require specialized knowledge and swift action.
Hemanth Tadepalli, Cybersecurity and Compliance Engineer at May Mobility, has been researching the Chevron Doctrine and the implications of the Supreme Court's decision. May Mobility is a pioneering company dedicated to revolutionizing mobility through cutting-edge autonomous vehicle technology. The topic hits home for Tadepalli as someone working in compliance.
"For professionals in our field, this change necessitates a reevaluation of how we approach regulatory compliance and advocacy," said Tadepalli, who will be speaking on Securing Autonomous Vehicles: Unveiling Emerging Threats from Technological Advances and Effective Mitigation Strategies at SecureWorld Detroit on September 18. "The Chevron Doctrine has provided a framework for courts to defer to federal agencies' interpretations of ambiguous statutes. This deference allowed agencies like CISA to issue guidelines and regulations with a degree of predictability and stability."
Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, warned that the Supreme Court's decision undermines the expertise of federal agencies that are better equipped to handle technical and specialized matters. She suggested that the ruling could disrupt critical regulatory frameworks that protect public health, safety, and privacy. Granick argued that courts might lack the necessary expertise to make informed decisions on complex issues, such as data privacy and surveillance regulations, which could lead to less effective protections for individuals' rights.
"The Supreme Court's Loper decision, jettisoning Chevron and upending the longstanding core of administrative law, has major implications for cyber and privacy regulations that are promulgated and enforced by federal agencies, such as CISA, the FTC, and SEC," said Myriah Jaworski, Member, Clark Hill Law. "Courts are no longer required to defer to these agencies' interpretation of their own rules, and may instead substitute their own judgement in an area that is particularly vulnerable to challenge under Loper—where old laws are leveraged to address new security and privacy risks."
"With Chevron no longer in play, we can anticipate a surge in legal challenges to agency regulations, leading to increased uncertainty. Cybersecurity compliance professionals must now brace for a more unexpected regulatory changed environment," Tadepalli said. "This could mean more frequent changes to compliance requirements as courts take a more active role in interpreting statutes directly. I think what's important is being side by side of legal developments and building close relationships with legal counsel; this will be more crucial than ever."
Paul Rosenzweig, former Deputy Assistant Secretary for Policy at the U.S. Department of Homeland Security, pointed out that the ruling could lead to increased judicial activism and politicization of regulatory interpretations. He noted that by removing deference to agencies' expertise, courts might make decisions based on judges' personal policy preferences, rather than on technical and scientific understanding. Rosenzweig expressed concern that this could result in a less predictable regulatory environment, where businesses and individuals face greater uncertainty regarding compliance with federal regulations.
"Most at peril is the FTC, the agency that has, under Commissioner Khan, taken an expansive view of its Section 5 unfair competition authority. Recent FTC rulemaking under Section 5 includes the Health Breach Notification Rule and proposed changes to the Children's Online Privacy Protection rule," Jaworski said. "The proposed CISA rule to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is more vulnerable to legal challenge and overturn, and the volume of lawsuits challenging this and other rules is likely to increase dramatically."
"And last, the SEC's authority has been doubly impacted by this year's SCOTUS term," Jaworski said. "Losing Chevron deference, the SEC also saw its administrative proceedings process struck down in Jarkesy. In a Loper and Jarkesy world, administrative agencies have lost not just the longstanding Chevron deference to their technical interpretations but also limits in their enforcement abilities."
With the Chevron Doctrine gone, courts will now have a more prominent role in interpreting cybersecurity regulations. There could be delays in issuing regulations, as agencies navigate the legal landscape, and potentially inconsistent interpretations across different jurisdictions.
"Without Chevron deference, agencies may adopt a more cautious approach in their rule-making, potentially slowing down the issuance of new regulations," Tadepalli said. "For cybersecurity and compliance professionals, this could mean a delay in the implementation of necessary safeguards and protocols, particularly in response to emerging threats such as well-defined controls for organizations. Going forward, I think organizations should consider adopting more flexible compliance strategies, building in the capacity to quickly adjust to new legal interpretations and regulatory changes. This might involve investing in technologies and training programs that can be rapidly updated to align with the latest legal standards."
"As someone who has served and been appointed to government task forces, and playing a crucial role in government advocacy, the same concept applies here," Tadepalli said. "Cybersecurity professionals, along with industry groups, will need to play a more active role in shaping legislation and regulatory policies. Engaging with lawmakers and participating in public comment periods for proposed regulations can really ensure that the unique challenges of cybersecurity are adequately addressed."
Several possibilities exist to address the regulatory uncertainty created by the Chevron ruling.
The future of U.S. cybersecurity regulation remains uncertain. The Supreme Court's decision in Loper Bright has undoubtedly created significant challenges. However, it also presents an opportunity for Congress, regulatory agencies, and the cybersecurity industry to collaborate on developing a more effective approach to regulating cyber risks in a rapidly evolving digital landscape.
It's important to note that this is a developing situation, and the full impact of the Chevron Doctrine's overturn will likely take time to unfold. Keeping a close eye on future legislative and regulatory actions, as well as court rulings, will be crucial for cybersecurity professionals and businesses alike.