
The US courts may have thrown a wrench into cyber regulation

A recent decision by the US Supreme Court to overrule the longstanding Chevron Deference has serious implications for global cyber security regulation

The United States Supreme Court has stymied recent cyber security regulations and plans. To fight the proliferation of cyber security threats, President Biden’s administration has relied on creative uses of existing laws to protect critical infrastructure. However, the Supreme Court has now blunted that tool in the administration’s toolbox, and the near-term future of US cyber security regulation is murky.

In Loper Bright Enterprises v. Raimondo, the Supreme Court overruled its well-known precedent in Chevron v. Natural Resources Defense Council, the case that created the doctrine known as the Chevron Deference.

The Chevron Deference required courts to defer to a federal agency’s reasonable interpretation of an ambiguous statutory question. Where Congress had specifically empowered the agency to fill gaps in legislation, this was a demanding standard for challengers: agency decisions were binding on the courts unless they were procedurally defective, arbitrary or capricious in substance, or manifestly contrary to the statute. Not any longer.

In a 6-3 decision along party lines, the Loper Court ruling eliminated the requirement that courts defer to an agency’s reasonable interpretation of the law. The Supreme Court cited the court’s “traditional role” to “say what the law is.”

While Loper’s majority opinion does not explicitly provide a new framework for judicial review of agency interpretations, it suggested that when reviewing a challenge to an agency action, a court may consider the agency’s interpretation if it “has the power to persuade,” but cannot rely on it alone, and ultimately must come to an independent judgment.

Whether Chevron was right or wrong, and it had its critics, the Loper ruling undoubtedly shifts the balance of power between the branches of the American government, taking power from the executive branch and giving it to the judiciary and Congress. The decision will likely lead to a more fragmented and inconsistent regulatory framework.

The Loper decision will affect current and future cyber security regulations

The Loper ruling may hinder the ability of US federal agencies to effectively address emerging technology matters, such as cyber security threats and artificial intelligence (AI), which require specialised knowledge and swift action.

The executive branch has spent years creatively interpreting existing laws and applying them to cyber security, rather than waiting for a divided Congress to legislate cyber security.

The Chevron Deference was a pillar that empowered federal agencies to interpret vague US laws based on their subject matter expertise and create and enforce regulations. Its demise may unsettle federal cyber security regulations, transferring ultimate regulatory authority from agencies to the courts.

The end of the Chevron Deference will fuel an increase in litigation and complicate cyber security compliance and harmonisation. Before Loper, courts typically deferred to agency decisions, and businesses faced long odds in litigation challenges. Now, with an easier path, more companies are likely to turn to litigation and race to the courthouse, creating splits between courts and a less predictable regulatory environment.

Some examples of at-risk agency rules include:

  • Cybersecurity and Infrastructure Security Agency (CISA). CISA rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which creates requirements for critical infrastructure to notify the government when they have been breached. Its goals include compiling data, analysing threats and creating actionable intelligence to better prepare for and respond to cyber security threats. Congress directed CISA to undertake the rulemaking process to define the law and fill in numerous interpretative gaps. CISA’s proposed rules have been published and commented on, with final rules expected next year. Expect challenges to the final rules, including the who, what, when, where and how of the reporting.
  • Securities and Exchange Commission (SEC). Relying on old statutes to tackle cyber security, in July 2023, the SEC established requirements that public companies report material cyber incidents within four days of determining materiality, as well as requirements that public companies disclose their cyber risk management strategies in annual reports. These requirements are now expected to be challenged in court.
  • Federal Trade Commission (FTC). The agency has relied on decades-old unfair competition and deceptive trade practices laws over the years to craft regulations, including proposing sweeping data privacy and security rules. Existing and proposed rules are expected to be subjected to heavy scrutiny.

The private sector will become crucial in setting standards 

Due to this uncertainty, the private sector will now become much more crucial in shaping cyber security standards and norms beyond federal policy. Organisations should strengthen their cyber security posture to protect themselves against shifting regulatory requirements, and will need to bolster their legal teams to analyse and help shape the cyber security regulatory landscape.

The private sector should now work more closely with the government on cyber security regulations, pushing Congress to act decisively to protect critical services. Organisations should also scrutinise proposed rules to ensure they are clear and reflect Congressional intent.

Possible global ramifications in cyber 

The US often plays a lead role in setting international norms and standards, and as its regulations and standards become widely adopted, other countries may follow suit. However, if US federal regulations are disrupted by the courts, it may cause uncertainty in the international community about the US’ ability to lead.

One of the pillars of President Biden’s 2023 National Cybersecurity Strategy is to foster international collaboration. Given the cross-border nature of business today, it is critical that the world works together to harmonise on cyber security matters. If the US is too slow or ambiguous, other countries and the private sector may be forced to take a leading role.

Brian Arnold is director of legal affairs at managed security services provider and threat research specialist Huntress. He began his career in b2b software development before transitioning to law in the mid-2000s, specialising in intellectual property law at a number of US firms. Prior to joining Huntress, he served as lead counsel specialising in innovation, IT, telemedicine, data privacy and cyber for a major healthcare provider.
