On June 28, the Supreme Court struck down a long-standing precedent on the power of federal agencies to interpret and clarify the laws they enforce. The ruling will likely have a sweeping effect on regulations, including cybersecurity rules, in every sector.

The Supreme Court ruling in Loper Bright Enterprises v. Raimondo reversed its seminal decision in Chevron v. Natural Resources Defense Council – the 1984 precedent that called for judges to give deference to federal agencies’ interpretation of laws passed by Congress. This was also known as “Chevron deference” or the “Chevron doctrine.”

This post outlines the implications of this new legal landscape on cybersecurity regulatory efforts, enforcement, and policymaking. 

Chevron, inverted

For decades, the Chevron doctrine shaped how courts analyzed legal challenges to federal agency regulations. When Congress enacts an ambiguous law – which is quite often –  this legal principle required courts to defer to an agency's permissible interpretation of that law. As a result, agencies had significant discretion to expound upon unclear or broad statutes through regulations and enforcement, and agencies regulated accordingly.

No longer! In a 6-3 ruling, the Supreme Court held that the responsibility to decide questions of law and resolve ambiguity in statutes belongs to the courts. Going forward, courts across the country will have greater ability to modify or overturn regulations and enforcement decisions, and courts will not defer to an agency’s interpretation of the law simply because a statute is unclear.

The ruling will be used by courts in deciding cases that challenge whether a regulation exceeds Congressional authority. The ruling applies to both existing and future regulations. While the full impact will unfold over time, it is apparent that industries accustomed to navigating legal frameworks shaped by agency interpretations now confront a landscape where judicial scrutiny will alter the consistency and scope of regulatory guidance and enforcement actions. 

Impact of the ruling on security regulations

The ruling is likely to have a seismic effect on regulatory enforcement and policymaking across sectors. This includes digital security, where many federal regulations involve interpretations of older statutory authorities that pre-date modern cybersecurity practices and threats.

With Chevron deference overturned, existing cybersecurity regulations are more vulnerable to court challenge, inconsistent court rulings will make cross-jurisdiction compliance more complex, and effective future policymaking on cybersecurity will require more clarity from Congress to survive litigation intact.

Below we provide three impacts of the decision on security regulations and policymaking.

1. Existing security regulations are now vulnerable to challenge

The U.S. cybersecurity legal framework relies heavily on federal agency interpretation of laws that are often unclear regarding their application to new technologies. The cyber threat landscape evolved significantly over the past decade, but legislation has not kept pace. As a result, agencies applied older statutory mandates to protect consumers and ensure safety to newer attacks such as ransomware. More recently, the White House had declared that it was pursuing a “creative approach” to agency authority to regulate critical infrastructure cybersecurity rather than seeking new mandates from Congress.

That approach is now more perilous. Where agencies have extrapolated prescriptive system and data security requirements from ambiguous statutes, those interpretations are more prone to being struck down or modified by courts as exceeding Congressional authorization. How this occurs depends on the case that is brought, as well as the court reviewing the case, but potential examples include:

• SEC rules regarding cybersecurity disclosures – In 2023, the SEC established requirements that public companies report material cyber incidents within four days of determining materiality, as well as requirements that public companies disclose their cyber risk management strategies in annual reports. However, the Securities and Securities Exchange Acts do not directly reference cybersecurity.
  
• GLBA incident reporting rules – The Gramm-Leach-Bliley Act (GLBA) charges agency regulators with creating standards relating to the security and confidentiality of customer records and to protect against anticipated threats or hazards. Since 2022, GLBA regulators expanded their rules with a range of cyber incident reporting requirements for financial institutions. 
• TSA cybersecurity regulations – Beginning in 2022, TSA issued a series of cybersecurity requirements for airport and aircraft operators, as well as for passenger and freight railroad carriers. These amendments, made on an emergency basis, included detailed cybersecurity measures.
  

2. Current and future rulemakings must be clearer about reflecting Congress’ intent

Federal agencies are engaged in an array of proposed cybersecurity rules and regulatory efforts. These rulemakings and initiatives must now account for potential judicial review without Chevron deference. This means proposed rules must closely reflect statutory authority and Congress’ intent to be best positioned to survive litigation in judicial venues across the country. 

Some ongoing regulatory efforts have taken broad approaches to the scope of rulemaking. While it remains to be seen whether agencies will regroup and issue narrower final rules, examples of potentially impacted initiatives include: 

• CISA proposed rule under CIRCIA – In April 2024, the Cybersecurity Infrastructure and Security Agency (CISA) proposed a rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed rule makes several broad interpretations of CIRCIA’s statutory language, requiring extensive reporting of cyber incidents from a large number of entities in critical infrastructure sectors.
• Hospital security rules – White House officials have repeatedly signaled their intention to issue new baseline cybersecurity requirements for hospitals and other healthcare organizations. These rules were anticipated to tie adherence to security standards to reimbursements under the Centers for Medicare and Medicaid Services (CMS).
• EPA water system cybersecurity requirements – In October 2023, in the face of both significant backlash and multi-state litigation, the EPA withdrew planned cybersecurity audits from its requirements for water utilities. The rules had been tied to state water sanitation surveys. Any efforts to revive these requirements will likely be more difficult.
  

3. A wave of litigation may complicate cybersecurity compliance and harmonization 

The Supreme Court’s reversal of Chevron likely sets up an influx of cases challenging agency decisions. Litigation can take place in numerous districts and courts may reach different conclusions regarding how a question of law should be interpreted. 

The outcome may be less consistency in the application of regulations across jurisdictions. Industry compliance programs may evolve to account for cybersecurity regulatory requirements that change more frequently due to litigation. Executive branch efforts to harmonize cybersecurity regulations without explicit Congressional authority may lose steam, forcing industry compliance to continue grappling with a patchwork of security rules.

If the overall effect of court challenges is deregulation, there may be a greater emphasis on efforts to encourage industry to voluntarily strengthen cybersecurity, while other actors may be less compelled to ensure their security practices keep pace with cyber threats.

Needed: Congressional clarity, targeted rules, judicial expertise, industry leadership

With the reversal of Chevron, Congress can no longer pass vaguely worded legislation with the expectation that agencies will have license to fill in the gaps and adapt old laws to changing technologies. Clarity of language and intention are crucial in Congress’ actions on system and data security.

Federal agencies have the difficult task of administering cybersecurity regulations, guidance, and initiatives in a highly dynamic digital threat environment. Narrowly targeted rules with sound statutory backing will help ensure this work is not upended by newly empowered litigants.

The judiciary now has greater independence to second guess security regulations, yet cybersecurity is a highly technical discipline. Judicial education, understanding, and expertise in emerging technology and cybersecurity will be key to balanced decisions in the complicated cases likely to face courts in the future.

Perhaps now more than ever, private sector initiatives to voluntarily adopt effective cyber risk management programs are needed to strengthen the resilience of consumers, enterprises, and society.

‍