Supreme Court Ruling Threatens the Framework of Cybersecurity Regulation

A recent Supreme Court ruling has shifted regulatory enforcement from the federal agencies to the judicial system.

On June 28, 2024, the Supreme Court struck down a legal principle known as the Chevron Doctrine (or Deference). This doctrine dates to a 1984 Supreme Court ruling (Chevron v Natural Resources Defense Council) that allows federal agencies to use their own expertise to interpret ambiguities in the law.

It became the foundation for the federal system of regulation through federal agencies: agency rules, intended to clarify and implement statutory intentions, could be enforced by the agencies themselves. This applied technical expertise and relative speed to the application of law. But the latest SCOTUS ruling abandons the need for courts to show deference to agency expertise, overruling the forty-years-old practice. From SCOTUS,

The courts need no longer defer to the Chevron Doctrine in cases that involve agency rulings on agencies’ own rules. Since much US cybersecurity regulation is delivered through different federal agencies (such as the FDA, the SEC, and the DHS) rather than directly from acts of Congress, this will have a major effect on the determination and enforcement of cyber regulation in the US.

“This landmark decision from the US Supreme Court will likely have tectonic and long-lasting consequences for administrative rulemaking in the US,” comments Ilia Kolochenko, attorney-at-law with Platt Law LLP and CEO at Immuniweb. “By overruling the 40-year-old Chevron doctrine, the Supreme Court gave significantly more judicial power and leeway to courts in the interpretation of federal law that may be (and often is) vague, unclear or just silent on certain elements, such as cybersecurity, privacy or data breach disclosure.”

Cutting to the chase, if a business appeals an agency decision, the courts need no longer defer to the agency’s opinion on the matter. This could lead more companies to appeal agency decisions, and well-funded companies to treat US regulations in the same way they treat EU regulations: masses of paperwork, dozens of lawyers, and appeal after appeal.

“Many are now projecting a tsunami of litigation for federal agencies and/or officials, who will now be able to be sued in perpetuity for decisions made,” comments Ken Dunham, director of cyber threat at Qualys TRU. 

Speaking to Scott Detrow at NPR, Harvard Law School professor Jody Freeman, adds, “It’s a massive power shift back to the courts and away from agencies. And to put this in context, this is part of a series of cases in which the Supreme Court has made it harder for agencies to do their job.”

Cloud & Data Security Summit | Virtual Event

Kolochenko goes further: “If a court believes that an administrative rule is inconsistent with an implied purpose of the statute… the court may now simply invalidate the rule. SEC rules on cybersecurity and breach disclosure, or the proposed CISA’s rules relating to critical national infrastructure drafted under CIRCIA, and many other rules and regulations, may possibly be invalidated by court.”

CISA’s CIRCIA implementation may be under particular threat. As recently as April 4, 2024, CISA published a Notice of Proposed Rulemaking (NPRM). The Center for Cybersecurity Policy and Law says, “The proposed rule makes several broad interpretations of CIRCIA’s statutory language, requiring extensive reporting of cyber incidents from a large number of entities in critical infrastructure sectors.” On any appeal, the courts no longer need to defer to agencies’ ‘broad interpretations’.

“This change will likely result in more regulatory actions being challenged and ultimately overturned, leading to legal uncertainty for regulatory bodies and the industries they oversee,” adds Jason Porter, VP and CTO at Optiv + ClearShark.

Such thoughts are of course pessimistic. We have yet to see how the SCOTUS ruling will play out over time, and there are potentially some more optimistic outcomes. “I see both pros and cons to the recent Supreme Court ruling overturning Chevron deference,” comments Aaron Rose, office of the CTO at Check Point Software. The primary benefit is that it could force Congress to draft more detailed and better defined legislation and ensure that the agencies base their regulations on the letter of the law rather than their own (albeit it more expert) wishlist.

“Additionally,” he adds, “increased judicial oversight means that courts will interpret laws rather than agencies, potentially resulting in more consistent and fair rulings based on established legal principles.”

The cons he sees are similar to other people’s concerns. “With the rapid evolution of technology, particularly in cybersecurity, timely adaptation is critical. The Supreme Court’s decision could slow down the implementation of necessary measures, leaving gaps for hackers and bad actors to exploit. While agencies can still create their own rules and regulations to adapt to emerging threats, there is legal uncertainty as to whether these rules will be upheld in courts.”

He concludes, “The need for detailed laws could make regulations clearer and more specific to avoid legal challenges, but it might slow down the response to emerging threats and create legal uncertainties.” 

Laws are written by politicians who are not technology experts. They are interpreted and enforced by judges who are not technology experts. The only experts in the field are the agencies, but they have been muzzled by SCOTUS. It is difficult to see who benefits from this development. It’s the blind leading the blind, while neutering the guide dog.

RelatedHow to Align Your Incident Response Practices With the New SEC Disclosure Rules

RelatedFDA Announces New Cybersecurity Requirements for Medical Devices

RelatedDo Privacy and Data Protection Regulations Create as Many Problems as They Solve?

RelatedCyber Insights 2023 | Regulations