The Loper Bright decision was impactful: the Supreme Court overturned 40 years of administrative law and opened the door to litigation over federal agencies' interpretations of ambiguous statutes, including interpretations that had previously been upheld under the old standard. In this article, we explore key questions for cybersecurity professionals and leaders as we enter a period of heightened contention over cybersecurity law.
Background
What is the Loper Bright decision?
The U.S. Supreme Court's decision in Loper Bright Enterprises v. Raimondo overturned Chevron deference and held that all relevant questions of law arising in a review of an agency's action are to be decided by the courts, not the agency. The Court reasoned that the Administrative Procedure Act (APA) directs reviewing courts to decide such legal questions for themselves, so a court may not defer to an agency's reading of a statute simply because the statute is ambiguous. The decision emphasized that courts must exercise independent judgment when determining whether an agency acted within its statutory authority. In practice, it transfers the power to resolve statutory ambiguity from federal agencies to the judiciary.
What is Chevron deference?
Chevron deference required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. It originated in the 1984 Supreme Court case Chevron USA, Inc. v. Natural Resources Defense Council. In Chevron, when a statute was ambiguous, courts were to defer to the agency’s interpretation if it was reasonable. This deference influenced administrative law for nearly 40 years.
What immediate steps should businesses consider now to ensure compliance with cybersecurity regulations that may be challenged in court?
Nothing has changed yet. However, to ensure compliance with cybersecurity regulations that may be challenged in court, companies should:
- Review existing cybersecurity obligations and identify which rest on clear statutory text and which depend on an agency's interpretation of ambiguous language; the latter are the ones most exposed to challenge.
- Stay up to date on court decisions and regulatory changes. The elimination of Chevron deference means that courts will scrutinize agency interpretations more closely.
- Be prepared to update your compliance program if regulatory or legal requirements change as a result of this shift in legal doctrine.
- Collaborate with legal counsel to navigate the changing regulatory environment.
Effective cybersecurity controls are deployed when they are mapped to one or more agreed-upon risks, such as regulatory or legal requirements or external threats. A control that exists only to satisfy a regulatory requirement, and mitigates no other risk, is the only kind that should be a candidate for modification or removal if that requirement is later struck down under Loper Bright; a control that also addresses a real threat should stay regardless of how the case law develops. To make that assessment quickly, companies should ensure that each control is clearly traceable to the requirements and risks it addresses, so the impact of any future regulatory change can be evaluated without re-auditing the whole program.
How will the Loper Bright decision affect the enforcement of existing cybersecurity regulations by the FTC, SEC, and others?
The Loper Bright decision will likely make cybersecurity regulations more susceptible to litigation. Courts will no longer defer to agency interpretations of ambiguous statutes but will instead make their own judgments. This change could lead to more frequent litigation, increased judicial scrutiny of rulemaking, and delays. Some of the government agencies and regimes that could be affected by post-Loper Bright litigation include:
- FTC: Recent FTC rulemaking under Section 5 includes the Health Breach Notification Rule, and proposed changes to the Children’s Online Privacy Protection Rule may be subject to challenge.
- SEC: Because neither the Securities Act of 1933 nor the Securities Exchange Act of 1934 mentions cybersecurity, the SEC's requirement that public companies disclose a material cybersecurity incident within four business days of determining it is material could be challenged.
- GLBA: Regulators acting under the Gramm-Leach-Bliley Act have recently expanded the scope of cyber incident reporting requirements for financial institutions.
- TSA: The TSA's emergency 2022 security directives imposing cybersecurity requirements on passenger and freight rail carriers and on airport and aircraft operators could be challenged.
- CISA: The Cybersecurity and Infrastructure Security Agency's proposed rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) read the statute broadly and could be subject to fresh judicial review.
How will the Loper Bright decision affect the consistency of cybersecurity regulation and enforcement across different jurisdictions?
The Loper Bright decision could impact the consistency of cybersecurity regulation and enforcement across different jurisdictions. By eliminating Chevron deference, courts have greater power to interpret statutes independently, which could lead to more diverse interpretations and application of cybersecurity laws. This inconsistency could force companies to adjust their compliance programs more frequently as interpretations vary across jurisdictions.
How might the removal of Chevron deference affect future cybersecurity regulatory developments?
With Chevron deference eliminated, the cybersecurity regulatory environment will likely become more fragmented and inconsistent. Federal agencies will have to provide more compelling justification and detail for their rulemaking decisions. This change could lead to increased judicial scrutiny of existing and proposed rules, making it harder for agencies like the FTC and CISA to respond quickly to new threats.
Courts will consider the persuasive strength of agency interpretations and will give weight to expertise only if that expertise is particularly helpful and based on thorough and consistent reasoning. This shift could lead to increased legal challenges to existing cybersecurity regulations and new rulemaking, complicating compliance efforts.
What role will judicial interpretation play in defining the scope of cybersecurity regulation following Loper Bright?
Judicial interpretation will play a key role in defining the scope of cybersecurity regulation after Loper Bright. Courts will evaluate agencies' statutory authority on their own, and the regulatory environment may become more fragmented and inconsistent. This shift will require companies to reevaluate both their regulatory compliance approach and how they engage in rulemaking and advocacy.
Ultimately, this decision highlights the need for Congress to provide clearer statutory guidance to ensure cybersecurity regulations can withstand judicial review.