
The Loper Bright Decision: How It Affects Cybersecurity Law

05 Aug 2024 | Hacker News | Cybersecurity / Data Privacy Act


The Loper Bright decision produced influential results: the Supreme Court overturned forty years of administrative law, opening the door to litigation over the interpretation of vague statutes that had first been decided by government agencies. This article explores important questions for cybersecurity professionals and leaders as we enter a more contentious era of cybersecurity law.

Background

What is the Loper Bright Decision?

The Loper Bright decision by the United States Supreme Court rejected Chevron deference, stating that courts, not agencies, would decide all relevant questions of law that arise in the review of an agency’s action. The court stated that because the text of the Administrative Procedure Act (APA) is clear, the agency’s interpretations of the rules are not entitled to deference. The decision emphasized that courts must use independent judgment to determine whether an agency has acted within its legal authority. It shifts the power of statutory interpretation from federal agencies to the judiciary.

What was Chevron Deference?

The Chevron decision required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. It originated in the 1984 Supreme Court case Chevron USA, Inc. v. Natural Resources Defense Council. Under Chevron, if the law was ambiguous, courts would defer to the agency’s interpretation if it was reasonable. This deference shaped administrative law for nearly 40 years.

What immediate steps should companies consider taking now to ensure compliance with cybersecurity regulations that may be challenged in court?

Nothing has changed yet. However, to ensure compliance with cybersecurity regulations that can now be challenged in court, companies should:

  • Review existing cybersecurity requirements to ensure compliance with current regulations supported by clear legal authority.
  • Stay informed about court decisions and regulatory changes. The removal of Chevron deference means that courts will scrutinize agency interpretations more carefully.
  • Be prepared to update compliance programs if regulatory or legal requirements change as a result of legislation.
  • Work with legal professionals to keep up with the changing regulatory landscape.

Effective cybersecurity controls are mapped to one or more agreed risks, which may include regulatory or legal requirements as well as external threats. Companies should consider updating or removing controls in accordance with any future regulations based on Loper Bright, as long as those controls existed for regulatory purposes only and did not mitigate other risks. Companies should ensure that their systems have a clear compliance process so that they can quickly assess the impact of any future regulatory changes.

How will the Loper Bright decision affect the enforcement of existing cybersecurity regulations under the FTC, SEC, and others?

The Loper Bright decision may leave cybersecurity regulations vulnerable to legal challenges. Courts will no longer defer to agency interpretations of ambiguous statutes and will exercise their own independent judgment. This change can lead to frequent legal challenges, increased regulatory scrutiny, and delays. A partial list of organizations that may be affected by post-Loper Bright cases follows:

  • FTC: The FTC’s latest regulations under Section 5, including the Privacy Notice Act and proposed changes to the Children’s Online Privacy Protection Act, may be challenged.
  • SEC: The Securities and Exchange Acts of 1933 and 1934 do not address cybersecurity, which could pose a challenge to the SEC’s requirement of cybersecurity disclosures within four days of an incident.
  • GLBA: Regulators have recently expanded their regulations with a range of cyber incident reporting requirements for financial institutions.
  • TSA: The TSA’s emergency amendments in 2022 setting cybersecurity requirements for passenger and freight rail carriers, as well as airport and airline operators, could be challenged.
  • CISA: The Cybersecurity and Infrastructure Security Agency’s (CISA) proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 contains broad definitions and may be contested under new judicial review.

How might the Loper Bright decision affect the consistency of cybersecurity regulations and enforcement in different jurisdictions?

The Loper Bright decision could affect the consistency of cybersecurity regulations and enforcement in various jurisdictions. With Chevron deference eliminated, courts now have more discretion to interpret the law, which can lead to different interpretations and applications of cybersecurity laws. This inconsistency can force businesses to adapt frequently to definitions that differ from region to region.

How might the overturning of Chevron deference affect the development of future cybersecurity regulations?

The overturning of Chevron deference may create a fragmented and unstable regulatory environment for cybersecurity. Federal agencies will need to provide strong reasons and evidence for their rulemaking decisions. This change could lead to increased judicial scrutiny of existing regulations and proposed laws, making it difficult for agencies like the FTC and CISA to quickly adapt to new threats.

Courts will consider the persuasive power of agency interpretations, giving weight to their expertise as long as it is specialized and based on clear, consistent reasoning. This change is likely to create additional legal challenges to existing cybersecurity regulations and new regulations, complicating compliance efforts.

What role might judicial interpretations play in defining the scope of cybersecurity regulations post-Loper Bright?

Judicial interpretation will play an important role in defining the scope of cybersecurity regulations post-Loper Bright. Courts will independently review the legal authority of agencies, leading to a potentially fragmented and inconsistent regulatory environment. This change requires a re-examination of administrative rules and advocacy methods.

Finally, the decision highlights the need for Congress to provide clear legislative guidance for cybersecurity regulations to withstand judicial review.

Note: This article is beautifully written and contributed by Kayne McGladrey, Field CISO at Hyperproof.
