The Loper Bright decision has yielded impactful results: the Supreme Court has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law.
The Loper Bright decision by the U.S. Supreme Court overruled the Chevron deference, stating that courts, not agencies, will decide all relevant questions of law arising on review of agency action. The Court held that because the Administrative Procedure Act (APA)’s text is clear, agency interpretations of statutes are not entitled to deference. The ruling emphasized that courts must exercise independent judgment in deciding whether an agency has acted within its statutory authority. This decision shifts the power of statutory interpretation from federal agencies to the judiciary.
The Chevron deference required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. It originated from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council. Under Chevron, if a statute was ambiguous, courts would defer to the agency’s interpretation if it was reasonable. This deference shaped administrative law for nearly 40 years.
Nothing has changed, yet. However, to ensure compliance with cybersecurity regulations that might now be challenged in court, companies should:
Effective cybersecurity controls are deployed when they are mapped to one or more agreed-upon risks, which can include regulatory or legal requirements as well as external threats. Companies should consider updating or removing controls in light of any future jurisprudence based on Loper Bright only if those controls exclusively existed for regulatory purposes and did not mitigate additional risks. Companies should ensure that their controls have clear traceability to requirements so that they can quickly assess the effects of any future regulatory changes.
The Loper Bright decision will likely make cybersecurity regulations more vulnerable to legal challenges. Courts will no longer defer to agency interpretations of ambiguous statutes and will exercise their independent judgment. This shift may lead to more frequent legal challenges, increased scrutiny of regulations, and delays. A partial list of agencies that may be affected by litigation post-Loper Bright follows:
The Loper Bright decision may impact the consistency of cybersecurity regulations and enforcement across different jurisdictions. By eliminating the Chevron deference, courts now have more ability to interpret statutes independently, which could lead to varied interpretations and applications of cybersecurity laws. This inconsistency might force businesses to adapt their compliance programs more frequently due to varying interpretations across jurisdictions.
The removal of the Chevron deference will likely create a more fragmented and inconsistent regulatory environment for cybersecurity. Federal agencies will need to provide more compelling justifications and details for their rulemaking decisions. This shift may lead to increased judicial scrutiny of existing regulations and proposed rules, making it harder for agencies like the FTC and CISA to quickly adapt to new threats.
Courts will consider the persuasive power of agency interpretations, giving weight to their expertise only if it is especially informative and based on thorough, consistent reasoning. This shift is likely to result in increased legal challenges to existing cybersecurity regulations and new rulemakings, complicating compliance efforts.
Judicial interpretation will play a significant role in defining the scope of cybersecurity regulations post-Loper Bright. Courts will independently assess the statutory authority of agencies, leading to potentially more fragmented and inconsistent regulatory environments. This change necessitates a reevaluation of regulatory compliance and advocacy approaches.
Ultimately, the decision underscores the need for Congress to provide clearer statutory guidance for cybersecurity regulations to withstand judicial review.
