In the two weeks since the U.S. Supreme Court struck down a 40-year-old precedent that gave federal agencies wide latitude in interpreting the laws they enforce, there has been widespread concern that an activist judiciary will thwart regulators’ efforts to protect public health and safety.
In a Center for Cybersecurity Policy and Law blog post, Harley Geiger, Ines Jordan-Zoob and Tanvi Chopra said the ruling in Loper Bright Enterprises v. Raimondo that overturned the 1984 Chevron v. Natural Resources Defense Council precedent “is likely to have a seismic effect on regulatory enforcement and policymaking across sectors. This includes digital security, where many federal regulations involve interpretations of older statutory authorities that pre-date modern cybersecurity practices and threats.”
They cited the SEC’s cybersecurity incident disclosure rule, Gramm-Leach-Bliley Act (GLBA) information security requirements for non-banking financial institutions, and TSA transportation cybersecurity requirements as regulations that could be challenged. And pending rules like CISA’s proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) could be narrowed as a result of the SCOTUS Chevron ruling.
SCOTUS Chevron Ruling Doesn’t Stop Many Cybersecurity Laws
In an interview with The Cyber Express, Ilia Kolochenko, an attorney in the Platt Law cyber law practice and CEO of ImmuniWeb, said public health and environmental agencies like the EPA may be impacted by the ruling, but he thinks the effect on cybersecurity regulation will be minimal.
“We don’t have a lot of cybersecurity rules, and the ones we have are pretty lenient,” Kolochenko said. “I don’t think we’ll see a lot of litigation.”
Federal agencies have largely relied on cybersecurity guidance, assistance and frameworks rather than strict regulations, he said. And he thinks companies will likely choose to avoid the negative publicity and suspicions that would come from challenging cyber regulations. Most businesses tend to settle FTC complaints rather than fight them in court, he notes. Investors might lose faith in a company challenging the SEC rules, for example, and consumers might wonder “what are you hiding?”
He cites the long-running case of LabMD v. FTC as an example of how a lawsuit can backfire – LabMD might have won the case, but it went out of business in the process, and FTC has been working on clearer security regulations since. “Be careful what you ask for, because you might get it,” Kolochenko quipped.
But perhaps more importantly, there are so many state, private and global cybersecurity requirements – such as the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR) and the credit card industry’s PCI DSS, that there might not be much to gain by challenging a federal agency’s authority.
“We won’t see tectonic changes” because of all those issues, he said.
A National Data Privacy Law Would Help
In fact, it’s that patchwork of state privacy and security laws that Kolochenko would most like to see addressed – those myriad requirements that make it “extremely expensive to comply,” he said.
Kolochenko would like to see a U.S. national data privacy law to preempt state laws and make compliance easier, but those efforts stalled in Congress once again this year – and could become even more challenging in the future, as the Supreme Court’s ruling will mean that Congress will need greater expertise and precision in drafting legislation. Kolochenko said Congress may need a formal cybersecurity committee to deal with those challenges.
There’s a White House-led effort to harmonize cybersecurity regulations and policies that could help – but ironically, the Supreme Court’s ruling could slow that down too. A House bill to help that process along was unveiled yesterday, but likely won’t get very far with an election and new Congress looming.
Put it all together – the relative leniency of federal regulations; tougher state, private and international laws that companies must comply with anyway; the reluctance of businesses to sue; and a gridlocked Congress – and you begin to see why the SCOTUS Chevron ruling might not change much in cybersecurity regulations, at least not any time soon.