Cybersecurity Policymaking Post-Chevron

On June 28, 2024, the Supreme Court issued its long-awaited decisions in Loper Bright Enterprises v. Raimondo and Relentless v. Department of Commerce. The opinions overturned the long-standing "Chevron doctrine," under which courts previously deferred to agency interpretations of ambiguous laws. The ruling will likely result in increased judicial scrutiny over regulatory decisions, directly affecting cybersecurity rules and enforcement actions by agencies like the Federal Trade Commission (FTC) and critical infrastructure regulators.

Venable's Government Division provided a post with general thoughts on this development, and the Center for Cybersecurity Policy and Law published an analysis of the decision's impact on cybersecurity regulation and policymaking. This post covers additional reactions to the post-Chevron legal environment for cybersecurity.

While digital security regulations won't disappear, they are now more prone to court challenges where agency interpretations have unclear statutory backing. Future rulemakings and enforcement actions will need to be more narrowly scoped to statutory authority to be best positioned to avoid judicial modifications.

Cybersecurity policymaking

The cybersecurity threat landscape is dynamic and always evolving, but legislation has not kept the same pace. For example, ransomware was not nearly as prevalent a threat until the mid-2010s, prior to which many cybersecurity rules were an offshoot of privacy and the protection of sensitive information from theft. With the emergence of ransomware as a major risk, the focus of cybersecurity regulatory action shifted to include operational disruption and system availability.

Yet Congress took relatively little action to establish security requirements in most industry sectors over the past decade, seemingly leaving it to agencies to take action. As a result, federal agencies have often turned to older statutory mandates to update security regulations. Particularly with regard to critical infrastructure security, this has sometimes prompted agencies to take a "creative approach" to addressing modern threats on a sector-by-sector basis.

Post-Chevron, this approach to policymaking is more perilous. Some of the effects we anticipate include:

  • Existing cybersecurity regulations are more vulnerable to legal challenge, especially where an agency has had to adapt ambiguous or outdated statutes to fit new security practices and threats. Lawsuits against agency cybersecurity rules and enforcement actions are likely to jump.
  • Current and future rulemakings, such as the proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), must now proceed under the shadow of increased threat of litigation where there is not clear statutory backing. This may result in narrower, less effective, or fewer rules.
  • There is greater onus on Congress to write laws that clearly express its intent, particularly where Congress delegates agency action. Critical infrastructure cybersecurity and cross-sector harmonization of security rules are recognized as major priorities, but Congress has not acted in a holistic or decisive manner on these issues.
  • The new legal landscape will likely have a deregulatory effect on cybersecurity, but the threat of cyberattack will continue to grow.

FTC and CFPB implications

Loper Bright also creates issues for the FTC and CFPB, both of which have taken an expansive view of their regulatory authority in and outside of the privacy space.

The FTC has pushed forward with a steady stream of rulemakings since 2020. This includes the Health Breach Notification Rule and proposed changes to the Children's Online Privacy Protection Rule. Perhaps the best example of where Loper Bright might have the biggest impact is the FTC's Non-Compete Clause Rule, generally imposing a future ban on non-compete agreements with workers, regardless of position, title, or status. Several parties rushed to bring an APA challenge of the rule, the first to file being Ryan, LLC v. Federal Trade Commission, No. 3:24-cv-986 (N.D. Tex.). There, the plaintiff alleges in relevant part that the FTC has no statutory authority to promulgate the Non-Compete Rule, and that the rule was based on arbitrary and capricious decision-making. Viewed through the Loper Bright lens, the FTC will face a more difficult battle without courts deferring to an agency's interpretation of its own rule. Perhaps foreshadowing these difficulties is the court's July 3 order preliminarily enjoining the Non-Compete Rule.

Separately, as we've recently discussed, the CFPB has made a practice of regulating by way of "circulars" or general policy statements. While these statements don't take the form of binding law as formal rules would, these policy statements shed little light or guidance on how industry can comply with laws and rules that the CFPB enforces. Loper Bright now opens the door to minimizing the impact these guidance documents may have on courts' interpretation of CFPB rules.

Business takeaways

Business compliance will likely need to evolve to account for uneven application of cybersecurity laws across jurisdictions. Litigation can take place in multiple venues, and courts can reach inconsistent conclusions. Compliance efforts may need to adapt to more frequent modification of security regulations as lawsuits work through the court system. Companies should stay informed of related litigation and any potential regulatory changes and be adaptive in their risk management strategies.

As lawmakers focus on reducing ambiguity in legislation to avoid judicial intervention, federal agencies will need to administer more narrowly scoped cybersecurity regulation with sound statutory backing. While engaging with these efforts, companies should collaborate with their attorneys to ensure clear and intentional legislation is developed, and that any regulations closely reflect statutory authority and congressional intent. Comment letters and other engagements that address these issues during congressional markup and agency proposed rulemaking may be increasingly important.

Venable has experienced attorneys, policy professionals, and technical experts who can help you prepare for and manage cyber incidents and breaches. Venable's Cybersecurity Services Group is available to assist with any questions on this decision or other cybersecurity law and policy matters.

* Ines Jordan-Zoob, Cybersecurity Services Program Manager and Tanvi Chopra, Senior Cybersecurity Services Analyst in Venable's Washington DC office, co-authored this post.