The Supreme Court’s Loper Bright decision has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law.
What is the Loper Bright Decision?
The Loper Bright decision by the U.S. Supreme Court overruled the Chevron deference, stating that courts, not agencies, will decide all relevant questions of law arising from agency action reviews. The Court held that the Administrative Procedure Act (APA)’s text is clear, so agency interpretations of statutes are not entitled to deference. Courts must exercise independent judgment in deciding whether an agency has acted within its statutory authority, shifting the power of statutory interpretation from federal agencies to the judiciary.
What was the Chevron Deference?
The Chevron deference required courts to defer to federal agencies’ reasonable interpretations of ambiguous statutes. Originating from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council, it mandated that if a statute was ambiguous, courts would defer to the agency’s reasonable interpretation. This deference shaped administrative law for nearly 40 years.
What immediate steps should companies consider taking now to ensure compliance with cybersecurity regulations that might be challenged in court?
While nothing has changed yet, companies that want to ensure compliance with cybersecurity regulations that might now be challenged in court should:
Assess existing cybersecurity requirements to ensure they align with current regulations supported by clear statutory authority.
Stay updated on court rulings and regulatory changes. The removal of Chevron deference means courts will scrutinize agency interpretations more closely.
Be prepared to update compliance programs if regulatory or legal requirements change due to new jurisprudence.
Work with legal experts to navigate the evolving regulatory landscape.
Cybersecurity controls are deployed effectively when each is mapped to one or more agreed-upon risks, including regulatory or legal requirements and external threats. In light of any future jurisprudence based on Loper Bright, companies should consider updating or removing controls only if those controls existed exclusively for regulatory purposes and did not mitigate additional risks. Companies should ensure their controls have clear traceability to requirements so they can quickly assess the effects of any future regulatory changes.
Cybersecurity Law
How will the Loper Bright decision impact the enforcement of existing cybersecurity regulations under the FTC, SEC, and others?