The Supreme Court's decision to overturn the Chevron Doctrine is reshaping the regulatory landscape, with some serious implications for national cybersecurity.
On June 28, 2024, the U.S. Supreme Court overruled the Chevron Doctrine, which originated in the landmark 1984 Chevron v. Natural Resources Defense Council case. Under that original ruling, courts were required to use the relevant agency’s interpretation of a statute when trying to come to an understanding of an ambiguous law. By striking down the doctrine, the Supreme Court is instructing courts to depend on their own understandings of an ambiguous law when interpreting uncertain statutes, instead of the federal agency’s interpretation. This gives the judicial system more power over the applications and enforcement of regulatory laws.
Though the Chevron Doctrine may not have been particularly well known by the general population, it held significant weight in government law (with over 18,000 citations from federal courts). This new ruling has caused widespread uncertainty about the future of administrative law, with Justice Elena Kagan saying that it “will cause a massive shock to the legal system.”
While many federal agencies are worried about the impact of the Supreme Court’s decision, those who are responsible for the nation’s cyber strategy are especially concerned. Instead of being directly legislated by Congress, a significant portion of cybersecurity regulation in the US is implemented by various federal agencies like the FDA, the SEC, and the DHS. Because of this, courts may be more likely to rule cyber regulations as inconsistent and then invalidate them.
Even if a law manages to avoid invalidation, there is still danger of repeated appeals. If a business challenges an agency decision on a cyber law they may want to contest, the courts are no longer required to give priority to the agency's viewpoint. This could encourage rounds of appeals, further drawing out the legislation process on cyber regulations which may already be too slow for today’s rapid advancements in technology.
Already, the Supreme Court ruling is casting shadows on proposed rules. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires certain entities to report significant cyber incidents within 72 hours, and to report a ransom payment within 24 hours. CIRCIA has only recently reached the congressional rulemaking stage, and many critical infrastructure organizations have expressed doubts about the act, with even the Senate Homeland Security Committee Chair Gary Peters saying “the proposed rule is overbroad and needs additional clarity,” during the public commenting period. Many others pointed out their confusion about the terminology in CIRCIA, which could spell serious trouble when courts have to interpret the rule in the future.
The Department of Health and Human Services (HHS) is also considering a rule that would incentivize hospitals to meet cybersecurity requirements, but objections to the mandate could also mean legal trouble in the future. Even cyber regulations that are already established, like the SEC’s cyber incident reporting rules, could be up for new interpretations.
The U.S. Supreme Court's recent decision to overturn the Chevron Doctrine has undoubtedly sent shockwaves through the legal and regulatory landscape. The implications of this decision are particularly alarming for the cybersecurity sector, but it’s still a bit early to know exactly how this will all pan out. With uncertainties surrounding both proposed and existing cyber regulations, stakeholders across various sectors, including critical infrastructure and healthcare, are preparing for potential disruptions and challenges.