Back Back

Supreme Court Ruling on Chevron Doctrine May Upend Future Cybersecurity Regulation

Information Security
4 min read
2 July, 2024

Supreme Court ruling on Chevron doctrine may upend future cybersecurity regulation

Experts expect new legal challenges against numerous agency cybersecurity requirements, including incident reporting mandates and rules governing critical infrastructure sectors.

The U.S. Supreme Court ruling Friday to overturn the Chevron doctrine could have major implications on the cybersecurity regulatory landscape at a time when federal agencies have enacted significant requirements designed to strengthen incident reporting and meet baseline security standards.

The ruling will likely lead to new legal challenges against recent cybersecurity regulatory measures, including the 2023 cyber incident reporting requirements from the Securities and Exchange Commission, according to the Center for Cybersecurity Policy and Law.

The Supreme Court ruling could impact rulemaking on the Cyber Incident Reporting for Critical Infrastructure Act, too, according to the CCPL. Officials see the potential for the ruling to impact baseline requirements for the healthcare industry or future efforts by the Environmental Protection Agency to mandate cybersecurity rules for drinking and wastewater treatment utilities.

The Chevron doctrine stems from a 1984 case, Chevron U.S.A. v. Natural Resources Defense Council, which set the precedent for courts to yield to the expertise of federal agencies to interpret ambiguities in a statute.

The Supreme Court ruling involved Loper Bright Enterprises v. Raimondo and alongside a second case, Relentless v. Department of Commerce.

The U.S. Chamber of Commerce called the Supreme Court ruling an “important course correction” that will help create a more stable and predictable business environment.

SEC cyber rules in the hot seat

The SEC rule passed in 2023 requires publicly traded companies to report cybersecurity incidents to the agency within four business days of determining their materiality. Companies must file annual updates that outline their strategies for how to mitigate cyber risk.

In October, the SEC also filed suit against SolarWinds alleging the company and its CISO defrauded investors by failing to disclose its true cybersecurity risk leading up to the 2020 supply chain hacks by state-linked hackers.

The Chamber of Commerce and Business Roundtable filed briefs in the SolarWinds case arguing the SEC had expanded its authority in the case far beyond the original intent of Congress.

Legal and cybersecurity experts are still evaluating what the impact of the Chevron doctrine ruling will be on future regulations. However, Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink how they approach future cyber regulations to make sure they don’t create an overly burdensome environment for critical infrastructure and industry partners.

“I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity,” Pugh said in an interview.

Officials from the SEC and the Office of the National Cyber Director declined to comment for the story.

Correction: This story has been updated to reflect the Supreme Court case was Chevron U.S.A. v. Natural Resources Defense Council.

Quote

“I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity.”

Brandon Pugh Director of Cybersecurity & Emerging Threats at the R Street Institute

David Jones, Reporter

David Jones is a reporter for Cybersecurity Dive. He has been a reporter and editor for more than 25 years, covering business travel, real estate and more recently fintech. When not working he travels overseas. The New York native is a diehard fan of the Mets and the Pittsburgh Steelers. He is a graduate of Northwestern University.

Reshared from CyberSecurityDive.com

Share in the Social
Let’s Get Started!

By simplifying IT complexities, we empower enterprises to thrive in today's evolving technology landscape. Let us guide your journey forward.

CONTACT US

Related Articles

Information Security
6 min read
The Crucial Role Of Browser Context In Modern Cybersecurity
6 min read
Information Security
7 min read
A CISO’s Guide to Avoiding Jail After a Breach
7 min read
Information Security
5 min read
280 Million Google Chrome Users Installed Dangerous Extensions, Study Says
5 min read