US Supreme Court ruling will likely cause cyber regulation chaos

csoonline.com 3 days ago

The ruling could weaken almost all US federal cybersecurity regulations, including SEC incident reporting, FCC data breach reporting, and CISA cyber incident reporting rules.

The US Supreme Court has issued a decision that could upend all federal cybersecurity regulations, moving ultimate regulatory approval to the courts and away from regulatory agencies. A host of likely lawsuits could gut the Biden administration’s spate of cyber incident reporting requirements and other recent cyber regulatory actions.

In a stunning reversal of nearly 40 years of regulatory law, in Loper Bright Enterprises v. Raimondo, the US Supreme Court voted six to three last week to gut a legal precedent known as the Chevron deference. Decided in a 1984 Supreme Court case, Chevron instructed lower courts to defer to expert regulatory agencies in cases requiring interpretation of congressional intent.

In Loper, the Supreme Court ruled that courts — not regulatory agencies — are the ultimate arbiters of what governing congressional law says, casting into doubt thousands of federal regulations affecting virtually all aspects of society, from environmental safety to financial fraud.

Chief Justice John Roberts wrote for the majority in Loper: “Courts must exercise their independent judgment in deciding whether an agency has acted within its statutory authority.”

Roberts also said that courts may not defer to an agency’s interpretation of the law simply because a statute enacted by Congress is ambiguous. The Court’s decision does not overturn previous court cases that relied on Chevron although challengers are free to relitigate these cases.

The decision could weaken all federal cybersecurity regulations

While the Court’s decision has the potential to weaken or substantially alter all federal agency cybersecurity requirements ever adopted, a series of cyber regulatory initiatives implemented over the past four years could become the particular focus of legal challenges. Parties who previously objected to these initiatives but were possibly reluctant to fight due to the Chevron deference will likely be encouraged to challenge these regulations.

Although all existing regulations are still in effect, the upshot for CISOs is almost certainly some degree of uncertainty as the legal challenges get underway. A host of conflicting decisions across the various judicial circuits in the US could lead to confusion in compliance programs until the smoke clears.

CISOs should expect some court cases to water down or eliminate many existing cybersecurity regulatory requirements.

Recent cyber regulations are most likely to be challenged

A host of recently adopted cyber regulations will likely be challenged following the Court’s ruling, but some recent regulations stand out as leading candidates for litigation. Among these are:

SEC cyber incident reporting requirements: In 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience within four days of determining their materiality and to disclose material information regarding their cybersecurity risk management, strategy, and governance every year. However, as the Center for Cybersecurity Law and Policy has noted, the Securities Act and the Securities Exchange Act upon which the SEC relied for its rules do not directly reference cybersecurity.

FCC data breach reporting rules: In 2023, the US Federal Communications Commission (FCC) updated and strengthened its data breach notification rules for communications providers to protect against improper use or disclosure of customer data. In issuing its new regulations, the FCC significantly expanded upon its enforcement authority under the Communications Act, which dealt with protections for a very narrow class of customer data called customer proprietary network information (CPNI) and not the much broader range of customer data reflected in the Commission’s rules.

CISA cyber incident reporting requirements: In April 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) proposed a rule to implement the cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule is not slated to be finalized until 2025. However, in developing its rulemaking, CISA had to interpret CIRCIA broadly.

TSA pipeline regulations: In 2023, the Transportation Security Administration issued a security directive requiring liquid and natural gas pipelines and liquefied natural gas facilities to improve cybersecurity practices and mitigations.

TSA passenger and freight railroad carriers cybersecurity requirements: In 2022, the Transportation Security Administration (TSA) issued a new cybersecurity security directive regulating designated passenger and freight railroad carriers to enhance their cybersecurity preparedness and resilience.

TSA cybersecurity requirements for airport and aircraft operators: The Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of particular TSA-regulated airport and aircraft operators.

TSA cybersecurity requirements for surface transportation owners and operators: In 2021, the Transportation Security Administration (TSA) issued two new security directives and additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector.

Gramm-Leach-Bliley Act requirements: In December 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers. The FDIC relied upon its authorities under the Gramm-Leach-Bliley Act (GLBA) of 1999. Under GLBA, the National Credit Union Administration and the Commodity Futures Trading Commission also subsequently adopted their incident reporting rules, while the Federal Trade Commission adopted a “safeguards rule” for financial institutions to protect customer data.

Pending actions and even old regulations could be derailed

Not included in this list are several significant pending regulatory actions that, while not finalized, are well along the path of development and could be significantly altered by the Loper decision.

For example, pending Coast Guard rules update maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for US-flagged vessels. Another rule still in the works, the pending FCC requirements related to the security risks of the Border Gateway Protocol, might have to alter its trajectory given the Court’s decision.

Moreover, litigants could try to pry open old cybersecurity requirements tied to regulatory agencies, such as the critical infrastructure protection (CIP) rules established by the North American Electric Reliability Corporation. The Federal Energy Regulatory Commission gave these rules regulatory teeth in 2008. Utilities and utility trade groups have routinely challenged the breadth and depth of these requirements.

It’s conceivable that rules established by the Nuclear Regulatory Commission in March 2009 to ensure that digital computer and communication systems associated with a nuclear power plant’s safety and security are protected from cyberattacks could be subject to fresh judicial review in a post-Chevron world.

The Court’s ruling will also almost certainly throw a monkey wrench into other administration cybersecurity actions, even if they don’t involve regulations. For example, federal efforts to harmonize the various cyber incident reporting requirements will likely halt.

Existing regulations remain in effect, but prepare for turbulence

All existing cyber regulations are in effect, but the status quo could change quickly, given that conservative groups and business interests had likely assumed for months that the Court would jettison Chevron and could now be in the final process of readying their lawsuits.

“I’ll say that it remains to be seen how this will unfold over time,” Harley Geiger, Counsel at Venable, tells CSO. “But the most likely immediate effect could well be legal challenges to regulations.”

Many federal cybersecurity regulations were derived from reinterpretations of older statutes and laws not necessarily created with emerging technology in mind, Geiger says. “Agencies trying to keep pace with the threat landscape have had to apply statutes created for consumer protection or safety to new attacks like ransomware, which did not exist a decade ago or were not nearly as prevalent a decade ago.”

“The new Supreme Court ruling means that if and when those regulations are challenged in court, there will be less deference to agency determinations and more independence from the courts to modify or overturn agency interpretations of law,” Geiger says. “And this will apply to both regulations already on the books and regulations to come.”

The havoc created by the Court’s decision will extend to the increasingly fractious US Congress, which seems incapable of producing clear and unambiguous laws. “I think this is disruptive for Congress as well, not just regulatory agencies,” Geiger says.

CISOs should prepare to ride the regulatory earthquake

CISOs will have to wait and see the outcome of the ruling, especially with a divided Congress comfortable passing openly ambiguous laws and somewhat vague language as a means of reaching political consensus while relying on the expertise of agencies to fill in the gaps.

“That has become a much riskier approach than it used to be for both Congress and agencies because the judiciary now has greater power to modify, overturn, or make its own interpretations,” Geiger says. “And the judiciary tends to have less technical expertise and staffing resources than federal agencies.”

Geiger says that CISOs should be prepared to ride out this regulatory earthquake. “I think for CISOs, the bottom line is the effect of the likely litigation against regulations will be deregulation. However, in addition to that, we may see inconsistent interpretations or inconsistent application of regulations across jurisdictions.”

This may ultimately mean that CISOs managing compliance across jurisdictions “may have to account for regulatory requirements that differ from one judicial circuit to another, and with less certainty as to whether the laws and the regulations will change due to lawsuits.”