What is the Impact of The Supremes’ Chevron Decision on Cybersecurity?
Let me give you the answer up front – we won’t know the full extent of it for years.
Okay, first what is Chevron?
In the last days of this year’s Supreme Court term, the court issued a ruling that overturns the forty-year-old Supreme Court ruling, Chevron. In Chevron, the court said that lower courts should give deference to agency experts in interpreting what Congress really meant when the agencies create regulations that are not explicitly called out in a law.
This is because Congress, 500 lawyers, many of whom had to ask their interns to show them how to use Zoom during the pandemic, figured that experts were probably better at figuring out the specifics of what needed to happen to implement a particular law.
With the stroke of a quill, Chief Justice John Roberts figured that 9 lawyers, aged 50 to 75, were much better at interpreting what Congress meant when it passed a cybersecurity law than a bunch of domain experts.
In fairness, I have said for a long time that it would be much better if Congress did its job. After all, isn’t that what we are paying them to do? However, I do not anticipate that happening.
So what is going to happen? No one knows, but a couple of things are likely:
- People who are unhappy with federal regulations will file lawsuits referencing the Supreme Court decision and claiming that agency ‘X’ does not have authority to create regulation ‘Y’.
- A trial court judge (venue shopping) who is predisposed will sign an injunction preventing the enforcement of regulation ‘Y’.
- The government or the unhappy resident will file an appeal. The appeal will go one way or the other. Then one side will appeal to the Supremes.
- The Supremes will need to decide which cases to take and which ones not to take.
- For the ones that they take, there will be hearings and, if it is anything like this year’s court, they won’t actually decide anything. They will wave their hands a lot and send the cases back down to the lower courts.
- Rinse and repeat.
Obviously, this will be incredibly profitable for law firms. For example, the law firms that handled the Elon Musk pay package case asked the judge to approve a fee of $7 billion. By the way, that is $370,000 for each and every billable hour of the team. That is a strong motivation for lawyers to encourage this.
Some very likely targets of opportunity are:
- The SEC cyber incident reporting requirements
- The FCC data breach reporting rules
- The CISA cyber incident reporting requirements
- The TSA pipeline security regulations
- The TSA passenger and freight railroad carriers cybersecurity requirements
- The TSA requirements for airport and aircraft operators
- The TSA cybersecurity requirements for surface transportation owners and operators
- The GLBA 2021 joint rule for computer security incident notification
And probably thousands more.
The benefit of attacking these rules is that if the plaintiffs can find a sympathetic judge, they can block any rule from being enforced.
It also will likely overwhelm the court system with hundreds or thousands of complex cases with very little precedent, taking a lot of time and costing everyone billions of dollars in the aggregate.
Congress could (but likely won’t) cut down on these cases by creating clearly defined laws. But most Congress critters are lawyers and it is against their training to make anything clear, so don’t count on that. It is, of course, what needs to happen.
But here is a thought. What will NOT be affected by this is state laws because, unless they conflict with federal laws, they are not the purview of the federal court system. Expect state legislatures, at least in some states, to create a hodgepodge of vague and unclear laws because those staffers have even less expertise than federal legislators. Just look at the Florida and Texas laws that the Supremes struck down last week as an example of rules 1 through 6 above.
In part, one of the reasons for agencies to stretch regulations is that many laws were created decades ago, before the digital age, and Congress has not had the desire to update them.
Unfortunately, for corporate IT staff, CISOs and inside counsel, expect a rocky road. Also expect to spend more on outside legal fees in an effort to get more clarity.
For the eternal optimists out there, maybe this will put pressure on Congress, just a little bit, to do their jobs.
Alternatively, Congress can continue to fund China, Russia, North Korea and other despotic regimes through their inaction. Voters have the power to affect that.
Credit: CSO Online and Cyberscoop