the chevron deference is dead. now what banner

The Chevron Deference is Dead. Now What?

This summer saw the end of a 40-year legal doctrine that promises to have significant ramifications for cybersecurity—and many other sectors. What is it, and what does its rescission mean?

The Chevron Deference, which dates back 40 years, describes the latitude that federal agencies have to interpret their own policies when regulating.

Congress updated the Clean Air Act in 1977, forcing organisations to install pollution control technology whenever they made technical changes at their facilities.

Laws like these are made by the legislative branch of the U.S. government (Congress), but they require the executive branch (federal agencies) to enforce them through regulation. In this case, the Environmental Protection Agency’s job was to ensure that polluters made the changes. Under the Carter administration at the time (this was the president who installed solar panels on the White House roof), the EPA would likely have enforced them strongly.

However, when the administration changes, so too do the regulators’ attitudes, thanks to political appointments in the agencies’ leadership. In the early eighties, oil giant Chevron made some changes at one of its plants, but by that time, the EPA – was under the more conservative Reagan government (Reagan was the president who removed those solar panels).

Reagan’s EPA interpreted its regulation to treat power plants as a single unit rather than focusing on individual pieces of equipment. That allowed Chevron to update equipment at its plant without installing extra air scrubbers.

The Natural Resources Defense Council (NRDC) sued the EPA, arguing that it should have interpreted its rules more strictly. The Supreme Court reasoned that federal agencies should get to interpret their own rules rather than the judicial courts as long as the interpretation doesn’t conflict with the language of the regulation.

From then on, any trial court ruling on a case involving federal regulation would have to defer to the federal agency when interpreting the regulation. The rationale was that the agency had more expertise than federal judges.

That is, until now. On June 28, the Supreme Court ruled on another case, Loper Bright Enterprises v. Raimondo. Loper Bright is a New England fishing company that wanted to challenge a decision by the National Marine Fisheries Service (NMFS). Under the Magnuson-Stevens Act, which imposes fishing limits, the NMFS required fishing boats to appoint government inspectors to monitor their catches at the fishing companies’ cost.

Loper Bright had contested the NMFS’s ability to impose that regulation in district court, which applied the Chevron Deference to let the NMFS decide. The case went to the Supreme Court, which overturned the decision, effectively cancelling the Chevron Deference.

What This Means For Cybersecurity

This decision once again allows district courts to decide how federal agencies should interpret legal statutes, which experts worry is tantamount to letting judges decide policy. The NRDC, which ended up welcoming the Chevron Deference as a means of providing certainty in disputes over federal policy, calls a post-Deference legal landscape “tantamount to throwing a dart at a lower-court dartboard”.

“[There are] more than ten different circuits, each with multiple judges,” argues John Walke, a senior advocate in the organisation’s Environmental Health program. “Each with the ability to decide which reasonable interpretation is their preferred reasonable interpretation.”

What does this have to do with cybersecurity? This is a relatively young discipline that is still thrashing out federal policy. The worry now is that leaving policy decisions to a panel of district and circuit judges with differing opinions will muddy the waters.

Federal agencies are becoming more aggressive in regulating cybersecurity, but with a Congress that is less productive than ever, they are increasingly relying on adding regulations to older statutes that don’t reference cybersecurity, say, Harley Geiger, Ines Jordan-Zoob, and Tanvi Chopra at the Center for Cybersecurity Policy.

The Center’s specialists worry that the Chevron Deference’s demise could affect multiple recent regulatory changes, including the SEC’s requirement that organisations rapidly report cybersecurity incidents, along with 2022 revisions to the Gramm-Leach-Bliley Act that required financial institutions to report cybersecurity incidents. The statutes upon which these regulations are based didn’t contain any explicit cybersecurity language. Without the Chevron Deference’s protection, they could face legal challenges in district courts.

The Center worries that this will make it more difficult for organisations to get a clear, country-wide set of rules on cybersecurity policy.

“The outcome may be less consistency in the application of regulations across jurisdictions,” the authors say. “Executive branch efforts to harmonise cybersecurity regulations without explicit Congressional authority may lose steam, forcing industry compliance to continue grappling with a patchwork of security rules.”

The Center’s authors also worry that new laws on cybersecurity issues will have to be less ambiguous, leaving regulators with less latitude for interpretation in a fast-evolving technology sector. This could make future cybersecurity laws more difficult to pass, the authors warn.

One legal test remains in place that allows courts to defer to federal agencies on policy issues. Called the Skidmore Doctrine, it stems from a 1944 case that lets courts defer to an agency’s interpretation based on “the power to persuade, if lacking the power to control.” However, how well an agency persuades is presumably still the opinion of a trial or appellant judge.

What Should You Do?

Where does this leave companies trying to comply with cybersecurity regulations?

“Perhaps now more than ever, private sector initiatives to voluntarily adopt effective cyber risk management programs are needed to strengthen the resilience of consumers, enterprises, and society,” say the Centre for Cybersecurity Policy authors.

Luckily, there are plenty of robust frameworks, including ISO 27001 and the NIST cybersecurity framework, upon which companies can base their cybersecurity efforts. These leave companies more likely to comply with federal regulations, and also provide more protections against cybersecurity incidents. In a more volatile legal environment, robust voluntary compliance offers a level of certainty and demonstrates that organisations have complied with the spirit, rather than just the letter, of the law.

Streamline your workflow with our new Jira integration! Learn more here.