Chevron, Cybersecurity, and What Comes Next...

On June 28, 2024, the Supreme Court overturned the longstanding Chevron Doctrine.  This change will undoubtably have significant impacts on many industries, and analysts were quick to claim doom and gloom.  The cybersecurity industry was no different.  While there will be some impact, it will be less significant than many predict.  Other factors will be far more significant in changing cybersecurity rules in this country.

WHAT WAS THE CHEVRON DOCTRINE?

First, what is the Chevron Doctrine?  Basically, when interpreting a vague statute, courts gave deference to agency interpretations within that agency’s area of expertise.  This has had significant, far-reaching implications.  One, it allowed Congress to make general policy prescriptions instead of making hard decisions when passing laws.  Two, it gave significant power to executive agencies.  Third, agency interpretation of a law could change with administrations, meaning that regulated entities had no long term certainty on what a particular law meant, with net neutrality being a significant example.  Regardless of one’s thoughts on the Chevron Doctrine (and opinions were highly divisive), it was a foundational piece of the administrative state.

WHY A LOT OF THE ANALYSIS IS OVERBLOWN

So why do I think such a fundamental change in administrative law is overblown in cybersecurity?  There are a lot of reasons, some of which I’ll lay out below.  But cybersecurity law has evolved differently than a lot of other regulatory law, so many of the more general analyses of Chevron’s demise don’t apply.  Also, cybersecurity regulation will rapidly change in the near future, so while the demise of the Chevron doctrine may have some impacts on the margin, it won’t be a significant driver.

FTC Enforcement Doesn’t Implicate Chevron

The major player in general cybersecurity regulation has been the FTC.  And the FTC is unlikely to be impacted by changes in the Chevron doctrine.

The FTC does not base its authority to regulate cybersecurity in an interpretation of a vague statute.  In fact, in the Wyndham case in the Third Circuit, the court expressly disclaimed any reliance on the Chevron doctrine and instead interpreted the relevant statute directly.  “The relevant question is not whether Wyndham had fair notice of the FTC’s interpretation of the statute, but whether Wyndham had fair notice of that the statute itself requires.”  This is in keeping with court decisions in other contexts that see a duty to maintain reasonable cybersecurity as a natural extension of an existing duty and not a new obligation.

Congress has also codified the authority that the FTC relies on to pursue consumer facing companies through the FTC Act Amendments of 1994, making it highly unlikely that a court will overturn the FTC’s authority to regulate cybersecurity as an unfair business practice.

Many of the FTC’s enforcement actions trace their basis back to negligence.  For example, the 11^th Circuit noted that “[t]he law of negligence, the Commission’s action implies, is a source that provides standards for determining whether an act or practice is unfair, so a person, partnership, or corporation that negligently infringes a consumer interest protected against unintentional invasion may be held accountable under Section 5(a).”  Negligence is discussed more below, but the main point is that it comes from common law and is not subject to the Chevron Doctrine.

Finally, the FTC has focused on companies with particularly egregious cybersecurity programs.  The Wyndham case includes an analogy that says, “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall.”  Courts are more likely to avoid interpretive issues when the company complaining is so far from an edge case.

As a result of these and other factors, the FTC will be able to continue regulating cybersecurity regardless of changes in the Chevron Doctrine.

Negligence Is a Powerful Tool

Negligence is a common law cause of action, meaning that it does not rely on a Congressional statute.  As mentioned above, at least one Circuit has examined FTC enforcement actions as negligence actions.  Consumers, employees, and others harmed by poor cybersecurity hygiene have successfully used negligence to hold companies accountable.

Agencies have an important role to play in establishing the norms that underpin negligence, especially in specialized industries.  Negligence verdicts also incentivize companies to establish more robust cybersecurity programs even in the absence of regulatory action.

The recent CrowdStrike incident will certainly result in significant litigation, much of which will involve negligence and related common law claims.  Even if CrowdStrike did not violate any cybersecurity regulations, it will subject to significant fall out.

Judgment Trends

Courts have shown more of an inclination to hold companies liable for cybersecurity breaches.

The earliest data breach cases were often dismissed for lack of standing, but courts shifted their view as time went on by becoming more accepting of theories of harm from consumers.  Plaintiffs also learned lessons that allowed them to better plead harm, resulting in more cases proceeding to discovery, which meant more large settlement offers.

This shift from a reluctance to permit litigation in a data breach to a willingness to hold corporations accountable for loss of personal data shows that courts may be willing to grant regulatory agencies more freedom in the data breach context than others.

Some Agencies Were Already Re-Evaluating Their Approach

One of the earliest federal agencies to regulate cybersecurity was Health and Human Services, pursuant to HIPAA.  HHS is currently under pressure from Congress to do more with health care cybersecurity, but a couple of court rulings have undermined long-standing policies in HIPAA enforcement.  These cases pre-dated any changes to the Chevron Doctrine and already showed that how we regulate protection of patient data needed to change.  HHS and Congress are both working through these issues.  Changes in the Chevron Doctrine won’t change that, although they may encourage Congress to more explicitly grant interpretive powers to HHS.

The Government as a Customer Is Not Impacted

Lately, the federal government has been using its purchasing power to influence both supply chain security and cybersecurity requirements.  This includes security for IOT devices, removal of certain companies from the supply chain, and general cybersecurity requirements.  The government’s ability to define these standard contract terms is not reliant on Chevron deference, and Congress often gets directly involved, which also minimizes the impact of the Chevron Doctrine.  It also has significant impact on the broader economy, as the government’s ability to define certain markets is extensive.

WHAT WILL HAPPEN?

The elimination of the Chevron doctrine is unlikely to have a significant impact on cybersecurity regulations.  That said, changes are coming.  Several rules are in draft form.  There is pressure from both the public and Congress for stricter cybersecurity regulations.  Criminals and nation states continue to increase the pressure on our digital infrastructure.  Changes in the Chevron Doctrine won’t impact these pressures.

To get ready, companies should have a cybersecurity policy in place that is informed by a risk assessment.  The company should test that policy through tabletop exercises.  These are foundational pieces for any cybersecurity program.  Anything more specific will be context dependent.  Should your company need assistance with these foundational pieces or identifying the more specific areas of need, we are standing by to assist.