ARTICLE
1 August 2024

Navigating The New Cybersecurity Regulatory Landscape Post-Chevron

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin Richter & Hampton logo
Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Explore
On June 28, 2024, in a landmark decision, the Supreme Court overruled the four decade old case Chevron v. Natural Resources Defense Council.
United States Technology
Photo of Townsend L. Bourne
Photo of Jordan Mallory
Photo of Nikole Snyder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

On June 28, 2024, in a landmark decision, the Supreme Court overruled the four decade old case Chevron v. Natural Resources Defense Council. This pivotal decision should spur businesses to recalibrate their existing relationship with federal agencies. Indeed, we have already seen industry groups begin to use the overruling to influence agency rulemaking, signaling a future of significant shifts in the regulatory landscape. For those operating in regulated industries—including government contractors, and particularly those navigating the complex world of cybersecurity regulation—understanding the implications of the decision is crucial.

Overview of the Ruling

The overruling of Chevron and the end of "Chevron Deference" (the doctrine of judicial deference given to administrative actions) stems from a June 28, 2024 Supreme Court decision on two cases: Loper Bright Enterprises v. Raimondo, Secretary of Commerce and Relentless, Inc. v. Department of Commerce (collectively, the "Ruling"). Prior to the Ruling, Chevron Deference required courts to defer to agencies' reasonable interpretation of an ambiguous issue or question related to legislation that delegated authority to that agency. This involved a two-step process. First, the Court had to determine whether Congress had spoken directly on the issue under review. Second, if Congress's intent was not clear, courts were to defer to the agency's interpretation, provided it was reasonable.

The Ruling eliminates the second step such that courts will no longer be required to defer to the agency's interpretation. While the Ruling's majority opinion does not explicitly provide a replacement framework for judicial review of agency interpretations, it strongly suggests a return to the language of the Administrative Procedure Act ("APA") and Skidmore v. Swift & Co.1 The APA does not direct courts to give any deference to agency interpretation, but it also does not prohibit courts from doing so.2 This aligns with the decision in Skidmore, which permits courts to consider—but not be bound by—an agency's "body of experience and informed judgment."3 Now, when reviewing a challenge to an agency action, a court may consider the agency's interpretation, but cannot rely on it alone, and ultimately must come to an independent judgment.

Effect of the Ruling

The Ruling undoubtedly shifts the balance of power between the three branches of government, pulling power from the Executive Branch and giving it (or returning it) to Congress and the Judiciary. And while these shifts certainly are interesting from an academic perspective, there are myriad practical effects as well, including:

  • Regulatory Caution: Agencies are likely to exercise more caution in their rulemaking, with a heightened need to bolster the reasoning behind policy decisions to withstand judicial scrutiny. Agencies will be less likely to look for creative interpretations of statutes. This will be especially important for cybersecurity regulations, which make up a relatively new area of law and sometimes are viewed based on novel interpretations of dated statutes.
  • Legislative Precision: The Ruling likely will motivate Congress to draft more detailed and precise legislation, minimizing ambiguity that Congress could previously rely on agencies to interpret when that interpretation would be given deferential treatment. For the last four decades, because of Chevron, Congress had been able to use ambiguity to pass legal interpretation issues on to agencies.
  • Litigation Surge: The end of Chevron deference likely will fuel an increase in litigation. Because the first step of Chevron was such a low bar, more often than not, courts ultimately would defer to agency decisions and businesses faced very long odds for success through litigation. Now, with a more viable path forward, we likely will see more businesses turn to litigation as an option, and we could even see races to the courthouse to set precedent for future agency action.

Navigating the Post-Chevron Regulation Landscape

The Ruling caused another major shift by potentially giving more power to businesses and industry. For government contractors and any regulated industry, the Ruling will provide new opportunities for engaging with agencies and challenging agency action. For example, businesses might use the Ruling to engage in the following actions.

  1. Challenge Final Rules: The Ruling empowers contractors to challenge rules that they believe overstep or misinterpret legislative intent. For instance, CMMC is the progeny of Section 1648 of the National Defense Authorization Act (NDAA) for 2020, which provides broad strokes for the CMMC framework. As such, contractors could rely on the Ruling to challenge the Department of Defense's interpretation of the NDAA language after a final rule is issued.
  2. Influence Rulemaking through Comments: Contractors have an opportunity to more effectively influence the rulemaking process by providing comments and identifying where regulators may have stepped beyond the scope of a statute. For example, a business could push against a Proposed Rule, arguing that the Proposed Rule extends beyond the authorities granted under its Congressional authorization and runs counter to Congressional intention.
  3. Litigate Over Legislative Uncertainty: If collaboration during rulemaking fails or a business receives an unfavorable agency decision, businesses should now have much better odds for successful litigation. For example, the SEC's cybersecurity rules require reporting of cybersecurity incidents within four days, but the Securities and Securities Exchange Acts make no reference to cybersecurity at all. A business may consider challenging a penalty issued under this rule on the grounds that the rule itself is not a valid interpretation of those statutes.

Regardless of whether the overruling of Chevron is viewed as a welcome increase in oversight of agencies or more as judicial usurpation of administrative law, the Ruling undoubtedly creates more opportunity for businesses to influence and challenge agency rulemaking. For businesses, especially those regularly dealing with regulators (and in particular government contractors), the Ruling heralds a time of both ambiguity and opportunity. Businesses can engage legal counsel to more heavily impact regulatory outcomes, particularly with respect to cybersecurity, and those businesses may find more leeway in navigating the changing regulatory environment.

Footnotes

1. Skidmore v. Swift & Co., 323 U.S. 124 (1944).

2. APA, 5 U.S.C. § 706.

3. Skidmore, 323 U.S. at 140. Skidmore was cited five times throughout the majority opinion. The opinion also refers to United States v. Moore, and the requirement to give "respectful consideration" to agency actions. United States v. Moore, 95 U.S. 760, 763 (1877).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Townsend L. Bourne
Townsend L. Bourne
Photo of Jordan Mallory
Jordan Mallory
Photo of Nikole Snyder
Nikole Snyder
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More