Cybersecurity Implications For Ending Chevron Deference

Note: I am not a lawyer; this is just intellectual food for thought for cybersecurity practitioners about possible changes in 2024 that could affect our profession.

Chevron deference, often referred to as the Chevron rule, is a legal principle in the United States that stems from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. It is a doctrine that guides how courts review an agency's interpretation of the statutes (laws) it administers.

Since 1984, Chevron deference has been criticized as enabling bureaucratic overreach by unelected government officials, but it also has defenders who argue that it promotes pragmatism and efficiency in the administration of complex regulatory schemes. In 2024, the United States Supreme Court took up the debate over the legitimacy of Chevron deference in two cases (Loper Bright v. Raimondo and Relentless v. Department of Commerce). Current speculation is that the Court will do away with the Chevron rule in 2024, and this has fascinating implications for cybersecurity compliance.

Chevron deference rests on the idea that agencies have expertise in their respective areas and should be given some leeway in interpreting ambiguous statutes, as long as their interpretations are reasonable. The principle is most often applied in administrative law cases involving challenges to agency regulations or decisions.

What Is The Chevron Deference?

Chevron deference has two main steps:

  1. Courts must determine whether the statute is clear and unambiguous. If the court finds that the statute is clear, it must give effect to the plain language of the statute, and no deference is given to the agency's interpretation.
  2. If the statute is found to be ambiguous or silent on the specific issue, the court defers to the agency's reasonable interpretation of the statute. Courts are instructed to defer to the agency's interpretation as long as it is reasonable, even if the court might have interpreted the statute differently.

What Is The Problem With The Chevron Deference?

Chevron deference has faced various challenges and criticisms over time. Some of the key criticisms include:

  • Separation of Powers Concerns: Critics argue that Chevron deference undermines the separation of powers by giving too much interpretive authority to administrative agencies. They contend that it allows agencies to effectively make and interpret laws, a role that is constitutionally assigned to the legislative branch.
  • Inconsistency in Application: Critics also point out that the Chevron deference has been applied inconsistently by different courts. This lack of consistency creates challenges for regulated entities and individuals trying to understand and comply with the law.
  • Concerns about Accountability: Critics express concerns that Chevron deference reduces the accountability of agencies to the public. By allowing agencies to interpret statutes with less scrutiny from the courts, there is a potential for less oversight and accountability in the regulatory process.
  • Statutory Interpretation Arguments: Critics argue that Chevron deference may not align with traditional principles of statutory interpretation, particularly the idea that courts should be the final arbiters of statutory meaning. They contend that courts should not defer to agency interpretations when interpreting statutes.
  • Calls for Independent Judicial Interpretation: Critics argue that courts should take a more active role in interpreting statutes rather than deferring to agency interpretations. They believe that the judiciary should independently determine what a statute means.

What Are Cybersecurity Implications For Chevron Deference?

Chevron deference affects how cybersecurity laws are interpreted and enforced, particularly where administrative agencies regulate and implement those laws. Here are some ways in which Chevron deference directly affects cybersecurity compliance initiatives (e.g., Section 5 of the FTC Act, the SEC's new cybersecurity reporting rules, the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC), etc.):

  • Agency Rulemaking and Interpretation: Administrative agencies, such as the Federal Trade Commission (FTC) or the Federal Communications Commission (FCC), often develop and implement cybersecurity regulations. When these agencies issue rules or interpret statutes related to cybersecurity, courts can currently apply Chevron deference when judging whether the agency's interpretation is reasonable.
  • Flexibility in Regulatory Approach: Chevron deference currently gives agencies a degree of flexibility in interpreting and applying cybersecurity laws. This flexibility primarily benefits the government in the rapidly evolving field of cybersecurity, allowing agencies to adapt their regulatory approaches to new technologies and emerging threats. It can also lead to "regulatory overreach" issues, such as the significant heartburn many cybersecurity practitioners expressed over the recently proposed rule for CMMC, as well as DoD's invention of "FedRAMP equivalency" requirements.
  • Clarity in Statutory Language: The clarity or ambiguity of statutory language becomes crucial in the context of cybersecurity laws. If a statute is clear and unambiguous, courts do not defer to agency interpretations under Chevron and instead apply the plain language of the law. However, there is often ambiguity. For example, Section 1648 of the 2020 National Defense Authorization Act (NDAA) is a statutory requirement for DoD to create a "framework to enhance cybersecurity" of the US Defense Industrial Base (DIB). Section 1648(c)(2), which is not one of the nine elements of Section 1648 but a "matter of consideration," mentions the CMMC pilot program along with "risk-based methodologies, standards, metrics, and tiered cybersecurity requirements" for the DIB. A statutory mandate for CMMC is not "clear and unambiguous" when CMMC is only included as a matter of consideration. Within the scope of Section 1648, CMMC also does not constitute the "comprehensive framework," since it addresses only part of the scope (e.g., it ignores classified information and Uncontrolled Unclassified Information (UUI), focusing only on Controlled Unclassified Information (CUI)).
  • Potential for Judicial Review: Critics of Chevron deference argue that it limits the extent of judicial review and oversight of agency actions. In the cybersecurity context, this affects the ability of regulated parties to challenge regulations or enforcement actions in court.
  • Consistency and Predictability: The application of Chevron deference can contribute to unpredictability in the enforcement of cybersecurity laws, because an agency can reinterpret an ambiguous statute and change the practical obligations of regulated entities without any change to the statute itself. This unpredictability hurts smaller organizations far more than larger ones.

What Does It Mean If Chevron Is Overruled?

As with anything on the statutory and/or regulatory side, the lawyers win. If the US Supreme Court eliminates Chevron deference, it will undoubtedly lead to legal challenges alleging regulatory overreach. In certain cases that will not be a bad thing. It would likely force Congress to provide more granularity within statutes, because regulatory agencies would no longer be able to fill in the blanks on their own.

The impact of Chevron deference on cybersecurity laws will vary depending on the specific agency involved, the nature of the regulations, and the statutory framework in question.

About The Author

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Mrunali B

Business Development Manager

1 yr

Governance, Risk and Compliance: Your Guide for Selecting the Right Framework Get Your FREE Copy Today: https://tinyurl.com/bdf7f45b #governance #governanceriskmanagementandcompliance #governancematters #cybersecurity #cybernews #cyberattacks

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), CMMC Lead Assessor, FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

1 yr

Nice write up Tom. Thanks for posting. Learned several things on this.

Jay Harmon

As the CEO of BorderHawk, I help Healthcare, Telco, DoD & Critical Infrastructure Achieve Cyber Security Preparedness & Audit Compliance (HIPAA, NIST CSF/SCRM, CMMC, SOC, & PCI) Readiness.

1 yr

I have been following this issue for a few months. The underlying issue for me is the expectation that all of the government (federal/state/municipal) agencies who produce administrative rulings and apply them to industry actually have expertise in the area of the rule. Of course many do, but not always. The unintended consequences can drive the reality of compliance efforts far from the original intent. I expect a vigorous debate and opinion from SCOTUS on this.

Chris Gebhardt

CISO. Practical. Reasonable. Creative. Concise. Experience with FedRAMP, CMMC, ISO, SOC, NIST, and many more. Former LE SWAT Team Leader.

1 yr

One finding I see is the focus on CMMC. It was not created out of the NDAA in 2020 but rather from an Executive Order signed by Pres. Obama. I believe Chevron and its progeny are irrelevant for XOs. Therefore, CMMC will stand as is.

Jeremy Baker

Director of Information and Product Security at Pearl | Cybersecurity Commissioner - Utah Privacy Commission

1 yr

Good write-up. This case has been on my radar for other things and I'm glad I came across your post. If the Chevron Deference is ended, I don't have high hopes that any good standard will ever end up passing in US Congress... The security world will be the wild west again.
