Key Biden administration regulatory efforts in the area of cybersecurity could potentially be impacted by the U.S. Supreme Court’s recent decision to strike down the so-called Chevron test that gave deference to government agencies interpreting an ambiguous statute, legal analysts said.
The Federal Trade Commission and Securities and Exchange Commission are among federal regulators that have taken aggressive actions on cybersecurity in recent years without explicit authority from Congress, triggering cries of government overreach in some cases.
One example is a pending FTC move to craft sweeping data privacy and security rules under Section 18 of the FTC Act.
“To the extent that the FTC were to go forward with the rule, it would be much more susceptible to being reversed by a court given the new decision,” Daniel Kaufman, a partner at law firm BakerHostetler, said in an interview.
The Supreme Court’s 6-3 decision in Loper Bright Enterprises v. Raimondo held that courts do not need to defer to a federal agency’s interpretation of the law simply because the statute the agency administers may have gaps or be unclear.
“The Court’s decision is not surprising, given its dual embrace of a textualist approach to statutory interpretation and steady march away from the Chevron doctrine in recent years,” Scott Kimpel, a partner at law firm Hunton Andrews Kurth, said via email.
The ruling could have significant ramifications for agencies such as the FTC and SEC that rely on old statutes to tackle modern policy issues such as cybersecurity, according to Michelle Kallen, a Jenner & Block partner.
“Part of the challenge has been that Congress has been relatively slow to act, especially when it comes to modern technology, and so, agencies have tried to come up with creative approaches to solve these problems,” Kallen said in an interview.
The FTC announced in August 2022 that it was exploring rules to crack down on “harmful commercial surveillance and lax data security.” In an advance notice of proposed rulemaking at the time, the agency requested public feedback on whether such rules were needed.
While the FTC has long been active as a data privacy and security law enforcer, its role has primarily been limited to case-by-case enforcement of the FTC Act’s broad prohibition on “unfair or deceptive acts or practices,” according to a 2022 Congressional Research Service report. The commission’s plan to adopt regulations that articulate specific data privacy and security requirements or prohibitions would be a “notable change,” the report said.
The agency has so far made little visible progress on its rulemaking initiative.
“You must act now to protect the public at large, and do so regardless of any federal data privacy protections being discussed in Congress,” a coalition of more than 30 public interest and advocacy groups said in a letter to the FTC last month. “We have waited long enough to prevent deceptive and unfair uses of data.”
A group of Senate Republicans, including Marco Rubio of Florida, criticized the effort in a November 2022 letter to the FTC, urging the agency to “leave the task of creating data privacy and security rules to the elected officials in Congress.”
Congressional Republicans have also been critical of cybersecurity rules adopted by the SEC last year. The rules, promulgated under federal securities laws, require public companies to report a “material” cybersecurity incident to the SEC in an Item 1.05 Form 8-K within four days of determining the breach is material, among other requirements.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Rep. Andrew Garbarino of New York, said in a November press release announcing a House resolution to overturn the rules.
A companion resolution was introduced in the Senate by Republican Thom Tillis of North Carolina.
The proposal has drawn a veto threat from President Joe Biden.
“Reversing the SEC’s rulemaking would not only disadvantage investors who deserve to have a clear understanding of the cyber risk underlying their investment but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” the Office of Management and Budget said in a Jan. 31 statement outlining the administration’s position on the proposal.
Meanwhile, the SEC has also come under fire for taking the position in recent cases that a cybersecurity failure can be punished as an “internal accounting controls” violation under Section 13(b)(2)(B) of the Securities Exchange Act.
In the latest example, the SEC announced in June that R.R. Donnelley & Sons Co., a global provider of business communication and marketing services, agreed to pay about $2.1 million to settle commission charges that it violated Section 13(b)(2)(B) in connection with the company’s response to a 2021 ransomware attack.
The SEC included similar allegations in a case against Austin, Texas-based software provider SolarWinds. The litigation is currently pending before the U.S. District Court for the Southern District of New York.
In February, the U.S. Chamber of Commerce and the Business Roundtable filed a joint amicus brief backing a SolarWinds motion to dismiss the lawsuit. The commission has increasingly used the provision to go after companies that allegedly failed to comply with controls that had nothing to do with the accuracy of their financial statements, the industry groups said in their brief.
“By treating Section 13(b)(2)(B) as a grant of generalized monitoring authority, the SEC has attempted to position itself as a superenforcer of corporate behavior well beyond the bounds of federal securities laws,” they said.
