The Biden administration’s key regulatory efforts in the area of cybersecurity could be hurt by the U.S. Supreme Court’s recent decision to eliminate the so-called Chevron test that gave deference to government agencies interpreting an ambiguous statute, legal analysts said.
The Federal Trade Commission and the Securities and Exchange Commission are among federal regulators that have taken aggressive action on cybersecurity in recent years without explicit authority from Congress, prompting cries of government overreach in some cases.
One example is a pending move by the FTC to craft broad data privacy and security rules under Section 18 of the FTC Act.
“To the extent that the FTC were to go forward with the rule, it would be much more susceptible to being overturned by a court given the new decision,” Daniel Kaufman, a partner at the law firm BakerHostetler, said in an interview.
The Supreme Court’s 6-3 decision in Loper Bright Enterprises v. Raimondo held that courts should not defer to a federal agency’s interpretation of the law simply because the statute the agency administers may be flawed or unclear.
“The Court’s decision is not surprising, given its dual embrace of a textualist approach to statutory interpretation and its steady departure from the Chevron doctrine in recent years,” Scott Kimpel, a partner at the law firm Hunton Andrews Kurth, said via email.
The ruling could have significant ramifications for agencies like the FTC and SEC that rely on old statutes to address modern policy issues like cybersecurity, according to Jenner & Block partner Michelle Kallen.
“Part of the challenge has been that Congress has been relatively slow to act, especially when it comes to modern technology, and so agencies have tried to come up with creative approaches to solving these problems,” Kallen said in an interview.
The FTC announced in August 2022 that it was exploring rules to crack down on “harmful commercial surveillance and lax data security.” In an advance notice of proposed rulemaking at the time, the agency sought public comment on whether such rules were necessary.
Although the FTC has long been active as an enforcer of data privacy and security law, its role has been primarily limited to case-by-case enforcement of the FTC Act’s broad prohibition on “unfair or deceptive acts or practices,” according to a 2022 Congressional Research Service report. The commission’s plan to adopt regulations articulating specific data security and privacy requirements or prohibitions would be a “remarkable change,” the report said.
The agency has so far made little visible progress on its regulatory initiative.
“You must act now to protect the general public, and do so regardless of any federal data privacy protections being debated in Congress,” a coalition of more than 30 public interest and advocacy groups said in a letter to the FTC last month. “We have waited long enough to prevent misleading and unfair use of the data.”
A group of Senate Republicans, including Florida’s Marco Rubio, criticized the effort in a November 2022 letter to the FTC, urging the agency to “leave the task of creating data security and privacy rules to officials elected to Congress.”
Republicans in Congress have also criticized the cybersecurity rules adopted by the SEC last year. The rules, promulgated under federal securities laws, require public companies to report a “material” cybersecurity incident to the SEC under Item 1.05 of Form 8-K within four days of determining that the breach is material, among other requirements.
“This cybersecurity disclosure rule is a complete overreach by the SEC and one that is in direct conflict with the intent of Congress,” Rep. Andrew Garbarino of New York said in a November press release announcing a House resolution to annul the rules.
Republican Thom Tillis of North Carolina introduced a companion resolution in the Senate.
The proposal has prompted a veto threat from President Joe Biden.
“Reversing the SEC’s rules would not only harm investors who deserve to have a clear understanding of the cyber risk underlying their investment, but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” the Office of Management and Budget said in a Jan. 31 statement outlining the administration’s position on the proposal.
Meanwhile, the SEC has also been criticized for taking the position in recent cases that a cybersecurity failure may be sanctioned as a violation of “internal accounting controls” under Section 13(b)(2)(B) of the Securities Exchange Act.
In the latest example, the SEC announced in June that RR Donnelley & Sons Co., a global provider of business marketing and communications services, agreed to pay about $2.1 million to settle charges that it violated Section 13(b)(2)(B) in connection with the company’s response to a 2021 ransomware attack.
The SEC included similar allegations in a case against Austin, Texas-based software vendor SolarWinds. The litigation is currently pending in the United States District Court for the Southern District of New York.
In February, the US Chamber of Commerce and the Business Roundtable filed a joint amicus brief supporting a motion by SolarWinds to dismiss the suit. The commission has increasingly used the provision to go after companies that allegedly failed to comply with controls that had nothing to do with the accuracy of their financial statements, industry groups said in their filing.
“By treating Section 13(b)(2)(B) as a grant of blanket surveillance authority, the SEC has sought to position itself as a superenforcer of corporate behavior well beyond the bounds of the federal securities laws,” the groups said.
