
Regulation Turmoil Ahead?
How the Recent Supreme Court Ruling on Chevron Deference Might Impact Utility Cybersecurity
Earlier this year, the Supreme Court of the United States overturned the decades-old case often referred to as Chevron deference—setting the stage for potentially significant changes to the federal agency regulations, current and future, that utilities must adhere to for cybersecurity. The original 1984 ruling of Chevron U.S.A. v. Natural Resources Defense Council required federal courts to defer to federal agency interpretations of laws or statutes. With this recent 2024 Supreme Court ruling, federal courts will no longer have to defer and can interpret laws and regulations themselves.
So, how will this all impact utilities and their cybersecurity efforts? We sat down with Harley Geiger, a cybersecurity law and policy expert from Venable LLP law firm, to discuss the impacts of the ruling on past, current and future cybersecurity regulations.
CURTIS MARQUARDT JR.:
So before we get into the Chevron ruling, can you talk about the cybersecurity policy making landscape for the critical infrastructure segment?
Harley Geiger:
There has been a quickly increasing amount of attention on the cybersecurity risks associated with critical infrastructure in the United States and abroad. For the most part, those critical infrastructure sectors have been regulated on a sector-by-sector basis. And in many cases, there is not a specific statutory authority or a specific law passed by Congress that requires cybersecurity for a given critical infrastructure sector.
But there have been a lot of sprints, voluntary initiatives and public-private partnerships to try to strengthen security in these sectors. In some instances, there have been attempts at direct regulation by agencies. One area of importance for utilities is cyber incident reporting.
As you probably know, several critical infrastructure areas have cyber incident reporting requirements in place. In addition to those sector regulations, there is a cross-sector cyber incident reporting law that will take effect in late 2025 or early 2026. This law is called the Cyber Security Incident Reporting for Critical Infrastructure Act, also known as CIRCIA.
This law was passed by Congress a couple of years ago, and the law requires the Critical Infrastructure and Security Agency (CISA) to develop rules and regulations to implement the law. Right now we are in the phase where CISA is finalizing the rule. The rule would essentially require entities in critical infrastructure sectors to report cybersecurity incidents to CISA.
Many of us are familiar with data breach notification. Something that makes cyber incident reporting different is that the incidents that must be reported are much broader than just breach of personal information. Organizations could be in situations where they would have to report a cybersecurity incident as well as notify under breach notification requirements.
The way that CISA’s proposed rule is structured, any active participant in a critical infrastructure sector will have to report a cybersecurity incident to CISA within 72 hours. Ransomware payments must be reported within 24 hours. This covers the critical infrastructure sectors that were identified by the federal government—the 16 sectors we’re all pretty familiar with. But it’s not limited to the owners and operators of critical infrastructure assets. It’s every active participant in the sector, which is very broad.
CISA is planning to finalize that rule in late 2025, though they could propose the final rule sooner.
CURTIS MARQUARDT JR.:
So does the recent Supreme Court Chevron ruling impact this rule?
Harley Geiger:
Yes, it has an impact on a few components of the proposed rule. But before I get into those, let’s first talk about the Chevron ruling.
On June 28, 2024, the Supreme Court issued its long-awaited decisions in Loper Bright Enterprises v. Raimondo and Relentless v. Department of Commerce. The opinions overturned the long-standing “Chevron doctrine,” under which courts previously deferred to agency interpretations of ambiguous laws. The ruling will likely result in increased judicial scrutiny over regulatory decisions, directly affecting cybersecurity rules and enforcement actions by agencies like the Federal Trade Commission (FTC) and critical infrastructure regulators.
While digital security regulations won’t disappear, they are now more prone to court challenges where agency interpretations have unclear statutory backing. Future rulemakings and enforcement actions will need to be more narrowly scoped to statutory authority to be best positioned to avoid judicial modifications.
To explain, when Congress passes a law that has some ambiguity—which happens all the time—agencies have to make a judgment about their interpretation and about what that law gives the agency authority to do. And, prior to this most recent ruling, the Chevron doctrine meant that courts would defer to the agency’s interpretation of what Congress wanted.
So this meant the agency interpretation would be upheld in court. With the Chevron doctrine struck down, the courts now have greater flexibility and power to not defer to agency interpretations and instead make their own judgments about what Congress intended. And this ultimately means that the likelihood of regulations being modified or reversed will increase.
In the case of the critical infrastructure landscape, this makes it more difficult for agencies to adapt older statutes focused on safety or consumer protection for the purposes of cybersecurity because it is more difficult to argue that Congress specifically intended for those statutes to cover cybersecurity. So when an agency creates or enforces a cybersecurity regulation without clear Congressional backing, and that regulation or enforcement action is challenged in court, then the court may now be more likely to rule that the agency has overstepped its authority.
So, how does this impact CIRCIA? As I mentioned, the rule is very broad because the reporting requirements apply to any active participant in a critical infrastructure sector. Additionally, the proposed rule also has a broad definition of reportable cyber incident, and does relatively little to harmonize with other cyber incident reporting requirements.
In fact, members of Congress have already written to CISA that the proposed rule is broader than what Congress intended when they passed the law. That puts CIRCIA at greater risk of being reversed or modified now that Chevron deference is no longer in effect. The effect of the loss of Chevron deference not only affects CIRCIA, but also existing regulations and future regulations—in every sector.
CURTIS MARQUARDT JR.:
So what sort of recommendations do you have for utilities in this critical infrastructure segment on how to move forward into this new landscape?
Harley Geiger:
We are advising our clients not to make any big changes at this time. The real effect of the post-Chevron environment will not really manifest until court cases have worked their way through the system—and that will take some time.
Because it is more likely that a court could overturn or modify a regulation, regulated organizations may need to be prepared for uneven compliance requirements in different jurisdictions. Lawsuits can happen in any jurisdiction, so the law in one circuit might not necessarily be the law in another circuit—unless the Supreme Court weighs in or Congress passes a law.
The other thing to note is that we will probably see more narrow or fewer rules from regulators. They will be more constrained in their ability to get creative with their regulatory authority now. With that said, there are industries that do want clarity and harmonization from regulators in different sectors in the form of a consistent national standard. But unfortunately for those who do want that, it will now be more difficult to achieve without express grants of authority from Congress.
CURTIS MARQUARDT JR.:
I want to touch more on that from a cybersecurity perspective. Our readers have varying business models. We have smaller entities where one employee wears several hats, one of which being the cybersecurity hat. We also have readers who work for organizations who have operations across a dozen or more states and have cybersecurity teams. As it relates to the Chevron deference ruling, what sort of approaches should each be thinking about as future changes occur?
Harley Geiger:
Organizations should continue to comply with current laws and not assume that laws are suddenly going to evaporate overnight. But, over time, it is likely that there will be a broad deregulatory effect in different areas, not just cybersecurity.
So, for any organization, it is going to be a key strategy to stay on top of those developments to ensure that your organization is staying in compliance. In looking toward the future of cybersecurity regulation in this space, there is still great interest in strengthening the cybersecurity of utilities because of the risks of a disruption to society as a whole. With the loss of the Chevron deference, accomplishing this means that it will have to be done in a landscape that now includes a patchwork of laws and voluntary efforts.
CURTIS MARQUARDT JR.:
That’s a perfect segue to my next question. What will the cybersecurity policy landscape look like in the next five or ten years?
Harley Geiger:
As utilities continue to modernize and adopt digital technologies, cyber threat actors will do their best to exploit those and threaten the operations of critical infrastructure providers. We already see this today and I don’t believe that trend will change anytime soon.
As a result, there will continue to be a drumbeat for security in critical infrastructure sectors that comes from policymakers, civil society and others. However, it is difficult to envision, in the current environment, Congress coming to consensus on cross-sector critical infrastructure cybersecurity regulation.
So my prediction is that we’ll have a patchwork. Agencies will have less discretion to put out baseline rules for cybersecurity and utilities. And I think that we may see more action on this in the states and in non-U.S. jurisdictions such as Europe. This is the pattern we saw with privacy laws as well.
Some people and organizations may see not having consistent federal security requirements across sectors as a benefit. But there is also another perspective, which is that it will be burdensome to have to potentially comply with many different rules in different states and rules in non-U.S. jurisdictions as opposed to just complying with a single federal standard.