Loper: How the Overturning of Chevron can Materially Affect Cybersecurity
Every security podcast I listen to and every conference I have attended in the last year has at least once raised the subject of “What is materiality?” As an industry, we have been trying to figure this out because the new Securities and Exchange Commission (SEC) rule requires publicly traded companies to disclose a material breach within 48 hours. Even more than a year later, we are unsure about the meaning of materiality. And now, the US Supreme Court (SCOTUS) has decided to add a chainsaw to our juggling act.
Specifically, Loper Bright Enterprises v. Raimondo. If that doesn’t sound familiar, you may have heard of it as the overturning of Chevron deference. Loper matters because:
- You have a stronger leg to stand on if you fight regulating agencies on their rules
- It also might mean that the agency might not have been allowed to make those rules at all
- It can lead to greater consistency in rule interpretation
In the case of materiality, we will potentially have a better understanding of what that means.
Administrative Law
First, let me explain administrative law to you a little. Think of me as your very own personal Schoolhouse Rocky:
When the Congress makes up laws,
Even though the laws have flaws,
They can create an agency
To implement and oversee.
The agency then regulates—
This is the “administrative state”
But, sometimes, words ambiguous
Cause tensions that are arduous
On businesses that are trying
To make money while complying.
So they fight administration
But, and here’s the complication,
The same agency would adjudicate
The cases that were brought to it.
Congress can create laws and then hand them off to an agency to create rules and adjudicate them because of a law called the Administrative Procedure Act (APA), passed in 1946. It allows administrative agencies created by Congress to create rules. The APA has many sections and subsections affecting how rules are created and administered. We want to focus on this:
- Section 10(a), Judicial Review: “Any person suffering legal wrong because of any agency action or adversely affected or aggrieved by such action within the meaning of any relevant statute shall be entitled to judicial review thereof.”
Chevron
Here is where Chevron mattered. In 1984, SCOTUS decided that when an administrative body interpreted its own regulations to reach a finding, and that case was then appealed to a court, the court had to accept the agency’s own interpretation of its regulations as long as that interpretation was reasonable. In a way, Chevron negated the Administrative Procedure Act by allowing agencies to review their own rules and deliver judgment on cases. As long as the interpretation was reasonable, the courts had to give the agency deference in interpretation.
Impact of Chevron
Now, some of you may wonder, “So what?” And, really, that’s a good question. But think about how complex the English language is. Do you know that the word SET has the most definitions? 430, to be precise. Can you imagine how many interpretations a law can have if it uses the word “set” in it? Remember, until the 1990s, none of us even questioned if we knew what the word “is” is.[1]
So, when interpreting law, a judge can, and does, many things.[2] But, that is a judge’s purpose: to interpret the law.
Now, I am not trying to say that the agencies created by Congress are not the beacons of fairness. But, if an agency can make its own regulations and then interpret the regulations within each case it oversees, it has the ability to side on its own behalf. And, if judges then have to agree with that interpretation of the law as long as it makes sense—even if it wasn’t the intent of the law—well, that can, and did, lead to weird and conflicting case law.
Materiality
“OK, Hadas, this is more interesting than I expected, but I still don’t see why I should care as a cybersecurity expert.”
Back to the SEC’s materiality rule:
General Rules and Regulations of the SEC define “material”: “The term ‘material,’ when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to buy or sell the securities registered.” (17 CFR 240.12b-2)
This raises significant questions for cybersecurity practitioners.
What is the industry you are in? Realistically, no two breaches are similar, and investors within industries are different.
What is a reasonable investor? If you’re nerdy like me, here’s a paper discussing the amorphous blob that is a reasonable investor.[3]
How much of a likelihood makes likelihood substantial? One year after the Target breach was uncovered, Target stocks recovered to their pre-breach levels. A sophisticated investor might have thought that would happen and invested when the stocks were down to make a mint. Or the investor might have sold off. There is no real way to know. And some investors might have just held and seen where things went. Some investors want all the information and use that information in concert with all other information to make decisions. Some investors use insider information (illegally) to leverage themselves. Here’s the rub. All information is potentially useful. How do we know if it would have a substantial likelihood to be useful to an investor?
Some problems can arise with the disclosure of breaches:
- If we disclose more frequently, it can create a greater likelihood of investor impact than if we do not disclose.
- It’s possible that too much disclosure will minimize the importance of disclosures. Then, nothing will be substantially likely to impact a person’s behavior, negating the materiality of ANY breach disclosure.
This was confounding all of us because it is vague, ambiguous, and confusing.
Loper
Here is where Loper comes in (as well as a bunch of doctrines in legal interpretation that we will skim the surface of).
With Loper, the Supreme Court overturned Chevron. From now on, if you fight an agency on a rule, and they decide in their own favor—and you appeal it to a court—the court is not required to agree with the agency’s interpretation of the rule.
There’s more to Loper:
When administrative agencies make rules that are not directly within their purview—within the text of the law they work under—a court can overrule the rule outright.
“The Administrative Procedure Act requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, and courts may not defer to an agency interpretation of the law simply because a statute is ambiguous.” Loper Bright Enterprises et al. v. Raimondo, Secretary of Commerce, et al., 603 U.S. _____(2024); emphasis added.
So, not only is there no longer a deference to the agency regarding what the rules should mean, but the court can decide whether the agency even had a right to create rules that Congress had not specifically legislated.
Taken to one extreme, it might be a viable claim that the SEC doesn’t have any right to create cybersecurity requirements unless Congress passes a law specifically granting them that right.
Defining Materiality for Your Company
“Hadas, I get it. What you are saying is:
Agencies still get to write
Rules that companies get to fight.
But, when there is a situation
Requiring an interpretation
Loper and SCOTUS now support
Interpretation by the court,
Instead of potential abuse of power
That Chevron had allowed to flower.
But what do I do about it?”
Well, first off, good rhyming and summarizing. Secondly, as a recovering attorney, I do not give reliable legal advice. So, take the following with a grain of salt (and then go ask an actual attorney):
- If you can fight the SEC (have the means, the wherewithal, and the advice of legal counsel), you likely have a better chance of winning. And you should: we should all expect better, more understandable rules.
- Stay updated on court rulings and regulatory changes. The removal of Chevron’s deference means courts will scrutinize agency interpretations more closely.
- Be prepared to update compliance programs if regulatory or legal requirements change due to jurisprudence.
In the interim, talk to your peers about what they are doing. Also, keep an eye on legal cases/decisions that are made based on materiality (or other rules).
Because these cases will have to go through courts, we might not have any decisions for years.
Until then, as a security practitioner, I recommend you and your risk and legal organization get together and define materiality for your company. Then, you should determine what events and at what level of breaches you meet materiality. I would put all of that in your incident response plan and vet it when you do your tabletop testing. Acting with fiduciary responsibility to your business and customers and in line with how your industry behaves is a pretty good safe harbor.
Bonus Round full of initialisms and acronyms (really, what would cybersecurity or government regulations be without them?):
- If you are a covered entity under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), keep an eye on CIRCIA’s final rules from CISA, expected around October 2025. Due to Loper, CISA may be more apt to listen to the feedback on these rules.
- Federal Trade Commission (FTC): Recent FTC rulemaking under Section 5 includes the Health Breach Notification Rule, and proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule could be challenged.
- Gramm-Leach-Bliley Act (GLBA): Regulators have recently expanded their rules with a range of cyber incident reporting requirements for financial institutions.
- Transportation Security Administration (TSA): TSA’s emergency amendments in 2022 for cybersecurity requirements for passenger and freight railroad carriers, as well as airport and aircraft operators, may be challenged.
[1] For those not familiar, a brief synopsis: Bill Clinton said there “is” no relationship with Monica Lewinsky, which was technically true at the time he made the statement.
[2] For example, an originalist will look at what the words meant at the time the law was written. A contextualist will look at what the words mean in the context of the law. A judge may use stare decisis and look at how other cases came out when interpreting the law. Or, a judge may look at all of these things and what makes sense within the realm of the facts of the case.
[3] In economics, the “economic man” is a construct that represents a person who is rational and self-interested in economic situations. Also known as the “rational man” or “homo economicus.” This concept was introduced by Scottish economist Adam Smith in the 18th century. But behavioral economics shattered this concept. We are not reasonable. We do behave in self-interest, but we also behave according to external pressures, our mores and ethics, and a slew of other pokes and prods.
Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from ground-up.