Cybersecurity regulations like the HIPAA Privacy Rule and the GLBA’s CFR Part 314 have long served as guideposts, providing much-needed direction in a complex landscape. These rules were made possible by the Chevron Doctrine, a framework that allowed agencies to interpret ambiguous laws and establish standards. However, on June 28, 2024, the Supreme Court overturned this doctrine, ushering in an era of uncertainty—but also an opportunity to redefine how we approach cybersecurity regulation with clarity and purpose.
Today’s cybersecurity regulations are piecemeal and largely reactive, often placing undue burdens on businesses without creating motivation or incentives for identifying and addressing root causes. Worse, individual organizations with charters that involve multiple areas of cybersecurity concern can find themselves subject to multiple, sometimes conflicting, cybersecurity expectations. A recurring example is higher education: universities must juggle cybersecurity demands and priorities from the FTC, HHS, and the payment card industry, because they broker financial relationships, handle student and staff healthcare data, and accept credit card payments across multiple departments. This means that they need to comply with a matrix of controls, reporting, and audits, while managing their core, critical, mission of providing education within a safe environment. The result is a tangled web of conflicting rules, forcing more attention and investment in compliance, and less focus and resources for real security.
The speed of advancement in technology and threat makes it obvious why Congress hasn’t kept pace or provided clearer guidance. Today, as we look ahead, the challenge of defining rules with appropriate statutory authority is finally on the table in a way that may allow our industry to cut the Gordian cybersecurity knot created through the past 30 years of tech, threat, and countermeasure recommendations. Finally, we have the opportunity for a new, bold, actionable approach—one akin to the sea-change in food safety that followed the 1906 Pure Food and Drug Act, which revolutionized safety standards in the meatpacking industry following public outcries and irresistible momentum for change.
Imagine a framework for cybersecurity that was as robust on internetworking as the FDA has become for our food and pharmaceutical suppliers. We’d see:
- Meaningful standards for secure software development and supply chain management.
- Certifications to assure and announce product and service security.
- Intelligent assignment of liability to hold creators of software accountable.
In this new system, exploits and breaches, along with their costs, could be more clearly assigned to the appropriate parties. Victims of criminals exploiting insecure software or misconfigured utilities, like hospitals or small businesses, would not be villainized, and instead, would be incentivized to choose only secure products and proven reliable service providers. More substantial and informed legislation would move our disclosure from blaming these victims to educating them on trustworthy providers and encouraging vendors to prioritize cybersecurity through market differentiation on these lines.
This clarity would transform the technology industry, enabling businesses to innovate safely and consumers to trust the technology they depend on. Unlike the world of the last century, cybersecurity is now foundational to our lives—just like safe food, clean water, and reliable transportation. With a new, evergreen, and consistent standard of care, we can move beyond the current patchwork of rules to a system that rewards diligence and punishes negligence with one voice.
The end of the Chevron Doctrine is a wake-up call—and perhaps, the catalyst we need to build a better, safer digital world.
Have questions about the impact of these regulatory changes on your organization? Don’t hesitate to reach out—we’re here to help.
Want more insights like this? Subscribe to our blog for the latest updates, expert perspectives, and actionable guidance to navigate the evolving cybersecurity landscape.
Included Topics
