On July 25, Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations), petitioned the Eighth Circuit to review the U.S. Environmental Protection Agency’s (EPA) new rule requiring states to review and report cybersecurity threats to their public water systems (PWS).

In August 2022, the EPA provided a report to Congress describing its plan and prioritization framework for addressing the cybersecurity needs of the public water system. The EPA then issued an “implementation memo” in March 2023 that laid the groundwork for the EPA’s plan to combat cybersecurity risk. The memorandum requires states to incorporate an evaluation of the cybersecurity of operational technology used by a PWS when conducting its sanitary surveys. A sanitary survey is a review of a PWS to assess its capability to supply safe drinking water, and the EPA is including cybersecurity as a potential deficiency. In a press release announcing the memo, EPA Assistant Administrator for Water Radhika Fox said, “Cyber-attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable. Cyber-attacks have the potential to contaminate drinking water, which threatens public health.” In early July 2023, the Eighth Circuit blocked implementation of the rule while the legal challenge is ongoing.

The states’ brief argues that the EPA’s Cybersecurity Rule unlawfully imposes new legal requirements on states and PWSs, and that the rule exceeds the EPA’s statutory authority by ignoring congressional actions limiting cybersecurity requirements to large PWSs and changing the criteria for sanitary surveys through a memorandum. The states also assert that the rule is arbitrary and capricious because the EPA (i) failed to acknowledge or explain it had changed policies relating to amending the minimum criteria or the scope of sanitary surveys and (ii) failed to consider important aspects of the rule, including that the state agencies responsible for conducting the surveys lack the level of cybersecurity expertise necessary to complete the evaluations expected by the EPA, and the frequency with which sanitary surveys occur (every three to five years) will not ensure PWSs address new threats in a timely fashion.

In a separate brief, the water associations argued that the Cybersecurity Rule exceeds the EPA’s authority under the Safe Drinking Water Act, which provides the EPA with limited authority to address cybersecurity vulnerabilities, and Congress did not intend for the EPA to use the act to impose sanitary surveys, regulate smaller water systems, or force states to collect sensitive information and evaluate cybersecurity at PWSs. The water associations argued that the rule “contravenes Congress’s thoughtful policy preference that cybersecurity in smaller PWSs be addressed with assistance, not regulation, from EPA.” They specifically contend that Congress knew these smaller systems would lack the operational and financial capacity to undertake requirements like those included in the Cybersecurity Rule and that such requirements would strain those systems’ limited budgets and staff without providing proportionate benefits. The public disclosure of PWS cybersecurity information through states’ public records laws is also a concern.

If the new rule becomes a binding requirement, as the EPA intends, the states and their PWSs will face legal obligations that, if ignored, could potentially cause them to lose control over Safe Drinking Water Act programs and compromise federal funding.

Why It Matters

While the EPA’s new rule is presently being challenged by the states, it is clear that the cybersecurity landscape is shifting. The EPA’s new rule is consistent with efforts across the federal government to bolster the cybersecurity framework that protects critical infrastructure. The states’ challenge to the EPA rule may ultimately be successful, but new regulations and legislation to address the same concerns are likely in a world that increasingly relies on complex technology that is susceptible to attack by bad actors.

Utilities across the U.S. with significant technical debt need to be mindful of new legal and regulatory requirements relating to cybersecurity to ensure compliance. The same is true for vendors of critical infrastructure facilities who may share responsibility for cybersecurity. Failure to stay abreast of, and in compliance with, rapidly evolving cybersecurity obligations may place utilities and vendors in the crosshairs of regulators, and risk the loss of public funding or being compelled to comply with current requirements before the utility is permitted to continue operations. While compliance may seem impossible for entities that have fallen behind in modernizing cybersecurity platforms, assistance programs like the State and Local Cybersecurity Grant Program may provide important resources to offset some of the burden.

Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. He focuses primarily on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). Drawing upon his experience as a deputy attorney general, Ashley has developed an extensive consumer practice with regard to the consumer financial services industry.
Clay Friedman – Co-leader
Clay is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. Informed by nearly a decade in a state attorneys general office, and more than 25 years in private practice, Clay spends much of his time representing clients in singular or multistate regulatory actions. Clay has repeatedly led teams before all 50 state attorneys general and also handles matters with the Federal Trade Commission, the Consumer Financial Protection Bureau, and other local, state and federal agencies.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen represents clients interacting with, and being investigated by, state attorneys general and other enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, particularly in heavily regulated industries.
Avi Schick
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Michael Yaghi
Michael handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Ketan Bhirud
As a former government official at the state and federal level, Ketan leverages extensive experience in the public and private sectors to skillfully represent client interests.
Tim Bado
Tim is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, with a primary focus on financial services litigation.
Chris Carlson
Chris represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia Jacobo
Natalia is an associate in the firm’s business litigation practice. She recently received her J.D from the University of California, Davis School of Law.
Namrata Kang
Namrata is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. Her work includes advising clients in regulatory investigations and compliance matters, in addition to representing clients in civil litigation matters.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes. Susan also represents banks, fintechs, and financial services companies in connection with regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation.
John Sample
John represents clients in a wide variety of general and complex litigation matters, shareholder disputes, products liability, and privacy claims.
Whitney Shephard
Whitney is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement practice. His experience includes serving as a summer associate at the firm in 2021.
Daniel Waltz
An experienced litigator, Daniel advises and represents regional, national and international companies, financial institutions and insurers in all facets of business, complex commercial and insurance coverage litigation. He is committed to working with his clients to find creative solutions to meet their needs.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.