The U.S. Environmental Protection Agency (EPA) has formally withdrawn cybersecurity rules it promulgated in March requiring that states report cybersecurity threats to their public water systems (PWS). The reversal comes in the wake of lawsuits filed in the Eighth Circuit in July by Missouri, Arkansas, and Iowa (the states), along with intervenors American Water Works Association and National Rural Water Association (the water associations). As a result of the withdrawal, the states and water associations filed to dismiss their suits.
The states argued that the EPA’s Cybersecurity Rule unlawfully imposed new legal requirements on states and PWSs, and that the rule exceeded the EPA’s statutory authority by ignoring congressional actions limiting cybersecurity requirements to large PWSs and changing the criteria for sanitary surveys through a memorandum. The states also asserted that the rule was arbitrary and capricious because the EPA (i) failed to acknowledge or explain it had changed policies relating to amending the minimum criteria or the scope of sanitary surveys and (ii) failed to consider important aspects of the rule, including that the state agencies responsible for conducting the surveys lack the level of cybersecurity expertise necessary to complete the evaluations expected by the EPA, and the frequency with which sanitary surveys occur (every three to five years) will not ensure PWSs address new threats in a timely fashion.
In a separate brief, the water associations argued that the rule exceeded the EPA’s authority under the Safe Drinking Water Act, which provides the EPA with limited authority to address cybersecurity vulnerabilities, and that Congress did not intend for the EPA to use the Act to impose sanitary surveys, regulate smaller water systems, or force states to collect sensitive information and evaluate cybersecurity at PWSs. The water associations asserted that the rule “contravenes Congress’s thoughtful policy preference that cybersecurity in smaller PWSs be addressed with assistance, not regulation, from EPA.” They specifically contended that Congress knew these smaller systems would lack the operational and financial capacity to undertake requirements like those included in the Cybersecurity Rule and that such requirements would strain those systems’ limited budgets and staff without providing proportionate benefits. The public disclosure of PWS cybersecurity information through states’ public records laws is also a concern.
The EPA action was intended to address increasing cybersecurity threats to public infrastructure around the U.S. In response to the withdrawal, the Biden administration stated that they will pursue a “Plan B,” which will involve lobbying Congress to pass similar legislation.
Relatedly, in June, a bipartisan coalition of representatives introduced the Cybersecurity for Rural Water Systems Act of 2023 to provide cybersecurity funding and technical assistance to rural water and wastewater systems. The water associations are supporting this effort.
The EPA’s attempt at cybersecurity regulation also corresponds to other, recent federal agency actions addressing cybersecurity. On October 27, the Federal Trade Commission (FTC) announced a new rule requiring financial institutions subject to the authority of the FTC to notify the agency as soon as possible but no later than 30 days after discovery of an unauthorized acquisition of unencrypted customer information impacting 500 or more customers. In June, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents and to disclose material information regarding their cybersecurity risk management, strategy, and governance, on an annual basis.
Companies can expect the continued proliferation of federal cybersecurity regulations in the near future as the Biden administration is mandating that all federal agencies adopt minimum cybersecurity standards for organizations under their respective umbrellas.