The Arkansas, Missouri, and Iowa Attorney Generals (collectively “Arkansas AG”) filed on April 17th a Petition for Review (“Petition”) in the Federal Eighth Circuit Court of Appeals addressing a March 3rd Memorandum issued by the United States Environmental Protection Agency (“EPA”) titled:
Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process (“Memorandum”)
See previous March 9th post describing the Memorandum.
The Petition is styled States of Missouri, Arkansas, Iowa v. Michael Regan, In His Official Capacity as Administrator of the U.S. Environmental Protection Agency, et al., 23-1787.
The EPA Memorandum expressed concern that some public water systems (“PWS”) had failed to adopt basic cybersecurity best practices. It purported to clarify that states must:
. . . evaluate the cybersecurity of operational technology used by a PWS when conducting PWS sanitary surveys or through other state programs.
The Memorandum provided what EPA characterized as “various approaches” to include cybersecurity in PWS sanitary surveys or other state programs.
The Arkansas AG’s Petition initially states that:
. . . EPA’s March 3, 2023 Cybersecurity Rule requires States to change how they conduct sanitary surveys under the Safe Drinking Water Act and imposes increased technology costs on small (and rural) Public Water Systems. EPA’s new authority springs from re-“interpreting” the words “equipment” and “operation” for a physical on-site inspection to include cybersecurity infrastructure even though the words “cybersecurity” or “internet” are absent from the 2019 guidance. And EPA uses its new power to require a mandatory enforcement scheme that burdens States and rural Public Water Systems.
The Petition argues that the Memorandum is in fact a rule that was promulgated without the required public notice procedures.
Additional arguments include:
- The scheme by which Congress intended to regulate cybersecurity under America’s Water Infrastructure Act (“AWIA") of 2018 requires only community water systems serving over 3,300 people to, among other actions, assess the risk and resilience of electronic, computer, or other automated systems, including the security of such systems.
- Per the AWIA, for PWSs serving over 3,300 people no community water system is required under state or local law to provide an assessment to any state, region, or local governmental entity solely by reason set forth and certain cited authorities that the system submit a certification to the EPA Administrator
- The Memorandum intrudes on States’ authority
A copy of the Petition can be downloaded here.
The Between the Lines blog is made available by Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.