Latest from Iowa Cybersecurity Law Blog

Payment card system breaches can cause millions of dollars in damages. Consumer losses are generally minimal, because Regulation E obliges card issuing banks to generally reimburse consumers for fraud. There are nevertheless millions of dollars of damages associated with responding to payment card breaches in the form of fraud reimbursements and card re-issuance costs. These damages are apportioned among the various banks and card networks involved in processing credit and debit card payments. That was the…
Well-intentioned organizations trying to implement cybersecurity best practices can quickly become discouraged by the ocean of rules, guidance, and standards. The National Institute of Science and Technology (“NIST”), the Federal Financial Institutions Examination Council (“FFIEC”), National Association of Insurance Commissioners (“NAIC”), and the New York Department of Financial Services (“NYDFS”), to name a few, all have cybersecurity rules and guidance. While many of the recommendations and requirements among this alphabet soup of agencies overlap each…
One of the easiest ways to prevent a cybersecurity incident is to ensure that software patches are implemented. Despite this straightforward technical advice, many organizations still fail to routinely and regularly implement software patches. The New York Times recently highlighted one of the consequences of that failure when it reported on the City of Baltimore’s three-week-long ransomware attack. According to the Times, a key component of the malware attack is an exploit first…
Cybersecurity incidents routinely grab headlines, and for good reason. These incidents often lead to exposure of large volumes of sensitive data, or significant monetary losses. For example, this blog previously discussed how fraudster access to online banking platforms could lead to lawsuits between banks and customers over who is ultimately liable for unauthorized transfers. There is no doubt that the internet has made it easier for fraudsters to target organizations from afar. However, even though…
Ever since the New York Department of Financial Services (“NYDFS”) enacted its cybersecurity regulation for financial institutions and related organizations, other states have started to enact cybersecurity regulations of their own. South Carolina became the latest state to enact a version of the National Association of Insurance Commissioners (“NAIC”) model cybersecurity law, which is based on the NYDFS regulation. The model NAIC law applies to organizations that are required to comply with state insurance laws.…
The Department of Health and Human Services (“HHS”) has released the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” guide. The publication contains a comprehensive summary of cybersecurity threats for the healthcare industry, and technical details for mitigating those cybersecurity risks. The technical volumes in the publication are particularly helpful because they reference specific sections of the cybersecurity standards published by the National Institute of Standards and Technology (“NIST”). Organizations that are trying…
Many organizations are surprised to learn in the wake of a cyber-incident that their “cyber” insurance does not cover their losses. Very often this is because fraudsters’ method for committing fraud may not have been the type of risk that a particular policy covers. A case involving National Bank of Blacksburg (“NBB”) in Virginia illustrates how fraudsters’ method for committing fraud can create serious coverage issues for insured organizations. NBB experienced two related cyber-incidents several…
News broke recently that hackers exploited a backdoor to as many as 1 million ASUS computers by compromising the ASUS automatic update system. Hackers planted the malware in the system that pushes out software updates to ASUS computers. Automatic updates, by necessity, have access that bypasses a computer’s security system in order to install the software patches. These updates frequently patch security flaws. This blog has previously discussed the importance of timely and routinely installing…
Earlier this year, the Tokyo fish market grabbed headlines when a bluefin tuna sold for a record $3 million. Less well publicized was a phish that reeled in $2 million for fraudsters from the city of Farmington, Connecticut in 2016. News stories about cybersecurity incidents involving phishing are routine. However, just because phishing schemes are a well-known attack vector does not lessen the risk that organizations face from these schemes. The town of Farmington,…
A common trope is that technology is evolving too fast for the law to keep up. Companies like Uber, Tesla, and Coinbase race forward while ignoring whether their technologies or activities are covered by any existing regulatory framework. Many of these companies have had a rude awakening. A list of Uber’s legal disputes reads like a bucket list of state and international jurisdictions to visit. Tesla’s head landed in hot water with the SEC after…