As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations. (You can read our overview of these regulations here.) Among other things, those regulations—most of which took effect in …
The Federal Trade Commission has announced that it will host a workshop on April 26, 2012, to discuss mobile payments. In addition to exploring payment technologies and business models, the workshop will likely cover consumer protection issues such as the risks of financial loss, the need for information disclosures, data protection concerns, and the remedies …
The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on …
Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act. According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers. A roundup of …
As we previously reported, the Video Privacy Protection Act reform bill sponsored by Rep. Bob Goodlatte (R-VA) passed the House. And now the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law has scheduled a hearing on video privacy, to be held next Tuesday, January 31. The VPPA has come under scrutiny in recent …
Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework. We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. For example, …
The federal government conducted a search for purposes of the Fourth Amendment when it attached a GPS tracking device to a suspect’s car and used the device to track the suspect’s movements for 28 days, the U.S. Supreme Court ruled Monday. All nine justices voted to uphold the decision by the U.S. Court of Appeals …
The implementing regulations of Mexico’s Federal Law for the Protection of Personal Data (the “Law”) came into effect on 22 December 2011. The regulations have allowed the Law to finally fully enter into force. As reported earlier, Mexico’s privacy law is the first piece of federal legislation to regulate how businesses handle personal information in …
An Eastern District of Michigan judge held that a personal injury defendant could not discover the plaintiff’s private Facebook content under Rule 26(b) governing the discoverability of evidence. Tompkins v. Detroit Metropolitan Airport, No. 2:10-cv-10413-BAF-RSW (E.D. Mich. Jan. 18, 2012). Although—as the court noted—the private portions of a user’s Facebook account are not generally privileged …
The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort. In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records. The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s claim. …
On Wednesday, the United States Supreme Court unanimously held that the Telephone Consumer Protection Act (“TCPA”) allows private citizens to seek relief in federal (in addition to state) court. Overturning an Eleventh Circuit decision that Congress had vested jurisdiction over private TCPA actions exclusively in state courts and disagreeing with numerous other Circuit courts that …
A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com. An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not …
Nearly 200 individuals, businesses, and industry organizations recently filed comments with the Federal Trade Commission on proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA requires operators of certain websites or online services to, among other things, provide notice and obtain parental consent before collecting, using, or disclosing personal information online from …
Denying the motion of the defendant internet service provider, Clearwire, to compel arbitration, the U.S. District Court for the Western District of Washington held last week that Clearwire’s e-mail confirmation to the plaintiffs was inadequate notice of the terms of service. This e-mail confirmation included, on the third page of the e-mail, a link to Clearwire’s home page rather than a …
On January 10, the U.S. Supreme Court ruled in CompuCredit Corp. et al. v. Wanda Greenwood et al. that the Credit Repair Organizations Act (“CROA”) does not override arbitration clauses in agreements between consumers and credit repair organizations. The CROA prohibits credit repair organizations (i.e., companies that seek to improve a consumer’s credit history or …
Following more than two years of extensive consultations on the review of the European data protection framework, the European Commission was expected to publish its proposal for a General Data Protection Regulation later this month. As we reported on this blog, an early version of this proposal, which was widely leaked last December, contained several …
Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance. The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking. Starting this year, FFIEC information technology examinations will include reviews for compliance with …
Law360, the highly respected legal news source covering developments and trends in some two dozen legal practice areas, has named the Covington team as privacy group of the year, one of only five groups so honored among more than 500 surveyed practices. We’re thrilled to be recognized, and thank our clients for bringing us the …
The Office of Information and Regulatory Affairs (OIRA) recently released a model Privacy Impact Assessment (PIA) that federal agencies must use before they employ third-party websites and applications to communicate with the public. The new rules issued by OIRA, an arm of the White House’s Office of Management and Budget (OMB), build on rules the …
Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants. (The rebates are placed in college savings accounts—hence Upromise’s name.) According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in …
As we’ve previously noted (here and here), California and Illinois recently enacted amendments to their data security breach notification laws. The amendments took effect this week. California’s changes are the more notable. For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify the state …
Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing. And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into …
Following up on its “Face Facts” workshop that brought together a variety of stakeholders to discuss the privacy issues relating to commercial uses of facial recognition technology, the FTC has announced that it is seeking public comment on the issues raised at the workshop. According to the Commission, these issues include: What are the current …