Monthly Archives: January 2012

Mass. Data Security Regulation Governing Service Provider Contracts Takes Effect Soon

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.) Among other things, those regulations—most of which took effect in … Continue Reading

FTC to Explore Mobile Payments

The Federal Trade Commission has announced that it will host a workshop on April 26, 2012, to discuss mobile payments.  In addition to exploring payment technologies and business models, the workshop will likely cover consumer protection issues such as the risks of financial loss, the need for information disclosures, data protection concerns, and the remedies … Continue Reading

NIST Issues Guidelines on Public Cloud Security, Privacy

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on … Continue Reading

Pineda One Year Later

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of … Continue Reading

Senate Privacy Subcommittee Schedules Video Privacy Hearing

As we previously reported, the Video Privacy Protection Act reform bill sponsored by Rep. Bob Goodlatte (R-VA) passed the House.  And now the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law has scheduled a hearing on video privacy, to be held next Tuesday, January 31. The VPPA has come under scrutiny in recent … Continue Reading

European Commission Proposes Comprehensive Data Protection Reform

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts.  For example, … Continue Reading

Supreme Court: Attaching GPS Tracker to Suspect’s Car Constitutes Search For Purposes of Fourth Amendment

The federal government conducted a search for purposes of the Fourth Amendment when it attached a GPS tracking device to a suspect’s car and used the device to track the suspect’s movements for 28 days, the U.S. Supreme Court ruled Monday. All nine justices voted to uphold the decision by the U.S. Court of Appeals … Continue Reading

Mexico’s Data Protection Law Fully in Force

The implementing regulations of Mexico’s Federal Law for the Protection of Personal Data (the “Law”) came into effect on 22 December 2011.  The regulations have allowed the Law to finally fully enter into force.  As reported earlier, Mexico’s privacy law is the first piece of federal legislation to regulate how businesses handle personal information in … Continue Reading

Personal Injury Defendant Denied Access to Plaintiff’s Private Facebook Content

An Eastern District of Michigan judge held that a personal injury defendant could not discover the plaintiff’s private Facebook content under Rule 26(b) governing the discoverability of evidence.  Tompkins v. Detroit Metropolitan Airport, No. 2:10-cv-10413-BAF-RSW (E.D. Mich, Jan. 18, 2012).  Although—as the court noted—the private portions of a user’s Facebook account are not generally privileged … Continue Reading

Ontario Recognizes Intrusion Upon Seclusion Privacy Tort for the First Time in Canada

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s claim.  … Continue Reading

Supreme Court Holds That Private Plaintiffs May Bring TCPA Claims In Federal Court

On Wednesday, the United States Supreme Court unanimously held that the Telephone Consumer Protection Act (“TCPA”) allows private citizens to seek relief in federal (in addition to state) court.  Overturning an Eleventh Circuit decision that Congress had vested jurisdiction over private TCPA actions exclusively in state courts and disagreeing with numerous other Circuit courts that … Continue Reading

Class Action Filed Following Zappos Data Breach

A putative class action was filed on Monday against following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer  An email sent to customers from’s CEO on Sunday assured users that full credit card information and other payment information was not … Continue Reading

Commenters Urge FTC to Streamline COPPA Rule “Multiple Operator” Provision

Nearly 200 individuals, businesses, and industry organizations recently filed comments with the Federal Trade Commission on proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA requires operators of certain websites or online services to, among other things, provide notice and obtain parental consent before collecting, using, or disclosing personal information online from … Continue Reading

Federal Court Holds Terms of Service Disclosed via Link to ISP’s Home Page Not Reasonably Conspicuous

Denying the motion of the defendant internet service provider, Clearwire, to compel arbitration, the U.S. District Court for the Western District of Washington held last week that Clearwire’s e-mail confirmation to the plaintiffs was inadequate notice of the terms of service.  This e-mail confirmation included, on the third page of the e-mail, a link to Clearwire’s home page rather than a … Continue Reading

U.S. Supreme Court Rules CROA Does Not Override Arbitration Clauses

On January 10, the U.S. Supreme Court ruled in CompuCredit Corp. et al. v. Wanda Greenwood et al. that the Credit Repair Organizations Act (“CROA”) does not override arbitration clauses in agreements between consumers and credit repair organizations.  The CROA prohibits credit repair organizations (i.e., companies that seek to improve a consumer’s credit history or … Continue Reading

Publication of the European Commission’s Proposal for a Data Protection Regulation Faces Delay

By Mark Young & Maria-Martina Yalamova Following more than two years of extensive consultations on the review of the European data protection framework, the European Commission was expected to publish its proposal for a General Data Protection Regulation later this month.  As we reported on this blog, an early version of this proposal, which was … Continue Reading

FFIEC Authentication Guidance to be a Hot Topic in 2012

Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance.  The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking.  Starting this year, FFIEC information technology examinations will include reviews for compliance with … Continue Reading

Covington Named Privacy Group of the Year

Law360, the highly respected legal news source covering developments and trends in some two dozen legal practice areas, has named the Covington team as privacy group of the year, one of only five groups so honored among more than 500 surveyed practices.  We’re thrilled to be recognized, and thank our clients for bringing us the … Continue Reading

OIRA Releases Privacy Impact Assessment for Agency Use of Third-Party Websites

The Office of Information and Regulatory Affairs (OIRA) recently released a model Privacy Impact Assessment (PIA) that federal agencies must use before they employ third-party websites and applications to communicate with the public.  The new rules issued by OIRA, an arm of the White House’s Office of Management and Budget (OMB), build on rules the … Continue Reading

Upromise Settles FTC Privacy Charges

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in … Continue Reading

Amendments to California, Illinois Data Breach Laws Now in Effect

As we’ve previously noted (here and here), California and Illinois recently enacted amendments to their data security breach notification laws.  The amendments took effect this week.  California’s changes are the more notable.  For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify the state … Continue Reading

Planned Virtualized ATMs Highlight Potential Security Benefits of Cloud

Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing.  And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into … Continue Reading

FTC Seeks Comment on Facial Recognition

Following up on its “Face Facts” workshop that brought together a variety of stakeholders to discuss the privacy issues relating to commercial uses of facial recognition technology, the FTC has announced that it is seeking public comment on the issues raised at the workshop.  According to the Commission, these issues include:  What are the current … Continue Reading