July 2012

The Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement its authority under section 1024 of Dodd-Frank to subject “larger participants” in the consumer reporting market to CFPB supervision.  The rule will have significant consequences for companies in the consumer reporting industry.  The final rule follows a proposed rule issued in February 2012 indicating that the CFPB intended to supervise the consumer reporting market as part of the CFPB’s authority to supervise nonbank providers of consumer financial products and services.  The final rule is effective September 30, 2012. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.

Continue Reading CFPB Issues Rule to Supervise Larger Participants in Consumer Reporting Market

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.

Continue Reading FFIEC Issues Risk Management Guidance for Cloud Computing

On 12 July, 2012, the Justice Select Committee, the body tasked by the UK Parliament’s European Scrutiny Committee to give its opinion on the EU Commission’s proposals to reform EU data protection laws, launched a call for written evidence on the following questions: 

  • Will the proposed Regulation strike the right


Continue Reading UK Parliament Committees Open Consultations on Proposed Data Protection Regulation and Proposed Communications Data Bill

Yesterday, deeming LinkedIn’s motion to dismiss suitable for decision without oral argument, Judge Koh of the U.S. District Court for the Northern District of California dismissed all eight claims in Low v. LinkedIn with prejudice, ending this litigation.  Covington successfully represented LinkedIn in this case, in which plaintiffs alleged that

Continue Reading Low Case Against LinkedIn Dismissed In Its Entirety

Rep. Mary Bono Mack (R-CA) plans to introduce legislation to renew the Federal Trade Commission’s authority to take action against cross-border spam, spyware, and fraud.

Among other provisions, the U.S. SAFE WEB Act of 2006 gave the FTC authority to share information with foreign law-enforcement agencies, to take action against

Continue Reading House to Weigh Reauthorization of FTC’s Cross-Border Enforcement Authority

Mobile security firm Lookout has issued guidelines to help mobile ad providers and app developers standardize privacy practices for app-based mobile ads.  According to Lookout Chief Technology Officer Kevin Mahaffey, the guidelines are intended to provide guidance about what constitutes “acceptable behavior” in the mobile ad ecosystem, and to “fix this problem before it gets so big that it needs regulation.” 

Lookout’s guidelines are built on well-recognized privacy principles such as transparency, individual control, reasonable limits on data collection and retention, and security, but the guidelines also break new ground in that they focus primarily on the obligations of ad providers — i.e., ad networks, ad exchanges, and mobile ad mediation layers that manage ad delivery across a number of different ad networks. Other industry guidelines issued to date have been primarily geared toward app developers (including the EFF’s Mobile User Privacy Bill of Rights, CDT/FPF’s Best Practices for Mobile App Developers, and MMA’s Mobile Application Privacy Policy Framework) or directed at specific practices (such as the CTIA’s Best Practices and Guidelines for Location-Based Services).

Continue Reading Company Releases Industry Guidelines for Mobile App Advertising

On July 5, 2012, the U.N. Human Rights Council adopted a resolution on the promotion, protection, and enjoyment of human rights on the Internet.  

The U.N. General Assembly established the Human Rights Council in 2006 to replace the former U.N. Commission on Human Rights.  The Council consists of 47

Continue Reading U.N. Human Rights Council Addresses Human Rights on the Internet

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.

Continue Reading First Circuit Finds Bank’s Online-Security Procedures ‘Commercially Unreasonable’

China’s internet regulator, the Ministry of Industry and Information Technology (“MIIT”), has released two draft regulations that could significantly impact how manufacturers of mobile smart devices (such as smartphones) and internet information service providers (“IISPs”) handle users’ personal information in China.

Continue Reading Draft Chinese Rules Target Mobile Smart Devices and Online Content Providers