No Judicial Review of FTC Jurisdiction until the Agency Takes a Final Action

more+
less-

Companies that handle personal data may need to litigate an FTC enforcement action to its conclusion before a court will review the Commission's jurisdiction to commence the enforcement action in the first place.

Earlier this year, the medical testing company LabMD sued the Federal Trade Commission in federal court to enjoinsuch an action based on the argument that the Commission lacked jurisdiction to regulate the data security practices of private entities already regulated by the Department of Health and Human Services under HIPAA. The court recently dismissed the suit without ruling on the question of the FTC's jurisdiction, holding that the Commission's order sustaining its enforcement proceeding was not a final agency action and therefore not ripe for review under the Administrative Procedures Act.

The FTC's stance that it has jurisdiction enjoyed a significant boost in April when a federal court in New Jersey held that the Commission could assert claims against private companies for inadequate data privacy and security practices under Section 5 of the FTC Act. See F.T.C. v. Wyndham Worldwide Corp., No. 12-1887 (D.N.J. Apr. 7, 2014). But LabMD presents a different case in that its data includes protected health information already subject to regulation by HHS under HIPAA. Also, the same judge who dismissed LabMD's federal-court case stated in an order issued during the FTC investigation of the company in 2012 that he found "significant merit" to the company's position that "Section 5 does not justify an investigation into data security practices and consumer privacy issues."

The evidentiary hearing on the FTC's complaint was held as scheduled before an administrative law judge last week, and no final order has been issued yet. Companies will want stay abreast of how LabMD's challenge to the Commission's authority is resolved once a court decides that the issue is ripe for review.

LabMD, Inc. v. F.T.C., No. 1:14-cv-00810-WSD (N.D. Ga. May 12, 2014)

 

 

Topics:  Cybersecurity, Data Protection, Enforcement, Enforcement Actions, FTC, HIPAA, Jurisdiction

Published In: Administrative Agency Updates, Antitrust & Trade Regulation Updates, Civil Procedure Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »