Companies that handle personal data may need to litigate an FTC enforcement action to its conclusion before a court will review the Commission's jurisdiction to commence the enforcement action in the first place.
Earlier this year, the medical testing company LabMD sued the Federal Trade Commission in federal court to enjoin such an action based on the argument that the Commission lacked jurisdiction to regulate the data security practices of private entities already regulated by the Department of Health and Human Services under HIPAA. The court recently dismissed the suit without ruling on the question of the FTC's jurisdiction, holding that the Commission's order sustaining its enforcement proceeding was not a final agency action and therefore not ripe for review under the Administrative Procedure Act.
The FTC's stance that it has jurisdiction enjoyed a significant boost in April when a federal court in New Jersey held that the Commission could assert claims against private companies for inadequate data privacy and security practices under Section 5 of the FTC Act. See F.T.C. v. Wyndham Worldwide Corp., No. 12-1887 (D.N.J. Apr. 7, 2014). But LabMD presents a different case in that its data includes protected health information already subject to regulation by HHS under HIPAA. Also, the same judge who dismissed LabMD's federal-court case stated in an order issued during the FTC investigation of the company in 2012 that he found "significant merit" to the company's position that "Section 5 does not justify an investigation into data security practices and consumer privacy issues."
The evidentiary hearing on the FTC's complaint was held as scheduled before an administrative law judge last week, and no final order has been issued yet. Companies will want to stay abreast of how LabMD's challenge to the Commission's authority is resolved once a court decides that the issue is ripe for review.
LabMD, Inc. v. F.T.C., No. 1:14-cv-00810-WSD (N.D. Ga. May 12, 2014)