No Judicial Review Of FTC Jurisdiction Until The Agency Takes A Final Action

HK
Holland & Knight

Contributor

Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
Companies that handle personal data may need to litigate an FTC enforcement action before a court will review the Commission's jurisdiction.
United States Privacy

Lynn E. Calkins is a partner and Matthew J. Maddox is an Associate both in our Washington D.C. office.

Companies that handle personal data may need to litigate an FTC enforcement action to its conclusion before a court will review the Commission's jurisdiction to commence the enforcement action in the first place.

Earlier this year, the medical testing company LabMD sued the Federal Trade Commission in federal court to enjoin such an action based on the argument that the Commission lacked jurisdiction to regulate the data security practices of private entities already regulated by the Department of Health and Human Services under HIPAA. The court recently dismissed the suit without ruling on the question of the FTC's jurisdiction, holding that the Commission's order sustaining its enforcement proceeding was not a final agency action and therefore not ripe for review under the Administrative Procedures Act.

The FTC's stance that it has jurisdiction enjoyed a significant boost in April when a federal court in New Jersey held that the Commission could assert claims against private companies for inadequate data privacy and security practices under Section 5 of the FTC Act. See F.T.C. v. Wyndham Worldwide Corp., No. 12-1887 (D.N.J. Apr. 7, 2014). But LabMD presents a different case in that its data includes protected health information already subject to regulation by HHS under HIPAA. Also, the same judge who dismissed LabMD's federal-court case stated in an order issued during the FTC investigation of the company in 2012 that he found "significant merit" to the company's position that "Section 5 does not justify an investigation into data security practices and consumer privacy issues."

The evidentiary hearing on the FTC's complaint was held as scheduled before an administrative law judge last week, and no final order has been issued yet. Companies will want stay abreast of how LabMD's challenge to the Commission's authority is resolved once a court decides that the issue is ripe for review.

LabMD, Inc. v. F.T.C., No. 1:14-cv-00810-WSD (N.D. Ga. May 12, 2014)

Read more about the case here on Holland & Knight's Digital Technology & E-Commerce Blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More