Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service
Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy.
"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," said J. Howard Beales, III, Director of the FTC's Bureau of Consumer Protection. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."
Lilly, a pharmaceutical company based in Indiana, manufactures, markets, and sells several drugs, including the anti-depressant medication Prozac. Lilly operates the Prozac.com Web site, which the company promotes as "Your Guide to Evaluating and Recovering from Depression." Several of Lilly's Web sites, including www.prozac.com and www.lilly.com, collect personal information from visitors. From March 15, 2000 until June 22, 2001, Lilly offered consumers the "Medi-messenger" e-mail reminder service. Consumers who used Medi-messenger could design and receive personal e-mail messages to remind them to take or refill their medication. Once a consumer registered for Medi-messenger, the reminder messages were automatically e-mailed from Lilly to the subscriber at the e-mail address he or she had provided, according to the subscriber's requested schedule. These reminders were individualized e-mails and did not identify any other subscribers to the service.
On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers' e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27th e-mail message included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.
According to the FTC's complaint, Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites. For example, Lilly's privacy policies included statements such as, "Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource."
The FTC complaint alleges that Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional June 27th disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses). In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail. Lilly's failure to implement appropriate measures also violated a number of its own written security procedures.
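The June 27th failure and the kind of control the complaint says was missing, as an added illustration that is not Lilly's program or part of the FTC's text: each subscriber gets an individual notice, and a pre-send check refuses any message whose To:/Cc: lines would expose more than one address. The subscriber addresses are constructed placeholders.

```python
"""Added illustration: per-subscriber notices plus a pre-send recipient check."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (placeholder addresses, not real data).
SUBSCRIBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]
SENDER = "reminders@example.com"  # placeholder sender


def build_individual_notices(subscribers, sender, subject, body):
    """One message per subscriber; the only address on To: is that subscriber's."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        notices.append(msg)
    return notices


def build_broadcast(subscribers, sender, subject, body):
    """The failure mode in the complaint: every subscriber address on one To: line."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: To: and Cc: (Bcc: is stripped in transit)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def precheck(msg, max_visible=1):
    """Pre-send control: reject a message that would reveal other subscribers."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return False, f"{len(seen)} addresses visible on To:/Cc:; refusing to send"
    return True, "ok"


def send_all(messages, transport):
    """Only messages that pass the pre-check reach the transport callable."""
    sent, rejected = 0, []
    for m in messages:
        ok, reason = precheck(m)
        if ok:
            transport(m)
            sent += 1
        else:
            rejected.append(reason)
    return sent, rejected
```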
The proposed settlement would bar misrepresentations about the extent to which Lilly maintains and protects the privacy or confidentiality of any personal information collected from or about consumers. Additionally, Lilly would be required to establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure. Specifically, Lilly would be required to:
- Designate appropriate personnel to coordinate and oversee the program;
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and to address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
- Conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
- Adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.
Lilly's security breach was the subject of a July 2001 petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action to remedy the breach.
The Commission vote to accept the proposed settlement was 5-0. An announcement regarding the proposed consent agreement will be published in the Federal Register shortly. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
NOTE: Consent agreements are for settlement purposes only and do not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of $11,000.
Copies of the complaint and order are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or to get free information on consumer issues, call toll-free, 1-877-FTC-HELP, or use the complaint form at www.ftc.gov. The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(Matter No. 0123214; Program Code M03)
Office of Public Affairs
Division of Advertising Practices