For Release: January 18, 2002
Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy.
"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," said J. Howard Beales, III, Director of the FTC's Bureau of Consumer Protection. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."
Lilly, a pharmaceutical company based in Indiana, manufactures, markets, and sells several drugs, including the anti-depressant medication Prozac. Lilly operates the Prozac.com Web site, which the company promotes as "Your Guide to Evaluating and Recovering from Depression." Several of Lilly's Web sites, including www.prozac.com and www.lilly.com, collect personal information from visitors. From March 15, 2000 until June 22, 2001, Lilly offered to consumers the "Medi-messenger" e-mail reminder service. Consumers who used Medi-messenger could design and receive personal e-mail messages to remind them to take or refill their medication. Once a consumer registered for Medi-messenger, the reminder messages were automatically e-mailed from Lilly to the subscriber at the e-mail address she or he had provided, and according to the subscriber's requested schedule. These reminders were individualized e-mails and did not identify any other subscribers to the service.
On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers' e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27th e-mail message included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.
According to the FTC's complaint, Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites. For example, Lilly's privacy policies included statements such as, "Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource."
The FTC complaint alleges that Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional June 27th disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses). In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail. Lilly's failure to implement appropriate measures also violated a number of its own written security procedures.
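The disclosure described above, reproduced as an added example that is not the FTC's text or Lilly's program: a notice built with every subscriber in the "To:" line beside the per-recipient alternative, with the kind of pre-send check the complaint says was missing. The subscriber addresses and sender are constructed sample values.

```python
"""Added illustration of the Medi-messenger "To:" line disclosure
and a pre-send control; constructed data, not Lilly's code."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (not real Medi-messenger addresses).
SUBSCRIBERS = ["a@example.com", "b@example.com", "c@example.com"]
SENDER = "noreply@example.com"  # assumed sender address
BODY = "The Medi-messenger reminder service is being discontinued."


def build_leaky_notice(subscribers):
    """The failure mode: one message with every subscriber in To:,
    so each recipient can read every other recipient's address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "Medi-messenger service ending"
    msg.set_content(BODY)
    return msg


def build_individual_notices(subscribers):
    """The fix: one message per subscriber, as the reminders themselves
    were sent, so no subscriber list is ever shared."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = "Medi-messenger service ending"
        msg.set_content(BODY)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Addresses that any recipient of this message can read (To and Cc)."""
    headers = [str(msg.get(h, "")) for h in ("To", "Cc")]
    return [addr for _, addr in getaddresses(headers) if addr]


def pretest(messages, max_visible=1):
    """Internal pre-send check: refuse the whole batch if any message
    would expose more than one address. Returns (ok, offending indexes)."""
    bad = [i for i, m in enumerate(messages)
           if len(visible_recipients(m)) > max_visible]
    return (len(bad) == 0, bad)


if __name__ == "__main__":
    print(pretest([build_leaky_notice(SUBSCRIBERS)]))      # (False, [0])
    print(pretest(build_individual_notices(SUBSCRIBERS)))  # (True, [])
```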
The proposed settlement would bar misrepresentations about the extent to which Lilly maintains and protects the privacy or confidentiality of any personal information collected from or about consumers. Additionally, Lilly would be required to establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure. Specifically, Lilly would be required to:
Lilly's security breach was the subject of a July 2001 petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action to remedy the breach.
The Commission vote to accept the proposed settlement was 5-0. An announcement regarding the proposed consent agreement will be published in the Federal Register shortly. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
NOTE: Consent agreements are for settlement purposes only and do not constitute an admission of a law violation. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of $11,000.
Copies of the complaint and order are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or to get free information on consumer issues, call toll-free, 1-877-FTC-HELP, or use the complaint form at www.ftc.gov. The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(Matter No. 0123214; Program Code M03)