012 3214

Analysis of Proposed Consent Order
to Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from Eli Lilly and Company ("Lilly").

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.

Lilly is a pharmaceutical company that manufactures, markets, and sells drugs, including the anti-depressant medication Prozac. Among other things, to market Prozac Lilly operates the Prozac.com Web site, which the company promotes as "Your Guide to Evaluating and Recovering from Depression." The Prozac.com site, like Lilly.com and several of Lilly's other product Web sites, collects personal information from visitors.

From March 2000 through June 2001, Lilly offered through Prozac.com a service called "Medi-Messenger," which enabled its subscribers to receive individualized email reminders from Lilly concerning their Prozac medication or other matters. On June 27, 2001, Lilly sent a form email to subscribers to the service, which disclosed all of the subscribers' email addresses to each individual subscriber by including all of their addresses within the "To:" entry of the message.

This matter concerns allegedly false or misleading representations, made through Lilly's privacy policies and during the sign-up process for Medi-Messenger. The Commission's proposed complaint alleges that Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites, when in fact Lilly had not employed such measures and had not taken such steps.

As set forth in the complaint, Lilly's unintentional June 27th disclosure of Medi-Messenger subscribers' personal information (i.e., email addresses) resulted from its failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information. For example, Lilly failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the email, who had no prior experience in creating, testing, or implementing the computer program used; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the email. Lilly's failure to implement appropriate measures also violated certain of its own written policies.
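The kind of pre-send check the complaint says was missing, as an added illustration that is not part of the Commission's analysis and not Lilly's code: the bulk message pattern that exposes every address in the "To:" field, beside a per-subscriber pattern, with a control that refuses any batch in which a message shows more than one visible recipient. The subscriber and sender addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder subscriber list and sender; not real addresses.
SUBSCRIBERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
SENDER = "reminders@example.com"

def build_bulk_message(recipients, sender=SENDER):
    """The failure mode described in the complaint: one message whose To:
    header carries every subscriber, so each recipient sees all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Reminder"
    msg.set_content("This is your reminder.")
    return [msg]

def build_individual_messages(recipients, sender=SENDER):
    """Safer pattern: one message per subscriber, addressed only to that subscriber."""
    msgs = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = "Reminder"
        msg.set_content("This is your reminder.")
        msgs.append(msg)
    return msgs

def visible_recipients(msg):
    """Addresses every recipient of msg can see: To and Cc (Bcc is removed in transit)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def check_batch(msgs):
    """Pre-send control run before anything leaves the system: returns a list of
    problems, empty only if every message exposes exactly one recipient."""
    problems = []
    for i, msg in enumerate(msgs):
        seen = visible_recipients(msg)
        if len(seen) != 1:
            problems.append(f"message {i}: {len(seen)} visible recipients {seen}")
    return problems

if __name__ == "__main__":
    print(check_batch(build_bulk_message(SUBSCRIBERS)))        # one problem reported
    print(check_batch(build_individual_messages(SUBSCRIBERS)))  # []
```

Running the check against the bulk message reports one problem listing all three addresses; the per-subscriber batch passes cleanly.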

The proposed consent order contains provisions designed to prevent Lilly from engaging in similar acts and practices in the future.

The proposed order applies to the collection of personal information from or about consumers in connection with the advertising, marketing, offering for sale, or sale of any pharmaceutical, medical, or other health-related product or service by Lilly's USA division.

Part I of the proposed order prohibits misrepresentations regarding the extent to which Lilly maintains and protects the privacy or confidentiality of any personally identifiable information collected from or about consumers.

Part II of the proposed order requires Lilly to implement a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure. Specifically, Part II requires Lilly to:

  • designate appropriate personnel to coordinate and oversee the program;
  • identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and to address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
  • conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which review shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
  • adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.

Parts III through VI of the proposed order are reporting and compliance provisions. Part III requires Lilly's retention of materials relating to its privacy and security representations and to its compliance with the order's information security program. Part IV requires dissemination of the order now and in the future to persons with responsibilities relating to the subject matter of the order. Part V ensures notification to the FTC of changes in corporate status. Part VI mandates compliance reports, including a copy of the initial annual review required by Part II.C within one hundred and twenty (120) days after service of the order. Part VII is a provision "sunsetting" the order after twenty (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the agreement and proposed order or to modify their terms in any way.