UNITED STATES OF
In the Matter of
ELI LILLY and COMPANY, a corporation.
DOCKET NO. C-4047
The Federal Trade Commission, having reason to believe that Eli Lilly and Company, a corporation ("respondent") has violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:
1. Respondent Eli Lilly and Company is an Indiana corporation with its principal office or place of business at Lilly Corporate Center, Indianapolis, Indiana 46285. Respondent, a pharmaceutical company, has advertised and promoted its anti-depressant medication, Prozac, through the company's Web sites www.prozac.com and www.lilly.com.
2. The acts and practices of respondent as alleged in this complaint have been in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act.
3. Respondent promotes its Prozac.com Web site as "Your Guide to Evaluating and Recovering from Depression." From March 15, 2000 until June 22, 2001, respondent advertised, promoted, and marketed via www.Prozac.com and www.Lilly.com an email reminder service known as "Medi-messenger." Consumers who utilized the Medi-messenger service could design and receive personal email reminder messages from respondent concerning their medication or other matters. Once a visitor registered for Medi-messenger, the reminder messages were automatically emailed from Prozac.com to the subscriber at the email address s/he provided, and according to the schedule established by the subscriber.
4. Subscribers to the Medi-messenger service registered by providing an email address, a password, the text of the reminder message they wanted to receive, and the schedule for sending the reminder messages. (Complaint Exhibit A, pp.1-4). After providing information to register for Medi-messenger, the subscriber was invited to view the Prozac.com "Privacy Statement" via a hyperlink, which was positioned just above the "Submit" and "Reset" buttons. (Complaint Exhibit A, p.4)
5. Respondent has disseminated or has caused to be disseminated privacy policies on Prozac.com and Lilly.com, including but not necessarily limited to the attached Exhibits B and C. These privacy policies contain the following statements regarding the privacy and confidentiality of personal information collected through respondent's Web sites:
6. On June 27, 2001, at respondent's direction, an Eli Lilly employee sent an email message to Medi-messenger subscribers announcing the termination of the Medi-messenger service. To do this, the employee created a new computer program to access subscribers' email addresses and send them the email. The June 27th email disclosed the email addresses of all 669 Medi-messenger subscribers to each individual subscriber by including all of the recipients' email addresses within the "To:" line of the message. (Complaint Exhibit D, email addresses redacted from original). By including the email addresses of all Medi-messenger subscribers within the June 27th email message, respondent unintentionally disclosed personal information provided to it by consumers in connection with their use of the Prozac.com Web site.
7. The June 27th disclosure of personal information resulted from respondent's failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information. For example, respondent failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the email, who had no prior experience in creating, testing, or implementing the computer program used; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the email. Respondent's failure to implement appropriate measures also violated certain of its own written policies.
8. Through the means described in Paragraph 5, respondent has represented, expressly or by implication, that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites.
9. In truth and in fact, as described in Paragraphs 6 and 7, respondent has not employed measures and has not taken steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites. Therefore, the representation set forth in Paragraph 8 was, and is, false or misleading.
10. The acts and practices of respondent as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
THEREFORE, the Federal Trade Commission this eighth day of May, 2002, has issued this complaint against respondent.
By the Commission.
Donald S. Clark