Eli Lilly Settles FTC Charges Concerning Security Breach

Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service

Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy.

"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," said J. Howard Beales, III, Director of the FTC's Bureau of Consumer Protection. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."

Lilly, a pharmaceutical company based in Indiana, manufactures, markets, and sells several drugs, including the anti-depressant medication Prozac. Lilly operates the Prozac.com Web site, which the company promotes as "Your Guide to Evaluating and Recovering from Depression." Several of Lilly's Web sites, including www.prozac.com and www.lilly.com, collect personal information from visitors. From March 15, 2000 until June 22, 2001, Lilly offered to consumers the "Medi-messenger" e-mail reminder service. Consumers who used Medi-messenger could design and receive personal e-mail messages to remind them to take or refill their medication. Once a consumer registered for Medi-messenger, the reminder messages were automatically e-mailed from Lilly to the subscriber at the e-mail address she or he had provided, and according to the subscriber's requested schedule. These reminders were individualized e-mails and did not identify any other subscribers to the service.

On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers' e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27^th e-mail message included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.

According to the FTC's complaint, Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites. For example, Lilly's privacy policies included statements such as, "Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource."

The FTC complaint alleges that Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional June 27^th disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses). In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the e-mail. Lilly's failure to implement appropriate measures also violated a number of its own written security procedures.

The proposed settlement would bar misrepresentations about the extent to which Lilly maintains and protects the privacy or confidentiality of any personal information collected from or about consumers. Additionally, Lilly would be required to establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure. Specifically, Lilly would be required to:

• designate appropriate personnel to coordinate and oversee the program;
• identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and to address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
• conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
• adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.

Lilly's security breach was the subject of a July 2001 petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action to remedy the breach.

The Commission vote to accept the proposed settlement was 5-0. An announcement regarding the proposed consent agreement will be published in the Federal Register shortly. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.

In a concurring statement, Commissioner Orson Swindle stated that he was pleased with the consent agreement that the Commission has reached with Eli Lilly and Company. He said that "Lilly's unfortunate and unintended disclosure of prescription drug users' personal information has given us all the opportunity to evaluate how to improve upon security practices for confidential information. Lilly should be respected for its long-standing efforts in development of its privacy practices, its acceptance of responsibility for the internal failures that resulted in the alleged violation of its privacy policy, and its willingness to take appropriate steps to correct those mistakes." Commissioner Swindle stated that he appreciates the company's leadership in cooperating with the FTC to improve its security measures, and he believes the firm will carry out fully its commitments under the proposed order. "Lilly's responsiveness," he stated, "and its efforts to improve corporate privacy practices can be a model for others to follow."