For Release: January 18, 2002

Eli Lilly Settles FTC Charges Concerning Security Breach

Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service
Eli Lilly and Company (Lilly) has
agreed to settle Federal Trade Commission charges regarding the
unauthorized disclosure of sensitive personal information
collected from consumers through its Prozac.com Web site. As
part of the settlement, Lilly will take appropriate security
measures to protect consumers' privacy.
"Even the unintentional release
of sensitive medical information is a serious breach of
consumers' trust," said J. Howard Beales, III, Director of the
FTC's Bureau of Consumer Protection. "Companies that obtain
sensitive information in exchange for a promise to keep it
confidential must take appropriate steps to ensure the security
of that information."
Lilly, a pharmaceutical company
based in Indiana, manufactures, markets, and sells several
drugs, including the anti-depressant medication Prozac. Lilly
operates the Prozac.com Web site, which the company promotes as
"Your Guide to Evaluating and Recovering from Depression."
Several of Lilly's Web sites, including
www.prozac.com and
www.lilly.com, collect personal information from visitors.
From March 15, 2000 until June 22, 2001, Lilly offered to
consumers the "Medi-messenger" e-mail reminder service.
Consumers who used Medi-messenger could design and receive
personal e-mail messages to remind them to take or refill their
medication. Once a consumer registered for Medi-messenger, the
reminder messages were automatically e-mailed from Lilly to the
subscriber at the e-mail address she or he had provided, and
according to the subscriber's requested schedule.
These reminders were individualized e-mails and did not
identify any other subscribers to the service.
On June 27, 2001, a Lilly
employee created a new computer program to access Medi-messenger
subscribers' e-mail addresses and sent them an e-mail message
announcing the termination of the Medi-messenger service. The
June 27th e-mail message included all of the
recipients' e-mail addresses within the "To:" line of the
message, thereby unintentionally disclosing to each individual
subscriber the e-mail addresses of all 669 Medi-messenger
subscribers.
According to the FTC's complaint,
Lilly claimed that it employs measures and takes steps
appropriate under the circumstances to maintain and protect the
privacy and confidentiality of personal information obtained
from or about consumers through its Prozac.com and Lilly.com Web
sites. For example, Lilly's privacy policies included statements
such as, "Eli Lilly and Company respects the privacy of visitors
to its Web sites, and we feel it is important to maintain our
guests' privacy as they take advantage of this resource."
The FTC complaint alleges that
Lilly's claim of privacy and confidentiality was deceptive
because Lilly failed to maintain or implement internal measures
appropriate under the circumstances to protect sensitive
consumer information, which led to the company's unintentional
June 27th disclosure of Medi-messenger subscribers'
personal information (i.e., e-mail addresses). In fact,
according to the complaint, Lilly failed to: provide appropriate
training for its employees regarding consumer privacy and
information security; provide appropriate oversight and
assistance for the employee who sent out the e-mail, who had no
prior experience in creating, testing, or implementing the
computer program used; and implement appropriate checks and
controls on the process, such as reviewing the computer program
with experienced personnel and pretesting the program internally
before sending out the e-mail. Lilly's failure to implement
appropriate measures also violated a number of its own written
security procedures.
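The disclosure described above (every subscriber placed in the visible "To:" line of a single termination notice) and the missing pre-send check cited in the complaint can both be illustrated in a few lines. This is an added example, not Lilly's program or anything from the FTC record; the sender address and the three subscriber addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list; the real service had 669 addresses.
SUBSCRIBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]
SENDER = "reminders@example.com"  # placeholder, not a real Lilly address
BODY = "The Medi-messenger reminder service is being discontinued."


def build_leaky_announcement(addresses):
    """The failure mode in the press release: one message with every
    subscriber's address in the To: header, visible to all recipients."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(addresses)
    msg["Subject"] = "Service announcement"
    msg.set_content(BODY)
    return msg


def build_individual_announcements(addresses):
    """Hardened form: one message per subscriber, so no recipient can
    see any other subscriber's address."""
    messages = []
    for addr in addresses:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = "Service announcement"
        msg.set_content(BODY)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses every recipient of this message can read: To and Cc.
    Bcc is not counted because a conforming sender strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def preflight(messages, max_visible=1):
    """Pre-send control (the 'pretesting' the complaint says was missing):
    return every message that would expose more than max_visible addresses.
    An empty result means the batch is safe to hand to the mail system."""
    return [m for m in messages if len(visible_recipients(m)) > max_visible]
```

Running `preflight` over the leaky message flags it, while the per-subscriber batch passes; the same gate also catches a message that was meant to use Bcc but was built with Cc by mistake.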
The proposed settlement would bar
misrepresentations about the extent to which Lilly maintains and
protects the privacy or confidentiality of any personal
information collected from or about consumers. Additionally,
Lilly would be required to establish and maintain a four-stage
information security program designed to establish and maintain
reasonable and appropriate administrative, technical, and
physical safeguards to protect consumers' personal information
against any reasonably anticipated threats or hazards to its
security, confidentiality, or integrity, and to protect such
information against unauthorized access, use, or disclosure.
Specifically, Lilly would be required to:
- designate appropriate personnel to coordinate and oversee the program;
- identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and to address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
- conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
- adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.
Lilly's security breach was the
subject of a July 2001 petition from the American Civil
Liberties Union requesting that the FTC investigate and take
appropriate action to remedy the breach.
The Commission vote to accept the
proposed settlement was 5-0. An announcement regarding the
proposed consent agreement will be published in the Federal
Register shortly. The agreement will be subject to public
comment for 30 days, after which the Commission will decide
whether to make it final. Comments should be addressed to the
FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W.,
Washington, D.C. 20580.
In a concurring statement,
Commissioner Orson Swindle stated that he was pleased with the
consent agreement that the Commission has reached with Eli Lilly
and Company. He said that "Lilly's unfortunate and unintended
disclosure of prescription drug users' personal information has
given us all the opportunity to evaluate how to improve upon
security practices for confidential information. Lilly should be
respected for its long-standing efforts in development of its
privacy practices, its acceptance of responsibility for the
internal failures that resulted in the alleged violation of its
privacy policy, and its willingness to take appropriate steps to
correct those mistakes." Commissioner Swindle stated that he
appreciates the company's leadership in cooperating with the FTC
to improve its security measures, and he believes the firm will
carry out fully its commitments under the proposed order.
"Lilly's responsiveness," he stated, "and its efforts to improve
corporate privacy practices can be a model for others to
follow."