"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," said J. Howard Beales, Director of the FTC's Bureau of Consumer Protection. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."

Eli Lilly promotes its site at Prozac.com as "Your Guide to Evaluating and Recovering from Depression." From 15th March, 2000 until 22nd June, 2001, Lilly offered to consumers the "Medi-messenger" e-mail reminder service. Consumers who used Medi-messenger could design and receive personal e-mail messages to remind them to take or refill their medication. Once a consumer registered for Medi-messenger, the reminder messages were automatically e-mailed from Eli Lilly to the subscriber at the e-mail address she or he had provided, and according to the subscriber's requested schedule.

In June 2001, an Eli Lilly employee created a new computer program to access Medi-messenger subscribers' e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The e-mail message included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers. Had he used the "Bcc:" field, the problem would not have arisen.

According to the FTC's complaint, Eli Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com web sites. For example, its privacy policies included statements such as, "Eli Lilly and Company respects the privacy of visitors to its web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource."

The FTC complaint alleges that Eli Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses).

In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pre-testing the program internally before sending out the e-mail. Lilly's failure to implement appropriate measures also violated a number of its own written security procedures.

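The two technical points in the account above are the mechanism of the disclosure (every subscriber in the "To:" line) and the missing control (nobody reviewed or pre-tested the program before it sent). The following Python script is an added illustration, not Lilly's program or anything the FTC published: it builds the same notice the three ways a mail client can address it, and adds a pre-send check that refuses any message exposing more than one address. The sender address and subscriber list are constructed sample values.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical sender address (constructed; not from the article).
SENDER = "medi-messenger@example.com"
# Constructed sample subscriber list standing in for the real 669 addresses.
SUBSCRIBERS = [f"subscriber{i}@example.net" for i in range(1, 6)]
SUBJECT = "Medi-messenger service update"
NOTICE = "The Medi-messenger reminder service is being discontinued."


def build_broken_notice(recipients):
    """The addressing the article describes: one message with every
    subscriber in the To: header, so each recipient sees all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(NOTICE)
    return msg


def build_bcc_notice(recipients):
    """The fix the article names: address the message to the sender and put
    the subscribers in Bcc.  smtplib.SMTP.send_message uses Bcc only for the
    envelope and strips the header before transmission, so no recipient
    sees the list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(NOTICE)
    return msg


def build_individual_notices(recipients):
    """Stronger variant: one message per subscriber addressed only to them,
    so there is no recipient list anywhere in the message to leak."""
    notices = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = SUBJECT
        msg.set_content(NOTICE)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Addresses every recipient can read: the To: and Cc: headers.  Bcc is
    excluded because it is never delivered to recipients."""
    values = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(values) if addr]


def precheck(msg, max_visible=1):
    """Pre-send control of the kind the complaint says was missing: a
    notification to individuals must never expose more than max_visible
    addresses.  Returns True if the message may be sent."""
    return len(visible_recipients(msg)) <= max_visible


def send_all(messages, transport=None):
    """Run every message through precheck before handing it to transport
    (a callable such as smtplib.SMTP.send_message; None only counts).
    Returns (sent, blocked) so the operator can see what was refused."""
    sent = blocked = 0
    for msg in messages:
        if not precheck(msg):
            blocked += 1
            continue
        if transport is not None:
            transport(msg)
        sent += 1
    return sent, blocked


if __name__ == "__main__":
    broken = build_broken_notice(SUBSCRIBERS)
    print("broken notice exposes", len(visible_recipients(broken)), "addresses")
    print("bcc notice exposes", visible_recipients(build_bcc_notice(SUBSCRIBERS)))
    print("individual notices:", send_all(build_individual_notices(SUBSCRIBERS)))
```

The check is deliberately independent of how the message was built: wiring `send_all` in front of the transport means a program written by someone with no prior experience, as in this case, still cannot put a whole subscriber list on the wire, whatever it puts in the headers.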
The proposed settlement would bar misrepresentations about the extent to which Lilly maintains and protects the privacy or confidentiality of any personal information collected from or about consumers. Additionally, Lilly would be required to establish and maintain a four-stage information security programme designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorised access, use, or disclosure.

Eli Lilly's security breach was the subject of a petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action to remedy the breach.