Pharmaceutical Company Settles FTC Charges for Unintentional Disclosure of Email Addresses of Consumers
Eli Lilly operates a number of websites, such as "Prozac.com" and "Lilly.com" through which it collects personal information from visitors. Between March 2000 and June 2001, Eli Lilly offered to consumers, through "Prozac.com," an online email reminder service called "Medi-messenger." This service provided email reminders to subscribing consumers to either take or refill medication. The reminder emails were automatically generated and did not identify any other subscribers to the service.
In late June 2001, an Eli Lilly employee wrote a new computer program to access the subscribers' email addresses. When Eli Lilly decided to terminate the Medi-messenger service, it used this program to send an email on June 27, 2001 to all 669 subscribers notifying them of the termination. The termination notice, however, unintentionally placed all 669 subscriber addresses in the visible "To:" line of a single message (rather than sending each subscriber an individual message or using the blind-copy field), thus disclosing to each subscriber the email addresses of every other subscriber.
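The failure described above is a mass-mailing tool that exposes the recipient list in a visible header. The following Python is an added illustration, not code from this page or from Eli Lilly's own program: it builds the defective single message beside the safe per-recipient form, and adds a check at the send boundary that refuses any message with more than one address visible in To:/Cc:. The sender address and the subscriber list are constructed sample data.

```python
"""
Mass notification without disclosing recipients to one another.

Added example, not the original page's or Eli Lilly's code.
Sender and subscriber addresses are constructed sample data.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "medi-messenger@example.com"  # assumed sender address

SUBSCRIBERS = [  # constructed sample subscriber list
    "alice@example.net",
    "bob@example.org",
    "carol@example.com",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient of this message would be able to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def would_disclose(msg: EmailMessage, max_visible: int = 1) -> bool:
    """True if sending msg would reveal other recipients' addresses."""
    return len(visible_recipients(msg)) > max_visible


def check_disclosure(msg: EmailMessage, max_visible: int = 1) -> None:
    """Refuse to send a message that exposes other subscribers' addresses."""
    if would_disclose(msg, max_visible):
        raise ValueError(
            f"{len(visible_recipients(msg))} recipients visible in To/Cc; "
            "each would be disclosed to all the others"
        )


def build_bad_notice(subscribers, subject, body) -> EmailMessage:
    """The failure mode: one message with every subscriber in the To: line."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)  # every address visible to everyone
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notices(subscribers, subject, body) -> list[EmailMessage]:
    """Hardened form: one message per subscriber, each checked before queuing."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr  # only the recipient's own address is visible
        msg["Subject"] = subject
        msg.set_content(body)
        check_disclosure(msg)
        notices.append(msg)
    return notices


def send_all(notices, smtp_send) -> int:
    """Send each notice through smtp_send (e.g. smtplib.SMTP.send_message).

    The disclosure check is repeated here so that it runs at the send
    boundary regardless of how the messages were built.
    """
    sent = 0
    for msg in notices:
        check_disclosure(msg)
        smtp_send(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    bad = build_bad_notice(SUBSCRIBERS, "Service ending", "Medi-messenger ends soon.")
    print("bad notice would disclose:", would_disclose(bad))
    good = build_notices(SUBSCRIBERS, "Service ending", "Medi-messenger ends soon.")
    outbox = []
    print("sent", send_all(good, outbox.append), "individual notices")
```

The check is deliberately placed twice: once when messages are built and once inside the send loop, so that a later change to how a notice is assembled cannot bypass it. A transport such as `smtplib.SMTP.send_message` can be passed as `smtp_send` in place of the list append used here.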
In response to this occurrence, the American Civil Liberties Union requested that the FTC investigate. The FTC did so and issued a proposed complaint against Eli Lilly alleging:
(1) failure to properly maintain or implement appropriate internal measures to protect consumers' personal information (including insufficient training and oversight of employees regarding consumer privacy, information security and proper use of the computer program used to send the termination notice email);
(2) violation of Eli Lilly's own written information security and consumer privacy policies by failing to implement appropriate measures to protect consumers' personal information;
(3) misrepresentation of Eli Lilly's efforts to maintain and protect confidential consumer personal information; and
(4) unfair or deceptive acts or practices in violation of the Federal Trade Commission Act.
Eli Lilly entered into a proposed consent decree with the FTC to settle the allegations against it. Under the principal provisions of the proposed settlement, Eli Lilly is required to:
(1) refrain from misrepresenting the extent to which it maintains and protects the privacy or confidentiality of any personally identifiable information collected concerning consumers;
(2) implement an "information security program" designed to safeguard consumers' personal information against unauthorized disclosure, including:
- designation of personnel to coordinate and supervise the information security program;
- identification of potential internal and external risks to the security, confidentiality and integrity of personal information;
- conduct of an annual written review monitoring and documenting compliance with the information security program, evaluating the effectiveness of the compliance effort, and recommending changes to the program as necessary; and
- adaptation of the program to implement the recommendations arising from reviews and monitoring of the information security program; and
(3) maintain certain records relating to the information security program and Eli Lilly's compliance with such program, and make such records available for inspection and copying by the FTC.
The FTC staff has recommended for approval the agreement between the FTC and Eli Lilly containing this proposed consent decree, and the agreement has been forwarded for a vote by the full Commission. We understand that it is the FTC staff's expectation that the settlement agreement will be approved and become final. A decision should be issued in the near future.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.