Out-Law / Your Daily Need-To-Know

Pharmaceutical giant Eli Lilly has agreed to settle Federal Trade Commission charges regarding its unauthorised disclosure of sensitive personal information collected from consumers through its Prozac.com web site. An employee had sent an e-mail to subscribers that revealed the e-mail addresses of all subscribers.

"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," said J. Howard Beales, Director of the FTC's Bureau of Consumer Protection. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."

Eli Lilly promotes its site at Prozac.com as "Your Guide to Evaluating and Recovering from Depression." From 15th March, 2000 until 22nd June, 2001, Lilly offered to consumers the "Medi-messenger" e-mail reminder service. Consumers who used Medi-messenger could design and receive personal e-mail messages to remind them to take or refill their medication. Once a consumer registered for Medi-messenger, the reminder messages were automatically e-mailed from Eli Lilly to the subscriber at the e-mail address she or he had provided, and according to the subscriber's requested schedule.

In June 2001, an Eli Lilly employee created a new computer program to access Medi-messenger subscribers' e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The e-mail message included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers. Had the employee placed the addresses in the "Bcc:" field instead, each subscriber would still have received the message but would not have seen the other recipients' addresses, and the problem would not have arisen.
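The two patterns at issue, written out as an added example (this is not code from the article, from Eli Lilly or from the Medi-messenger program): the leaky build puts every subscriber in "To:", the safe build keeps the recipient list in the SMTP envelope only, and a pre-send check of the kind the complaint says was missing refuses to send a message whose headers expose other recipients. The subscriber addresses, the sender address and the function names are constructed for illustration.

```python
"""Added example: bulk notification without disclosing the recipient list.

Not part of the Out-Law article or of Eli Lilly's own code. Addresses are
constructed example.com placeholders; SENDER and all function names are
hypothetical.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (placeholders, not real subscribers).
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]
SENDER = "reminders@example.com"  # hypothetical sender address

NOTICE_SUBJECT = "Service termination notice"
NOTICE_BODY = "The reminder service is being discontinued."


def build_leaky_message(recipients):
    """The pattern that caused the disclosure: every subscriber in 'To:'.

    Each recipient's mail client shows the full To: header, so everyone on
    the list learns everyone else's address.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)  # visible to every recipient
    msg["Subject"] = NOTICE_SUBJECT
    msg.set_content(NOTICE_BODY)
    return msg


def build_safe_message(recipients):
    """Same notice with an undisclosed recipient list.

    Returns (message, envelope_recipients). The real recipients are handed to
    the SMTP RCPT TO step separately and never appear in any header; To:
    carries only the sender's own address. No Bcc: header is set at all, so
    nothing depends on the sending software stripping it.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = NOTICE_SUBJECT
    msg.set_content(NOTICE_BODY)
    return msg, list(recipients)


def leaked_addresses(msg, envelope_recipients):
    """Pre-send check: which envelope recipients are exposed in To:/Cc:/Bcc:?

    Returns the exposed addresses in envelope order; an empty list means the
    headers reveal nothing about the other recipients.
    """
    visible = set()
    for field in ("To", "Cc", "Bcc"):
        values = msg.get_all(field, [])
        visible.update(addr.lower() for _, addr in getaddresses(values))
    return [a for a in envelope_recipients if a.lower() in visible]


def guarded_send(smtp, msg, envelope_recipients):
    """Refuse to send anything whose headers disclose other recipients.

    `smtp` is an smtplib.SMTP-like object; the check runs before it is touched,
    so a leaky message never reaches the server. Returns the number of
    envelope recipients the message was sent to.
    """
    leaks = leaked_addresses(msg, envelope_recipients)
    if leaks:
        raise ValueError(
            f"refusing to send: {len(leaks)} recipient address(es) exposed in headers"
        )
    smtp.send_message(msg, from_addr=SENDER, to_addrs=envelope_recipients)
    return len(envelope_recipients)


if __name__ == "__main__":
    leaky = build_leaky_message(SUBSCRIBERS)
    print("leaky message exposes:", leaked_addresses(leaky, SUBSCRIBERS))
    safe, envelope = build_safe_message(SUBSCRIBERS)
    print("safe message exposes:", leaked_addresses(safe, envelope))
```

The check is deliberately independent of how the message was built: run it on whatever the sending program produces, immediately before the SMTP session, so a later change to the program (or a new program written by someone without experience of the pipeline) cannot reintroduce the disclosure silently.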

According to the FTC's complaint, Eli Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com web sites. For example, its privacy policies included statements such as, "Eli Lilly and Company respects the privacy of visitors to its web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource."

The FTC complaint alleges that Eli Lilly's claim of privacy and confidentiality was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional disclosure of Medi-messenger subscribers' personal information (i.e., e-mail addresses).

In fact, according to the complaint, Lilly failed to: provide appropriate training for its employees regarding consumer privacy and information security; provide appropriate oversight and assistance for the employee who sent out the e-mail, who had no prior experience in creating, testing, or implementing the computer program used; and implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pre-testing the program internally before sending out the e-mail. Lilly's failure to implement appropriate measures also violated a number of its own written security procedures.

The proposed settlement would bar misrepresentations about the extent to which Lilly maintains and protects the privacy or confidentiality of any personal information collected from or about consumers. Additionally, Lilly would be required to establish and maintain a four-stage information security programme designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorised access, use, or disclosure.

Eli Lilly's security breach was the subject of a petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action to remedy the breach.
