[Federal Register Volume 67, Number 22 (Friday, February 1, 2002)]
[Notices]
[Pages 4963-4964]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-2435]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 012 3214]


Eli Lilly and Co.; Analysis to Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices or unfair methods of competition. The attached Analysis to 
Aid Public Comment describes both the allegations in the draft 
complaint that accompanies the consent agreement and the terms of the 
consent order--embodied in the consent agreement--that would settle 
these allegations.

DATES: Comments must be received on or before February 19, 2002.

ADDRESSES: Comments filed in paper form should be directed to: 
FTC/Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. Comments filed in electronic form should be 
directed to: [email protected], as prescribed below.

FOR FURTHER INFORMATION CONTACT: Mary K. Engle, Division of Advertising 
Practices, Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580, (202) 326-3161.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of 
the Commission's rules of practice, 16 CFR 2.34, notice is hereby given 
that the above-captioned consent agreement containing a consent order 
to cease and desist, having been filed with and accepted, subject to 
final approval, by the Commission, has been placed on the public record 
for a period of thirty (30) days. The following Analysis to Aid Public 
Comment describes the terms of the consent agreement, and the 
allegations in the complaint. An electronic copy of the full text of 
the consent agreement package can be obtained from the FTC Home Page 
(for January 18, 2002), on the World Wide Web, at 
``http://www.ftc.gov/os/2002/01/index.htm.'' A paper copy can be 
obtained from the FTC Public Reference Room, Room 130-H, 600 
Pennsylvania Avenue, NW., Washington, DC 20580, either in person or by 
calling (202) 326-2222.
    Public comments are invited, and may be filed with the Commission 
in either paper or electronic form. Comments filed in paper form should 
be directed to: FTC/Office of the Secretary, Room 159-H, 600 
Pennsylvania Avenue, NW., Washington, DC 20580. If a comment contains 
nonpublic information, it must be filed in paper form, and the first 
page of the document must be clearly labeled ``confidential.'' Comments 
that do not contain any nonpublic information may instead be filed in 
electronic form (in ASCII format, WordPerfect, or Microsoft Word) as 
part of or as an attachment to e-mail messages directed to the 
following e-mail box: [email protected]. Such comments will be 
considered by the Commission and will be available for inspection and 
copying at its principal office in accordance with Sec. 4.9(b)(6)(ii) 
of the Commission's rules of practice, 16 CFR 4.9(b)(6)(ii).

Analysis of Proposed Consent Order to Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing a consent order from Eli Lilly and 
Company (``Lilly'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission will again review the 
agreement and the comments received, and will decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    Lilly is a pharmaceutical company that manufactures, markets, and 
sells drugs, including the anti-depressant medication Prozac. To market 
Prozac, among other things Lilly operates the Prozac.com Web site, 
which the company promotes as ``Your Guide to Evaluating and Recovering 
from Depression.'' The Prozac.com site, like Lilly.com and several of 
Lilly's other product Web sites, collects personal information from 
visitors.
    From March 2000 through June 2001, Lilly offered through Prozac.com 
a service called ``Medi-Messenger,'' which enabled its subscribers to 
receive individualized email reminders from Lilly concerning their 
Prozac medication or other matters. On June 27, 2001, Lilly sent a form 
email to subscribers to the service, which disclosed all of the 
subscribers' email addresses to each individual subscriber by including 
all of their addresses within the ``To:'' entry of the message.
    This matter concerns allegedly false or misleading representations, 
made through Lilly's privacy policies and during the sign-up process 
for Medi-Messenger. The Commission's proposed complaint alleges that 
Lilly claimed that it employs measures and takes steps appropriate 
under the circumstances to maintain and protect the privacy and 
confidentiality of personal information obtained from or about 
consumers through its Prozac.com and Lilly.com Web sites, when in fact 
Lilly had not employed such measures and had not taken such steps.
    As set forth in the complaint, Lilly's unintentional June 27th 
disclosure of Medi-Messenger subscribers' personal information (i.e., 
email addresses) resulted from its failure to maintain or implement 
internal measures appropriate under the circumstances to protect 
sensitive consumer information. For example, Lilly failed to provide 
appropriate training for its employees regarding consumer privacy and 
information security; failed to provide appropriate oversight and 
assistance for the employee who sent out the email, who had no prior 
experience in creating, testing, or implementing the computer program 
used; and failed to implement appropriate checks and controls on the 
process, such as reviewing the computer program with experienced 
personnel and pretesting the program internally before sending out the 
email. Lilly's failure to implement appropriate measures also violated 
certain of its own written policies.
    The proposed consent order contains provisions designed to prevent 
Lilly from engaging in similar acts and practices in the future.
    The proposed order applies to the collection of personal 
information from or about consumers in connection with the advertising, 
marketing, offering for sale, or sale of any pharmaceutical, medical, 
or other health-related product or service by Lilly's USA division.
    Part I of the proposed order prohibits misrepresentations regarding 
the extent to which Lilly maintains and protects the privacy or 
confidentiality of any personally identifiable information collected 
from or about consumers.
    Part II of the proposed order requires Lilly to implement a 
four-stage information security program designed to establish and maintain 
reasonable and appropriate administrative, technical, and physical 
safeguards to protect consumers' personal information against any 
reasonably anticipated threats or hazards to its security, 
confidentiality, or integrity, and to protect such information against 
unauthorized access, use, or disclosure. Specifically, Part II requires 
Lilly to:
    - Designate appropriate personnel to coordinate and oversee 
      the program;
    - Identify reasonably foreseeable internal and external 
      risks to the security, confidentiality, and integrity of personal 
      information, including any such risks posed by lack of training, and to 
      address these risks in each relevant area of its operations, whether 
      performed by employees or agents, including: (i) management and 
      training of personnel; (ii) information systems for the processing, 
      storage, transmission, or disposal of personal information; and (iii) 
      prevention and response to attacks, intrusions, unauthorized access, or 
      other information systems failures;
    - Conduct an annual written review by qualified persons, 
      within ninety (90) days after the date of service of the order and 
      yearly thereafter, which review shall monitor and document compliance 
      with the program, evaluate the program's effectiveness, and recommend 
      changes to it; and
    - Adjust the program in light of any findings and 
      recommendations resulting from reviews or ongoing monitoring, and in 
      light of any material changes to Lilly's operations that affect the 
      program.
    Parts III through VI of the proposed order are reporting and 
compliance provisions. Part III requires Lilly's retention of materials 
relating to its privacy and security representations and to its 
compliance with the order's information security program. Part IV 
requires dissemination of the order now and in the future to persons 
with responsibilities relating to the subject matter of the order. Part 
V ensures notification to the FTC of changes in corporate status. Part 
VI mandates compliance reports, including a copy of the initial annual 
review required by Part II.C within one hundred and twenty (120) days 
after service of the order. Part VII is a provision ``sunsetting'' the 
order after twenty (20) years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the agreement and proposed order or to modify their 
terms in any way.

    By direction of the Commission.
Donald S. Clark,
Secretary.

Concurring Statement of Commissioner Orson Swindle

    I am pleased with the consent agreement that the Commission has 
reached with Eli Lilly and Company. Lilly's unfortunate and unintended 
disclosure of prescription drug users' personal information has given 
us all the opportunity to evaluate how to improve upon security 
practices for confidential information. Lilly should be respected for 
its long-standing efforts in development of its privacy practices, its 
acceptance of responsibility for the internal failures that resulted in 
the alleged violation of its privacy policy, and its willingness to 
take appropriate steps to correct those mistakes. I appreciate the 
company's leadership in cooperating with us to improve its security 
measures, and I believe the firm will fully carry out its commitments 
under the proposed order. Lilly's responsiveness and its efforts to 
improve corporate privacy practices can be a model for others to 
follow.

[FR Doc. 02-2435 Filed 1-31-02; 8:45 am]
BILLING CODE 6750-01-P