FTC Hits Lilly For Violating its Privacy Policy

Violating your website’s privacy policy can cause you long-term problems with the Federal Trade Commission.

Just ask Eli Lilly and Company. As a result of an e-mail error where all the recipients were listed for everyone to see, the company was forced to enter into a consent decree that now requires Lilly to make extensive reports to the FTC for 20 years.

Lilly maintained the website Prozac.com that allowed consumers to subscribe to an e-mail reminder service known as “Medi-messenger.” The service allowed consumers to design and receive personal e-mail reminder messages concerning their medication or other matters. As part of the registration process for the service, consumers were given a password and had to provide an e-mail address, the text of the reminder message they wanted to receive and how often they wanted to receive the message.

Consumers were invited to review Lilly’s privacy statement that included assurances that Lilly’s website has security measures in place “to protect the confidentiality of any of Your Information that you volunteer.”

Lilly’s problem began after Lilly decided to terminate the service. It notified the 669 subscribers of the termination via an e-mail. That e-mail listed the addresses of all 669 subscribers in the “To” line, visible to every recipient, thus violating the company’s stated privacy policy.

As a result of the disclosure, the Federal Trade Commission (FTC) filed a complaint against Lilly. The FTC complaint stated that the disclosure of personal information “resulted from respondent’s failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information.” Among the failures were: failure to provide appropriate training for its employees regarding consumer privacy and information security; failure to provide appropriate oversight and assistance to the employee who sent out the e-mail, who had no prior experience in creating the computer program used; failure to implement appropriate checks and controls; and failure to implement appropriate measures to follow its own policies.
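As an added illustration of the “checks and controls” the complaint says were missing (example code, not from the page or from Lilly): a pre-send guard that blocks any bulk notice whose visible To/Cc headers expose more than one subscriber, next to a builder that produces one individually addressed message per subscriber so the guard passes. The sender address and the 669-entry subscriber list are constructed sample values.

```python
"""Pre-send guard for bulk notices: block any message that exposes other subscribers' addresses."""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "medi-messenger@example.invalid"  # constructed sample sender, not the real one
SUBSCRIBERS = [f"subscriber{i}@example.invalid" for i in range(669)]  # constructed sample list
MAX_VISIBLE = 1  # unrelated consumers must never see one another's address

def notice(to_header: str) -> EmailMessage:
    """Build a termination notice addressed as given (subject and body are sample text)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_header
    msg["Subject"] = "Service termination notice"
    msg.set_content("The reminder service is being discontinued.")
    return msg

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read: To and Cc. Bcc is stripped by the mail server."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]

def exposure_violations(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> list[str]:
    """Problems that must block sending; an empty list means the message is safe to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} addresses exposed in To/Cc (limit {max_visible})")
    if not visible and not msg.get_all("Bcc"):
        problems.append("no recipients at all")
    return problems

def build_naive_notice(recipients: list[str]) -> EmailMessage:
    """The failure mode: one message listing every subscriber in the To line."""
    return notice(", ".join(recipients))

def build_safe_notices(recipients: list[str]) -> list[EmailMessage]:
    """The control: one individually addressed message per subscriber."""
    return [notice(addr) for addr in recipients]

def send_all(messages, transport) -> int:
    """Run the guard on each message before handing it to transport (e.g. smtplib.SMTP.send_message)."""
    sent = 0
    for msg in messages:
        problems = exposure_violations(msg)
        if problems:
            raise ValueError("blocked: " + "; ".join(problems))
        transport(msg)
        sent += 1
    return sent
```

The guard is deliberately independent of the builder: it inspects the finished message, so it also catches a hand-edited or ad hoc mailing that bypasses the normal path.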

Lilly entered into a consent order with the FTC. As part of the order, Lilly agreed:

  • Not to misrepresent in any manner the extent to which it maintains and protects the privacy or confidentiality of any personally identifiable information collected from or about consumers.
  • To establish and maintain an information security program for the protection of personally identifiable information collected from or about consumers. The program is to include designating a person to coordinate and oversee the program; identifying internal and external risks to security, and conducting an annual written review of the program. The program also is to identify how Lilly plans to prevent and respond to attacks, intrusions and unauthorized access to personal information.
  • To provide to the FTC for five years a copy of each different consumer-targeted print, broadcast, cable or Internet advertisement, promotion, information collection form and representation made by Lilly concerning the collection, use and security of personal information from or about consumers.

The consent order is to remain in effect for twenty years.