In re Eli Lilly & Co.

Citation: In re Eli Lilly & Co., Docket No. C-4047 (May 8, 2002).

Factual Background
Lilly is a pharmaceutical company that manufactures, markets and sells several drugs, including the antidepressant medication Prozac. Lilly operated the website (www.prozac.com), which offered an e-mail reminder service. Consumers who registered for the service could receive personal e-mail messages to remind them to take or refill their Prozac medication. On June 27, 2001, a Lilly employee created a new computer program to send subscribers an e-mail message announcing the termination of the service. That e-mail included all of the recipients' e-mail addresses within the "To:" line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of the 669 other subscribers.

FTC Proceedings
According to the FTC complaint, Lilly claimed that it took appropriate measures to maintain and protect the privacy and confidentiality of personal information obtained from consumers on its websites. The FTC's complaint alleged that this claim was deceptive because Lilly failed to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information, which led to the company's unintentional disclosure of subscribers' personal information. Lilly agreed to settle these charges.

The settlement prohibits Lilly from misrepresenting the extent to which it maintains and protects the privacy and confidentiality of its consumers' information. In addition, the settlement requires Lilly to establish a security program to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity.