012 3214

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION

In the Matter of

ELI LILLY and COMPANY, a corporation.

DOCKET NO. C-4047

COMPLAINT

The Federal Trade Commission, having reason to believe that Eli Lilly and Company, a corporation ("respondent") has violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:

1. Respondent Eli Lilly and Company is an Indiana corporation with its principal office or place of business at Lilly Corporate Center, Indianapolis, Indiana 46285. Respondent, a pharmaceutical company, has advertised and promoted its anti-depressant medication, Prozac, through the company's Web sites www.prozac.com and www.lilly.com.

2. The acts and practices of respondent as alleged in this complaint have been in or affecting commerce, as "commerce" is defined in Section 4 of the Federal Trade Commission Act.

3. Respondent promotes its Prozac.com Web site as "Your Guide to Evaluating and Recovering from Depression." From March 15, 2000 until June 22, 2001, respondent advertised, promoted, and marketed via www.Prozac.com and www.Lilly.com an email reminder service known as "Medi-messenger." Consumers who utilized the Medi-messenger service could design and receive personal email reminder messages from respondent concerning their medication or other matters. Once a visitor registered for Medi-messenger, the reminder messages were automatically emailed from Prozac.com to the subscriber at the email address s/he provided, and according to the schedule established by the subscriber.

4. Subscribers to the Medi-messenger service registered by providing an email address, a password, the text of the reminder message they wanted to receive, and the schedule for sending the reminder messages. (Complaint Exhibit A, pp. 1-4). After providing information to register for Medi-messenger, the subscriber was invited to view the Prozac.com "Privacy Statement" via a hyperlink, which was positioned just above the "Submit" and "Reset" buttons. (Complaint Exhibit A, p. 4).

5. Respondent has disseminated or has caused to be disseminated privacy policies on Prozac.com and Lilly.com, including but not necessarily limited to the attached Exhibits B and C. These privacy policies contain the following statements regarding the privacy and confidentiality of personal information collected through respondent's Web sites:

A. "Your Privacy
 
This Web site has been created to provide our visitors with information on certain medical conditions. Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource. As a result, we have developed this privacy code.
 
* * *
 
We will use Your Information to respond to requests you may make of us, and from time to time, we may refer to Your Information to better understand your needs and how we can improve our Web sites, products and services. Any and all uses would comply with all applicable laws. We may also use Your Information to contact you. However, the provision of Your Information will only be necessary if you choose to use or receive certain tools or services, such as a newsletter or our medical reminder service.
 
* * *
 
Our Web sites have security measures in place, including the use of industry standard secure socket layer encryption (SSL), to protect the confidentiality of any of Your Information that you volunteer; however, to take advantage of this your browser must support encryption protection (found in Internet Explorer release 3.0 and above). These security measures also help us to honor your choices for the use of Your Information."
 
Exhibit B: "Prozac.com | Privacy Statement," http://www.prozac.com/your_privacy.jsp; and https://secure.prozac.com/your_privacy.jsp.
 
B. "privacy
 
Eli Lilly and Company respects the privacy of visitors to its websites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource. As a result, we have developed this privacy code.
 
* * *

We will use Your Information to respond to requests you may make of us, and from time to time, we may refer to Your Information to better understand your needs and how we can improve our Web sites, products and services. Any and all uses would comply with all applicable laws. We may also use Your Information to contact you in connection with your requests.

* * *
 
Our Web sites have security measures in place, including the use of industry standard secure socket layer encryption (SSL), to protect the confidentiality of any of Your Information that you volunteer; however, to take advantage of this your browser must support encryption protection (found in Internet Explorer release 3.0 and above)."
 
Exhibit C: "Lilly: Privacy," http://www.lilly.com/privacy.html.

6. On June 27, 2001, at respondent's direction, an Eli Lilly employee sent an email message to Medi-messenger subscribers announcing the termination of the Medi-messenger service. To do this, the employee created a new computer program to access subscribers' email addresses and send them the email. The June 27th email disclosed the email addresses of all 669 Medi-messenger subscribers to each individual subscriber by including all of the recipients' email addresses within the "To:" line of the message. (Complaint Exhibit D, email addresses redacted from original). By including the email addresses of all Medi-messenger subscribers within the June 27th email message, respondent unintentionally disclosed personal information provided to it by consumers in connection with their use of the Prozac.com Web site.

7. The June 27th disclosure of personal information resulted from respondent's failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information. For example, respondent failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the email, who had no prior experience in creating, testing, or implementing the computer program used; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the email. Respondent's failure to implement appropriate measures also violated certain of its own written policies.

8. Through the means described in Paragraph 5, respondent has represented, expressly or by implication, that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites.

9. In truth and in fact, as described in Paragraphs 6 and 7, respondent has not employed measures and has not taken steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites. Therefore, the representation set forth in Paragraph 8 was, and is, false or misleading.

10. The acts and practices of respondent as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

THEREFORE, the Federal Trade Commission this eighth day of May, 2002, has issued this complaint against respondent.

By the Commission.

Donald S. Clark
Secretary

SEAL