Federal Trade Commission.
Proposed Consent Agreement.
The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices or unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint that accompanies the consent agreement and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.
Comments must be received on or before February 19, 2002.
Comments filed in paper form should be directed to: FTC/Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments filed in electronic form should be directed to: email@example.com, as prescribed below.
FOR FURTHER INFORMATION CONTACT:
Mary K. Engle, Division of Advertising Practices, Bureau of Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, DC 20580, (202) 326-3161.
Pursuant to section 6(f) of the Federal Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and § 2.34 of the Commission's rules of practice, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for January 18, 2002), on the World Wide Web, at “http://www.ftc.gov/os/2002/01/index.htm”. A paper copy can be obtained from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington, DC 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission in either paper or electronic form. Comments filed in paper form should be directed to: FTC/Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW., Washington, DC 20580. If a comment contains nonpublic information, it must be filed in paper form, and the first page of the document must be clearly labeled “confidential.” Comments that do not contain any nonpublic information may instead be filed in electronic form (in ASCII format, WordPerfect, or Microsoft Word) as part of or as an attachment to e-mail messages directed to the following e-mail box: firstname.lastname@example.org. Such comments will be considered by the Commission and will be available for inspection and copying at its principal office in accordance with § 4.9(b)(6)(ii) of the Commission's rules of practice, 16 CFR 4.9(b)(6)(ii).
Analysis of Proposed Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from Eli Lilly and Company (“Lilly”).
The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order.
Lilly is a pharmaceutical company that manufactures, markets, and sells drugs, including the anti-depressant medication Prozac. To market Prozac, among other things Lilly operates the Prozac.com Web site, which the company promotes as “Your Guide to Evaluating and Recovering from Depression.” The Prozac.com site, like Lilly.com and several of Lilly's other product Web sites, collects personal information from visitors.
From March 2000 through June 2001, Lilly offered through Prozac.com a service called “Medi-Messenger,” which enabled its subscribers to receive individualized email reminders from Lilly concerning their Prozac medication or other matters. On June 27, 2001, Lilly sent a form email to subscribers to the service, which disclosed all of the subscribers' email addresses to each individual subscriber by including all of their addresses within the “To:” entry of the message.
This matter concerns allegedly false or misleading representations, made through Lilly's privacy policies and during the sign-up process for Medi-Messenger. The Commission's proposed complaint alleges that Lilly claimed that it employs measures and takes steps appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained from or about consumers through its Prozac.com and Lilly.com Web sites, when in fact Lilly had not employed such measures and had not taken such steps.
As set forth in the complaint, Lilly's unintentional June 27th disclosure of Medi-Messenger subscribers' personal information (i.e., email addresses) resulted from its failure to maintain or implement internal measures appropriate under the circumstances to protect sensitive consumer information. For example, Lilly failed to provide appropriate training for its employees regarding consumer privacy and information security; failed to provide appropriate oversight and assistance for the employee who sent out the email, who had no prior experience in creating, testing, or implementing the computer program used; and failed to implement appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pretesting the program internally before sending out the email. Lilly's failure to implement appropriate measures also violated certain of its own written policies.
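The failure described above is a process control failure as much as a coding one: a single message carried every subscriber's address in its visible "To:" header, and nothing checked the message before it went out. The following is an added illustration written for this notice, not Lilly's program and not part of the FTC's filing. It builds the exposing form of the message beside the per-recipient form, and adds the kind of pre-send check that would have caught the exposure in internal testing. The sender address and the subscriber list are constructed for the example.

```python
"""Per-recipient bulk mail with a pre-send address-exposure check.

Added illustration for the Medi-Messenger incident described in this notice.
It is not Lilly's program; the sender and subscriber addresses are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list (not real addresses).
SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]

SENDER = "reminders@example.com"  # assumed sender address for the example


def build_broadcast_message(subscribers, body):
    """The failure mode: one message whose To: header lists every subscriber.

    Every recipient can read every other recipient's address.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "Medication reminder"
    msg.set_content(body)
    return msg


def build_individual_messages(subscribers, body):
    """The corrected form: one message per subscriber, addressed only to that subscriber."""
    messages = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = "Medication reminder"
        msg.set_content(body)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Return the addresses a recipient of msg can read from its headers.

    Only To: and Cc: reach recipients; Bcc: is an envelope-only header and is
    deliberately not counted here.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def exposure_check(msg, max_visible=1):
    """Preflight control: refuse a message that exposes other subscribers.

    Returns (ok, reason). An individual reminder should have exactly one
    visible recipient; more than that leaks addresses, zero is a malformed send.
    """
    visible = visible_recipients(msg)
    if len(visible) == 0:
        return False, "no visible recipient"
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc (limit {max_visible})"
    return True, "ok"


def send_all(messages, transport):
    """Run the exposure check on every message and hand only passing ones to transport.

    transport is any callable that accepts an EmailMessage (an SMTP wrapper in
    practice; here a list's append method stands in). Returns the rejections.
    """
    rejected = []
    for msg in messages:
        ok, reason = exposure_check(msg)
        if not ok:
            rejected.append((str(msg["To"]), reason))
            continue
        transport(msg)
    return rejected


if __name__ == "__main__":
    body = "This is your scheduled reminder."
    delivered = []
    print("broadcast rejected:", send_all([build_broadcast_message(SUBSCRIBERS, body)], delivered.append))
    print("individual rejected:", send_all(build_individual_messages(SUBSCRIBERS, body), delivered.append))
    print("delivered:", len(delivered))
```

The check sits in the send path rather than in a separate review step, so it runs whether or not a reviewer remembers to look at the headers; a dry run against a staging transport (a list, as here, or a mailbox owned by the team) is the "pretesting the program internally" the complaint says was missing.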
The proposed consent order contains provisions designed to prevent Lilly from engaging in similar acts and practices in the future.
The proposed order applies to the collection of personal information from or about consumers in connection with the advertising, marketing, offering for sale, or sale of any pharmaceutical, medical, or other health-related product or service by Lilly's USA division.
Part I of the proposed order prohibits misrepresentations regarding the extent to which Lilly maintains and protects the privacy or confidentiality of any personally identifiable information collected from or about consumers.
Part II of the proposed order requires Lilly to implement a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure. Specifically, Part II requires Lilly to:
- Designate appropriate personnel to coordinate and oversee the program;
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and to address these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
- Conduct an annual written review by qualified persons, within ninety (90) days after the date of service of the order and yearly thereafter, which review shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
- Adjust the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to Lilly's operations that affect the program.
Parts III through VI of the proposed order are reporting and compliance provisions. Part III requires Lilly's retention of materials relating to its privacy and security representations and to its compliance with the order's information security program. Part IV requires dissemination of the order now and in the future to persons with responsibilities relating to the subject matter of the order. Part V ensures notification to the FTC of changes in corporate status. Part VI mandates compliance reports, including a copy of the initial annual review required by Part II.C within one hundred and twenty (120) days after service of the order. Part VII is a provision “sunsetting” the order after twenty (20) years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the agreement and proposed order or to modify their terms in any way.
By direction of the Commission.
Donald S. Clark,
Concurring Statement of Commissioner Orson Swindle
[FR Doc. 02-2435 Filed 1-31-02; 8:45 am]
BILLING CODE 6750-01-P