10-6-00
Electronic Commerce Advisory February 19, 2002FTC Settles Eli Lilly Prozac Privacy
The recently announced settlement between Eli Lilly and Company (Lilly) and the Federal Trade Commission (FTC) demonstrates once again the importance of backing up promises made in corporate privacy policies with acomprehensive corporate program. It also dramatically reconfirms the fact that even an unintentional violation of acompanys posted privacy policy can result in a regulatory enforcement action and damage to brand and reputation.
The FTC had charged that Lilly engaged in deceptive practices in connection with the unauthorized disclosure of sensitive personal information collected at the companys Prozac.com Web site. In the settlement, announced inmid-January, Lilly avoided paying a fine or damages to the affected individuals but had to agree to establish aninformation security program and to refrain from future misrepresentations concerning its information practices.
Eli Lilly promoted its Prozac.com Web site to consumers as Your Guide to Evaluating and Recovering from Depression. The site offered consumers an e-mail reminder service called Medi-messenger. Consumers whoregistered for Medi-messenger would receive personalized e-mail reminder messages concerning their medication orother matters. To register for the Medi-messenger service, individuals selected a password, specified the text of thereminder message and its frequency, and provided their e-mail address.
On June 27, 2001, Eli Lilly sent a form e-mail announcing the termination of the service to all Medi-messenger subscribers. The To: line of this e-mail contained the personal e-mail addresses of all 669 individuals registered forthe Medi-messenger service, thereby disclosing personal information provided to Lilly in connection with the con-sumers use of Prozac.com.
The privacy policy on the Prozac.com Web site stated that Lilly had security measures in place to protect the confidentiality of personal information that consumers provided in connection with use of the Web site. The privacypolicy also stated that Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it isimportant to maintain our guests privacy as they take advantage of this resource. The FTC alleged that, by making these statements, Lilly represented, expressly or by implication, that it em- ployed measures and took appropriate steps to protect the privacy and confidentiality of personal information when,in fact, the company had not taken appropriate steps. Therefore, according to the FTC, the statements in theprivacy policy were false and misleading and constituted unfair or deceptive practices in violation of Section 5 of theFTC Act. Specifically, the FTC alleged that Lilly failed to implement or maintain internal procedures to protectpersonal information, including appropriate training for employees regarding privacy and information security,oversight and assistance for employees (the complaint states that the employee who sent the form e-mail had no priorexperience in creating, testing or implementing the computer program used), and appropriate checks and controls on the process, such as reviewing the computer program with experienced personnel and pre-testing the programinternally before sending out the e-mail. According to the FTC, Lillys failure to implement appropriate measuresviolated its own written internal security procedures.
The Consent Order
The proposed settlement agreement1 prohibits Lilly from misrepresenting in any way the extent to which the com- pany maintains and protects the privacy or confidentiality of personally identifiable information collected from or aboutconsumers. Interestingly, the order is not limited to Lillys online activities; the proposed settlement also applies to thecompanys brick and mortar activities. In addition, the proposed settlement applies to all personally identifiableinformation collected from or about consumers in connection with the advertising, marketing, offering for sale, or saleof any pharmaceutical, medical or other health-related product or service by the companys U.S. division.
Part II of the proposed order requires Lilly to establish and maintain an information security program. The program must include: Designation of appropriate personnel to coordinate and oversee the program; Identification of reasonably foreseeable internal and external risks to the security, confidentiality and integrity of personal information; Conducting an annual written review by qualified persons to monitor and document compliance with the program, evaluate the programs effectiveness and recommend changes to it; and Adjusting the program in light of the annual review or any material changes to the companys operations that affect the program.
Observations on the Lilly Settlement
The FTCs case against Lilly is interesting for many reasons. Coming as it does less than two months after FTC Chairman Timothy J. Muris announced the Commissions intention to focus on enforcing companies privacy poli-cies and existing privacy laws rather than seeking passage of new privacy laws, the case illustrates that companiesmust view promises made in their privacy policies as binding contractual representations. General feel goodstatements about the companys commitment to privacy, or customer-friendly statements designed to reduce con-sumer anxiety, can be dangerous if they are not backed up by sound policies and procedures.
As noted, Lillys disclosure of personal information was unintentional and a one-time occurrence. However, even an unintentional breach of stated policy can result in liability, especially where sensitive personal information is involved.
The Lilly case is the first FTC enforcement action to focus on the security of personally identifiable information.
Other FTC enforcement actions have addressed the collection of personal information and the transfer or sharing ofinformation, but this case hones in on the nuts and bolts of operational procedures and shows how easy it is for evensensitive personal information to be compromised through lack of training and supervision.
Finally, the Lilly case provides a glimpse into the tangled world of health care privacy where gaps between laws and overlapping laws create confusion for consumers and industry alike. While the Prozac Web site was collecting 1 The proposed consent agreement was published for public comment in the Federal Register on February 1, 2002. Comments are due by February 19, 2002. 67 Fed. Reg. 4963 (Feb. 1, 2002).
sensitive personal information about the existence and treatment of a medical condition, the site would not besubject to the privacy rules issued under the Health Insurance Portability and Protection Act (HIPAA) because Lillyis not a covered entity under HIPAA.2 On the other hand, if a Web site operated by a hospital or physician collectedthe same information, it would be subject to the HIPAA privacy rules because the hospital and physician are coveredentities. The interaction of these two regulatory schemes HIPAA and Section 5 of the FTC Act will continue tochallenge companies that collect personal health information. n 2 The HIPAA privacy rules were issued in final on December 28, 2000; compliance is not mandatory until April 14, 2003. For background on the rule, see Alston & Bird LLP Advisories, HHS Issues Final HIPAA Privacy Regulations dated January 11, 2001, and located at http:// HIPAA Privacy Regulations Become Effective, dated May 2001 and located This Electronic Commerce Advisory is published by Alston & a summary of significantdevelopments to our clients and friends. It is intended to be informational and does not constitute legal advice regardingany specific situation. This material may also be considered advertising under applicable court rules. This advisory maybe reprinted without the express permission of Alston & Bird so long as it is reprinted in its entirety including the Alston &Bird name and logo. If you have any questions or would like additional information, and/or if you would like to receivethis information via e-mail, please contact your Alston & Bird attorney or the following: If you would like to receive future advisories by e-mail, or if you would like to be removed from the distribution list,please advise Janice McDuffie via facsimile at 202-756-3333 with yourname, company and e-mail address.
Atlanta: One Atlantic Center n 1201 West Peachtree Street n Atlanta, Georgia, USA, 30309-3424 n 404-881-7000 n Fax: 404-881-7777
Charlotte: Bank of America Plaza n 101 South Tryon Street, Suite 4000 n Charlotte, North Carolina, USA, 28280-4000 n 704-444-1000 n Fax: 704-444-1111
New York: 90 Park Avenue n New York, New York, USA, 10016-1387 n 212-210-9400 n Fax: 212-210-9444
Research Triangle: 3201 Beechleaf Court, Suite 600 n Raleigh, North Carolina, USA, 27604-1062 n 919-862-2200 n Fax: 919-862-2260
Washington, D.C.: 601 Pennsylvania Avenue, N.W. n North Building, 10th Floor n Washington, D.C., USA, 20004-2601 n 202-756-3300 n Fax: 202-756-3333
Alston & Bird LLP 2002
Source: http://www.alston.com/Files/Publication/6c78c040-f412-426b-9bfc-5d7b8a631d4f/Presentation/PublicationAttachment/65cf14a2-e9a2-47eb-ba03-106f3e7c0a09/FTC%20Settles%20Eli%20Lilly.pdf
Microsoft word - 0614ascp
AMERICAN SOCIETY OF CLINICAL PSYCHOPHARMACOLOGY (ASCP) June 2014 Hollywood, FL by Lynne Peterson June 16-18, 2014 The annual meeting of the American Society of Clinical Pharmacology (ASCP) is a forum for issues in clinical research in psychiatry. It used to be known as the NCDEU (New The ASCP meeting offered a peek at
2011 report on 2010 drug violations 2
DRUGS IN U.S. RACING - 2010 THE FACTS With more rigorous standards than the Olympics, professional horse racing has the most aggressive drug testing program in professional sports, testing for more substances with greater sensitivity than anyone else. September 1, 2011 Copyright: 2011. Association of Racing Commissioners International.