Major Pharmaceutical Company Agrees To New Safeguards For Consumer Data

Attorney General Spitzer today announced a multi-state agreement with one of the world's leading pharmaceutical companies that will protect U.S. consumers from exposure of their sensitive and personal data collected by the company.

The settlement with Eli Lilly & Co., the manufacturer of Prozac and other psychotropic medications, follows an incident last year in which consumers who subscribed to the company's email alert service found that Lilly had released their email addresses to the hundreds of other subscribers to the service.

"A privacy policy without adequate privacy practices does not protect confidentiality," Spitzer said. "A company should fulfill its commitment to consumer privacy by using the same safeguards that responsible companies use to protect their other valuable information assets."

The data exposure occurred in a mass email Lilly sent to all of its alert service subscribers. Approximately 670 subscribers' email addresses were visible at the top of the email. Lilly, which had promised to maintain the confidentiality of information provided by consumers online, attributed the exposure to a programming error.

The settlement agreement requires Lilly to strengthen its internal standards relating to privacy protection, training, and monitoring. Lilly will also institute automated checks for any of its software that accesses consumer information databases. Spitzer noted that, just as companies use firewalls, intrusion detection, and authentication to shield Internet data from outsiders, they should institute internal system structures to intercept careless or malicious misuse by employees and contractors.

The company will also undergo annual, independent compliance reviews over the next five years and report the findings of those reviews to the states.

The measures announced today require Lilly to build on the obligations imposed by an administrative order issued by the Federal Trade Commission in January. The FTC order remains in effect for 20 years. Today's agreement specifies no expiration date.

Lilly has also agreed to pay $160,000 to the states to settle the case.

Spitzer commended Lilly for working with the states to develop an implementation plan that will serve as a model for the many companies now collecting large volumes of individual information that employees can access and deploy electronically.

Also joining in the agreement are California, which led the investigation, Connecticut, Idaho, Iowa, Massachusetts, New Jersey, and Vermont.

Assistant Attorney General David Stampley of the Internet Bureau handled the case for the Attorney General.