States Settle With Eli Lilly on Data Gaffe

Eli Lilly & Co. will be required to adopt stronger privacy safeguards as part of a settlement with state attorneys general stemming from its accidental release of consumer information online last year.

In a settlement with eight states, the Indianapolis-based pharmaceutical giant, which makes the anti-depression medication Prozac, agreed to adhere to enhanced privacy safeguards to protect the data of its consumers.

The terms are intended to forestall a recurrence of the privacy debacle. Last year, Lilly disclosed the e-mail addresses of 669 Prozac users who had opted in to receive mailings from, in violation of its stated privacy policies.

Through the settlement with California, New York, Connecticut, Idaho, Iowa, Massachusetts, New Jersey, and Vermont, Eli Lilly agreed to pay $160,000 to the states, and to better protect consumers’ privacy in the future by beefing up internal policies.

Additionally, the company will reconfigure its marketing software and practices to automatically verify that software accessing its consumer databases is in compliance with its policies. Eli Lilly also agreed to five years of annual, independently monitored compliance reviews, and to report the findings of those reviews to the states.

The focus on Lilly’s data-protection policies stems from the fact that the pharmaceutical maker blames last year’s gaffe on internal regulations that had not been followed.

Originally, Lilly had promised in its privacy policy to safeguard the confidentiality of subscribers to its Medi-Messenger e-mail alert service, which distributes reminders to take or refill medications. To alert users to the program’s termination in late June, a Lilly employee created a new computer program to access the subscribers’ e-mail addresses and send them a message. However, the mailing included the subscribers’ e-mail addresses in its “To:” header.

The settlement with the states expands on a 20-year administrative order issued by the Federal Trade Commission in January. The FTC determined that Lilly had failed to provide appropriate training and oversight for its employees regarding consumer privacy and information security, and neglected “appropriate” checks and controls on the process.

The settlement with the FTC required Lilly to establish a security program that assigns employees to track down potential privacy risks and perform annual privacy reviews.

New York Attorney General Eliot Spitzer said he commended Lilly for working with the states to develop an implementation plan, which he said would serve as a model for other major companies collecting large volumes of individual information.

“A privacy policy without adequate privacy practices does not protect confidentiality,” Spitzer said. “A company should fulfill its commitment to consumer privacy by using the same safeguards that responsible companies use to protect their other valuable information assets.”

The news comes a day after Lilly reported a 20 percent drop in second-quarter earnings, on slowing Prozac sales, and also warned that possible manufacturing quality control issues could hamper the rollout of new drugs.
