FTC, Eli Lilly settle privacy case

WASHINGTON -- Federal regulators today said they had settled a complaint against drug maker Eli Lilly and Co. after it released nearly 700 customer addresses collected through its Prozac.com Web site.

The release of addresses happened to some customers who had subscribed to a reminder service. On June 27, an employee created a computer program to access subscribers' e-mail addresses and then sent the customers an e-mail announcing the termination of the service. The addresses, however, were included in the To field of the message header and were visible to 669 subscribers of the service.

The company at the time called it an isolated event and blamed the foul-up on a programming error (see story).

The U.S. Federal Trade Commission said in its complaint that Indianapolis-based Lilly had failed to protect customer information, provide adequate training for its employees and provide proper oversight and assistance to the employee who sent out the e-mail.

The settlement doesn't impose any fine on the company but requires it to take steps to ensure the security of data, outlining a four-stage information security program. One settlement provision requires the company to conduct an annual review "by qualified persons" of its information security program.

Related stories:

Copyright © 2002 IDG Communications, Inc.

Shop Tech Products at Amazon