Attorney General Lockyer Announces Settlement with Major Pharmaceutical Company to Provide Consumer Privacy Safeguards

Thursday, July 25, 2002
Contact: (415) 703-5837, agpressoffice@doj.ca.gov

(SACRAMENTO) - California Attorney General Bill Lockyer today announced a multi-state settlement with Eli Lilly & Co., one of the world's leading pharmaceutical companies, aimed at protecting the privacy of consumers who have sensitive and personal data collected by the company.

The settlement with Eli Lilly & Co., the manufacturer of Prozac and other psychotropic medications, follows an incident last year in which consumers who subscribed to the company's prozac.com email alert service found that Lilly had released their email addresses to the hundreds of other subscribers to the service. The multi-state investigation into violations of consumer privacy was led by California.

"A company that collects personal data online with assurances of privacy should take its obligation seriously and protect against the release of the data electronically," Lockyer said. "The settlement specifies standards and requirements for an information security program to safeguard consumer's personal information. The settlement can serve as a valuable model for other companies to protect consumer privacy."

The data exposure occurred in a mass email Lilly sent to all of its prozac.com alert service subscribers. Approximately 670 subscribers' email addresses were visible at the top of the email. Lilly, which had promised to maintain the confidentiality of information provided by consumers online, attributed the exposure to a programming error.

Under the settlement, Eli Lilly & Co. has agreed to strengthen its internal standards relating to privacy protection, training, and monitoring. The company will institute automated checks for its software that accesses consumers information databases. The company will also undergo annual compliance reviews over the next five years and report the findings to the states. Joining California in the push for consumer privacy protections were Connecticut, Idaho, Iowa, Massachusetts, New Jersey, New York and Vermont.

The measures announced today require Lilly to build on the obligations imposed by an administrative order issued by the Federal Trade Commission in January. The FTC order remains in effect for 20 years. Today's agreement specifies no expiration date. Lilly has also agreed to pay $160,000 to the states to settle the case.

# # #