ACLU Letter to FTC Re: Eli Lilly

Timothy Muris
Chairman
Federal Trade Commission
600 Pennsylvania Avenue
Washington DC 20580

Dear Chairman Muris:

We write to ask you to investigate and take appropriate action to remedy a violation of Federal trade laws that involves the privacy of more than 700 medical consumers and Internet users.

We were alerted to this incident by “John Doe,” (we use the word “he” for convenience only; it is not meant to identify gender), a customer of Eli Lilly and Company who used the anti-depressant drug Prozac. John Doe registered with Eli Lilly through its website for a special Medi-messenger service. Under this service, Eli Lilly would send him daily email messages reminding him to take his medicine. These messages came without indication as to the identities of the recipients (the “To:” line in the address section of these messages was blank). Thus, he was led to believe that his identity (including his email address) would treated as confidential medical records, and would not be disclosed without his consent.

He received these daily reminders up until June 27, 2001. That evening, he received an email message from Eli Lilly stating that the company was discontinuing the Medi-messenger service. However, unlike its predecessors, this message included a long, publicly visible list of recipients under the previously blank “To:” line. This list included the email addresses of more than 700 people. A copy of this message has been enclosed with this letter; the precise email addresses of the recipients have been redacted to protect their privacy. (We will be happy to make a confidential copy of the original available to you).

It is unclear at this point what precise internal rules Eli Lilly followed in handling John’s personal information (during the time that the Medi-messenger service was operational). However, Eli Lilly’s privacy statement (which is posted on the company’s website) includes the following language (as of June 29, 2001):

“With respect to this website, Eli Lilly and Company and its agents will only collect, store or use personally identifiable information, such as your name, address, social security number, stockholder account number, or e-mail address (‘Your Information’), when it is voluntarily submitted to us. We will use Your Information to respond to requests you may make of us, and from time to time, we may refer to Your Information to better understand your needs and how we can improve our websites, products and services. Any and all uses would comply with all applicable laws. We may also use Your Information to contact you in connection with your requests. Any other information transferred by you in connection with your visit to this site (‘Other Information’ — i.e., information that cannot be used to identify you) may be included in databases owned and maintained by Eli Lilly and Company or its agents. Lilly retains all rights to these databases and the information contained in them.”

The statement goes on to state:

“Our websites have security measures in place, including the use of industry standard secure socket layer encryption (SSL), to protect the confidentiality of any of Your Information that you volunteer; however, to take advantage of this your browser must support encryption protection (found in Internet Explorer release 3.0 and above).”

A copy of this policy is enclosed with this letter.

Based on these facts, and Eli Lilly’s stated promise of confidentially, we believe that Eli Lilly’s actions constitute unfair trade practices in violation of section 5 of the FTC Act, 15 U.S.C. § 45 (a), which prohibits unfair or deceptive acts or practices in or affecting commerce. Eli Lilly had led John Doe and the hundreds of other users of its Medi-messenger service to believe that their identities would be protected. Its apparently negligent dissemination of his identity was made without his knowledge or consent. By divulging his identity as a user of anti-depressants, Eli Lilly’s actions have caused him substantial injury, and are likely to cause substantial injury to him in the future-injuries that they cannot reasonably avoid and are not outweighed by countervailing benefits to him or competition.

These events set a dangerous precedent. Eli Lilly had a duty of care and a duty under the Federal Trade laws to protect the confidentiality of the medical consumers who used it product. If this breach of duty goes unnoticed, it would raise the possibility not only that Eli Lilly will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices, and the privacy interests of consumers engaging in online commerce and other Internet activities will be significantly diminished.

Therefore, we respectfully request that the Federal Trade Commission launch a formal investigation into this matter and take appropriate steps to remedy this breach.

Thank you for your time and consideration.

Sincerely,

Christopher Chiu
Internet Policy Analyst Barry Steinhardt
Associate Director