Â鶹´«Ã½

012 3214

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION

COMMISSIONERS:
Timothy J. Muris, Chairman
Sheila F. Anthony
Mozelle W. Thompson
Orson Swindle
Thomas B. Leary

In the Matter of

ELI LILLY AND COMPANY, a corporation.

DOCKET NO. C-4047

DECISION AND ORDER

The Â鶹´«Ã½ Trade Commission having initiated an investigation of certain acts and practices of the respondent named in the caption hereof, and the respondent having been furnished thereafter with a copy of a draft of complaint which the Bureau of Consumer Protection proposed to present to the Commission for its consideration and which, if issued by the Commission, would charge respondent with violation of the Â鶹´«Ã½ Trade Commission Act; and

The respondent, its attorneys, and counsel for Â鶹´«Ã½ Trade Commission having thereafter executed an agreement containing a consent order, an admission by the respondent of all the jurisdictional facts set forth in the aforesaid draft of complaint, a statement that the signing of said agreement is for settlement purposes only and does not constitute an admission by respondent that the law has been violated as alleged in such complaint, or that the facts as alleged in such complaint, other than jurisdictional facts, are true and waivers and other provisions as required by the Commission's Rules; and

The Commission having thereafter considered the matter and having determined that it had reason to believe that the respondent has violated the said Act, and that complaint should issue stating its charges in that respect, and having thereupon accepted the executed consent agreement and placed such agreement on the public record for a period of thirty (30) days, and having duly considered the comment received, now in further conformity with the procedure prescribed in § 2.34 of its Rules, the Commission hereby issues its complaint, makes the following jurisdictional findings and enters the following order:

1. Respondent Eli Lilly and Company is a corporation organized, existing, and doing business under and by virtue of the laws of the State of Indiana, with its principal office or place of business at Lilly Corporate Center, Indianapolis, Indiana 46285.
 
2. The Â鶹´«Ã½ Trade Commission has jurisdiction of the subject matter of this proceeding and of the respondent, and the proceeding is in the proceeding is in the public interest.

ORDER

DEFINITIONS

For purposes of this order, the following definitions shall apply:

1. "Personally identifiable information" or "personal information" shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name that reveals an individual's email address; (d) a telephone number; (e) a social security number; (f) an Internet Protocol ("IP") address or host name that identifies an individual consumer; (g) a persistent identifier, such as a customer number held in a "cookie" or processor serial number, that is combined with other available data that identifies an individual consumer; or (h) or any information that is combined with (a) through (g) above. Provided that, this definition shall not include personally identifiable information about physicians, nurses, or other health care professionals, or their staff, that is collected in connection with such persons' professional duties.
 
2. Unless otherwise specified, "respondent" shall mean Eli Lilly and Company, its successors and assigns and its officers, agents, representatives, and employees acting within the scope of their authority on behalf of, or in active concert or participation with, Eli Lilly and Company.
 
3. "Lilly USA division" shall mean Lilly USA, a division of Eli Lilly and Company, and Lilly USA's successors, assigns, officers, representatives, agents, employees, and other entities responsible for the development, control, support, or oversight of U.S. product or service sales, advertising, or marketing, information management, or information technology. Provided that, the Lilly USA division shall be treated as a corporation under the control of Eli Lilly and Company for the purpose of determining whether any other entity is Lilly USA division's successor or assign.
 
4. "Commerce" shall mean as defined in Section 4 of the Â鶹´«Ã½ Trade Commission Act, 15 U.S.C. §  44.

I.

IT IS ORDERED that respondent shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains and protects the privacy or confidentiality of any personally identifiable information collected from or about consumers, in connection with the advertising, marketing, offering for sale or sale, in or affecting commerce, of any pharmaceutical, medical or other health-related product or service by respondent's Lilly USA division, directly or through any corporation, subsidiary, division, or other entity.

II.

IT IS FURTHER ORDERED that respondent shall establish and maintain an information security program for the protection of personally identifiable information collected from or about consumers in connection with the advertising, marketing, offering for sale, or sale of any pharmaceutical, medical, or other health-related product or service, in or affecting commerce, by respondent's Lilly USA division, directly or through any corporation, subsidiary, division, or other entity. Such program shall consist of:

A. designating appropriate personnel to coordinate and oversee the program;
 
B. identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and addressing these risks in each relevant area of its operations, whether performed by employees or agents, including: (i) management and training of personnel; (ii) information systems for the processing, storage, transmission, or disposal of personal information; and (iii) prevention and response to attacks, intrusions, unauthorized access, or other information systems failures;
 
C. conducting an annual written review by qualified persons, within ninety (90) days after the date of service of this order and yearly thereafter, which review shall monitor and document compliance with the program, evaluate the program's effectiveness, and recommend changes to it; and
 
D. adjusting the program in light of any findings and recommendations resulting from reviews or ongoing monitoring, and in light of any material changes to its operations that affect the program.

III.

IT IS FURTHER ORDERED that respondent shall for a period of five (5) years after the date of service of this order maintain and upon request make available to the Â鶹´«Ã½ Trade Commission for inspection and copying a print or electronic copy of the following documents relating to compliance with Parts I and II of this order by respondent's Lilly USA division, directly or through any corporation, subsidiary, division, or other entity:

A. a sample copy of each different consumer-targeted print, broadcast, cable, or Internet advertisement, promotion, information collection form, Web page, screen, email message, or other document containing any representation regarding the Lilly USA division's collection, use, and security of personal information from or about consumers. Each Web page copy shall be dated and contain the full URL of the Web page where the material was posted online. Electronic copies shall include all text and graphics files, audio scripts, and other computer files used in presenting the information on the Web. Provided, however, that after creation of any Web page or screen in compliance with this order, the Lilly USA division shall not be required to retain a print or electronic copy of any amended Web page or screen to the extent that the amendment does not affect its compliance obligations under this order;
 
B. all reports, studies, reviews, audits, audit trails, policies, training materials, and plans, whether prepared by or on behalf of respondent, relating to the Lilly USA division's compliance with the information security program required by Part II of this order; and
 
C. any documents, whether prepared by or on behalf of the Lilly USA division, that contradict, qualify, or call into question its compliance with the information security program required by Part II of this order, maintained through reasonable efforts in accordance with a document retention program.

IV.

IT IS FURTHER ORDERED that respondent Eli Lilly and Company, and its successors and assigns, shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after the date of service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.

V.

IT IS FURTHER ORDERED that respondent Eli Lilly and Company, and its successors and assigns, shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address. Provided, however, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Part shall be sent by certified mail to the Associate Director, Division of Â鶹´«Ã½, Bureau of Consumer Protection, Â鶹´«Ã½ Trade Commission, Washington, D.C. 20580.

VI.

IT IS FURTHER ORDERED that respondent Eli Lilly and Company, and its successors and assigns, shall within one hundred and twenty (120) days after service of this order, and at such other times as the Â鶹´«Ã½ Trade Commission may require, file with the Commission a report, in writing, setting forth in detail the manner and form in which they have complied with this order. This report shall include a copy of the initial annual review required by Part II.C of this order.

VII.

This order will terminate on May 8, 2022, or twenty (20) years from the most recent date that the United States or the Â鶹´«Ã½ Trade Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:

A. Any Part in this order that terminates in less than twenty (20) years;

B. This order's application to any respondent that is not named as a defendant in such complaint; and

C. This order if such complaint is filed after the order has terminated pursuant to this Part.

Provided, further, that if such complaint is dismissed or a federal court rules that the respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

Donald S. Clark
Secretary

ISSUED: May 8, 2002

SEAL: