FTC Enforces Security Representations in Privacy Policies
02.04.2002
A recent consent decree issued by the Federal Trade Commission ("FTC") concerning Eli Lilly and Company ("Lilly") underscores the principle that company representations concerning the protection and integrity of the personal information it collects create liability for even inadvertent disclosures. A company making such representations had better have the employee training, internal procedures and auditing to back up such promises. This update discusses the steps companies should consider in light of the FTC enforcement action and settlement. The FTC's complaint against Lilly and the settlement are available at http://www.ftc.gov.
The Breach
Lilly breached the confidentiality of its customers who signed up to receive e-mail reminders to take a prescription pill or refill prescriptions for Prozac, an anti-depressant. An apparently untrained Lilly employee e-mailed 669 customers, notifying them of a change in the reminder program and including the e-mail addresses of all 669 people in the "To:" line, thereby disclosing each recipient's address to all of the other recipients.
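The failure mode described above is a mass notice sent as a single message with every customer in the visible "To:" header. The following is an added illustration, not code from Lilly or from this alert, of the control a mailing system should enforce: build one message per recipient, and reject any outgoing message whose To:/Cc: headers would expose more than one address. The function names, the sender address and the sample recipient list are constructed for the example.

```python
# Added example (not from the original alert): per-recipient notification
# sending, plus a pre-send check that no message exposes other customers'
# addresses in its visible headers.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example; not real customer addresses.
SENDER = "reminders@example.invalid"
SAMPLE_RECIPIENTS = [
    "customer1@example.invalid",
    "customer2@example.invalid",
    "customer3@example.invalid",
]


def visible_recipients(msg):
    """Return every address a recipient of this message can see.

    Only To: and Cc: are visible to recipients; Bcc: is stripped by the
    sending MTA, so it is deliberately not counted here.
    """
    raw_headers = []
    for name in ("To", "Cc"):
        raw_headers.extend(str(h) for h in msg.get_all(name, []))
    return [addr for _, addr in getaddresses(raw_headers)]


def build_bulk_notice(sender, recipients, subject, body):
    """The pattern that caused the disclosure: one message, all addresses in To:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notices(sender, recipients, subject, body):
    """The safe pattern: one message per recipient, a single address in To:."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def find_cross_disclosures(messages):
    """Return the messages that would reveal more than one address to recipients."""
    return [m for m in messages if len(visible_recipients(m)) > 1]


def release_for_sending(messages):
    """Gate before the messages reach the outbound mail system.

    Raises ValueError instead of sending if any message would disclose
    one recipient's address to another.
    """
    offenders = find_cross_disclosures(messages)
    if offenders:
        raise ValueError(
            f"{len(offenders)} message(s) would expose multiple recipient addresses"
        )
    return messages


if __name__ == "__main__":
    safe = build_notices(SENDER, SAMPLE_RECIPIENTS, "Program change", "Details inside.")
    print(f"per-recipient notices flagged: {len(find_cross_disclosures(safe))}")
    bulk = build_bulk_notice(SENDER, SAMPLE_RECIPIENTS, "Program change", "Details inside.")
    print(f"bulk notice flagged: {len(find_cross_disclosures([bulk]))}")
```

The check belongs in the release path rather than in a training slide: it catches the mistake regardless of who assembles the message, which is the kind of "checks and controls on its information security process" the FTC complaint found missing.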
The FTC Complaint
In response to an American Civil Liberties Union July 2001 petition to the FTC to investigate the disclosure, the FTC filed a complaint alleging that Lilly's actions constituted "unfair and deceptive trade practices" because it did not have adequate procedures in place to fulfill the promises it made in its privacy policy to respect the privacy of its customers. The FTC pointed to vague homilies made in the privacy policy such as "Eli Lilly respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests' privacy as they take advantage of this resource." According to the FTC, such statements created an expectation in customers that Lilly had systems in place to protect their confidential information. The FTC alleged that Lilly did not have adequate training or oversight systems in place to prevent an improper disclosure or violation of its own privacy policy and did not have appropriate checks and controls on its computer privacy and information security process.
The Settlement
The settlement agreement requires Lilly to establish and maintain a four-stage information security program to establish and maintain reasonable and appropriate administrative, technical and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality or integrity, and to protect such information against unauthorized access, use or disclosure by:
- designating appropriate personnel to coordinate and oversee the security program;
- identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of personal information and to address these risks in each area of operations such as management and training, information systems for processing and storage of information, and prevention and response to attacks, intrusions and unauthorized access;
- conducting an annual report to determine compliance with the security program; and
- implementing changes to the security program as a result of the annual report or ongoing monitoring.
The Real Impact of Lilly
First, as we have always said about privacy policies--if you don't do it, don't say it. To take a page from the auditors, review your policy and ask whether every assertion in your privacy policy can be proven. If not, delete it or rewrite it to be absolutely true. There is no room for puffery in privacy policies. Even seemingly innocuous statements such as "We respect your privacy" may be used against you.
Second, we advise clients to "operationalize" their privacy policies. This means that companies should audit their practices, educate their workforce, train their employees and consider an interdisciplinary working team for privacy issues. As Lilly illustrates, security is part of privacy. Now ask how many corporate privacy officers or legal counsel have reviewed or even seen or heard of an IT security policy (assuming the company even has written security procedures). Operationalizing privacy should include a review of the company's security policies and integration of security procedures into privacy practices. If nothing else, the two should not be inconsistent, as is often the case because security procedures tend to be written by technical staff while privacy policies tend to be written by lawyers.
Third, the responsibility for understanding security procedures is no longer only within the purview of IT staff. As Lilly demonstrates so well, security and privacy now are risk management issues. Inadequate or neglected security may lead to third party claims for negligence (for example, if the company's network was used as a launching pad for a denial of service attack on other sites), shareholder lawsuits, and director and officer liability. Companies should examine how they deal with privacy and security in their customer and service agreements to be sure that any risk is properly allocated.
Lilly is a harbinger of things to come. Companies must take privacy and security seriously.