Any third-party organization identified by a Lilly project owner as one that is being considered to handle Personal Information on Lilly's behalf must be aware of the following obligations.
On May 15, 2002, Lilly's Consent Decree with the United States Federal Trade Commission ("Consent Decree") was finalized. As a result of the same incident, in June of 2003, Lilly entered into a voluntary Assurance with eight states ("Multi-State Order"). The Consent Decree and the Multi-State Order, in nearly identical terms, require Lilly to take certain actions to address privacy issues within Lilly's operations, and those of Lilly's contractors and agents that are acting on Lilly's behalf, regarding the handling of "personally identifiable information" about individual consumers ("Personal Consumer Information" or "PCI").
If you are currently involved or are being considered to be involved in some manner with the collection, maintenance or use of PCI on behalf of Lilly, this letter is to provide you with formal notice of our obligations related to the Consent Decree, the Multi-State Order and the Lilly Privacy Standard. As required by the Consent Decree and Multi-State Order, we are attaching a copy of these documents for your review.
We are requiring all of our vendors that are engaged in any manner with PCI to comply with Lilly's Vendor Privacy and Security Standard, which is available on the supplier portal http://supplierportal.lilly.com, and with the terms of the Consent Decree and Multi-State Order. This means that at a minimum you will need to have privacy protective measures with respect to the PCI you are handling on behalf of Lilly equivalent to those identified in the attached documents and in Lilly's Vendor Privacy and Security Standard as referenced above.