The Eli Lilly case settlement in the US should raise concerns for
anyone gathering personal information on their Web sites
The US Federal Trade Commission (FTC) found Eli Lilly had failed to
protect customer information, provide adequate training for its
employees and provide proper oversight and assistance to the
employee who sent out the e-mail.
Eli Lilly was ordered to establish an audited information security
programme following an email blunder in June 2001 that contravened
the company's Web site privacy statement.
Rosemary Jay, senior consultant at law firm Masons, said Eli
Lilly's privacy statement stated that it respected personal
privacy. However, in June 2001 the company sent out an email
revealing the names of people subscribing to its Prozac.Com
information service. Apparently, the message was sent to the
subscribers using the carbon copy (CC) function rather than the
blind carbon copy (BCC) email function, so every recipient could
see the other subscribers' names, in breach of the company's
privacy policy.
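The CC/BCC mistake described above is a process failure that a mailing system can refuse to make. The following added example (not code from the article, Eli Lilly or Masons; all addresses are constructed placeholders) builds a subscriber mailing with recipients in Bcc and adds a pre-send guard that rejects any message whose To or Cc headers would expose more than one address:

```python
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposureError(ValueError):
    """Raised when a message would disclose its recipient list to every recipient."""


def addresses_in(msg, *headers):
    """Bare addresses from the named headers (To and Cc are visible to every recipient)."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def check_no_recipient_exposure(msg, max_visible=1):
    """Pre-send guard: refuse a message whose To/Cc would expose more than max_visible addresses."""
    visible = addresses_in(msg, "To", "Cc")
    if len(visible) > max_visible:
        raise RecipientExposureError(
            f"{len(visible)} addresses exposed in To/Cc (limit {max_visible})")
    return True


def build_bulk_message(sender, subscribers, subject, body):
    """Subscriber mailing that keeps the list confidential: sender in To, subscribers in Bcc.
    smtplib.SMTP.send_message() strips the Bcc header and uses it only for the SMTP envelope.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    check_no_recipient_exposure(msg)  # fails closed before anything reaches an MTA
    return msg


# Constructed sample data (placeholder addresses, not from the article).
SUBSCRIBERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
SAFE = build_bulk_message("newsletter@example.com", SUBSCRIBERS, "Update", "Hello")

# The same mailing assembled the way the June 2001 message was: subscribers in CC.
LEAKY = EmailMessage()
LEAKY["From"] = "newsletter@example.com"
LEAKY["To"] = "newsletter@example.com"
LEAKY["Cc"] = ", ".join(SUBSCRIBERS)
LEAKY["Subject"] = "Update"
LEAKY.set_content("Hello")
```

Running `check_no_recipient_exposure(LEAKY)` raises `RecipientExposureError`, while `SAFE` passes and carries the subscribers only in Bcc.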
Jay said: "If a business has a privacy statement, its business
processes have to comply. Eli Lilly failed to respect its privacy
policy. It is treated as a breach of trading practices."
She advised any business trading in the US to ensure its business
practices comply with its Web site privacy statement. UK
businesses, she explained, also need to ensure their business
practices adhere to their Data Protection Registrar entry.
Non-compliance can have a profound effect on business. In the case
of Eli Lilly, the FTC ordered the company to maintain an
information security programme for all information it collects from
its customers for the next 20 years. It also required Eli Lilly to
conduct a written security review annually for the information it
holds on customers, and to nominate dedicated security staff to
oversee the programme.