The US Federal Trade Commission (FTC) found Eli Lilly had failed to protect customer information, provide adequate training for its employees, and provide proper oversight and assistance to the employee who sent out the e-mail.
Eli Lilly was ordered to establish an audited information security programme following an e-mail blunder in June 2001 that contravened the company's Web site privacy statement.
She advised any business trading in the US to ensure its business practices comply with its Web site privacy statement. UK businesses, she explained, also need to ensure their business practices adhere to their Data Protection Registrar entry.
Non-compliance can have a profound effect on business. In the case of Eli Lilly, the FTC ordered the company to maintain an information security programme for all information it collects from its customers for the next 20 years. It also required Eli Lilly to conduct a written security review annually for the information it holds on customers, and to nominate dedicated security staff to oversee the programme.