Eli Lilly settlement raises privacy stakes

The Eli Lilly case settlement in the US should raise concerns for anyone gathering personal information on their Web sites

The Eli Lilly case settlement in the US should raise concerns for anyone gathering personal information on their Web sites

The US Federal Trade commission (FTC) found Eli Lilly had failed to protect customer information, provide adequate training for its employees and provide proper oversight and assistance to the employee who sent out the e-mail.

Eli Lilly was ordered to establish an audited information security programme following an email blunder in June 2001 that contravened the company's Web site privacy statement.

Rosemary Jay, senior consultant at law firm Masons, said Eli Lilly's privacy statement stated that it respected personal privacy. However, in June 2001 the company sent out an email revealing the names of people subscribing to its Prozac.Com information service. Apparently, the message was sent to the subscribers using the carbon copy (CC) function rather than the blind carbon copy (BCC) email function. This had the effect of revealing the names of subscribers, and breaking the company's privacy policy.

Jay said: "If a business has a privacy statement, its business processes have to comply. Eli Lilly failed to respect its privacy policy. It is treated as a breach of trading practices."

She advised any business trading in the US to ensure its business practices comply with its Web site privacy statement. UK businesses, she explained, also need to ensure their business practices adhere to their Data Protection Registrar entry.

Non-compliance can have a profound effect on business. In the case of Eli Lilly, the FTC ordered the company to maintain an information security programme for all information it collects from its customers for the next 20 years. It also required Eli Lilly to conduct a written security review annually for the information it holds on customers, and to nominate dedicated security staff to oversee the programme.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.