The incident happened when one of the company’s employees
created a computer program to access subscribers’ e-mail addresses
and announce to them the termination of the service. The addresses
of 669 prozac.com e-mail alert subscribers were included in the
“To” field of the message header, so they were visible to hundreds
of other subscribers to the service. The addresses should instead
have been placed in the "Bcc" (blind carbon copy) field: Bcc
recipients still receive the message, but their addresses are not
transmitted in the message header and so are not shown to the other
recipients.
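To make the failure concrete, here is an added example (not code from the article or from the company involved) that builds a bulk notice the way the incident describes, with every subscriber in the visible "To" header, and then the two safe ways to address it: recipients carried only in the SMTP envelope (the Bcc pattern, handled the way Python's smtplib.send_message does, which uses Bcc addresses as envelope recipients and strips the header before transmission), and one message per subscriber. A small check then reads each message as it would be transmitted and reports which subscriber addresses it would expose to other people; that is the kind of automatic check such software could be run through before it is allowed to send. The sender, subject and subscriber addresses are constructed sample data, not anything from the case.

```python
"""Added example: bulk notice addressed three ways, plus a disclosure check."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import getaddresses

# Constructed sample data; none of these are real subscriber addresses.
SENDER = "alerts@example.com"
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]
SUBJECT = "Service termination notice"
BODY = "This e-mail alert service is being discontinued.\n"


def _base_message():
    msg = EmailMessage(policy=SMTP)   # SMTP policy: CRLF line endings, as on the wire
    msg["From"] = SENDER
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_broken(subscribers):
    """The failing pattern: every subscriber in the visible To header.
    Returns (envelope recipients, message bytes as transmitted)."""
    msg = _base_message()
    msg["To"] = ", ".join(subscribers)
    return list(subscribers), msg.as_bytes()


def build_bcc(subscribers):
    """Single message whose recipients live only in the SMTP envelope.
    Mirrors smtplib.send_message: Bcc addresses become envelope recipients
    and the Bcc header is deleted before the message is transmitted."""
    msg = _base_message()
    msg["To"] = SENDER                      # visible To is the sender, not a subscriber
    msg["Bcc"] = ", ".join(subscribers)
    envelope = [addr for _, addr in getaddresses([str(msg["Bcc"])])]
    del msg["Bcc"]                          # never leaves the sending host
    return envelope, msg.as_bytes()


def build_per_recipient(subscribers):
    """One message per subscriber, so nobody sees anyone else's address.
    Returns a list of (envelope recipients, message bytes as transmitted)."""
    out = []
    for addr in subscribers:
        msg = _base_message()
        msg["To"] = addr
        out.append(([addr], msg.as_bytes()))
    return out


def leaked_addresses(wire_bytes, envelope, subscribers):
    """Subscriber addresses that the message as sent exposes to someone other
    than their owner. A sole recipient seeing their own address is not a leak."""
    parsed = message_from_bytes(wire_bytes, policy=SMTP)
    visible = set()
    for hdr in ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc"):
        values = [str(v) for v in parsed.get_all(hdr, [])]
        for _, addr in getaddresses(values):
            visible.add(addr.lower())
    exposed = {s.lower() for s in subscribers} & visible
    if len(envelope) == 1:
        exposed.discard(envelope[0].lower())
    return sorted(exposed)


def audit(subscribers):
    """Run the disclosure check over all three builders.
    Returns a mapping of builder name to the sorted list of leaked addresses."""
    results = {}
    env, wire = build_broken(subscribers)
    results["broken"] = leaked_addresses(wire, env, subscribers)
    env, wire = build_bcc(subscribers)
    results["bcc"] = leaked_addresses(wire, env, subscribers)
    per_msg = build_per_recipient(subscribers)
    results["per_recipient"] = sorted(
        {a for env, wire in per_msg for a in leaked_addresses(wire, env, subscribers)}
    )
    return results


if __name__ == "__main__":
    for name, leaked in audit(SUBSCRIBERS).items():
        print(f"{name:14s} leaked: {leaked or 'none'}")
```

The check deliberately inspects the bytes that would go over the wire rather than the message object, because the Bcc pattern is only safe if the header is actually removed before transmission; a sender that writes the Bcc header and then hands the message to a relay unchanged leaks the list just as the "To" version does.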
The company, which had promised to maintain the confidentiality
of the information provided by customers on-line, attributed the
incident to a programming error and claimed that it was an isolated
event.
According to the terms of the agreement, which was signed by
eight US states, Eli Lilly will have to build on the obligations
imposed by an administrative order issued by the Federal Trade
Commission in January. That order remains in effect for 20 years;
the agreement with the states, however, has no expiry date.
The agreement requires that the company strengthen its internal
standards relating to privacy protection, training and monitoring.
Lilly will institute automatic checks for any of its software that
accesses customer information databases.
The company will also pay a fine of $160,000, divided among the
states of New York, Massachusetts, Connecticut, Idaho, Iowa, New
Jersey, Vermont and California. Eli Lilly will also undergo annual,
independent compliance reviews over the next five years and report
the findings to the states.
Attorney general Eliot Spitzer said:
“A privacy policy without adequate privacy
practices does not protect confidentiality. A company should fulfil
its commitment to consumer privacy by using the same safeguards
that responsible companies use to protect their other valuable
information assets.”