Should Eli Lilly Be Punished for E-Mail Snafu?

By Christine Hall | July 7, 2008 | 8:19 PM EDT

( - The American Civil Liberties Union is urging the federal government to penalize the drug company Eli Lilly and Co., for inadvertently mass mailing a computer message listing the e-mail addresses of hundreds of Prozac users.

In distributing a partial list of customers who use the anti-depressant drug, Eli Lilly not only caused potential embarrassment to those on the list but also triggered another round in the nation's privacy debate.

The case against Eli Lilly could hinge on the definition of contract law, which provides "one of our strongest assurances of privacy that we use all the time in a lot of contexts," according to Eugene Volokh of the University of California school of law.

"When you go to a web site and they ask you for your e-mail address for information about Prozac, they (the company) are presumably, implicitly promising to keep it confidential, because that's how people would understand that kind of transaction," said Volokh. "Most of the time contract law is quite ample to protect privacy in this respect."

However, other privacy advocates say existing contract law isn't enough to safeguard privacy.

"We do need stronger laws that apply to the collection of data on-line, [laws] that provide a baseline privacy protection," said Barry Steinhardt, associate director of the American Civil Liberties Union (ACLU).

"That [Eli Lilly] message should have been encrypted and stored separately," said Steinhardt. "It's plain what happened here. Somebody took a list and copied it in the 'to' line" of the e-mail message. "You don't do that with sensitive medical information."

Volokh, however, sees a danger in trying to extend strict privacy protections beyond health care and financial matters to other types of consumer transactions.

"The question that should be asked is: do you believe that [a company] doing business with you is promis[ing] that they won't tell anybody," said Volokh. "If you go into a bookstore and buy a book from the store clerk, do you feel that the store and the clerk are promising you that they won't tell anybody that you bought the book?

"If you look at every-day life, I think our default assumption is that, while we might like other people to keep things confidential, we don't understand them as promising us," Volokh said, "because a promise of confidentiality is a big deal. It's something that obligates people, it may expose them to liability, and it's not something that should be inferred in every single transaction."

Instead, said Volokh, for most transactions, people should take it upon themselves to find out a company's privacy policy and take their business elsewhere if the policy isn't protective enough.

Eli Lilly blames a glitch in a computer program as the cause of the accident. According to Anne Griffen, a company spokesperson, the company is taking steps to prevent the problem from re-occurring. She added that the message informed subscribers to an e-mail alert service that the service would soon be discontinued due to a redesign of the company's web page. Furthermore, she said, the alert service could be used by consumers not only to get reminders to re-fill prescriptions for Prozac but could also be set to remind consumers of any sort of activity, like picking up dry cleaning.

Steinhardt calls the latter notion "pretty far fetched."

"When people sign up on the Prozac page, I would think that they were intended to be reminded to take Prozac," said Steinhardt. "Secondly, that's the inference that's going to be drawn by anybody who gets a hold of this list. In the world of the Internet, that list is now public property that can be duplicated and circulated almost infinitely at this point."

The ACLU, which was first approached by one of Eli Lilly's affected e-mail subscribers, contacted the Federal Trade Commission (FTC) to urge the agency to impose penalties on Eli Lilly.

"The federal trade laws provide that if a company makes a promise on its web site as to its privacy policy and it violates that promise, then it's in violation of federal trade laws," said Steinhardt. "Remedies can be ordered by the FTC and include fines. At the moment, that's the only federal law that applies here."