Damage control: protecting customer privacy

Eli Lilly & Co. did just about everything it was supposed to do to protect its customers' privacy. When the company set up its Medi-Messenger e-mail service to remind people to take their medications, the automated system sent the messages as blind carbon copies -- the "To:" line was blank. That worked fine for two years -- until June 27, when Lilly sent one last mass e-mail to notify users that it was discontinuing the service. Because of human error, that one included hundreds of names -- all the Medi-Messenger users in the "To:" line.

Now that was a privacy failure. And it wasn't the worst of it. Because when something goes wrong with privacy, we don't just have to deal with what happened. We also have to deal with what people think happened.

As IT people, it's easy to assume that when something blows up on us, whether because of a technical glitch, operational error, policy mistake or just one of those things, we have to deal only with the problems we actually created. That just makes sense, right?

And that's what Lilly's people did. After that last message went out, complaints started coming in. The company responded individually to every complaint and sent a separate message to all Medi-Messenger users, apologizing for exposing their names. Lilly's IT people also set up new code-review procedures and blocked all outgoing messages with more than one name in the "To:" field.
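The second control mentioned above, refusing to relay any message that carries more than one visible recipient, is easy to enforce at the outbound gateway. The following is an added example written for this article, not Lilly's code; it assumes a relay hook that can hand each outgoing message to `check_outbound` before delivery, and the sample message and addresses are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: the kind of bulk notice that caused the exposure, with
# every subscriber listed in the visible To: header instead of Bcc:.
RAW_BULK = """From: reminders@example.test
To: a@example.test, b@example.test, c@example.test
Subject: Service notice

The reminder service ends next month.
"""

def parse(raw):
    """Parse an RFC 822 message into an EmailMessage (modern header parsing)."""
    return email.message_from_string(raw, policy=policy.default)

def visible_recipients(msg):
    """Every address a recipient can see: To and Cc (Bcc is stripped on send)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]

def check_outbound(msg):
    """Gateway policy: a message may expose at most one recipient address."""
    seen = visible_recipients(msg)
    if len(seen) > 1:
        return False, f"rejected: {len(seen)} addresses visible in To/Cc"
    return True, "ok"

def split_for_bulk_send(msg, recipients):
    """Rebuild a bulk notice as one message per recipient, so no list of
    subscribers is ever present in any header that gets delivered."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = str(msg["From"])
        m["Subject"] = str(msg["Subject"])
        m["To"] = rcpt
        m.set_content(msg.get_content())
        out.append(m)
    return out
```

A relay that enforces `check_outbound` would have refused the final Medi-Messenger notice, and `split_for_bulk_send` shows the safe way to deliver the same notice to the whole list.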

In short, they cleaned up the mess they made.

But it wasn't enough. One Medi-Messenger user, who used the service to remind him to take his Prozac, was outraged. Now hundreds of other people knew he was taking antidepressants, he thought. He contacted the American Civil Liberties Union (ACLU), which fired off a letter to the Federal Trade Commission accusing Eli Lilly of negligence, deceptive trade practices and violations of Lilly's own published privacy policy.

A week later, stories in The Washington Post and other news outlets were quoting the ACLU's letter and focusing on the exposure of Prozac users.

Did Eli Lilly accidentally expose hundreds of Prozac users? No. Not everyone using Medi-Messenger was taking Prozac. True, patients could sign up for the service through the Prozac.com Web site. But people who don't take Prozac also signed up for the service.

In other words, privacy was violated. But no one was exposed as a Prozac user, only as a Medi-Messenger user.

That's not the mess Eli Lilly created. But it's still a mess that Lilly has to clean up.

There's a lesson here for every IT shop. By now, we should all have contingency plans for dealing with privacy failures. Whether that means customer information exposed on a Web site, names on a mailing list or credit card numbers stolen by crackers, we should already have plans coordinated with our companies' legal and public relations departments for notifying the affected customers, apologizing for the problem and -- of course -- correcting it.

But privacy issues are special. People are understandably afraid -- of credit card fraud, identity theft and having their medical conditions or other personal information exposed. They'll make assumptions about what they fear really happened. They'll believe the worst.

When that happens, we've got to be ready with the facts and explanations that the legal and public relations staffs will need to shoot down rumors and allay fears. They'll do the explaining, but we must make sure they've got it right, not just for what happened but also for what didn't happen.

If that's not part of your plan, add it now. Because when it comes to privacy, cleaning up the mess we've made isn't enough. We have to clean up the mess people think we've made, too.

This story, "Damage control: protecting customer privacy" was originally published by Computerworld.
