A $1 Billion Email Gaffe

Jake writes in with the story behind an explosive NYTimes scoop last week. It seems that the Times's pharmaceutical industry reporter, Alex Berenson, scored a page-one blockbuster when he revealed that Eli Lilly was looking to reach a settlement with federal prosecutors over the company's alleged inappropriate marketing of anti-psychotic drug Zyprexa. A settlement figure of $1 billion was mentioned. This scoop dropped into Berenson's inbox when a lawyer for one of Lilly's retained firms mis-addressed an email to a colleague with the same last name as that of the Times reporter. Some online observers are speculating that auto-complete is to blame, but this has not been confirmed.
Update: 02/08 17:19 GMT by KD : Jake writes in with an update: it seems that while Berenson did receive a misdirected e-mail from Pepper Hamilton, that e-mail did not contain a detailed description of the status of the Eli Lilly settlement talks. Berenson got his story from other sources.

auto-complete is at fault?

[ChrisMounce (1096567)]

I notice the software is being blamed rather than the user.

Re:auto-complete is at fault?

[BigJClark (1226554)]

http://en.wikipedia.org/wiki/PEBKAC [wikipedia.org]

Re:auto-complete is at fault?

[fohat (168135)]

Agreed, this is more likely to be a PEBKAC.

If the info was confidential it probably had a confidentiality notice at the bottom of it, stating that if you are not the intended recipient that you aren't allowed to do anything with the email. I saw one of those sig's today and started to wonder if that was legally binding in any way. Maybe we will find out now!

Re:auto-complete is at fault?

[Gat0r30y (957941)]

probably had a confidentiality notice

One would hope a lawyer working at a major law firm on a sensitive case would be required to have a confidentiality notice. I guess the question is, how do you know if you aren't the intended recipient? The guy must be in his address book? How does he know he's not just getting a hot tip from a disgruntled lawyer / whistleblower? Even if you are fairly certain you aren't the intended recipient, do those canned confidentiality sigs mean anything anyway? IANAL, anyone who knows a little better care to inform?

Re:auto-complete is at fault?

[mbstone (457308)]

As between lawyers, if the errant email had reached the opposing lawyer there are a number of attorney ethics rules, as well as court decisions, that basically say that the other lawyer must return any mis-transmitted documents and must not use the information. (Yeah surrre.) See Perlman, Untangling Ethics Theory From Attorney Conduct Rules: The Case of Inadvertent Disclosures [typepad.com] , 13 Geo. Mason L. Rev. 767 (2005).

These types of court decisions would not, however, support a "prior restraint" such as a court order prohibiting the NYT from publishing the information, see, e.g., New York Times Co. v. United States [wikipedia.org] , 403 U.S. 713 [cornell.edu] (1971) (5-to-3 ruling prohibiting prior restraint and allowing NYT to print the top-secret "Pentagon Papers").

Re:auto-complete is at fault?

[gruntled (107194)]

About ten years ago, when I was covering the antitrust trial for the Mercury News, Microsoft's PR arm accidentally emailed me half of their internal database describing how they dealt with reporters and who each reporter's handler was and why. I looked at it, decided to be a nice guy, called the lady up and said, Hey, this isn't what I asked for, you sent the wrong stuff. So minutes later I get another email from her. This contains the *second* half of the confidential data base. Well, what could we do but make fun of them...

Re:auto-complete is at fault?

[yali (209015)]

If the info was confidential it probably had a confidentiality notice at the bottom of it, stating that if you are not the intended recipient that you aren't allowed to do anything with the email. I saw one of those sig's today and started to wonder if that was legally binding in any way. Maybe we will find out now!

IANAL, but I'm pretty sure that putting a notice at the bottom of a message creates a legally binding contract.

--
NOTICE: This message is distributed under the Slashdot Propriety License. By reading this message, you agree to moderate this message "+1 Informative" if you have mod points, otherwise to send $1,000 in small unmarked bills to the author. Failure to adhere to the terms of the license (which, if you are still reading at this point, you have already agreed to) will result in your being prosecuted under the terms of the DMCA and thrown in a small unheated cell on Guantanamo.

Re:

[ecavalli (1216014)]

IANAL, but I'm pretty sure that putting a notice at the bottom of a message creates a legally binding contract.

And while I'm sure most courts would agree with you, does that contract become void if sent to an incorrect party?

If a lawyer is upset at a ruling and leaks a confidential document to a newspaper intentionally, no amount of confidentiality disclaimers intended for the document's original target attached to the bottom of the document will stop the newspaper from running it.

I think the end point is that you can't force confidentiality on an unsuspecting party simply by sending them a piece of paper th

Re:

[ecavalli (1216014)]

Quite so.

And how would the courts rule if the unintended recipient claimed to have only read the first two paragraphs? That might be all they need to get the crucial info, but how could they be held to a contract they never actually saw?

Re:auto-complete is at fault?

[Buran (150348)]

And how are you going to prove that I agreed to it? As you pointed out in your own message, these are a joke. How exactly are you going to extort that $1,000 out of me? How are you going to force me to turn it over? You can't prove in court that I agreed to your license because you provided the goods before you had my signature or other agreement. Software licenses and real-world goods licenses don't give you the goodies until AFTER you agree.

If someone emails me something and then whines about what I do with it, perhaps they should have come to me first and said "I'm sending you (x), but if I do, will you not do (y) with it?" and then only sent it after I agreed? THAT would be enforceable.

The lawyer is SOL.

Re:auto-complete is at fault?

[BeeBeard (999187)]

Mod points wasted. AAAL, and I assure you it doesn't, any more than reading your signature creates a contractual obligation on my part to mod your posts "Informative" or send you money.

Also, since settlement information is excluded from evidence when trying to prove culpability, and never reaches the finder of fact in a court case anyway, this whole story is pretty pointless. While the leak may have a modest effect on stock prices, the fact that Eli Lilly attempted to settle and the amount in question couldn't possibly matter less in the case at bar.

Re:auto-complete is at fault?

[swillden (191260)]

AAAL

"Ah ahm a lahyah"

and a southern gentleman too.

That's right, it really, truly doesn't matter.

[BeeBeard (999187)]

Posting without a Karma bonus because I just want to make sure that this poster understands the situation:

Yes, that's right, it absolutely won't have an effect on negotiations. That was the point of the post, to assure you that as a matter of law, their bargaining position hasn't been compromised at all because the settlement information can't come in at trial anyway (and the strength of each side's case are the bargaining chips in negotiations, not some dollar amount that the press accidentally found out.) Generally, any information obtained during negotiations, or even in this case--the incredibly boring revelation that negotiations took place--cannot come in as evidence at trial. This is an well-known evidentiary rule, and the point of it is that there is a strong public policy concern for encouraging settlements between parties, so as to not needlessly burden the judicial system. And the best way to encourage settlements is to make sure that the parties can be as candid with each other during negotiations as possible without having to worry that what they say can be used against them at trial. Both parties are free to continue negotiating. No harm, no foul.

That's why the information revealed in this leak doesn't matter, and why the focus of the story is on the far more interesting [i]way[/i] it was leaked. The prosecution cannot utter a word about this at trial, regardless of what the press knows or doesn't know. Eli Lilly is still in great shape, they just might want to consider getting different counsel! Was this an embarrassing screwup by the lawyer? Absolutely. Will it have any kind of extrinsic effect, like causing a dip in stock prices? [i]Maybe[/i]. But will it matter in a potential trial, and therefore prove damaging to Lilly's position during during negotiations? Absolutely not.

Re:auto-complete is at fault?

[fosterNutrition (953798)]

I heard from corporate counsel at a previous job that, at least up here in Canada, it is *not* legally binding. The company still used them, but they viewed it more as a request ("please delete this"), with maybe a little scare tactic ("or legal consequences may apply") thrown in for good measure.

Re:

[yali (209015)]

Judging from your four-digit ID number, I am going to assume that you wrote that software yourself, so you still owe me. Unless your software passes the Turing test, in which case you are safe but your computer is going to gitmo.

Re:auto-complete is at fault?

[MightyYar (622222)]

The unheated cells are the nice ones. The heated ones are in the same wing as the ones with "running water".

Re:auto-complete is at fault?

[schwaang (667808)]

Because who hasn't been bit by auto-complete or other software features which are pitfalls for human nature waiting to happen?

My current peeve in this area is my cellphone directory. Every entry is in the same huge list, which means I have to thumb carefully past people I definitely *don't* want to call by accident (but still need to have in my book). The lame workaround is to use an alphabetic prefix to move important people to the top of the list, take-out restaurants to the bottom, etc. Is this really the 21st century?

Re:auto-complete is at fault?

[xaxa (988988)]

My favourite: 3 days after I started University I got an email...

Hi Peter (not my name),

The amount for the chemistry building work is now confirmed as £85,000,000.00 exactly -- I've left a cheque on your desk, could you sign it please?

Cheers, Dave

Turns out that my relatively unusual surname is shared with the finance director at my university. For about a month I got a few of his emails, I assume because my first name is earlier in the alphabet.

Re:auto-complete is at fault?

[rs79 (71822)]

I had a client back in the mid 90s whose last name was watson and he grabbed watson.com; I ran the email for him. I handled the postmaster account, he didn't want to.

I got a bounced mail from somebody at ibm. Every other address on the line was to "watson.ibm.com". Just not this one.

Long story short after about five of these over a few months I finally got a thing about secret nucular testing. I called them and explained what they did.

Never saw another one, ever.

I'm guessing somebody didn't get their xmas bonus that year.

Re:auto-complete is at fault?

[Viceroy Potatohead (954845)]

which means I have to thumb carefully past people I definitely *don't* want to call by accident (but still need to have in my book)

Tell me about it...

[Me autodialling]
Callee: Hello?
Me: Hey baby, it's Thursday. I've got the Tantric oil, buttplug, and Fischer-Price chainsaw ready. When are you heading over?
Callee: Ummm... How's your week going?
Me: Mom?

Every Thursday, like clockwork...

Re:auto-complete is at fault?

[jollyreaper (513215)]

Tell me about it...

[Me autodialling]
Callee: Hello?
Me: Hey baby, it's Thursday. I've got the Tantric oil, buttplug, and Fischer-Price chainsaw ready. When are you heading over?
Callee: Ummm... How's your week going?
Me: Mom?

Every Thursday, like clockwork...

Let's just hope one of those times she doesn't say "Oh, what the hell, I'll try anything once."

Re:auto-complete is at fault?

[isomeme (177414)]

Sufficiently bad design can justify blaming the software.

I routinely send emails to a member of my team named David. At some point a few months ago I emailed another person named David. Guess which one Outlook always autocompletes to, forcing me to arrow down to pick the correct one? I've sent a couple of (innocuous) emails to the other David when I forgot about this 'feature'.

You'd think any sensible autocomplete feature would remember your last selection for the same string, or at least make the default choice the most recently emailed match.

Re:

[vux984 (928602)]

The problem is that the lawyer was using the wrong piece of software.

If you're routinely dealing with communications that are sensitive, then you should be typing the full address in every time

Whole new use for Typosquatting.
Suddenly sjobs@aple.com, wbuffet@berksirehatheway.com, michael_dell@dall.com etc, etc, might have some additional value.

Or use lists that have been verified to be correct.

And how do you propose that? Run a completely separate mail identity for each case he works on, each with its own ca

Re:auto-complete is at fault?

[budgenator (254554)]

Why not just set up a separate user-space for each important case and only have the authorized contact information for that user-space/case available?

***Legal Notice*** and I mean it.

[by Anonymous Coward]

If you are not the intended recipient of this response, please disregard and forget this posting.

You are legally binded from reading, forwarding, printing, copying, remembering, discussing or in any other way acknowledging this post.

I am planning on robbing the bank on Fifth and Elm. Do not alert the police. Meet me at the warehouse after.

captcha:overlook

New feature! Auto-complete your career!

[syousef (465911)]

Tired of that pesky work getting in the way of having fun? No problems, with our new email auto-complete, work will never be a problem again. Tired of looking competent. Too few opportunties to end your career over a simple typo? Problem solved with auto-complete. People will blame you the dumb user for making the smallest mistake at any time of the day or night and regardless of your workload. With auto-complete your career is guaranteed to end in the jiffiest of jiffies.

This happens to me all the time!

[MightyYar (622222)]

I've gotten stuff from all sorts of folks - including the Times - because my gmail address is just may last name, and people seem to always forget to include the first letter of a first name, or they leave off stuff before a period: bob.smith@gmail.com or bsmith@gmail.com becomes smith@gmail.com.

I don't know what Eli Lilly's lawyers charge

[agrippa_cash (590103)]

but I'm sure they can afford PGP/gnupg AND a highschool kid to show them how to use it.

It's funny, you know ...

[ScrewMaster (602015)]

but if I were running a major law firm that regularly handled confidential matters for multi-billion dollar clients ... I'd certainly encrypt the Hell out of every communication that left my offices. I mean, all they had to do was install some free (free!) encryption software like PGP, and there'd have been no problem.

Huh. I'll bet they will now.

Re:

[fm6 (162816)]

Except that email encryption is generally done with public key encryption. That means that every recipient has a public/private key pair; the public key is used to encrypt the message and is known by everybody who wants to send them email; the private key is used to decrypt the message and is only known by the recipient. When I say "known by" I really mean known by the user's software — few people bother memorizing umpteem-bit key values.

If the lawyer had been encrypting his messages, his email would

Re:I advised my attorney to encrypt

[Anonymous Brave Guy (457657)]

In the opinion of several lawyer friends I've asked about this one, that's wrong, too. Oh, and I mean factually, not ethically. It sounds like there is at least some credibility in some jurisdictions if you have a notice *before* the rest of the content, but all these corporate types appending legalese essays to the end of every outgoing message are just jumping on a bandwagon with no wheels.

No, I'm not going to tell you who my lawyer friends are or the jurisdictions in which they practise. Yes, if you take anything you read on Slashdot as legal advice, you're a fool. No, I am not a lawyer myself.

Very Nasty Stuff

[grumpygrodyguy (603716)]

Zyprexa

I was on this terrible crap for a while...after 2 weeks I had gained 15 pounds (not exaggerating).

I remember finding myself on the candy Isle at the supermarket shoveling 12-packs of twix, snickers, and all kinds of other candy into my shopping cart...and I usually don't eat sweets.

These 'medications' are really horrible...it's sad that so many people believe schizophrenia is easily treated with them. Big pharma marketdroids are mostly to blame. In fact, after 6 months, 80% of the people on these medications quit (I suspect the other 20% are forced to take it by hospital staff)...they actually prefer being crazy (unable to work, take care of themselves, go to public places, etc.) rather than take them...the side-effects are that bad.

Re:Very Nasty Stuff

[Shados (741919)]

Whats to blame is the psychiatrists. They're virtually trained (and not by the big pharams, though they don't help) that meds are the cure to everything, as opposed to psychologists. I remember reading statistics showing that the VAST majority of people who go see a psychiatrist end up with a prescription, regardless of if they truly had problems.

The best example is the insane amount of kids with an ADD diagnostic... sure, there ARE people who are truly chemically imbalanced and such, and need treatments of some kind...I really feel for these people. The rest just need some discipline stuck in their head. As far as I know (and I know quite a few people in the field), most people getting these prescriptions don't even pass a fraction of the tests that would be required to make a proper diagnostic. The psychiatrist just go by "guts feeling".

And then you end up on mind control medication.... You're "better", but you're not "you" anymore... Some treatments are required... some mental illness CAN be treated... but in general, whats available right now is just a big cash cow, not treatments.

Re:Very Nasty Stuff

[by Anonymous Coward]

You're supposed to tell your Doctor if you experience urges of that kind while taking Zyprexa, it's one of the side effects some people experience. Now, the vast majority - myself included - are effectively treated with no side-effects and can therefore go on to lead productive and happy lives. And Zyprexa is a hell of a lot better than the previous treatment, haldol, which is a butcher of a medication. So much so that the instant Zyprexa, an effective replacement, became available haldol was dropped like the proverbial hot-potato. Also Zyprexa will not cause uncontrollable muscle movement after 20 years like haldol.

Um, no.

[Minwee (522556)]

Some online observers are speculating that auto-complete is to blame, but this has not been confirmed.

As I tried to explain to one of the Three Letter Acronyms of our company this morning, "Auto-Complete" is not to blame. "Not Paying Attention" is to blame. If you can't be bothered to look at who you are sending stuff like this to, then please step back from the computer and have someone else handle complicated things like email for you.

Surely if you are doing billion dollar deals then you can afford to hire someone capable of working a keyboard without embarrassing him or herself.

Re:Um, no.

[vux984 (928602)]

As I tried to explain to one of the Three Letter Acronyms of our company this morning, "Auto-Complete" is not to blame.

Agreed.

"Not Paying Attention" is to blame.

Yes, but mistakes happen. You can't just tell people 'pay more attention' and expect that to solve all problems.

If you can't be bothered to look at who you are sending stuff like this to, then please step back from the computer and have someone else handle complicated things like email for you.

Surely if you are doing billion dollar deals then you can afford to hire someone capable of working a keyboard without embarrassing him or herself.

The sarcasm was unwarranted, but the idea is right. If you are dealing with really sensitive material, it should be vetted by a 2nd set of eyes before its released.

And in any case it holds it in the outbox for 5 minutes before actually sending, so if you have one of those... "push send... oh shit"... moments you can still stop it from being sent.

And maybe something can be done at the software level, like a custom email client that requires you enter a passphrase that encrypts the email . The software won't send without a passphrase, and the recipient must know the passphrase to open the email. Each case file would have its own passphrase, and the case file is included in the message. So if the email reached the wrong recipient they wouldn't know the passphrase and couldn't read the message.

You could speed the process up by maintaining a dictionary of cases and passphrases, and let the recipients automatically open any email in the passphrase dictionary, and rather then enter a passphrase have them enter a case number. So, anyone involved with the case would have to add the passphrase-case number pair to their dictionary just once.

Its not bullet proof... I'm sure better solutions exist. but it would be more effective at dealing with this sort of mistake than either 'typing in the address each time', or 'yelling pay more attention' at people.

You'd use a separate email program entirely for casual non-sensitive communication with your family, friends, reporters, your chauffer, dog groomer, and staples representative...

Pardon the pedantry...misleading headline

[holden caufield (111364)]

The headline is misleading. Eli Lilly was going to pay the $1 billion anyway, regardless of who received the email. They simply didn't want anyone to know about that.

Re:

[timeOday (582209)]

Yup, from reading the story, it appears all that Eli-Lilly lost was the opportunity to manage the announcement of the penalty. BFD. At least, not a $1 BN mistake by any means.

Why was the address there?

[grub (11606)]

Why was the reporter's email address already in the lawyer's address book? They should check his mail logs and see what else he send to that person before.

Tell Me About It

[corby (56462)]

Dudes, you should see the crazy shit I get.

Signed,
Pritchard Cheney

I take ten milligrams of Zyprexa every day

[MichaelCrawford (610140)]

I take it for my schizoaffective disorder [geometricvisions.com]. I didn't make the decision to take Zyprexa lightly - I was and still am concerned it could give me diabetes.

But schizoaffective disorder is a devastating illness: it's just like being manic-depressive and schizophrenic at the same time. The risperdal I took previously for my psychotic symptoms wasn't working anymore. From 2003 through 2007, I was in the emergency room five times for psychiatric reasons, culminating in an ambulance ride to the mental ward, where I stayed for three weeks.

The Zyprexa completely eliminates the paranoia and visual hallucinations I would otherwise have almost all the time. It also brought me down from the bipolar mania that led to my ambulance ride, and prevents me from getting manic anymore.

As a result of taking it, I am able to hold a steady job - and a good one - as a software engineer, to provide for my wife and to pay her University tuition.

I've heard rumours that Zyprexa might be withdrawn from the market. I really hope that doesn't happen, as I've never had a medicine work so well.

Happened to me once...

[knodi (93913)]

Some guy bought a motion-sensitive webcam, pointed it out his window, and set it up to email him whenever it took a picture.

Except he misspelled his own email address, and the images started coming to me, a complete stranger.

I stitched all the shots together into this time-lapsed movie:
http://knodi.com/images/floral_park/time_lapse.gif [knodi.com]

I had this happen with a university address, lots

[patio11 (857072)]

I was the campus token conservative columnist. He was very flamboyantly gay. Our university email addresses were generated off of initials plus, since we had a catastrophic hash collision, one distinguishing digit which people botched quite frequently. He got my death threats, I got his love letters, and neither of us was very happy with the matter.

We both maintained a pretty good sense of humor about it, though. These were typical, with the vile language excised:

FWD: You fascist ... [Ed: I think it is for you]

FWD: I want to ... you [Ed: I think this one is for you]
RE: FWD: I want to ... you [Ed: No, read it more carefully]
RE: RE: FWD: I want to ... you [Ed: Ah, whoops, my apologies]
RE: RE: RE: FWD: I want to ... you [Ed: No problem. Hey, FWIW, I think he was out of line]

Pine? HA!

[by Anonymous Coward]

I telnet to port 25 and type my emails into the server by hand. If I screw up, I have to start over. You pine users have it easy.

Re:The best part is,

[MightyMartian (840721)]

If these guys would use PGP or some other form of encryption, then even if you did send something critical like that to the wrong address, it wouldn't be so devastating. The technology to protect email has been around for nearly twenty years.

Re:The best part is,

[rjstanford (69735)]

If these guys would use PGP or some other form of encryption, then even if you did send something critical like that to the wrong address, it wouldn't be so devastating. The technology to protect email has been around for nearly twenty years.

That pretty much assumes that the encryption is done out of band. Personally, most usable variants of email encryption are handled by the client itself (at least as an initiant). At some point, when you select "Jim Smith" as the intended recipient, you have to expect that it will be delivered to "Jim Smith" in a format that he can open, regardless of any interim encryption. This might involve encoding it with his public key, but that wouldn't help the fact that you meant to send it to "Jan Smythe" now would it?

Any more intrusive method just wouldn't be used in the real world, since the hugely vast majority of all emails are actually intended to be read by the person that the author listed in the "To:" field. Any kind of catch-all solution smacks of vistaNag.

Re:

[Lehk228 (705449)]

no it screws with YOUR browser. my browser is just fine.

Re:WARNING: GNAA

[Critical Facilities (850111)]

And while we're commenting on it, I think that SirBudgington (1232290) [slashdot.org] may be our troll given his last 5 comments. Can you say karma whore?

Little hint, Sir B, you might want to vary your "WARNING: GNAA" headline every once in a while, just for variety.

Re:WARNING: GNAA

[jbosmans (1231840)]

And the culprit is (most likely).... timecop [slashdot.org]. Smart enough to post AC, dumb enough to leave his user name in the url :p

Re:WARNING: GNAA

[OrangeTide (124937)]

then filter -1. that's the beauty of the /. system, you don't have to hack in a bunch of protection you let a minority do the enforcing and the majority can benefit.