• United States



Accidental data leakage at Eli Lilly

Feb 05, 20083 mins
Data and Information Security

You’ve probably seen one of those disclaimers, if you don’t have one on your email signature. They always say something like, “The content in this email message is for intended recipients only. If you get this message in error, you need to delete it.”

I usually get them when I get email from lawyers or big corporations that are really paranoid about IP. Like Eli LIlly, for example, whose outside counsel, Pepper Hamilton, apparently leaked a story to the New York Times in the worst possible way.

One of its outside lawyers at Philadelphia-based Pepper Hamilton had mistakenly emailed confidential information on the talks to Times reporter Alex Berenson instead of Bradford Berenson, her co-counsel at Sidley Austin.

Those e-mail auto-fill features can really come back and bite you. I’ve certainly screwed up with them, but this was a bad one. Probably the last person int he world you’d want to accidentally send a message like this to.

What I find interesting, though, is the fact that the Times reporter doesn’t want to comment on the SNAFU? ( “I can’t say anything. I just can’t,” he’s quoted as saying)

Why not? Could it be that he’s worried about a boilerplate email disclaimer in that message saying “you don’t have the right to use this material if you’re not the intended recipient.”

Nobody knows for sure, but I asked a lawyer friend of mine, Venkat Balasubramani,  what he thought. Here’s what he said:

I would guess (and I don’t think anyone knows the definitive answer at this

point) that an email disclaimer is probably not binding.  Most senders

include a disclaimer for their own protection, to be able to argue that they

took reasonable steps to restrict the free dissemination of confidential or

other sensitive information (which often belongs to the client).  But as a

simple matter of contract law, no one has asked you in advance if you agree

to the terms of the disclaimer before you open and access the message.

Ironically, you have to open the message and read its contents, before you

get down to the disclaimer which is often found at the bottom.  Where

someone sends you an unsolicited email this applies with greater force.  You

have no relationship to the sender, no course of conduct regarding treatment

of information and emails – it’s tough to argue that you as the recipient

have an obligation to obey the terms of the disclaimer.  There may be other

laws which apply which may prevent you from forwarding an email or otherwise

exploiting its contents, but generally speaking, the disclaimer alone could

probably not be used to preclude you from discussing the email or its

contents.  A disclaimer may put you on notice that you have encountered

third party confidential information and should proceed with caution, but

honestly disclaimers are so ubiquitous that it would be tough to take this

argument seriously. Still, it’s something the recipient should keep in mind.

I’m guessing in this case the reporter just wants to avoid further

aggravating the situation or ruffling the feathers of someone involved and

that’s why the reporter refused to comment.


This blog says the lawyer’s email wasn’t as filled with juicy details as the Portfolio story suggested.

Berenson did receive a mis-directed e-mail from Pepper, but that e-mail did not contain a detailed description of the status of the settlement talks. Berenson had known independently about the settlement talks for some time, and he obtained the details he published in the Times from sources other than Pepper.

–Robert McMillan