Educause Security Discussion mailing list archives

Re: Chapel Hill researcher demoted after security breach


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Thu, 7 Oct 2010 16:43:40 -0400

There is a basic issue here that goes somewhat beyond IT that cuts across campus.   When researchers conduct 
experiments that require IRB (Institutional Research Board) approval, a component of that involves ethical 
treatment of subjects.  When the subjects are humans, that includes issues of privacy, informed consent, security of 
records, protection and preservation of data, and other issues.  

Too often the people on the IRBs as well as the scientists making the requests simply don't understand the issues and 
threats.   Thus, we end up with cases similar to the one at UNC where sensitive data is potentially compromised in one 
way or another.

There is plenty of blame to go around -- the researchers, who are using technology they don't fully understand and thus 
are unable to control and protect; the IRBs, for not providing appropriate oversight and staffing to ensure that issues 
of privacy, data preservation, data integrity, accuracy, deidentification, etc.; and campus IT staff for not asserting 
some leadership in providing in these areas.

It is really unfair to blame the researcher for 100% of the problem at UNC if she was following an approved protocol 
and security plan, but that was not something that was described in the news article.

Expect to see more such incidents as time goes on.  Fines and losses are likely to increase, and institutions are not 
going to take them on all by themselves.

--spaf
