An excellent writeup on the recent UNC-Chapel Hill security breach at Inside Higher Ed.
Here’s a quick synopsis: Dr. Bonnie Yankaskas, a professor of radiology at the university, was collecting mammography data for a study. The server holding the data, which included medical records and Social Security numbers, was breached by an unknown attacker, and the data is considered potentially compromised.
The University wanted to fire her, but settled for demoting her to Assistant Professor and halving her pay.
Dr. Yankaskas’s argument is that she is an academic researcher, not a computer security expert – disciplining her for a security breach is unfair, because this is neither her area of expertise nor her responsibility. The school’s policy is that she should have appointed a “server caretaker” to monitor the firewall, install patches, etc., and the person she chose was a programmer with no training in security and no experience in server administration. She also ignored his requests for training over the years and continually graded him as “excellent” in his administration of the server, despite the fact that he did not know what he was doing.
This is a typical tension in higher education – the faculty want to be free of the strictures of security and IT policy, because they feel it unfairly confines their research. IT, on the other hand, wants to be as strict as possible and keep everything in a nice, predictable box.