It’s Ten PM, Researcher. Do you know where your data is?

In a very scary story covered in the Chronicle of Higher Education last week, a world-renowned cancer researcher was demoted from Full to Associate Professor by UNC Chapel Hill for failing to keep her servers patched.

Yes, you read that right.
I’ll summarize briefly here, but the full story can be found in these links:

Herald-Sun Article

Chronicle Article

Professor Yankaskas was running a large, NIH-funded research project on breast cancer, part of a national consortium. Apparently the server on which her data was stored was not properly patched (meaning the operating system hadn’t been kept up to date) and, as a result, it was hacked (electronically broken into). It’s not clear whether the data (which included names, addresses and social security numbers) was actually taken, but the University notified all the subjects in any case.
The exact details of what happened are a little unclear, but it seems that her techie assistant had not been doing his/her job properly, and the Provost held her responsible and tried to fire her. A faculty committee recommended a lesser punishment, which ended up being this demotion (with accompanying reduction in pay). She is fighting the decision.
Discussion on the web of whether she is being treated fairly is inconclusive, and we don’t know enough of the details to be able to tell exactly what happened when. But this should be a wake-up notice to everyone at Wayne (or anywhere else) who keeps sensitive research data on a computer. Do you know whether the machine is appropriately protected? Is its operating system up to date? Does it have a firewall enabled? Does it have Symantec Endpoint Protection installed (if it’s a Mac or Windows PC–see previous post)?
The take-away here is not that administrators can be mean-spirited bullies (although some commenters seem to think so), or that faculty are goofy airheads who can’t be trusted to maintain their own machines (although different commenters are saying that). The main point is that we all need to take responsibility for ensuring the data we are collecting is properly secured, especially if it is sensitive data that we have promised HIC we will be careful with.