An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education - "Chapel Hill Researcher Fights Demotion After Security Breach"
A cancer researcher's database of gets potentially pwnd (two years from incident to discovery), spurring the usual breach notification process. Her bosses cut the researcher's pay and reduced her status to associate from full professor. The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted her by the subjects of the study.
The meat from the article (emphasis added):
The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.
"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."
|Working in the Public Interest|