Who Should Be Held Accountable For an IT Security Breach?

Cancer researcher says she is a scapegoat



Last year, I blogged about a server at the University of North Carolina School of Medicine at Chapel Hill that was discovered in late July of 2009 to have been hacked. The security breach was said to have placed the social security numbers of 163,000 women participating in a UNC medical study at risk.

The women were part of a National Institutes of Health funded mammography research project called the Carolina Mammography Registry. The breached server was said at the time to contain the records of a total of 231,000 women.

The server where research data was uploaded was not located behind a security firewall. The records of another 400,000 women in the mammography study that resided on another server, however, were behind the firewall and were not breached.

Later investigation showed that the server had actually been hacked starting in 2007, and that "only" the records of some 180,000 women had apparently been accessible.

UNC-Chapel Hill notified those 180,000 women about the breach, which the university said cost it about $250,000 to complete.

According to this story in the Raleigh, North Carolina News Observer, UNC-Chapel Hill officials decided that the lead cancer researcher for the study, Professor Bonnie Yankaskas, was negligent for not ensuring that the server that had been breached was secure.

As a result, the university first tried in October 2009 to fire Professor Yankaskas, but after her successful appeal to a faculty hearing committee, the university decided instead in July of this year to demote her from full professor to associate professor with tenure and cut her pay from $178,000 to $93,000. However, the university said it wouldn't take any action against her if she agreed to leave the university by June of next year.

Professor Yankaskas is now appealing her demotion to the university's board of trustees, claiming she is being used as a scapegoat for the security issue.

According to this Durham, North Carolina Herald-Sun story, her lawyer says that university IT staffers had known since 2006 that the server could be compromised, but no one bothered to tell Professor Yankaskas.

Apparently, the breast cancer study has been going on for 15 years, and it looks like the changing IT security landscape was not taken into account by the professor or those who worked with or for her. Everyone seems to agree that the professor is not an IT or security expert.

The university does have information security policies that spell out the responsibilities of researchers and other IT users, but I can't tell when the policies were originally developed and promulgated. Reading them over does seem to support to some degree the university's case against her.

The question at UNC-Chapel Hill is what accountability there should be for IT security breaches, and how those breaches rank in the scheme of all university activities.

The university paper, The Daily Tar Heel, for instance, pointed out that while the university severely sanctioned Professor Yankaskas for neglect in her university oversight duties, there seemed to be a double standard when it comes to the university's football coach:

"If you are a football coach and you don't notice infractions by your subordinates, bringing the University into disrepute, you get the support of the chancellor and athletic director."

About 10 days ago, ComputerWorld reported that some 107,000 current and prospective students at the University of North Florida had their personal information, including in some cases their Social Security numbers, compromised by a computer hacker. In fact, the university's press release on the incident says that 56 schools have reported IT security breaches this year alone. In no case that I am aware of has anyone been fired at any of those schools because of these breaches.

So, is UNC-Chapel Hill making Professor Yankaskas a scapegoat, as she claims, or does she deserve - along with others where security breaches have taken place - to be fired or demoted?

Exactly what should the punishment be - and who should receive it - for an IT security breach at a university, government department, or commercial workplace?

My pet theory - without proof - is that Professor Yankaskas is serving the role of the university's Adm. John Byng - being "hung" to encourage the others at the university to take IT security more seriously.

[Correction: I want to thank Robert Firth for pointing out that my typo involving Adm. Byng was wrong, and that he was shot - not hung - in 1757 on the deck of HMS Monarch.]
