There’s also a cultural resistance that stems, understandably, from the health and safety of research subjects’ being the boards’ utmost concern. IRBs have required privacy protections for decades, but even today, if you take a standard training on conducting human research, data security is an afterthought, said David M.J. Lazer, a professor of political and computer science at Northeastern University.

“There’s nothing about IT practices in that training,” he said. “Not one slide devoted to that. That’s just sort of the general truth. You’re not getting trained either in the issues of data security or how to create an infrastructure to guard this stuff.”