Protecting Innovation. Securing Discovery.
At Weill Cornell Medicine (WCM), we are committed to safeguarding the security of our research enterprise. As a leading institution in biomedical innovation, we recognize that bad actors seeking access to sensitive data, proprietary technologies, and cutting-edge discoveries are increasingly targeting our research activities.
Research security is a shared responsibility that protects not only our intellectual property and data but also the trust placed in us by our collaborators, funding agencies, and patients.
The Export Controls and Research Security Office supports researchers by providing guidance, training, and compliance tools to identify and mitigate risks related to data security, foreign influence, export control laws, and intellectual property protection.
Explore how we help protect your work—and the future of scientific progress.
What is Research Security?
Research security refers to the practices, policies, and protections implemented to protect the integrity and confidentiality of research conducted at academic institutions, particularly when dealing with sensitive information and technologies. At WCM, this includes protecting sensitive health data and research efforts from threats such as foreign interference, theft of intellectual property, and breaches of ethical standards.
Why is research security important?
- Protecting Investments: It ensures that public and private research funding is safeguarded from theft, misuse, or exploitation.
- Securing Intellectual Property and Data: Strong security measures protect valuable research outputs and data from unauthorized access or breaches.
- Maintaining Academic Integrity: It helps prevent research misconduct, ensuring trustworthy and credible scientific work.
- Ensuring Researcher and Student Safety: Security protocols protect individuals, especially in international research contexts, from potential risks.
- Promoting Ethical International Collaboration: Research security supports responsible global partnerships by mitigating foreign interference and maintaining scientific integrity.
Benefits of Research Security
- Fosters international collaborations
- Protects intellectual property
- Protects sensitive research and individuals
- Minimizes foreign government interference
Key Components of Research Security
To strengthen our research environment, we focus on the core pillars of research security:
1. Data Protection & Cybersecurity - Protects research systems and data from cyber threats (e.g., hacking, malware) through tools like encryption, strong passwords, and regular audits.
2. Export Controls - Regulates the sharing of sensitive technologies or information with foreign individuals or entities to prevent misuse.
3. Foreign Travel Security - Addresses risks tied to international travel by safeguarding research materials and educating travelers on local security practices.
4. Disclosure Requirements - Ensures researchers openly report potential conflicts of interest, financial ties, and foreign collaborations to maintain research integrity.
5. Foreign Talent Recruitment Programs - Recognizes the risks of knowledge transfer or exploitation through certain foreign recruitment efforts that may compromise security.
6. Research Security Training - Provides education for researchers and staff on recognizing threats and following best practices to protect research assets.
7. Risk Mitigation and Management - Involves identifying, assessing, and minimizing risks to secure research processes and outcomes.
8. Information Sharing - Promotes secure and controlled exchange of sensitive data to prevent unauthorized access or leaks.
9. International Collaborations - Encourages responsible global research partnerships with clear protocols to protect data, intellectual property, and research ethics.
Bulk Data
What Is the Bulk Data Rule?
The DOJ Bulk Data Rule is a U.S. federal data-security regulation issued by the Department of Justice to prevent certain foreign governments and any covered person from gaining access to large amounts of sensitive U.S. data. The Bulk Data Rule went into effect on April 8, 2025.
What Is Considered Sensitive Personal Data?
| Data type | Threshold |
| | 100 U.S. persons |
| Biometric, precise geolocation, or non-genomic “-omic” data | 1,000 U.S. persons |
| | 10,000 U.S. persons |
| | 100,000 U.S. persons |
Importantly, the rule applies even if the data has been de-identified, anonymized, or encrypted, if the dataset exceeds defined size thresholds.
Who is a Covered Person?
- Individuals primarily resident and physically present in a Country of Concern
- Entities located in, owned (50% or more), or controlled by a Country of Concern
- Individuals or entities specifically designated by the U.S. government.
Foreign nationals who live and work in the United States are not considered Covered Persons solely based on citizenship, unless they are specifically designated.
What are the DOJ Countries of Concern (COC)?
- China
- Russia
- Iran
- North Korea
- Cuba
- Venezuela
What Does This Mean for WCM Researchers?
The Bulk Data Rule may apply to your research if it:
- Involves sensitive personal data, and
- Includes international collaborators, vendors, or systems, and
- Involves planned shared data that exceeds the threshold noted above
If applicable, this will require:
- Additional review before data sharing
- Contractual limits on further data transfers
- Coordination with the Export Controls and Research Security team
Key Exceptions Relevant to WCM
- Certain federally funded research where the award specifically authorizes the work
- Publicly available data that does not require login or registration
- Drug, biologic, and medical device authorizations
- Clinical investigations and post-marketing surveillance data
WCM Review Requirement
Any agreement involving access to Bulk Data must be reviewed and approved by the Export Control and Research Security Officer before execution.
Contact: exportcontrols@med.cornell.edu
This includes:
- Data use and collaboration agreements
- Vendor and service agreements
- Employment agreements that involve access to Bulk Data
Important note:
WCM will include Bulk Data compliance language in all agreements. Any objections to this language will be escalated to the Office of General Counsel (OGC) by the Export Control and Research Security team before execution of the agreement.
Policies & Compliance
Data Protection & Cybersecurity
Safeguarding digital assets is crucial for protecting sensitive research data, including clinical trial records, genomic datasets, and unpublished research findings. At Weill Cornell Medicine (WCM), we uphold strict ITS security policies that ensure data is securely stored, transmitted via encrypted channels, and accessible only to authorized personnel.
Key Data Security Practices
- Utilize WCM-Approved Cloud Storage: Store all research data exclusively on institution-approved cloud platforms.
- Keep Devices and Software Updated: Regularly install the latest updates and security patches to ensure optimal performance and protection.
- Protect Communication Channels: Do not use personal email accounts for the transmission or storage of research data.
Foreign Travel Security
Researchers traveling internationally should take proactive steps to secure data and devices:
- Pre-Travel Briefings: Receive risk assessments and security guidance before departure.
- Device Security Abroad: Utilize secure measures for laptops, mobile devices, and sensitive data while traveling.
- Travel Tracking: Document all research-related international travel for institutional records and compliance.
Research Security Training
WCM is committed to comprehensive security education:
- Cybersecurity Training: Learn best practices for protecting digital research assets against cyber threats.
- Foreign Travel Training: Prepare for the unique security risks that may be encountered abroad.
- Export Control Training: Understand the legal responsibilities when handling controlled technologies or sensitive data.
- Responsible Conduct of Research (RCR): Promote ethical research, integrity, and compliance with institutional and federal guidelines.
Export Controls
Certain research assets, including specific materials, software, or technologies, may be governed by U.S. export control laws, such as the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). These regulations apply to both overseas activities and work conducted within the U.S., particularly when involving foreign nationals or international collaborators.
For more guidance on ensuring that research complies with export control laws and avoids unauthorized transfers, click here.
Other Essential Security Areas
- Insider Threat Awareness: Identify and mitigate risks posed by internal personnel.
- Conflict of Interest Management: Disclose and manage relationships or financial interests that may bias research.
- Foreign Talent Programs: Evaluate involvement in external programs to protect institutional research.
- Research Integrity: Uphold ethical research conduct and accurate reporting.
- Data Classification: Assign protection levels based on the sensitivity of the data.
Compliance Requirements
- Program Certification: Institutions must certify that their security programs meet federal and institutional standards.
- Access to Training & Resources: Ensure all researchers and staff have the necessary tools and training to maintain compliance.
Undue Foreign Influence
Foreign Talent Recruitment Programs (FTRP) are initiatives sponsored by foreign governments or institutions aimed at attracting researchers and scientists. These programs often provide financial incentives, research support, or opportunities for collaboration, with the goal of enhancing a country’s research and development capabilities.
Malign Foreign Talent Recruitment Program (MFTRP)
In contrast, Malign Foreign Talent Recruitment Programs are unethical or illegal versions of FTRPs. Participation in MFTRPs may involve undisclosed involvement with foreign entities, inappropriate or forced transfer of intellectual property (IP), or conflicts of interest with a researcher’s home institution. These activities present significant risks to research security and academic integrity.
U.S. Policy Guidance
U.S. federal policy requires researchers with federal funding to fully disclose any participation in FTRPs. Researchers are strictly prohibited from engaging in MFTRPs, particularly those sponsored by countries of concern, which currently include China, Iran, North Korea, and Russia.
WCM Policies & Compliance Resources
Federal Directives:
- Jason Report (2019)—COI (NSF)
- National Security Presidential Memorandum-33 (NSPM-33) (2021)—RS program requirement
- CHIPS and Science Act (2022)—RECR training requirement, malign foreign talent recruitment programs
- NSPM RS Programs Guidelines (2024)—Cybersecurity & foreign travel security
Training & Resources
Who is required to complete Research Security Training?
Research Security Training is mandatory for:
- All individuals identified as senior or key personnel on federal research proposals and awards.
- This includes principal investigators, co-investigators, and any personnel substantially involved in the design, conduct, or reporting of research.
How is Research Security Training completed?
Research Security Training Access and Registration Instructions
News & Updates
- Updates about policies, threats, case studies, or regulatory changes will be posted here.