We're talking specifically about a breach of personally sensitive data here. I note that:
1. If the company concerned had done their job properly, the data would not have been made public in the first place - in which case the researchers wouldn't have got their opportunity.
2. It was the reasonable expectation of the data subjects that their data would remain private - and if they'd known it would be published, they wouldn't have provided it in the first place.
ISTM that the only way to "right this wrong" is to prevent the data being used for any additional purposes whatsoever, thus minimising the impact of the breach, and leaving things as close to how they *should* have been.
From the point of view of the data subjects: the more eyes that this data is exposed to, no matter how well intentioned or how well supervised, increases the impact of the breach.
But that's about using this for "research". Where it becomes a trickier issue is when an accidental breach of personal communication reveals serious crime, or (say) politicians accepting bribes. It seems reasonable for the police to be able to act on this information, even if it's not directly admissible as evidence in its own right. But then again, should they be *trawling* through all data breaches, looking for signs of criminal activity?
Biting the hand that feeds IT
