LogBlog


Congress Takes Aim At Log Data

Log data retention has been getting significant attention lately as cybercrime continues to be a key focal point for law enforcement authorities. Colorado Congresswoman Diana DeGette believes that no clear guidelines are in place to either protect privacy or secure online users, and late last week said she will be introducing legislation to force Internet providers to retain customer data for at least one year.

Plenty of recommendations are out there. For instance, Basel requires data retention from 3-7 years, and PCI recommends a minimum of one year of data retention. Equally important is how the data is stored and managed. For example, is the data secure in transport and at rest? Is it an immutable set of data or processed data? And how do you handle disposal?

What would legislation look like? DeGette suggests that:

One form could require Internet providers and perhaps social networking sites and search engines to record for a year or two which IP address is used by which user. The other form would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.

DeGette said Thursday that her proposal would not require retention of the communications themselves, but would identify data so that law enforcement officials--if they had probable cause to believe a crime has been committed--could go in and get a subpoena and subpoena these IP addresses.

Regardless of how legislation aims to deal with the issue of cybercrime, one trend that we are seeing at LogLogic is individual sites proactively alerting patrons of their policies regarding log data. PopSugar, a red-hot celebrity gossip site based in San Francisco, has a posted privacy policy that calls out log files in great detail. PopSugar alerts patrons of their site that they use log data "to analyze trends, administer the site, track user's movement in the aggregate, and gather broad demographic information for aggregate use. These log files are not linked to personally identifiable information. We may use a tracking utility that uses log files to analyze user movement."

Whether it is for legal reasons, to track down the bad guy, or just to gather marketing data on viewers, a systematic and managed approach to collecting log data is critical.



Posted September 25, 2006 in Compliance, LogMatters

