When it comes to information access, logs document both normal and abnormal system usage, and both kinds of record are essential to identifying and investigating a data breach. But more important than knowing who accessed data and when (and whether they were authorized) is knowing what, and whose, information was accessed.
In this way, logs define the boundaries of a breach notification and become an essential component of compliance with state breach-notification laws: they are the one source that can say precisely who needs to be notified. By establishing exactly what and whose information was accessed, and when, logs take the guesswork out of breach investigation and notification. A company can notify the people who were actually affected, instead of either notifying its entire customer base or facing the public and sheepishly admitting that it does not know the extent of the breach.
Given the importance of logs to breach-notification laws, you would expect language about log data collection and organization to fill the pages. However, CA 1386 does not include any specific requirement for tracking log data, thus leaving companies guessing about whom to notify. Of course, that doesn't mean that references to logs can't be found by a discerning eye:
"Notify all affected individuals whose personal information was acquired by an unauthorized person. If you cannot identify the specific individuals whose personal information was acquired, notify all those in the groups likely to have been affected, such as those whose information is stored in the files involved."
In fact, these phrases are just longer ways of saying, "Look at the logs!" A log review that proves only 20,000 people were affected lets you notify those 20,000 rather than the 40 million whose data happened to be stored on the same server but was never taken by the attacker, and the difference in cost is enormous. Two conditions make that logic defensible: the logs must actually cover the systems and data stores involved (an access that was never logged cannot be ruled out), and they must be collected to a place the attacker could not reach and protected from alteration, because an intruder who can edit or truncate the logs can also edit the list of victims. Where either condition fails, the second half of the guidance applies and the notification falls back to everyone in the affected files.
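The following is an added example of the log review described above; it is illustrative code written for this page, not code from the article or from any product it mentions. The access-log format, the record-to-person mapping, the compromised account and the intrusion window are all constructed assumptions. It scopes the notification list to the people whose records the compromised principal touched inside the window, and it shows one way to make the "protected from the attackers" condition checkable: a keyed hash chain over the log lines, verified with a key the logging host never holds.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample access log (not real data). The line format is an
# assumption made for this example:
#   <ISO-8601 timestamp> <principal> <action> <record_id>
ACCESS_LOG = """\
2009-03-02T01:12:05Z svc_report READ cust-1001
2009-03-02T01:12:07Z svc_report READ cust-1002
2009-03-02T02:40:11Z webadm READ cust-1003
2009-03-02T02:40:12Z webadm READ cust-1004
2009-03-02T02:40:12Z webadm READ cust-1004
2009-03-02T02:41:30Z webadm EXPORT cust-2001
2009-03-02T03:15:00Z svc_report READ cust-1005
2009-03-03T09:00:00Z webadm READ cust-3001
"""

# Constructed mapping from record id to the person the record is about
# (in practice this comes from the customer database).
RECORD_OWNERS = {
    "cust-1001": "alice", "cust-1002": "bob",   "cust-1003": "carol",
    "cust-1004": "dave",  "cust-1005": "erin",  "cust-2001": "frank",
    "cust-3001": "grace", "cust-4001": "heidi", "cust-4002": "ivan",
}

# Findings assumed to come from the incident investigation: the attacker
# used the "webadm" account between 02:30 and 03:00 UTC on 2 March.
COMPROMISED_PRINCIPALS = {"webadm"}
INTRUSION_START = datetime(2009, 3, 2, 2, 30, tzinfo=timezone.utc)
INTRUSION_END = datetime(2009, 3, 2, 3, 0, tzinfo=timezone.utc)

# Key for the integrity chain. It must live off the logging host (e.g. on the
# central collector); an attacker who owns the host and the key can re-chain.
CHAIN_KEY = b"example-key-held-by-log-collector"


def parse_log(text):
    """Parse the log into (timestamp, principal, action, record_id) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, record_id = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append((when, principal, action, record_id))
    return entries


def affected_subjects(entries, principals, start, end, owners):
    """People whose records a compromised principal touched inside the window."""
    affected = set()
    for when, principal, _action, record_id in entries:
        if principal in principals and start <= when <= end:
            # A record with no known owner still has to be accounted for.
            affected.add(owners.get(record_id, "UNKNOWN:" + record_id))
    return affected


def notification_scope():
    """Log-derived notification list versus 'everyone stored on the server'."""
    entries = parse_log(ACCESS_LOG)
    return {
        "affected": affected_subjects(entries, COMPROMISED_PRINCIPALS,
                                      INTRUSION_START, INTRUSION_END,
                                      RECORD_OWNERS),
        "everyone": set(RECORD_OWNERS.values()),
    }


def chain_log(text, key):
    """Tag every line with HMAC(key, previous_tag || line). Editing or deleting
    any line changes its tag and every tag after it."""
    prev = b"\x00" * 32
    tags = []
    for line in text.splitlines():
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(tag.hex())
        prev = tag
    return tags


def verify_chain(text, tags, key):
    """True only if the text reproduces exactly the tags recorded for it."""
    return hmac.compare_digest("".join(chain_log(text, key)), "".join(tags))


def tampered_log():
    """The same log with the attacker's EXPORT line quietly removed."""
    return "".join(line + "\n" for line in ACCESS_LOG.splitlines()
                   if "EXPORT" not in line)


if __name__ == "__main__":
    scope = notification_scope()
    print("notify:", sorted(scope["affected"]),
          "instead of all", len(scope["everyone"]), "people")
    tags = chain_log(ACCESS_LOG, CHAIN_KEY)
    print("intact log verifies:", verify_chain(ACCESS_LOG, tags, CHAIN_KEY))
    print("tampered log verifies:", verify_chain(tampered_log(), tags, CHAIN_KEY))
```

With the constructed data, the review narrows notification to carol, dave and frank rather than all nine people in the table; grace is excluded only because her record was read outside the established window, which is why the window and the compromised-account list have to be solid investigative findings rather than guesses. The chain check is what lets you stand behind that narrowing: if the tags recorded by the collector no longer verify, the log has been altered and the fallback is to notify everyone in the affected files.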
To conclude, logs are essential for compliance with breach-notification laws because they tell you exactly whom to notify. Proper log-keeping will save massive amounts of money while complying with both the letter and the spirit of this law.
A final thought: as indicated by the results of some recent surveys, the notification laws might not reduce identity theft through increased consumer awareness, but "shaming people into securing their systems" does seem to be working. Is legislation the answer to data breaches? Some say that the software vendors whose insecure products enable the cybercriminals should be the ones to suffer the consequences.
Anton Chuvakin, GCIA, GCIH, GCFA, is a recognized security expert and book author. He's currently chief logging evangelist at LogLogic, a log management and intelligence company. He is the author of Security Warrior and a contributor to Know Your Enemy II, Information Security Management Handbook, Hacker's Challenge 3 and PCI Compliance.