The management of event logs is an essential aspect of the protection of personal information, particularly in the context of Quebec’s Bill 25.
These logs contain IP addresses, which are personal information.

Server farm – Photo by Massimo Botturi on Unsplash
In the event of negligent use of activity logs, the Commission d’accès à l’information du Québec can impose penalties on companies that fail to meet their data protection obligations.
This situation demonstrates the importance of securing this information and applying minimization measures.
For example, IP addresses have been used in criminal investigations to track down cybercriminals, or by companies to analyze user behavior and target personalized advertising, raising privacy issues.
I told you about cookies in another article here:
Event log processing
Data minimization
- A necessary reminder: collect only the information you need for a specific purpose.
- Anonymize or pseudonymize IP addresses to reduce the risk of identification.
For Apache in httpd.conf:
# Mask the last 3 bytes of the IP
LogFormat "%a{3} %l %u %t \"%r\" %>s %b" anonymized
CustomLog /var/log/apache2/access.log anonymized
For WordPress there are plugins like WP-Piwik, Statify or WP GDPR Compliance that do this job. Just as easily, the Cloudflare platform offers the “IP Masking” option.
- Define retention periods. For example, an SME operating in e-commerce might keep its logs for 12 months to track transactions and cybersecurity incidents, while a company in the financial sector might be required to keep them for 5 years for regulatory compliance reasons.
- Delete or anonymize logs once the time limit has expired to minimize the risks associated with prolonged data retention.
- Apply a secure destruction practice for obsolete logs, such as secure deletion with tools like BleachBit, Eraser or SDelete.
- Ideally, automate deletion after the set period.
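Going back to the Apache masking above: as an added example (not code from the original article), here is a small piped-log filter that masks client addresses before they reach disk, which is handy when your Apache build offers no masking modifier, since piped logs (CustomLog "|program" format) are a standard feature. The script path, the number of masked bytes (1 for IPv4 by default, where the article masks 3; /48 for IPv6) and the sample log line are assumptions.

```python
#!/usr/bin/env python3
"""Piped-log filter for Apache: masks client IPs before they are written to disk.

httpd.conf (hypothetical path, assumed for this example):
    CustomLog "|/usr/local/bin/anonip.py /var/log/apache2/access.log" combined
"""
import ipaddress
import sys


def mask_ip(ip_text: str, v4_bytes: int = 1, v6_bits: int = 80) -> str:
    """Zero the trailing v4_bytes of an IPv4 address or v6_bits of an IPv6 one.

    Anything that is not an IP address (e.g. "-" or a hostname) is returned as-is,
    so the filter never drops a line it does not understand.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix = 32 - 8 * v4_bytes if ip.version == 4 else 128 - v6_bits
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def mask_log_line(line: str, **mask_args) -> str:
    """Mask the first field of a common/combined log line (the client address)."""
    head, sep, rest = line.partition(" ")
    return mask_ip(head, **mask_args) + sep + rest


def main() -> None:
    # Apache starts this program once at startup and feeds log lines on stdin.
    target = sys.argv[1]
    with open(target, "a", buffering=1) as out:  # line-buffered: nothing lost on crash
        for line in sys.stdin:
            out.write(mask_log_line(line.rstrip("\n")) + "\n")


if __name__ == "__main__":
    main()
```

The masked value is what lands in the file, so the original address never exists in a retained log; the raw address is still available to the process only for the instant it passes through the pipe.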
Safety measures
- Protect logs against unauthorized access with encryption and monitoring mechanisms.
- Implement strong authentication protocols for log access.
- Set up audit logs to trace accesses and interventions on logs.
- Apply active monitoring mechanisms to detect unauthorized access.
Transfer to third parties
If event logs are transferred to an external supplier, such as a security information and event management (SIEM) service, it is essential to select suppliers who comply with the requirements of Act 25.
Choose companies with recognized certifications such as ISO/IEC 27001 or SOC 2 Type II.
Also make sure the supplier has data centers located in Quebec. Make sure to:
- Check that these third parties comply with data protection standards.
- Sign contractual agreements in compliance with the requirements of Act 25.
- Carry out regular audits to ensure compliance.
Tasks of the website manager
As a website manager, here are a few reminders for you:
Identify the person responsible for protecting personal information
Find out who is responsible for compliance with Bill 25 and post their contact details on your website.
Informing and obtaining consent
- Display a clear consent banner for cookies and event logs.
- Provide a privacy policy explaining the use of event logs.
Privacy Impact Assessment (PIA)
Before introducing new systems that involve personal information, such as an event log analysis platform, conduct a PIA (Privacy Impact Assessment).
This assessment identifies potential data protection risks and determines appropriate mitigation measures. A PIA includes an analysis of the types of information collected, the purposes for which it is processed, the stakeholders involved, and the security and data retention mechanisms in place, so that risks can be identified and mitigated.
Confidentiality incident management
- Develop a way of detecting, reporting and managing confidentiality incidents.
- Use tools such as SIEM (Security Information and Event Management) for real-time monitoring, as well as anomaly detection solutions.
- Integrate advanced alerting and logging systems to quickly identify suspicious activity and trigger appropriate action.
- Inform the persons concerned and the Commission d’accès à l’information in the event of an incident presenting a risk of serious harm.
Transparency
Don’t forget to publish your privacy policies and practices on your website in simple, accessible terms.
For example, a section entitled “Our commitment to your privacy” could explain in a few sentences how data is collected, used and protected. A bulleted list or question-and-answer format can also make it easier for site visitors to understand.
I invite you to click on “Follow” to continue learning more about the field of information security.