If they are going to require companies to retain these records then they also need to require that the companies due diligence and protect via encryption any records retained. Moreover the companies should be held to the same high standard of maintaining a clear chain of custody for records that are retained to ensure that the evidence presented or used for investigations has not been tampered with. The companies given the recent mishandling of data and the hourly loss or compromise of sensitive information some of which is covered by the Privacy Act should be required to comply with the requirements for FISMA and the recent OMB guidelines - for encrypting and securing data to include any and all outsourced data. Oh wait the federal government can't even do that....nevermind. It would be nice if someone thought these things through before making well intended but misguided decisions.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/406/33816#33816