audit logs of all privacy and sensitive-related events should be required by regulations