FTC Issues Stern Warning to Companies to Address Known Cybersecurity Vulnerability | Akin Gump Strauss Hauer & Feld LLP

The Federal Trade Commission (FTC) issued a surprisingly strong warning to companies that they could face potential regulatory action if they do not fix known vulnerabilities, focusing in particular on the Log4j cybersecurity vulnerability.

According to the January 4, 2022 alert (the FTC Alert), the FTC recognizes that the Log4j vulnerability poses a serious risk to consumer products and web applications and, if exploited, could cause serious irreversible damage, such as as financial losses and loss of personal data. information.¹ Citing his earlier action on the vulnerability patch failure in Equifaxthe FTC has signaled its willingness to sue companies that fail to mitigate Log4j or other known cybersecurity vulnerabilities.

The Log4j vulnerability is the very first issue to be considered by the new Cyber ​​Security Review Board (CSRB), a public-private partnership created in response to the May presidential decree on Improving the nation’s cybersecurity.² This council is a collaboration of top cybersecurity leaders from industry and government agencies, and will provide strategic recommendations to the President and Secretary of Homeland Security. The board’s first review is expected to be released this summer (see announcement for details).

Background: What is Log4j?

Log4j is a Java-based logging library that documents user activity so developers can track what’s happening on their software applications and online services. Log4j is hugely popular across a wide variety of consumer and business services, apps, and websites. In early December, several exploits were discovered affecting Log4j, but of particular note is one that allows an attacker to take control of a system by submitting a request to execute arbitrary code.³ If left unchecked, an attacker can gain access to systems, steal passwords and logins, extract data, and infect networks with malware.

The duty to correct software

The FTC’s alert points to federal laws such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act to indicate companies’ responsibility to “take reasonable steps to mitigate known software vulnerabilities.”⁴ In the $700 million Equifax settlement, the FTC’s complaint alleged that a failure to fix a known software vulnerability led to 147 million people having their personal information exposed (for more details, see our discussion on the Equifax breach here).

In addition to the FTC, the Security and Exchange Commission (SEC) also expressed concern over the Log4j vulnerability in a recent cybersecurity update. Although the SEC does not warn companies that enforcement action could follow, the alert notes that the Cybersecurity and Infrastructure Security Agency (CISA) “is responding to widespread active exploitation of a critical enforcement vulnerability. remote code in the LOG4j software library”. Companies would do well to address the LOG4j issue, as the SEC has sued companies for deficient disclosure and controls related to cybersecurity risks and incidents (see our discussion of the SEC’s cybersecurity risk disclosure actions here).

Actions to take

The FTC is urging companies to act quickly to take reasonable steps to protect their consumers’ data from known vulnerabilities, including the recently discovered Log4j vulnerability. Companies should start by confirming if they are using Log4j software. CISA has prepared specific Log4j guidelines that can help determine if mitigation is needed, which is a key part of the FTC’s recommended steps. If a company uses Log4j, the FTC advises the following:

1. If it is not up to date, start updating the Log4j firmware to the latest version.
2. Learn how to best mitigate the vulnerability using guidance from CISA.
3. Promptly proceed with mitigation measures in accordance with the law.
4. Make this information available to all relevant third-party affiliates that sell products or services to potentially vulnerable consumers.⁵

As always, companies should document the mitigation actions taken and the timeline for remediation in anticipation of any questions regulators or stakeholders may have.

Conclusion

The FTC has issued a clear warning: companies must “take reasonable steps to mitigate known software vulnerabilities”. Regular patching and vigilant monitoring of new cybersecurity threats will be necessary in order to maintain reasonable security under FTC scrutiny.

In particular, the FTC has warned of the significant risks associated with open-source software in the Internet ecosystem, saying it will review the often inadequate incident response for volunteer-maintained projects as part of efforts to resolve the “fundamental problems that endanger the safety of users”. ”⁶ Log4j is just one example of many of these open source services used by enterprises to perform a wide variety of mission-critical tasks. It may be prudent for businesses to take this time to consider the role open source plays in their business and the data it uses.

More cybersecurity vulnerabilities like Log4j are sure to surface in the coming year, and agencies like the FTC and SEC are likely to continue their aggressive campaign against companies that fail to solve them. Avoiding regulatory scrutiny will involve diligently maintaining information security policies that meet legal obligations, as well as staying abreast of new developments in the cyber threat landscape.

¹ Federal Trade Commission, FTC warns companies to fix Log4j security vulnerability (January 4, 2022) hereinafter “Alert” available at https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability.

² Department of Homeland Sec., DHS Launches First-Ever Cybersecurity Review Boardpress release (February 3, 2022), available at https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board.

³ Agency for Cybersecurity and Infrastructure Security, Mitigation of Log4Shell and other Log4j related vulnerabilitiesAlert AA21-356A (December 23, 2021) available at https://www.cisa.gov/uscert/ncas/alerts/aa21-356a.

⁴ Alert, at 1.

⁵ ID.

⁶ ID., “open-source software” refers to computer software that the copyright holder grants the right to use, modify, or distribute to anyone. Open source software projects are developed and maintained by networks of unpaid volunteer programmers and are widely used in free and commercial products.