FTC Issues Stern Warning to Companies to Address Known Cybersecurity Vulnerability

Feb 14, 2022

Reading Time : 5 min

According to the January 4, 2022 alert (the FTC Alert), the FTC recognizes that the Log4j vulnerability poses a serious risk to consumer products and web applications, and if exploited, could cause serious irreversible harms, such as financial loss and loss of personal information.1 Citing its prior action over the vulnerability patching failure in Equifax, the FTC signaled its willingness to pursue companies that fail to mitigate Log4j or other known cybersecurity vulnerabilities.

The Log4j vulnerability is the very first matter scheduled for review by the newly formed Cyber Safety Review Board (CSRB), a public-private partnership created in response to the President’s May Executive Order on Improving the Nation’s Cybersecurity.2 This board is a collaboration of top cybersecurity leaders from both industry and government agencies, and will be delivering strategic recommendations to both the President and the Secretary of Homeland Security. The board’s first review is scheduled to be released this summer (see the announcement for more details).

Background: What is Log4j?

Log4j is a Java-based logging library that records user and application activity so that developers can keep track of what happens in their software applications and online services. Log4j is extremely popular across a wide variety of consumer and enterprise services, applications and websites. Early in December, several vulnerabilities were disclosed in Log4j; of particular note is one that allows an attacker to take control of a system by submitting a specially crafted request that causes it to execute arbitrary code.3 If left unfixed, an attacker can gain access to systems, steal passwords and logins, extract data and infect networks with malware.

The Duty to Patch Software

The FTC Alert points to federal laws such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act to indicate the responsibility companies have to “take reasonable steps to mitigate known software vulnerabilities.”4 In the $700 million Equifax settlement, the FTC’s complaint alleged that the failure to patch a known software vulnerability led to 147 million individuals having their personal information exposed (for more details, see our discussion on the Equifax breach here).

In addition to the FTC, the Securities and Exchange Commission (SEC) has also voiced concern about the Log4j vulnerability in a recent cybersecurity update. While the SEC doesn’t warn companies that enforcement actions may follow, the alert notes that the Cybersecurity and Infrastructure Security Agency (CISA) is “responding to active, widespread exploitation of a critical remote code execution vulnerability in the LOG4j software library.” Companies would be wise to address the Log4j issue, as the SEC has pursued companies for deficient disclosure and controls related to cybersecurity risks and incidents (see our discussion of SEC cybersecurity risk disclosure actions here).

Actions to Take

The FTC is urging companies to act quickly to take reasonable steps to protect their consumer data from known vulnerabilities, including the recently discovered Log4j vulnerability. Companies should start by confirming whether they use Log4j software. CISA has prepared specific Log4j guidance that can help determine if mitigation is necessary, which forms a key part of the FTC’s recommended steps. If a company does use Log4j, the FTC advises the following:

  1. If not up-to-date, begin updating the Log4j software package to the most current version.
  2. Find out how to best mitigate the vulnerability using the CISA guidance.
  3. Proceed promptly with mitigating steps in compliance with the law.
  4. Make this information available to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.5

As always, companies should document mitigating steps taken and the remediation timeline in preparation for any questions regulators or stakeholders may have.
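The first step above, confirming whether Log4j is in use, is harder than it sounds because log4j-core is often bundled inside application archives rather than installed on its own. The following inventory script is an added example (not part of the FTC Alert or CISA guidance); it walks a directory tree, opens every JAR/WAR/EAR, recurses into nested archives, reads the Maven pom.properties that log4j-core ships with, and flags any copy below an assumed minimum version. The minimum version and the sample archives it builds are constructed for this example; confirm the threshold against current CISA guidance.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed minimum log4j-core version (not given on the page); confirm against current CISA guidance.
MIN_VERSION = (2, 17, 1)
POM = "org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_text):
    m = re.search(r"^version=(\S+)", pom_text, re.MULTILINE)
    nums = [int(n) for n in re.findall(r"\d+", m.group(1))[:3]] if m else []
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def scan_archive(data, location, findings):
    """Record any log4j-core inside an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a renamed file); nothing to inspect
    with zf:
        for name in zf.namelist():
            if name.endswith(POM):
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                findings.append((location, ver, ver is None or ver < MIN_VERSION))
            elif name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{location}!/{name}", findings)

def scan_tree(root):
    """Return (location, version, needs_update) for each log4j-core found under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def build_sample_tree():
    """Constructed sample: a WAR bundling an old log4j-core and a standalone current one."""
    def core_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/maven/" + POM, f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    (root / "log4j-core-2.17.1.jar").write_bytes(core_jar("2.17.1"))
    return root
```

Running `scan_tree` over a real deployment root produces a list that can be kept as the documented evidence of the inventory and remediation timeline mentioned above.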

Conclusion

The FTC has issued a clear warning: companies must “take reasonable steps to mitigate known software vulnerabilities.” Regular patching and vigilant monitoring of new cybersecurity threats will be required in order to maintain reasonable security under the FTC’s watch.

In particular, the FTC warned of the significant risks associated with open-source software in the Internet ecosystem, indicating it will examine the often inadequate incident response for projects maintained by volunteers as part of the effort to address “root issues that endanger user security.”6 Log4j is just one example of many such open-source services used by companies to perform a wide variety of critical tasks. It may be prudent for companies to take this time to examine the role open-source plays in their business and what data it utilizes.

More cybersecurity vulnerabilities like Log4j are sure to arise in the coming year, and agencies like the FTC and SEC are likely to continue their aggressive push against companies that fail to address them. Avoiding regulatory scrutiny will involve diligently maintaining information security policies that meet legal obligations, as well as keeping abreast of new developments in the cyberthreat landscape.

Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about this or other cybersecurity vulnerabilities and how your business can respond.


1 Federal Trade Comm’n, FTC Warns Companies to Remediate Log4j Security Vulnerability (January 4, 2022) (hereinafter “Alert”), available at https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability.

2 Dep’t of Homeland Sec., DHS Launches First-Ever Cyber Safety Review Board, Press Release (February 3, 2022), available at https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board.

3 Cybersecurity and Infrastructure Security Agency, Mitigating Log4Shell and Other Log4j-Related Vulnerabilities, Alert AA21-356A (December 23, 2021), available at https://www.cisa.gov/uscert/ncas/alerts/aa21-356a.

4 Alert, at 1.

5 Id.

6 Id., “open-source software” refers to computer software that the copyright holder grants the right to use, change or distribute to anyone. Open-source software projects are developed and maintained by networks of unpaid volunteer programmers and are widely used in both free and commercial products.
