The Federal Trade Commission (FTC) has issued a warning that it will pursue any company that fails to protect its customers’ data against ongoing Log4j attacks. 

In a blog, the FTC said, “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

In addition, the agency used Equifax as an example of a company that failed to patch a known vulnerability that exposed the personal information of 147 million customers. In the aftermath, Equifax agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, ad all fifty U.S. states. 

The FTC says it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar vulnerabilities in the future. In addition, the FTC recommends companies use the Cybersecurity and Infrastructure Security Agency (CISA) guidance, available here, and:

• Update Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html(link is external)
• Consult CISA guidance to mitigate this vulnerability. 
• Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act. 
• Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable. 

Commenting on the news, Elizabeth Wharton, VP Operations, SCYTHE, says, “Compliance is never security, but you always need robust security practices to meet compliance requirements. Nearly every regulation — including GLBA — requires continuous assurance. In fact, the December 2021 Final Rule issued by the FTC under GLBA for financial institutions added provisions specific to regularly test or otherwise monitor the effectiveness of their security controls. To meet these requirements, they need to continuously validate their people, processes, and technologies, especially as new supply chain attack vectors like Log4j become more prevalent.” 

J.J. Guy, co-founder and CEO, Sevco Security, says, “One of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact. Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell. We are now in the middle of the triage phase, where basic tools like systems management or software management tools to check for the file on disk can provide initial triage. However, for organizational leaders, such as boards, chief executive officers, chief information officers, or chief information security officers, and to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage. Reporting the ‘pending triage’ statistic requires a complete asset inventory, including which machines have been successfully triaged. This will be one of the larger hidden challenges in every organization’s response because few have a comprehensive asset inventory, despite the fact it has been a top requirement in every security compliance program for decades.”