The Federal Trade Commission (FTC) recently warned private entities to remediate any ongoing Log4j vulnerabilities present within their networks or face possible enforcement action.
Log4j is used to record activities in a wide range of systems, sites, and software found in online products and services. Recently, a serious vulnerability in this popular software was discovered. This vulnerability poses a severe risk to millions of users. Most importantly, the Log4j vulnerability is being widely exploited by a growing set of attackers.
When software vulnerabilities like Log4j are discovered and exploited, users are exposed to a variety of risks, including financial harm. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.
The FTC warned that companies and their vendors relying on Log4j should act now to reduce the likelihood of harm to consumers and to avoid FTC legal action. Furthermore, the FTC stated that it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or similar known vulnerabilities in the future.
Recommended remediation steps include, but are not limited to:
- Updating your Log4j software package to the most current version.
- Consulting CISA guidance to mitigate this vulnerability.
- Ensuring remedial steps are taken to ensure that your company’s practices do not violate the law.
- Distributing this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
Mitigating any ongoing threat posed by Log4j software present in your system will strengthen your organization’s overall security posture and will protect against possible regulatory action. Should you have any questions or if you require assistance, please contact a member of Faegre Drinker’s Privacy, Cybersecurity and Data Strategy Team.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.