FTC warns of legal risks of failing on Log4j mitigation

The Federal Trade Commission issued a warning this week urging companies to take "reasonable steps" to mitigate known software vulnerabilities or face potential legal consequences, recalling the $700 million settlement Equifax paid for a major breach in 2017.

The Federal Trade Commission warned of potential legal consequences for companies that fail to protect consumer data and mitigate known software vulnerabilities amid fallout from the widespread Log4j security flaw.

The agency said in a blog post published Tuesday that the vulnerability posed a “severe risk to millions of consumer products,” and that failing to take reasonable steps to mitigate known software vulnerabilities could be considered a violation of the FTC Act. The post also cited the Equifax breach of 2017, in which the consumer credit bureau paid $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and all 50 states.

“I don’t recall the FTC being this proactive about a specific vulnerability in the past,” Grant Schneider, senior director of cybersecurity services for Venable LLP who previously served as the White House federal chief information officer, told FCW. “It speaks to the potential significance of the Log4j vulnerability, and it shows the FTC is paying attention to the bigger issue of cybersecurity and companies’ cyber posture.”

The FTC directed firms to the Log4j vulnerability guidance that the Cybersecurity and Infrastructure Security Agency published after the flaw was discovered in December; that guidance lays out detailed remediation and mitigation procedures for both vendors and customers. The post also linked to a site to download the latest available version of Apache Log4j, a Java-based logging utility.

The FTC warning said the vulnerability was "being widely exploited by a growing set of attackers." The post was published as separate reports indicated nation-state hackers were attempting to exploit the flaw in China, Iran, North Korea and Turkey.

CISA Director Jen Easterly described the Log4j flaw as the "most serious" vulnerability she has seen throughout her entire career in cybersecurity. Shortly after the vulnerability was reported, CISA issued a directive instructing all federal agencies to patch any known vulnerabilities by Dec. 24.

On Wednesday, Easterly and National Cyber Director Chris Inglis briefed the Senate Homeland Security and Governmental Affairs committee on the Log4j flaw. Sen. Gary Peters (D-Mich.), chair of the committee, issued a statement shortly after the briefing also describing the vulnerability as “one of the most serious and widespread cybersecurity risks that we have ever seen.”