
FTC Warning: Companies that fail to patch the Log4j vulnerability may face legal consequences

The U.S. Federal Trade Commission (FTC) has warned that U.S. businesses could face legal consequences if they fail to protect customer data from Log4Shell, a zero-day vulnerability in the widely used Log4j Java logging library.


In an alert this week, the consumer protection agency warned that the "serious" vulnerability, first discovered in December, is being exploited by a growing number of attackers and poses a "serious risk" to millions of consumer products. The open letter urges organizations to mitigate the vulnerability in order to reduce the likelihood of harm to consumers and to avoid potential legal action.

"When a vulnerability is discovered and exploited, it has the potential to cause the loss or disclosure of personal information, financial loss and other irreversible harm," the agency said. "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is vital that companies and their suppliers who rely on Log4j act now to reduce the likelihood of harm to consumers and avoid legal action from the FTC."

The FTC highlighted the case of Equifax, whose failure to patch a known Apache Struts flaw in 2017 led to the exposure of sensitive information on 147 million consumers. The credit reporting agency subsequently agreed to pay $700 million to settle with the agency and individual states.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from known vulnerabilities in Log4j, or similar vulnerabilities in the future," the FTC said. In other words, it plans to apply the same legal powers to protect consumers in future cases involving other known vulnerabilities.

For organizations keen to avoid potentially multimillion-dollar penalties, the FTC recommends following the guidance issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). That guidance urges businesses to update their Log4j packages to the latest version, take steps to mitigate the vulnerability, and distribute information about the vulnerability to potentially affected third parties and consumers.
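Updating "to the latest version" presupposes knowing where Log4j is deployed. The following is an added example (not from the article, the FTC or CISA): a small Python inventory check that walks a directory tree, identifies log4j-core JARs by the Maven pom.properties entry they carry (falling back to the filename) and flags those below a caller-supplied fixed version. The fixed version is an assumption the caller takes from the CISA guidance, and the sample JARs are constructed in a temporary directory.

```python
import os
import re
import tempfile
import zipfile
from typing import Iterator, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); tuples compare correctly where strings do not."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def jar_version(path: str) -> Optional[Tuple[int, ...]]:
    """Version of a log4j-core JAR, or None if it is not one."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():  # metadata beats the filename: renamed copies still count
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return parse_version(value)
    except zipfile.BadZipFile:
        return None
    m = NAME_RE.search(os.path.basename(path))
    return parse_version(m.group(1)) if m else None

def scan(root: str, fixed: Tuple[int, ...]) -> Iterator[Tuple[str, Tuple[int, ...]]]:
    """Yield (path, version) for each log4j-core JAR under root older than `fixed`."""
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            ver = jar_version(os.path.join(dirpath, name))
            if ver is not None and ver < fixed:
                yield os.path.join(dirpath, name), ver

def make_sample_jar(path: str, version: Optional[str]) -> None:
    """Constructed stand-in JAR: log4j-core pom.properties, or a manifest-only archive."""
    entry = (POM_PROPS, f"artifactId=log4j-core\nversion={version}\n") if version else (
        "META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(*entry)

def build_sample_dir() -> str:
    """Constructed tree: a renamed JAR with metadata, one known only by filename, one unrelated."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    os.makedirs(os.path.join(root, "lib"))
    make_sample_jar(os.path.join(root, "lib", "vendor-logging.jar"), "2.1.0")
    make_sample_jar(os.path.join(root, "log4j-core-2.3.0.jar"), None)
    make_sample_jar(os.path.join(root, "lib", "commons-io-2.11.0.jar"), None)
    return root
```

Shaded or fat JARs that bundle Log4j classes under another artifact name carry neither the filename nor the pom.properties entry, so they need class-level inspection that this check does not perform.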

Shortly before the FTC issued its warning, Microsoft cautioned this week that the Log4Shell vulnerability remains a complex and high-risk situation for companies, adding that "in the last weeks of December there were still many attempts and tests to exploit the vulnerability", with both low-skilled attackers and nation-state actors exploiting it.

It added: "At this juncture, customers should treat the widely available exploit code and scanning capabilities as a real and present danger to their environments. Because so much software and so many services are affected, and given the pace of updates, this is expected to have a long tail for remediation and to require constant vigilance."
