Dive Brief:
- The Federal Trade Commission warned companies to remediate Log4j vulnerabilities or face potential enforcement action, as threat actors have begun scanning systems and launching attacks that pose a risk to millions of consumer products, enterprise software and web applications.
- Companies are required to take "reasonable steps to mitigate known software vulnerabilities" under the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, the agency said Tuesday.
- Meanwhile, traditional dependency scanning methods to check for vulnerabilities failed to detect hundreds of instances of vulnerable code in the Maven Central repository, according to a report from JFrog Security. Vulnerable applications may remain undetected, which could put organizations at undue risk from malicious threat activity.
Dive Insight:
The FTC action underscores a commitment by federal regulators to ensure a more secure environment for enterprise and consumer software, according to legal experts and industry analysts.
"Barring a massive, public breach of a large company, via exploiting this vulnerability, enforcing this warning will be a complex task," Allie Mellen, analyst, security and risk at Forrester, said via email. "However, it is another aspect of the potential impact of an exploit of this vulnerability that should give businesses pause."
The key words in the FTC warning are that companies need to "take reasonable steps," according to attorney Brenda Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at Dechert.
"It is rare for the FTC to issue such a specific warning regarding a patch, but it shows the level of seriousness with which they will meet a company that turns a blind eye to the need for this patch," Sharton said.
Companies can face a very long and detailed investigation into their practices if the FTC targets them, Romaine Marshall, a partner at the law firm Armstrong Teasdale, said.
"They angle towards a business settlement, but that can be after an 18- to 24-month investigation into your systems and whether or not you have reasonable security," Marshall said.
The FTC reached a settlement for up to $700 million with Equifax in 2019, after the company failed to patch a known vulnerability in Apache Struts, resulting in a breach that exposed the personal data of 147 million consumers. The Consumer Financial Protection Bureau and 50 states and territories were part of the settlement.
"We've brought a number of cases involving the lack of reasonable security, some of which involve the failure to fix known vulnerabilities, including our case against Equifax," a spokesperson for the FTC said via email.
Asked whether an actual data breach is required before enforcement action can be taken, an official said each situation is handled on a case-by-case basis and an investigation must take place to determine whether a law has been violated.