On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j software. This past December, a critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy. The security flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.
The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.
Background
The FTC’s Privacy and Data Security Enforcement Authority
The FTC is an independent agency charged with protecting consumers and with enhancing economic competition. Pursuant to Section 5 of the Federal Trade Commission Act (FTCA), the FTC has the authority to bring enforcement actions against companies that engage in “unfair or deceptive acts or practices in or affecting commerce.” In the cyber context, the FTC has maintained that companies act deceptively when they, for example, mishandle personal information in contravention of their privacy policies or fall short of promises to protect personal information from unauthorized access. In addition, companies act unfairly when they, for example, retroactively apply revised privacy policies or maintain obscure or difficult-to-change default privacy settings.[i]
In addition to its general Section 5 authority, the FTC also has the authority to enforce certain sector-specific laws that address privacy and data security, including the Children’s Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (GLBA). The GLBA, for example, imposes data protection obligations on financial institutions, including the obligation to implement reasonable security policies and procedures to protect consumer information from unauthorized access.
The FTC has brought hundreds of enforcement actions pursuant to its general and its sector-specific privacy and data security authorities, resulting in billions of dollars in civil penalties.
The Log4j Security Vulnerability
In December 2021, federal agencies—including the Cybersecurity and Infrastructure Security Agency (CISA)[ii]—and private companies—such as Microsoft[iii] and Cisco[iv]—announced the discovery of a critical security flaw in the open-source, Java-based Log4j software provided by the Apache Software Foundation. Log4j is used to log security and performance information for system administrators and is embedded in countless commercial software platforms, websites, and digital applications.
The identified security vulnerability—known as “Log4Shell”—potentially allows bad actors to take complete control of affected systems and to access any sensitive information they contain. Public reports indicate that state-backed hackers, as well as illicit cryptocurrency miners, have already exploited the flaw to nefarious ends.[v]
Because the flaw is contained in software that is embedded deep within systems under layers of other software, it is proving extremely difficult for companies and for cybersecurity experts to determine which systems are impacted and whether they have been exploited. Indeed, Jen Easterly, the Director of CISA, referred to Log4Shell as the “most serious” vulnerability she has seen in her career and stressed that it could take years to address.[vi]
The FTC’s Warning
In its January 4 announcement, the FTC stressed that the Log4j vulnerability poses a severe risk to millions of consumer products and enterprise software and web applications, and has been exploited by a growing number of attackers.[vii] Such exploitation risks the exposure of personal information, financial loss, and other substantial harms to consumers.
The FTC made clear that, pursuant to laws such as the FTCA and the GLBA, companies have a “duty to take reasonable steps to mitigate known software vulnerabilities” that risk harm to consumers, and that the agency “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”[viii] As a point of comparison, the FTC’s announcement referenced the $700 million paid by Equifax to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states following the company’s alleged failure to patch a known vulnerability that exposed the personal information of 147 million consumers.
Finally, the FTC observed that open-source services like Log4j, which are essential to the digital economy, are often created and maintained by volunteers who lack adequate resources for incident response and proactive maintenance. In a statement that bears close monitoring, the FTC indicated that it will consider this dynamic in addressing the root causes of threats to consumer privacy and data security in the cyber context.
Takeaways
As the FTC indicated, companies that believe they or their vendors might employ the Log4j software library should immediately consult the Apache Log4j Vulnerability Guidance issued by CISA and, if necessary, take steps to remediate any associated vulnerabilities.
More generally, companies should ensure that they maintain data security policies and procedures commensurate with their legal obligations and that reflect the evolving threat landscape. In this respect, companies that collect or maintain consumer data, rely on digital platforms or services for their core business, or otherwise face significant cybersecurity risk should consider engaging outside cybersecurity and legal advisors. These advisors can, for example, help develop data security policies and corporate governance practices, implement cyber incident response plans, and conduct tabletop exercises to assess a company’s response capabilities in the event of a cyber incident.
[i] See Congressional Research Service, Data Protection and Privacy Law: An Introduction at 1 (May 9, 2019); Federal Trade Commission, 2020 Privacy and Data Security Update at 2–10.
[ii] Cybersecurity and Infrastructure Security Agency, Statement from CISA Director Easterly on “Log4j” Vulnerability (Dec. 11, 2021).
[iii] Microsoft, Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 (Dec. 11, 2021).
[iv] Cisco, Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (Dec. 10, 2021).
[v] See, e.g., Time, What Is Log4j? The Security Flaw That’s Freaking Out the Internet (Dec. 15, 2021).
[vi] CNBC, CISA Director Says the LOG4J Security Flaw is the “Most Serious” She’s Seen in Her Career (Dec. 16, 2021).
[vii] Federal Trade Commission, FTC Warns Companies to Remediate Log4j Security Vulnerability (Jan. 4, 2022).
[viii] Id.