On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228). The FTC provided a list of recommended remedial actions for companies using the Log4j software. The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so. As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
The Log4j Vulnerability. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), Log4j is widely-used software that has been integrated into many consumer-facing and enterprise services, websites, and applications to log security and performance information. The Log4j vulnerability became broadly publicly known in early December 2021 and is described by CISA as a “critical remote code execution” vulnerability that could allow an “unauthenticated remote actor . . . to take control of an affected system.” CISA has since observed “active, widespread exploitation” of this vulnerability.
Duty to Take Reasonable Steps to Mitigate Vulnerabilities. Because of the risk of loss arising from software vulnerabilities, such as “a loss or breach of personal information, financial loss, and other irreversible harms,” the FTC warned that companies and their vendors have a “duty to take reasonable steps to mitigate known software vulnerabilities” such as Log4j. The FTC’s recent warning states that this duty to mitigate implicates “the Federal Trade Commission Act and the Gramm Leach Bliley Act,” among other federal laws. Accordingly, the FTC noted that it “is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
Enforcement Precedent. The FTC’s warning cites its prior enforcement actions against companies for failing to patch known vulnerabilities that expose the personal information of consumers. In its warning, the FTC states that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
Recommended Remediation. The FTC directs companies and their vendors to check whether they use the Log4j software library by consulting CISA guidance. For companies that use Log4j, the FTC recommends that the companies take immediate steps to remediate the vulnerability, including:
Updating the “Log4j software package to the most current version.”
Consulting CISA’s guidance to mitigate the Log4j vulnerability.
Ensuring that “remedial steps are taken to ensure that your company’s practices do not violate the law.” The FTC explicitly warns that failure “to identify and patch instances of this software may violate the FTC Act.”
Distributing “this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.”
Potential Enforcement Actions. The FTC’s Log4j warning suggests that the FTC may begin inquiring into companies’ remediation of this vulnerability and that the FTC is preparing to bring enforcement actions against companies that fail to remediate the known vulnerability under the FTC Act, the GLBA, and other federal laws.
Looking Forward. The FTC’s warning follows shortly after CISA warned in late December 2021 that “[m]alicious cyber actors are actively scanning networks to potentially exploit” the Log4j vulnerability. The FTC’s focus on the remediation of known software vulnerabilities is consistent with the U.S. government’s ongoing focus on strengthening cybersecurity and its warnings about cyber threats over the holidays. Companies and their vendors should review (and, if appropriate, implement) recommendations from the FTC and CISA on remediating the Log4j vulnerability to mitigate the risk of potential FTC inquiries and enforcement actions in this area.