FTC Advises Companies to Remediate Log4j Vulnerability

In an unusual warning to companies running Java applications with Log4j in their environments, the Federal Trade Commission (FTC) recently cautioned that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[] or similar known vulnerabilities in the future.” All companies with consumer information should take heed, assessing information security risks on their systems and devices and implementing policies to guard against foreseeable risks.

What prompted the FTC’s action?

The Apache Log4j software library is a ubiquitous Java-based logging utility. In December, the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that a critical vulnerability in this popular open-source software rendered “hundreds of millions” of internet-connected devices vulnerable to attack. CISA’s Director advised that the software’s ubiquity makes the scale and potential impact of the vulnerability significant. CISA gave federal agencies until December 24, 2021, to patch the vulnerability or implement other mitigating measures.

A variety of executive branch agencies, including CISA and the White House’s National Cyber Director, promoted the FTC’s warning on social media. The FTC’s warning can be viewed as reiterating the FTC’s longstanding approach to data security (that companies must implement reasonable steps to protect consumer information from unauthorized disclosure or misuse) while simultaneously suggesting that a failure to protect against the Log4j vulnerability is per se unreasonable. The warning references the FTC’s $700 million 2019 settlement with Equifax Inc., in which the FTC alleged among other things that the company’s failure to patch a known vulnerability contributed to exposure of millions of consumers’ personal information. The FTC also notes that it is critical for companies and their vendors who rely on Log4j to act now, “in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Legal context

As we’ve addressed here, there is no single federal data security law in the United States requiring companies across the marketplace to implement a uniform set of data security measures. Nonetheless, the FTC’s warning—which goes further than prior FTC business guidance like Start with Security or Stick with Security—asserts that existing laws, including the FTC Act and the Gramm Leach Bliley Act, create a duty for companies to take reasonable steps to mitigate known software vulnerabilities.

Why does this matter for companies with consumer data?

The FTC’s warning reaffirms that data security enforcement remains a priority for the current Commission’s leadership. In addition, the FTC post relays the Commission’s intent to consider the “broader set of structural issues” related to “open-source services,” which it considers to be among the “root issues that endanger user security.” This seems to be a callback to Chair Khan’s strategic vision for approaching competition and consumer protection “holistically” and focusing on what the Commission regards to be “root causes” of harm.

The FTC’s admonitions remind every company with consumer information to assess the risks to that information in their environments and in vendor environments and implement reasonable policies to guard against those risks.

* * *

Please join us for State Attorney General Consumer Protection Priorities for 2022. This webinar will provide discussion and practical information on the topics mentioned above and other state consumer protection, advertising, and privacy enforcement trends. Register here.

Also join us for Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle, a joint webinar between Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform. This Data Privacy Week webinar will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth. Register here.