FTC, SEC raise legal risks surrounding the log4j flaw

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also evoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

The FTC’s Log4j warning distinguishes itself from other administration actions precisely because it extends to all types of organizations. “One of the unique things I think about the FTC is their warning is industry-agnostic,” Ferber says. “We have a broad shot across the bow to the private sector writ large that they need to take Log4j seriously to the extent they’re not already doing so and address it.”

SEC’s spotlight on Log4j wasn’t offhanded

Even before the FTC made its announcement, another independent U.S. government agency, the Securities and Exchange Commission (SEC), signaled that it, too, frowns on organizations that fail to take reasonable measures to address the Log4j flaw. In late December, the SEC posted a “spotlight” on the vulnerability.

In its spotlight box, the SEC said, “CISA and its partners are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”

Ferber and his colleagues flagged the SEC’s spotlight in a December 23 analysis, saying that if the past is prologue, “The SEC could send out requests for information to companies that have downloaded a compromised version of Log4j and ask them to provide further detail about software usage as well as other compromises by external actors, regardless of materiality or access to material non-public information.” The attorneys’ analysis recommends that, “Company personnel responsible for developing and overseeing disclosure controls and procedures should have a line of sight into the technical response and ensure that company controls and procedures are being applied properly.”

“The fact that the SEC spotlighted the full vulnerability on its website, I don’t think it was done just offhandedly,” Ferber says. “My opinion is that including it on the website was to reinforce to regulated entities that the SEC is paying attention to this issue. That companies not only already have an obligation to employ reasonable cybersecurity measures, but also have obligations to notify investors of material incidents that can be those that haven’t actually resulted in a breach.”

SEC has a track record of taking action

Like the FTC, the SEC already has a track record of taking action against companies that fail to pay adequate attention to cybersecurity. Last August, the SEC fined eight firms a total of $750,000 for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers.

Although the FTC and SEC could bring legal action or penalize companies that demonstrate lax attention to the Log4j vulnerability, it’s unclear under what circumstances they would do so. “I think a reviewing agency would be looking at the policies and procedures that are in place, and whether those are reasonable and were applied appropriately to a particular vulnerability,” Ferber says.

In determining whether a violation has occurred and penalties should be imposed, the SEC would likely consider, among other factors, the impact that the Log4j flaw had on a particular company and “how they handled it, not just from a technical perspective, but also in evaluating whether it was material and should be disclosed,” Ferber says. The SEC did not respond to requests for comment.

Infosec pros welcome agency attention

Not surprisingly, cybersecurity practitioners welcome the government agencies’ stricter stance. Tenable CEO Amit Yoran said in a statement, “About time. Hallelujah! The FTC warning about potential legal repercussions for companies that fail to address the Log4j vulnerability is long overdue.”

“Warnings from regulatory agencies to address Log4j are further evidence of how serious the vulnerability is to affected companies, their data and networks, and their customers,” Kevin Bocek, vice president, security strategy and threat intelligence at Venafi, tells CSO.

“Today, application attacks and breaches are often the results of easily exploited – and easily rectified – vulnerabilities like Log4j,” Brian Fox, CTO of Sonatype, tells CSO. “While many companies have heard the alarm bells, nearly one-third of recent Log4j downloads are of unpatched versions that expose organizations to attack. This tells us there is still a lot of work to be done.”