
Alston & Bird Privacy, Cyber & Data Strategy Blog


FTC Releases Warning to Companies that Fail to Mitigate Log4j Vulnerability

January 5, 2022 By Jon Knight and Alysa Austin

Less than a month ago, a critical vulnerability was identified in the ubiquitous open-source Log4j tool, prompting swift guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and other security practitioners. Now, the Federal Trade Commission (FTC) has warned companies that it “intends to use its full legal authority” against any company that fails to take “reasonable steps” to protect consumers from the Log4j vulnerability.

The FTC’s release cautions that the Log4j vulnerability is being widely exploited by a growing number of attackers and poses a “severe risk” to millions of consumer products.  Accordingly, the FTC urges companies to “act now” to mitigate threats from the Log4j vulnerability or “similar known vulnerabilities” or risk legal action.  Unfortunately, the FTC provides no guidance on what these “similar known vulnerabilities” may be.

“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” the FTC said.  “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

According to the FTC, companies using Log4j should update software packages to the most current version, take steps to identify and remediate this vulnerability, and distribute information about the vulnerability to relevant third parties with consumers who may be vulnerable.  The FTC also encourages companies to consult CISA’s guidance for additional mitigation steps.  However, the FTC’s statement does not address the fact that many companies will not be able to update or patch their products until a vendor releases updates or provides further direction.

Filed Under: Cyber Risk, Cybercrime, Cybersecurity, Enforcement, FTC Tagged With: cybersecurity, Log4j, vulnerability

About Jon Knight

Jon Knight is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team in the Washington, D.C. office. He focuses his practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.


About Alysa Austin

Alysa Austin is an associate with Alston & Bird’s Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.



This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.