SEC, FTC warn companies to remediate Log4j vulnerabilities


Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also invoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

The FTC’s Log4j warning distinguishes itself from other administration actions precisely because it extends to all types of organizations. “One of the unique things I think about the FTC is their warning is industry-agnostic,” Ferber says. “We have a broad shot across the bow to the private sector writ large that they need to take Log4j seriously to the extent they’re not already doing so and address it.”

SEC’s spotlight on Log4j wasn’t offhanded

Even before the FTC made its announcement, another independent U.S. government agency, the Securities and Exchange Commission (SEC), signaled that it, too, frowns on organizations that fail to take reasonable measures to address the Log4j flaw. In late December, the SEC posted a “spotlight” on the vulnerability.

Copyright © 2022 IDG Communications, Inc.


