The US Federal Trade Commission (FTC) has warned that any US company that fails to secure its customers’ data against the ongoing Log4j attacks may face legal action.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future,” explains the US government agency.
According to the FTC, the duty to take reasonable steps to mitigate known software vulnerabilities follows from laws including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
The FTC recommends that businesses follow CISA’s guidance for addressing the Log4j vulnerabilities and:
- Update Log4j to the most recent version, available at https://logging.apache.org/log4j/2.x/security.html
- Consult the CISA guidance for mitigating this vulnerability
- Ensure that remedial steps are taken so that the company’s practices do not violate the law. Failing to identify and patch instances of this software may be a violation of the FTC Act.
- Distribute this information to any third parties that provide products or services to consumers who may be vulnerable.
The alert follows CISA’s emergency directive ordering US Federal Civilian Executive Branch agencies to patch the actively exploited Log4Shell vulnerabilities by December 23. Agencies were given a further five days, until December 28, to report Log4Shell-affected products in their environments, including application and vendor names, application versions, and the steps taken to block exploitation attempts.
CISA has also set up a dedicated page with patching information for the Log4Shell vulnerabilities and published a Log4j scanner for discovering vulnerable Java applications. Together with the cybersecurity agencies of the other Five Eyes countries and other US federal agencies, CISA released a joint advisory with mitigation guidance for the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j security issues.
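As an added illustration of what a scanner of this kind has to do (example code written for this page, not CISA’s scanner or any Apache tool), the Python script below walks a directory, opens every jar/war/ear it finds, descends into nested archives, reads the log4j-core version from the bundled Maven pom.properties, and reports which of the three CVEs named above that version is still exposed to. The fix versions it encodes are Apache’s published ones (2.15.0, 2.16.0 and 2.17.0 on the main line; 2.12.2 and 2.12.3 on the Java 7 branch; 2.3.1 on the Java 6 branch). The sample archives it builds for the demo are constructed fixtures, not real Log4j builds, and because it relies on the jar-shipped Maven metadata it will miss shaded or repackaged copies of log4j-core.

```python
import io
import os
import zipfile

# Maven metadata that log4j-core jars ship with; the version line lives here.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal is the commonly applied JNDI-lookup mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
ALL_THREE = ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    head = text.strip().split("-")[0].split(".")
    try:
        nums = [int(p) for p in head[:3]]
    except ValueError:
        return None
    if len(nums) < 2:
        return None
    return tuple(nums + [0] * (3 - len(nums)))


def cves_for(version):
    """Unfixed CVEs for a log4j-core 2.x version, per Apache's fix versions:
    2.15.0 fixed 44228, 2.16.0 fixed 45046, 2.17.0 fixed 45105; on the Java 7
    branch 2.12.2 fixed the first two and 2.12.3 the third; on the Java 6
    branch 2.3.1 fixed all three. Anything older is flagged for all three
    (conservative: pre-2.0-beta9 builds without JNDI lookups are flagged too)."""
    if version is None or version[0] != 2:
        return []  # log4j 1.x is not covered by these three CVEs
    _, minor, patch = version
    if minor == 3:
        return [] if patch >= 1 else list(ALL_THREE)
    if minor == 12:
        if patch >= 3:
            return []
        return ALL_THREE[2:] if patch == 2 else list(ALL_THREE)
    if minor >= 17:
        return []
    if minor == 16:
        return ALL_THREE[2:]
    if minor == 15:
        return ALL_THREE[1:]
    return list(ALL_THREE)


def scan_bytes(data, location):
    """Inspect one archive given as bytes, recursing into nested archives.
    Returns a list of (location, version_string, [unfixed CVEs])."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version_str = None
        if POM_PATH in names:
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version_str = line.split("=", 1)[1].strip()
        if version_str is not None:
            cves = cves_for(parse_version(version_str))
            if JNDI_CLASS not in names:
                # JndiLookup.class removed: 44228/45046 mitigated, 45105 is not.
                cves = [c for c in cves if c == "CVE-2021-45105"]
            if cves:
                findings.append((location, version_str, cves))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_bytes(zf.read(name), location + "!/" + name))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), full))
    return findings


def make_sample_archive(version=None, with_jndi=True, nested=None):
    """Constructed fixture (not a real Log4j build): a zip carrying log4j-core's
    pom.properties, optionally a placeholder JndiLookup.class and a nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "log4j-core-2.14.1.jar": make_sample_archive("2.14.1"),
            "log4j-core-2.16.0.jar": make_sample_archive("2.16.0"),
            "log4j-core-2.17.1.jar": make_sample_archive("2.17.1"),
            "class-removed.jar": make_sample_archive("2.14.1", with_jndi=False),
            "app.war": make_sample_archive(nested=make_sample_archive("2.12.1")),
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        for loc, ver, cves in scan_tree(tmp):
            print(f"{loc}: log4j-core {ver} -> {', '.join(cves)}")
```

Two practitioner points the demo output makes visible: a nested jar inside a war is reported with its full `app.war!/WEB-INF/lib/...` path, and a jar whose JndiLookup.class has been deleted is still flagged for CVE-2021-45105, because that issue is in context-lookup recursion rather than the JNDI lookup and is only closed by upgrading to 2.17.0 (or 2.12.3 / 2.3.1).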