In an unusual warning to companies running Java applications with Log4j in their environments, the Federal Trade Commission (FTC) recently cautioned that it "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[] or similar known vulnerabilities in the future." All companies with consumer information should take heed, assessing information security risks on their systems and devices and implementing policies to guard against foreseeable risks.

What prompted the FTC's action?

The Apache Log4j software library is a ubiquitous Java-based logging utility. In December, the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that a critical vulnerability in this popular open-source software rendered "hundreds of millions" of internet-connected devices vulnerable to attack. CISA's Director advised that the software's ubiquity makes the scale and potential impact of the vulnerability significant. CISA gave federal agencies until December 24, 2021, to patch the vulnerability or implement other mitigating measures.

A variety of executive branch agencies, including CISA and the White House's National Cyber Director, promoted the FTC's warning on social media. The FTC's warning can be viewed as reiterating the FTC's longstanding approach to data security (that companies must implement reasonable steps to protect consumer information from unauthorized disclosure or misuse) while simultaneously suggesting that a failure to protect against the Log4j vulnerability is per se unreasonable. The warning references the FTC's $700 million 2019 settlement with Equifax Inc., in which the FTC alleged among other things that the company's failure to patch a known vulnerability contributed to exposure of millions of consumers' personal information. The FTC also notes that it is critical for companies and their vendors who rely on Log4j to act now, "in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Legal context

As we've addressed here, there is no single federal data security law in the United States requiring companies across the marketplace to implement a uniform set of data security measures. Nonetheless, the FTC's warning, which goes further than prior FTC business guidance like Start with Security or Stick with Security, asserts that existing laws, including the FTC Act and the Gramm-Leach-Bliley Act, create a duty for companies to take reasonable steps to mitigate known software vulnerabilities.

Why does this matter for companies with consumer data?

The FTC's warning reaffirms that data security enforcement remains a priority for the current Commission's leadership. In addition, the FTC post relays the Commission's intent to consider the "broader set of structural issues" related to "open-source services," which it considers to be among the "root issues that endanger user security." This seems to be a callback to Chair Khan's strategic vision for approaching competition and consumer protection "holistically" and focusing on what the Commission regards to be "root causes" of harm.

The FTC's admonitions remind every company with consumer information to assess the risks to that information in their environments and in vendor environments and implement reasonable policies to guard against those risks.
