Jan 6, 2022

FTC threatens enforcement on firms lax about Log4j vulnerability

The FTC action underscores a commitment by federal regulators to ensure a more secure environment for enterprise and consumer software, according to legal experts and industry analysts. 
“Barring a massive, public breach of a large company, via exploiting this vulnerability, enforcing this warning will be a complex task,” Allie Mellen, analyst, security and risk at Forrester, said via email. “However, it is another aspect of the potential impact of an exploit of this vulnerability that should give businesses pause.”
The key words in the FTC warning are that companies need to “take reasonable steps,” according to attorney Brenda Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at Dechert. 
“It is rare for the FTC to issue such a specific warning regarding a patch, but it shows the level of seriousness with which they will meet a company that turns a blind eye to the need for this patch,” Sharton said.
Companies the FTC targets can face a very long and detailed investigation into their practices, Romaine Marshall, a partner at the law firm of Armstrong Teasdale, said.
“They angle towards a business settlement, but that can be after an 18 to 24 month investigation into your systems and whether or not you have reasonable security,” Marshall said. 
The FTC reached a settlement for up to $700 million with Equifax in 2019, after the company failed to patch a known vulnerability in Apache Struts resulting in a breach that exposed the personal data of 147 million consumers. The Consumer Financial Protection Bureau and 50 states and territories were part of the settlement.
“We’ve brought a number of cases involving the lack of reasonable security, some of which involve the failure to fix known vulnerabilities, including our case against Equifax,” a spokesperson for the FTC said via email. 
Asked whether an actual data breach is required to take enforcement action, an official said each situation is taken on a case-by-case basis and an investigation needs to take place in order to determine whether a law has been violated.
Article Categories:
Cybersecurity News