
FTC Warning in Wake of Log4j: Secure Your Software Supply Chain


In a stern warning issued Tuesday, the Federal Trade Commission (FTC) put companies on notice that failing to protect against Log4Shell could become costly. The announcement underlines an obligation the FTC reads into the Federal Trade Commission Act (the “FTC Act”) for every company: taking reasonable steps to mitigate a known software vulnerability is a legal duty, not merely a best practice:

“[The FTC will] use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” (Source)

Under the FTC Act, companies are prohibited from engaging in “unfair or deceptive acts or practices in or affecting commerce” (Section 5(a), codified at 15 U.S.C. §45(a)). An act or practice is “unfair” if it causes or is likely to cause substantial injury to consumers, the injury is one consumers cannot reasonably avoid themselves, and it is not outweighed by countervailing benefits to consumers or to competition.

Previous lawsuit

After Equifax was breached, exposing the records of roughly 147 million people, the FTC sued the company and settled the claim for up to $700 million. The basis of the complaint was that Equifax knew of the Apache Struts vulnerability in its web application, and that its failure to patch promptly and safeguard its applications caused substantial injury to consumers. The settlement involved not just the FTC but also the Consumer Financial Protection Bureau (CFPB) and 50 U.S. states and territories.

The FTC announcement yesterday was meant to put every company on notice. The steps the FTC listed are the ones in the CISA guidance it pointed to: upgrade to a fixed Log4j version, confirm the remediation actually took effect, and pass the information on to any third parties or subsidiaries that serve consumers. Should a company fail to remediate and be breached as a result, the FTC (and likely the CFPB and many states) may sue for damages on behalf of consumers.
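The remediation step the FTC describes, confirming that every copy of log4j-core in a build is at or above a fixed release, is something a practitioner can script rather than eyeball. The following is an added example, not code from the Sonatype post or from Sonatype's own tooling: it parses constructed `mvn dependency:tree` output and flags log4j-core versions below the fixed releases for each maintained branch (2.17.1 for the Java 8+ line, 2.12.4 for Java 7, 2.3.2 for Java 6, the releases Apache shipped to close the December 2021 CVEs), plus any Log4j 1.x artifact, which is end-of-life and will never receive a fix. The sample tree, the coordinate parsing and the threshold table are assumptions made here for illustration.

```python
"""Flag Log4j artifacts in a Maven dependency tree that sit below the fixed releases.

Added example (not from the Sonatype post). Assumptions: the input is the text
printed by `mvn dependency:tree`; the thresholds are the Apache Log4j releases
that closed the December 2021 CVEs on each maintained branch (2.17.1 for
Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6); the sample tree is constructed.
"""
import re

# Lowest fixed release per maintenance branch; every other 2.x branch must reach 2.17.1.
FIXED_BY_BRANCH = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
DEFAULT_FIXED = (2, 17, 1)

# Trailing Maven coordinate on a dependency:tree line, e.g.
#   org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5})\s*$")

# Constructed sample output (not from a real project). Transitive copies matter:
# here the vulnerable log4j-core arrives through a starter, not a direct dependency.
SAMPLE_TREE = r"""[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:reporting:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile
"""


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' (or '2.0-beta9', '2.3') into a 3-tuple of ints for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(0).split("."))
    return nums + (0,) * (3 - len(nums))  # pad so '2.3' compares as 2.3.0


def is_vulnerable_log4j2(version: str) -> bool:
    """True if a log4j-core 2.x version is below the fixed release for its branch."""
    v = parse_version(version)
    return v < FIXED_BY_BRANCH.get(v[:2], DEFAULT_FIXED)


def check_tree(tree_text: str) -> list:
    """Return one finding per Log4j artifact in the tree that needs remediation."""
    findings = []
    for lineno, line in enumerate(tree_text.splitlines(), 1):
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        group, artifact = parts[0], parts[1]
        # group:artifact:type[:classifier]:version[:scope]; the root line carries no scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        reason = None
        if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
            if is_vulnerable_log4j2(version):
                reason = "log4j-core below the fixed release for its branch"
        elif (group, artifact) == ("log4j", "log4j"):
            reason = "Log4j 1.x is end-of-life and receives no fixes; migrate to Log4j 2"
        if reason:
            findings.append({"line": lineno, "artifact": f"{group}:{artifact}",
                             "version": version, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_tree(SAMPLE_TREE):
        print(f"line {f['line']}: {f['artifact']}:{f['version']} -> {f['reason']}")
```

Two caveats when running this against real builds: `dependency:tree` prints the version Maven actually resolved after nearest-wins mediation, so a fixed version declared in one module can still be shadowed by an older one pulled in elsewhere, which is exactly why the check walks every line rather than stopping at the first log4j-core. And a dependency tree only sees what Maven knows about; shaded or fat jars and vendor-supplied appliances need a filesystem scan of the deployed artifacts as well.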

While there are already plenty of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Andrew Yorra. Read the original post at: https://blog.sonatype.com/ftc-warning-in-wake-of-log4j