On January 4, 2022, in response to the public disclosure of the Log4j vulnerability known as Log4Shell, the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.” The blog post also calls for companies to take immediate steps to reduce the likelihood of harm to consumers from the exposure of consumer data as a result of Log4j or similar known vulnerabilities.
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices” in or affecting commerce. The FTC has long used this authority to take action against companies in the privacy and data security context. There have been numerous Section 5 enforcement actions related to privacy and data security that have resulted in settlements that imposed civil penalties and continuing obligations to safeguard the privacy and security of personal information and enjoined future misconduct.
As an example of a case involving exploited vulnerabilities, the FTC’s blog post references the 2019 $700 million settlement with Equifax (which was paid out to the FTC, the Consumer Financial Protection Bureau and all fifty states) to resolve allegations that the company violated the FTC Act and GLBA Safeguards Rule by failing to patch a known vulnerability that exposed the personal information of 147 million consumers. According to the complaint, after Equifax was alerted to a critical network security vulnerability in March 2017, the company’s security personnel ordered that vulnerable systems be patched within 48 hours. In July 2017, however, Equifax discovered that an important database had been left unpatched, and an investigation revealed that multiple hackers had used the vulnerability to access the company’s network, obtain administrative credentials stored in plaintext from an unsecured file and steal the personal information of consumers.
The FTC’s blog post directs companies to use Cybersecurity and Infrastructure Security Agency guidance to determine whether they are using the Log4j software library and, if so, to identify steps they may take to mitigate the vulnerability, including distributing relevant information about mitigation to relevant third-party subsidiaries that sell products or services to consumers. The FTC also stated that “failure to identify and patch instances of [the Log4j] software may violate the FTC Act.”