Approx read time: 2.5 mins
In a stern warning issued Tuesday, the Federal Trade Commission (FTC) put companies on notice that any failure to protect against Log4shell could become costly. This announcement underlines the new requirement that every company must take under the Federal Trade Commission Act (the "FTC Act"). As a result, reasonable steps to mitigate a known software vulnerability are now a legal obligation:
"[The FTC will] use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future." (Source)
Under the FTC Act, companies are prohibited from engaging in "unfair or deceptive acts or practices in or affecting commerce." (5(a) of 15 U.S.C. §45(a)). Acts or practices are "unfair" if they do or could likely cause substantial injury to consumers, and consumers couldn’t avoid themselves (and the cost to mitigate isn’t outweighed by countervailing benefits to consumers or competition).
After Equifax was breached, leading to massive exposure of millions of customers' records, the FTC sued them, and settled the claim for $700M. The basis for their claim was that Equifax knew of the Struts vulnerability, and their failure to promptly patch and safeguard their applications caused substantial injury to consumers. The settlement involved not just the FTC, but also the Consumer Financial Protection Bureau (CFPB) and all 50 states in the U.S.
The FTC announcement yesterday was meant to put every company on notice. Should they fail to remediate by upgrading to a safe Log4j version and are breached as a result, the FTC (and likely the CFPB and many states) may sue for damages on behalf of consumers.
While there are already plenty of incentives to remediate your Log4shell risk, the FTC's announcement provides one more. Investing the time and resources to mitigate Log4shell risk means you can have the processes and tools to help ensure you're ready for the next open source component vulnerability.
What measures that are considered "reasonable" will depend on industry norms. Increasingly, companies are expected to know all components in their software supply chain, and ideally be able to document those components in a software bill of materials (SBOM). This documentation should include not just directly-sourced components, but also transitive dependencies, meaning the building blocks of the components you use.
Even if you don’t use a commercial or open source software composition analysis (SCA) tool as part of your software development lifecycle, every company should run a manual scan of all repositories, identify where Log4j is used, and update to a safe version. You can use our free scanner, either by uploading your code or downloading our scanner and running it locally.
Now that we're over a month past the initial disclosure, any company that hasn't taken these basic measures and gets breached could find themselves the target of an FTC lawsuit.
Visit the Sonatype Log4j Resources Center for more data, insights, and updates.