Via The Record 5JAN22 – The Federal Trade Commission made an announcement on Tuesday that it may pursue legal punitive action against entities who experience a breach of consumer personal data as a result of failure to patch against Log4Shell and future ‘similar known vulnerabilities.’ This represents a huge step as I’ve personally never seen the FTC act against cyber-threats in such a proactive manner before.
Per the FTC:
When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.
This release from the agency highlights an action they took back in 2019, in the aftermath of the Equifax incident. The Equifax event is startlingly similar to Log4Shell, as Equifax was breached as a result of failing to patch vulnerabilities in another Apache Software Foundation product.
In response to this, I did a hot take episode with Matt Lee and Pax8’s general counsel, Tyler Rauert, on this news:
“The FTC is trying to change behavior. That’s the biggest stick the FTC carries. They can embarrass you in front of your customer. The penalty itself is not where the pain lands. The pain lands in sales and marketing and your reputation overall.” –Tyler Rauert, VP of Legal at Pax8
The push here is clear: the federal government is using existing legal levers to demand that companies take real, measurable, defensible, proactive measures to better protect the consumer data they are entrusted with.
CALL TO ACTION:
Implement a vulnerability management process, and follow through
Adopt a framework and appropriate policies, and document proof of work as you iterate on and stick to your security program
This should include documented SSPs (system security plans) and POAMs (plans of action and milestones)!
Always be improving, and never let perfect be the enemy of good