FTC To American Companies: Fix Log4j Issues OR ELSE
Companies in the USA should consider this fair warning. The FTC has issued a warning to US companies that it will go after any company that fails to protect its customers’ data against ongoing Log4j attacks:
The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
Elizabeth Wharton, VP of Operations at SCYTHE, had this comment:
Compliance is never security, but you always need robust security practices to meet compliance requirements. Nearly every regulation – including GLBA – requires continuous assurance. In fact, the December 2021 Final Rule issued by the FTC under GLBA for financial institutions added provisions specific to regularly test or otherwise monitor the effectiveness of their security controls. To meet these requirements, they need to continuously validate their people, processes, and technologies, especially as new supply chain attack vectors like Log4j become more prevalent.
Companies should do the right thing by default. But I would consider this warning from the FTC a major incentive to make sure that they address any and all issues in regards to not only this vulnerability, but any vulnerability that they might be aware of. Otherwise, they’re going to get the boom lowered on them.
This entry was posted on January 5, 2022 at 1:21 pm and is filed under Commentary with tags Security.