The US Federal Trade Commission (FTC), the country's consumer and market authority, is threatening fines of hundreds of millions of dollars for American organizations that fail to patch Log4j.
On December 9, Alibaba's cloud security team disclosed a vulnerability in Log4j. The wildly popular Java logging library is used in an enormous number of enterprise environments. The initial vulnerability allowed malicious parties to instruct affected servers to execute malware. A week later, the vulnerability had been exploited hundreds of thousands of times.
Widespread attention to the problem led to the discovery of further vulnerabilities. The developers of Log4j respond to each finding with a patch. Software developers that use Log4j in their products bear responsibility for applying those patches. Every organization bears responsibility for keeping attackers at a distance.
Warning from the FTC
In a new public letter, the Federal Trade Commission (FTC) addresses software developers. The US consumer and market authority writes that vulnerabilities in Log4j continue to be exploited. The number of attackers is said to be growing. Above all, the FTC emphasizes that American software developers are legally obliged to address known software vulnerabilities.
If a developer fails to do so, the FTC promises the treatment that Equifax received in 2019. The financial service provider was found guilty of an inadequate response to a software vulnerability. The personal data of 147 million consumers was compromised. Equifax received a $700 million fine. The laws that led to that fine also apply to vulnerabilities stemming from Log4j. Organizations that lose data because of Log4j face staggering penalties.
The FTC offers a roadmap to reduce liability. Software developers are instructed to keep Log4j updated to the most recent version at all times. In addition, the FTC refers to CISA guidance with the instruction to take as many additional measures as possible.
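The FTC's core instruction is to keep Log4j at the current version, and a defender's first step is knowing which copies are deployed. The Python below is an added example, not code from the article, the FTC or CISA: it walks a directory tree for log4j-core jars, reads each version from the jar manifest (falling back to the file name), and flags copies below a minimum version you supply from the current Log4j security advisory. The fixture jars and version numbers it builds for the demo are made up.

```python
import os
import re
import tempfile
import zipfile

# Matches the Log4j 2 core artefact by its Maven file name, log4j-core-<version>.jar.
# Log4j 1.x (log4j-<version>.jar) and jars nested inside WAR/EAR/fat jars are out of scope.
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare numerically, strings would not ('1.9' > '1.10')."""
    return tuple(int(p) for p in text.split("."))

def version_from_manifest(jar_path):
    """Return the Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def find_log4j_core(root, min_safe):
    """Walk root; return [(path, version_tuple, outdated)] for every log4j-core jar.
    min_safe is the lowest acceptable version tuple: take it from the current Log4j
    security advisory (the article names none, so it is a parameter, not a constant)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            m = JAR_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            # The manifest is authoritative; a jar without one falls back to its file name.
            ver = parse_version(version_from_manifest(path) or m.group(1))
            findings.append((path, ver, ver < min_safe))
    return findings

def build_demo_tree():
    """Constructed fixture: a temp dir holding three empty jars with made-up versions."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    for rel, ver in [("log4j-core-1.2.3.jar", "1.2.3"), ("lib/log4j-core-9.9.9.jar", "9.9.9"),
                     ("lib/log4j-core-2.0.jar", None)]:  # last one: no manifest entry
        with zipfile.ZipFile(os.path.join(root, rel), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n" if ver else "")
    return root
```

Run `find_log4j_core("/path/to/deployments", min_safe)` against a real host; a copy shipped inside a container image or an application's own fat jar needs a scanner that also opens nested archives.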
European fines for Log4j
At this time, the FTC has yet to act upon its warning. Nevertheless, the fate of Equifax strengthens the message. Heads can roll. In Europe, the situation is different.
The Network and Information Security Directive (NIS) advises organizations in European member states to take measures against digital attacks, but no one is obliged to do so. Although picking up the pieces after a data breach can be extremely damaging, government fines are non-existent.
That is about to change. At the end of 2021, the European Commission agreed to a revision of the NIS. Member states are currently negotiating a proposal to fine European organizations two percent of annual turnover for negligent cybersecurity. Details may change, but the directive is coming.