FTC warning in the wake of Log4j: secure your software supply chain

Approximate reading time: 2.5 minutes

In a sharply worded warning released Tuesday, the Federal Trade Commission (FTC) cautioned companies that failing to protect against Log4Shell could prove costly. The announcement highlights a new requirement that every business must meet under the Federal Trade Commission Act (the “FTC Act”): taking reasonable steps to mitigate a known software vulnerability is now a legal obligation.

“[The FTC will] use its full legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or similar known vulnerabilities in the future.” (Source)

Under the FTC Act, companies are prohibited from engaging in “unfair or deceptive acts or practices in or affecting commerce” (Section 5(a) of the FTC Act, 15 U.S.C. §45(a)). An act or practice is “unfair” if it causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves, and that is not outweighed by countervailing benefits to consumers or to competition.

Precedent

After Equifax was breached, exposing the records of millions of consumers, the FTC sued the company and settled the complaint for $700 million. The basis of the claim was that Equifax knew about the Struts vulnerability, and its failure to promptly patch and protect its applications caused substantial harm to consumers. The settlement involved not only the FTC but also the Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states.

Yesterday’s FTC announcement was meant as a warning to every business: if a company fails to remediate the flaw by moving to a fixed version of Log4j and is breached as a result, the FTC (and possibly the CFPB and many states) can sue for damages on behalf of consumers.

While there are already plenty of …
