FTC, SEC raise legal risks surrounding the log4j flaw

The U.S. Federal Trade Commission also threatened possible legal action for companies that don’t address the risk from the Log4j vulnerabilities.

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also evoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability that irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

This article appeared in CSO Online. To read the rest of the article please visit here.



Equifax’s data breach disaster: Will it change executive attitudes…

Equifax’s 2017 breach will cost it billions in fines, customer restitution and mandated and voluntary security improvements. All organizations that profit from consumer data should take notice.

Equifax announced on Monday that it has agreed to a record-breaking settlement related to its massive 2017 data breach, which exposed the personal and financial records of more than 148 million people. The settlement requires the beleaguered credit ratings agency to spend at least $1.38 billion to resolve consumer claims against it. It creates a non-reversionary fund of $380.5 million to pay benefits to the class of consumers harmed by the breach, including cash compensation, credit monitoring, and help with identity restoration.

The settlement also requires Equifax to spend another $125 million for cash compensation and potentially much more if the number of class members who sign up for credit monitoring exceeds 7 million. The company will further pay $175 million in fines to settle investigations by state attorneys general and $100 million to resolve probes by the Consumer Financial Protection Bureau and the Federal Trade Commission (FTC).

Finally, Equifax must also spend $1 billion over the next five years to improve its data security. That’s on top of the $1.25 billion in security and tech investments Equifax said it has made since the breach occurred.

This article appeared in CSO Online. To read the rest of the article please visit here.


How Facebook’s privacy woes might change the rules of…

Following a string of data privacy and protection missteps, Facebook faces potential backlash from legislators and consumers that could affect all companies that process consumer data.

The past year has been a nightmare for Facebook, breaking a decade-long streak of seemingly boundless growth that placed the internet giant at the center of the social, political and commercial activities of billions of people around the globe. Facebook began its precipitous downhill turn in March when a whistleblower uncovered Facebook’s role in helping political consultancy Cambridge Analytica harvest and use the personal data of tens of millions of users without their permission.

The company was rocked by a scandal or controversy every month thereafter, not all of which were privacy related. Emerging from these scandals was a portrait of a company with a voracious appetite for monetizing users’ detailed data and sloppy management in protecting the privacy and security of that data. How the company and its regulators react to these events could have a lasting impact on how all companies manage and protect consumer data.

This article appeared in CSO Online. To read the rest of the article please visit here.