Federal Regulator Highlights Duty for Companies to Mitigate Cybersecurity Vulnerability

Failing to mitigate a known IT security vulnerability that exposes a company to a security breach could also trigger an enforcement action by the federal government, warned the Federal Trade Commission, or FTC, in a January 4, 2022 announcement. The FTC’s warning is keyed to the widespread impact of a vulnerability in a commonly used type of IT software, known as Log4j, that is found throughout systems in many companies, and which, when compromised, allows an attacker easy access to insert other exploits, such as ransomware. The FTC’s warning notes that a failure to take reasonable steps to mitigate known software vulnerabilities may implicate violations of laws including the Federal Trade Commission Act (“FTC Act”) and the Gramm Leach Bliley Act (“GLBA”). The FTC has sought to enforce these laws in various cybersecurity breaches, most notably a successful enforcement action against Equifax in 2017. The FTC’s announcement is indicative of a view among regulators, for example the Securities and Exchange Commission, that many companies are still not taking the risks posed by cybersecurity shortcomings seriously despite the business and operational threats that they face from cybercriminals.  
 

Duty to Mitigate?

The FTC highlighted two aspects of its enforcement authority that it believes are relevant when companies fail to reasonably mitigate known cybersecurity vulnerabilities. First, the FTC views the FTC Act, which generally prohibits companies from engaging in unfair and deceptive practices, as imposing a duty on companies that claim to offer data privacy safeguards, for example in their standard privacy policies, to actually do so. Notably, after the FTC took action against Equifax concerning these duties, Equifax paid $575 million to settle the lawsuit that the FTC and other agencies and states brought after the 2017 data breach. At the time of the incident, Equifax’s privacy policy stated that it limited access to consumers’ personal information and implemented “reasonable physical, technical and procedural safeguards” to protect consumer data. Claiming to implement reasonable cybersecurity safeguards and then failing to do so for known or recklessly disregarded vulnerabilities could implicate deceptive practice prohibitions under the FTC Act.  

Second, the FTC warns that a failure to mitigate might also implicate liability under the GLBA Safeguards Rule that applies to financial institutions. Under the GLBA Safeguards Rule, financial institutions are required to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information. Equifax, according to the FTC, failed to implement a policy to ensure that security vulnerabilities were patched, failed to segment Equifax’s database servers to block access to other parts of the network once one database was breached and failed to install robust intrusion protections for its legacy databases.  
 

How Might Companies Comply?

There is no doubt that for many companies addressing supply chain vulnerabilities in their IT and cybersecurity is a constant and difficult challenge. Having a program in place to identify, prioritize, and remediate such vulnerabilities is an essential component of a robust cybersecurity program. A vulnerability assessment program should ideally be integrated into a whole-of-company cyber program that allows scarce IT resources to be prioritized against the threats of most criticality. When faced with a serious issue such as that posed by the need to patch instances of the Log4j software, the FTC recommends considering the Cybersecurity and Infrastructure Security Agency (“CISA”) Apache Log4j Vulnerability Guidance, to include the following:
 

• Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html;
• Consult CISA guidance to mitigate this vulnerability;
• Ensure remedial steps are taken to ensure that your company’s practices do not violate the law, such as identifying and patching instances of this software in accordance with the FTC Act; and
• Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

Connect with Ice Miller Cybersecurity Attorneys for More Details

Ice Miller has extensive experience assisting companies to navigate and comply with federal cybersecurity laws and regulations, as well as conducting cybersecurity risk assessments and developing risk mitigation strategies. Our team includes Guillermo Christensen, managing partner of the firm’s Washington D.C. office and former CIA officer with decades of incident response including ransomware and nation-state attacks; Reena Bajowala (CIPT, CIPP/US, CIPM), a partner in Ice Miller’s Chicago office and practices within the Data Security and Privacy and Information and Software Disputes practices; Siddharth Bose, a former IT systems engineer and partner in Ice Miller’s Data Security and Privacy Practice; Christian Robertson, a former U.S. Air Force intelligence officer who advises clients on federal procurement cybersecurity laws and regulations; and Tiffany Kim, a Certified Information Privacy Professional and associate in Ice Miller’s Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.