March 21, 2023

Volume XIII, Number 80


March 20, 2023


FTC Warns Use of "Full Legal Authority" on Companies That Ignore Log4j Risk

The Federal Trade Commission (FTC) sent a strong message to organizations in the wake of the Log4j security vulnerability: patch now or face regulatory scrutiny and potential legal action.  

In the notice issued last week, the FTC acknowledged and emphasized that the Log4j vulnerability is being exploited by a growing set of attackers, which “risks a loss or breach of personal information, financial loss, and other irreversible harms.” The FTC made clear that, pursuant to federal laws such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, organizations have “a duty to take reasonable steps to mitigate known software vulnerabilities.” Finally, the FTC cited prior enforcement actions and stated that the agency will not hesitate to use its full legal authority “to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

The FTC isn’t the only regulator with Log4j on its radar: the Securities and Exchange Commission (SEC) issued a “spotlight” on the vulnerability stating that “CISA and its partners are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library.” The SEC has a demonstrated track record of bringing enforcement actions against public companies for deficient disclosure and controls related to cybersecurity risks and incidents, including instances where companies failed to remediate known vulnerabilities.

As Log4j continues to grow in use and impact, organizations that believe they or their vendors might utilize the Log4j software should immediately review the Log4j Vulnerability Guidance issued by CISA and determine whether any remediation is necessary. Organizations that have already taken remedial measures, or are in the process of doing so, should ensure that all remedial steps have been adequately documented in anticipation of questions from regulators or other stakeholders. To avoid regulatory scrutiny, organizations should also ensure they maintain information security policies and procedures that are in line with their legal obligations and reflect the evolving threat landscape.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact outside cybersecurity counsel.

© 2023 Bracewell LLP

National Law Review, Volume XII, Number 10

About this Author

Philip Bezanson, white collar criminal defense, securities, attorney, Bracewell
Managing Partner, Seattle

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

Brittney Justice Litigation Attorney Bracewell

Brittney Justice represents clients across a range of industries in litigation and government enforcement and investigations in federal and state courts. She provides advice on diverse matters, including securities litigation, complex commercial disputes, environmental claims and government investigations. 

Prior to joining Bracewell, Brittney was a legal intern with Texas’ First Court of Appeals.

Claire Cahoon Litigation Attorney Bracewell Law Firm

Claire Cahoon focuses her practice on complex commercial litigation and appeals. Prior to joining Bracewell, Claire served as a legal extern in the United States Attorney’s Office for the Northern District of Texas.


Southern Methodist University Dedman School of Law, J.D.

2020 - magna cum laude

University of Southern California, B.A.

2016 - magna cum laude


Spanish — proficient