Log4j Highlights Legal Obligations for Business Leaders

December 28, 2021 Advisory

Two weeks ago, we briefly discussed the potential legal implications of failing to respond to cyberattacks on supply chain technologies. At that time, Log4j, the critical vulnerability that was discovered in an application used in many software products, had been publicly disclosed for a few days.

The fallout since has been intense. Just as the destructiveness of the Log4j vulnerability has been well publicized – it was given “a severity score of 10 out of 10” by one cybersecurity analyst – so too has advice on how to respond. Task forces have been formed, vulnerability scanners have been released, and agencies have issued detailed guidance.

As to cybersecurity readiness, Log4j is just the latest of many incidents highlighting the importance of supply chain risk management and related legal obligations. Recent lawsuits against SolarWinds, Colonial Pipeline and ParkMobile have asserted that failing to patch vulnerabilities is evidence of negligence. 

In each of the above cases, the plaintiffs cited the Federal Trade Commission. In April the FTC issued detailed guidance on the role business leaders must play in cybersecurity, stating “[c]ontrary to popular belief, data security begins with the Board of Directors, not the IT Department.”     

Based on our involvement in hundreds of cybersecurity incidents, we have observed that business leaders and IT teams that work closely together give their organizations the best chance of avoiding litigation and regulatory investigations. In many of these situations, we collaborate with technical consultants just as business leaders do with their IT teams.     

Technical consultant Digital Silence, for example, is monitoring the Log4j vulnerability closely. It recommends that organizations focus on ensuring their security systems are configured to protect against it by:      

  • Ensuring that the security tools used within your organization have been patched and are running the latest revision from the vendor. You can find an active list of products and services and their current status at Tech Solvency.
  • Utilizing your vulnerability management and asset management processes to identify vulnerable hosts, endpoints and cloud services that may need updates. Leverage your emergency patching procedures, as the CVSS score for both Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046) is the highest at 10, which signals that immediate patching is required.
  • For organizations with internet-facing applications, ensuring that their Web Application Firewalls (WAFs) have been configured to detect and deny any potential Log4j attacks.
  • Validating that endpoint protection solutions such as Endpoint Detection and Response (EDR) and Managed EDR (MDR) are monitoring for Log4j attacks.
  • Leveraging your established incident response plans. While this vulnerability is critical and widespread, using your established policies and procedures can ensure a successful response to this crisis.

The above recommendations are separate from the legal recommendations we previously provided. We encourage business leaders and IT teams to continue to monitor trusted news outlets for technical information, including CISA and the SANS Internet Storm Center. We also encourage organizations that share personal information with service providers (or other vendors) to reach out to them to assess whether their service providers are likewise diligently responding to the risks associated with Log4j.

Given the litigation and regulatory investigations that have occurred this year, organizations that experience cybersecurity incidents as a result of the Log4j vulnerability may also find themselves having to defend against allegations of negligence. Following this guidance could enable organizations to be prepared for, and possibly preempt, such allegations.

