Log4j Highlights Legal Obligations for Business Leaders

December 28, 2021 Advisory

Two weeks ago, we briefly discussed the potential legal implications for failing to respond to cyberattacks on supply chain technologies. At that time, Log4j, the critical vulnerability that was discovered in an application used in many software products, had been publicly disclosed for a few days. 

The fallout since has been intense. Just as the destructiveness of the Log4j vulnerability has been well publicized – achieving “a severity score of 10 out of 10” by one cybersecurity analyst – so too has advice on how to respond. Task forces have been formed, vulnerability scanners have been released, and agencies have issued detailed guidance.

As to cybersecurity readiness, Log4j is just the latest of many incidents highlighting the importance of supply chain risk management and related legal obligations. Recent lawsuits against SolarWinds, Colonial Pipeline and ParkMobile have asserted that failing to patch vulnerabilities is evidence of negligence. 

In each of the above cases, the plaintiffs cited the Federal Trade Commission. In April the FTC issued detailed guidance on the role business leaders must play in cybersecurity, stating “[c]ontrary to popular belief, data security begins with the Board of Directors, not the IT Department.”     

Based on our involvement in hundreds of cybersecurity incidents, we have observed that business leaders and IT teams that work closely together give their organizations the best chance of avoiding litigation and regulatory investigations. In many of these situations, we collaborate with technical consultants just as business leaders do with their IT teams.     

Technical consultant Digital Silence, for example, is monitoring the Log4j vulnerability closely. It recommends that organizations focus on ensuring their security systems are configured to protect against it by:      

  • Ensuring that the security tools used within your organization have been patched and are running the latest revision from the vendor. You can find an active list of products and services and their current status at Tech Solvency
  • Utilizing your vulnerability management and asset management processes to identify vulnerable hosts, endpoints and cloud services that may need updates. Leverage your emergency patching procedures as the CVSS Score for both (CVE-2021-44228 and CVE-2021-45046) Log4j vulnerabilities is the highest at 10, which signals that immediate patching is required.
  • For organizations with internet-facing applications, ensuring that their Web Application Firewalls (WAFs) have been configured to detect and deny any potential Log4j attacks.
  • Validating that endpoint protection solutions such as Endpoint Detection and Response (EDR) and Managed EDR (MDR) are monitoring for Log4j attacks.
  • Leveraging your established incident response plans. While this vulnerability is critical and widespread, using your established policies and procedures can ensure a successful response to this crisis.

The above recommendations are separate from the legal recommendations we previously provided. We encourage business leaders and IT teams to continue to monitor trusted news outlets for technical information, including CISA and the SANS Internet Storm Center. We also encourage organizations that share personal information with service providers (or other vendors) to reach out to them to assess whether their service providers are likewise diligently responding to the risks associated with Log4j.

Given the litigation and regulatory investigations that have occurred this year, organizations that experience cybersecurity incidents as a result of the Log4j vulnerability may also find themselves having to defend against allegations of negligence. Following this guidance could enable organizations to be prepared for, and possibly preempt, such allegations.

Contact Us
  • Worldwide
  • Boston, MA
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Wilmington, DE
Worldwide
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
3770 Howard Hughes Parkway
Suite 200
Las Vegas, NV 89169
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
3250 Mary Street
Suite 102
Coconut Grove, FL 33133
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
201 South Main Street
Suite 750
Salt Lake City, UT 84111
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Wilmington, DE
300 Delaware Avenue
Suite 210
Wilmington, DE 19801
Google Maps
Wilmington, Delaware