Responding to the Log4j Cybersecurity Vulnerability

December 14, 2021 Advisory

Since last December, cybersecurity attacks on supply chain technologies that control and process personal and sensitive information for millions of corporations have intensified. Victims have included SolarWinds, Accellion, Microsoft and Kaseya, and tens of thousands of organizations that use their products and services.

Last Friday, a critical vulnerability was discovered in Log4j, a logging library used in a wide range of software products. Early indications are that the ramifications could be far-reaching, and IT teams at major software companies have been working feverishly to patch affected products.

What Happened?

On Saturday, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, issued a call to action about the Log4j vulnerability:

This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use. End users will be reliant on their vendors, and the vendor community must immediately identify, mitigate, and patch the wide array of products using this software.

Although the vulnerability was first publicly disclosed on Friday, attacks exploiting it started two weeks ago, according to Cisco and Cloudflare. Many technical explanations of the vulnerability have emerged, including analyses from the Swiss government and from Health-ISAC, a well-informed information sharing and analysis center for the health care industry.

What Does It Mean?

The Log4j exploit not only enables threat actors to remotely access corporate networks and obtain personal and sensitive information but, worse, lets them install back doors that preserve their access even after patches for the vulnerability have been deployed.

What Should Organizations Do?

CISA, Health-ISAC and the Apache Foundation have all issued guidance. From a legal standpoint, we have already seen numerous instances this year where technology companies have been sued for, essentially, “knowing better how to secure against such vulnerabilities and not.”

For example, a class action filed in Northern California against Accellion, a software company, alleges that Accellion breached numerous duties it owed to customers and users, including a fundamental duty of care:

1.  Businesses whose systems and products are designed and marketed for the purposes of storing and transferring sensitive, personally identifying information (“PII”) and personal medical information (“PMI”) owe a duty of reasonable care to the individuals to whom that data relates.

As noted throughout this year, despite the broad and seemingly unwieldy patchwork of laws, regulations and industry standards that have arisen to address cybersecurity, “common threads” have emerged that, if followed, can reduce legal exposure, including:

  • Written Information Security Programs (WISPs) that include patch and vendor management programs;
  • Risk Assessments (RA) performed periodically, and the request for risk assessment information from vendors and service providers; and
  • Incident Response Plans (IRPs) that address supply chain cybersecurity incidents.

Training employees and ensuring that vendors and service providers maintain an updated WISP, RA and IRP not only help organizations address technical risks but also support risk management and reduce legal exposure.
