Good day all, An example for our own Office of The Data Protection Commissioner (ODPC) of proactiveness or a heavy handed/aggressive approach? The FTC in their blog post threatened legal action and likened this turning into a situation like the #Equifax breach which resulted with the credit reference bureau paying out $700 million in fines. When vulnerabilities are discovered and exploited, it risks a loss or

breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action. According to the complaint in Equifax <https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related>, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission <https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement> , the Consumer Financial Protection Bureau <https://www.consumerfinance.gov/equifax-settlement/>, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.

https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-re...