A few weeks ago, many in the cybersecurity field started posting about the “log4j vulnerability.” According to CNBC, “Log4j” exists in open-source code and is widely used by many companies, including “Twitter, Amazon, Microsoft, Apple, IBM, Oracle, Cisco, [and] Google.”
In December 2021, stories emerged of a vulnerability that enables malicious actors to manipulate the code. Billions of people and their smart devices, as well as institutions, were at risk.
In fact, in an interview with CNBC, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, said that “the log4j vulnerability is the most serious vulnerability that I have seen in my decades-long career.”
Cyberattack Statistics for 2021
While the log4j issue was relatively unique due to its widespread usage, the discovery of vulnerabilities in existing code is hardly new. The 2016 SolarWinds attack and the 2021 Colonial Pipeline hack were both examples of software breaches.
In fact, Cybersecurity Ventures estimated that by the end of 2021, “every 11 seconds, an organization will [have been] hit with a ransomware attack.” These attacks not only endanger user data and privacy, but also come with a hefty price tag. According to IBM’s “Cost of a Data Breach Report 2021,” an average data breach in the U.S. costs $9.05 million.
What Makes a Company Vulnerable to Cyberattacks?
Many of these attacks exploit vulnerabilities that have existed for years, whether or not the companies running the affected software were aware of them. According to Verizon’s 2021 “Data Breach Investigations Report,” only 40% of vulnerabilities had been patched 75 days after the company discovered their existence. The cost of this inaction is high in every sense.
How the DOJ, SEC, & FTC Are Responding to Cyberattack Vulnerabilities
Consequently, government agencies have begun an increasing push to regulate companies and their software.
In October last year, the Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative and announced that the agency would use the False Claims Act to prosecute government contractors who were violating cybersecurity standards.
The Securities and Exchange Commission (SEC) also has its own program to target public companies violating cybersecurity regulations. In 2018, the agency issued the Commission Statement and Guidance on Public Company Cybersecurity Disclosures. In its guidance, the Commission states that it “believe[s] it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion…”
More recently, in August 2021, the Commission acted against eight firms for cybersecurity failures that resulted in breaches of private customer data. Two months later, SEC Chairman Gary Gensler tweeted that “The issue of cybersecurity is at the heart of investor protection.” The trend is clear.
The Federal Trade Commission (FTC) uses a broad mandate in the FTC Act to go after companies that violate user privacy. Section 5(a) of the FTC Act states that “… unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”
Recently, on December 22, 2021, the FTC required the company Ascension Data & Analytics to “implement a comprehensive data security program.” The order was a response to the FTC’s allegations that “the firm failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders.”
Both the SEC and FTC also enforce Regulation S-P (commonly known as the Safeguards Rule) of the 1999 Gramm-Leach-Bliley Act. The regulation requires brokers and investment advisors to safeguard user data. Title V of the Act requires several federal agencies—including the SEC, the FTC, and the OCC—to “establish appropriate standards for financial institutions subject to their jurisdiction to safeguard customer information and records.”
What Does This All Mean?
All of this is to say that several government agencies are working to ensure that government contractors, public companies, and financial institutions all comply with cybersecurity standards. Yet, considering the sheer volume of attacks as well as our trajectory towards further digitalization, government enforcement is increasingly difficult. For example, nearly a month after the “log4j” vulnerability was discovered, the FTC is still warning companies to patch the bug.
Correspondingly, whistleblowers can play a unique role in helping government agencies. By filling knowledge gaps and providing an insider’s perspective, whistleblowers can shed light on the information security field. In doing so, whistleblowers can both help the U.S. hold companies to cyber safety standards and ensure that data privacy remains protected.
Consult with a Seasoned Whistleblower Attorney Today
Our highly skilled attorneys at Sanford Heisler Sharp are experienced in representing whistleblowers. Our award-winning law firm has represented whistleblowers across a wide range of industries and recovered billions of dollars for the U.S. Government and a number of state governments under a variety of statutes and programs.