
UK firms could face government fines if they fail to patch the Log4j computer vulnerability, even if they haven’t had data breaches, authorities have confirmed to New Ӱԭ.
A security flaw discovered in December 2021 in a piece of software called Log4j saw a global rush to patch the code and prevent hackers accessing private data. The software is used by millions of web servers, and while many have now been patched there will be others that weren’t, because it requires IT departments to proactively update their systems.
In the US, the Federal Trade Commission has that it intends to “use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j”.
Advertisement
UK authorities haven’t made a comparable announcement, but at UK law firm decoded.legal says that the Information Commissioner’s Office (ICO) or communications regulator Ofcom could theoretically step in and fine companies for failing to take adequate precautions, even if no data breach has occurred. Neither have done this in the past, but they have the legal powers to do so, says Brown. “While patching is likely to be good practice, it is unlikely that Ofcom would issue a fine for a breach of the requirements without an actual compromise,” he says.
An Ofcom spokesperson confirmed to New Ӱԭ that current legislation requires companies to take measures to manage security risks, including software vulnerabilities such as Log4J. “We have been in touch with the UK’s major providers to ensure they are aware of this particular vulnerability,” they said. The ICO didn’t respond to a question about whether it planned to take proactive steps, but said that it does have enforcement powers where personal data breaches have occurred.
at the University of Surrey, UK, says there are still computer systems at risk from previous high-profile vulnerabilities, like 2014’s Heartbleed bug, even years after their discovery, and the same will probably be true for Log4j. He believes there will have been data breaches already as a result of Log4j, but that time will tell if any occurred on a large scale or if there are still vulnerable systems being attacked.
“Everybody’s sitting there holding their breath thinking ‘has anything happened?’. Somebody could have walked off with entire databases, and at the moment we don’t know,” says Woodward. “Does there come a point where the authorities probably have to be more proactive? It’s really only the government authorities that are going to be able to light a big enough fire under people sitting in that long tail to actually do something.”