The FTC jumps into Log4j cleanup with one foot

If it is to encourage remediation for the Log4j problem, then the FTC’s other shoe, I argue, is in its mouth. The FTC has posted what could only be called a regulatory blog posting, reminding people of Equifax’s $700m in fines and warning that it will use all its legal power to sue companies that fail to take reasonable steps to protect consumer data. Tatyana Bolton, the FTC’s spokesperson, defends it from any accusation of being too heavy-handed. She argues that this is the most efficient way to get companies to make repairs quickly and that “reasonable” steps are necessary. We’ll likely hear the phrase “we only requested reasonable steps” quite often from the FTC now that we know that Log4j will require more than regulatory muscle-flexing to fix. Also, I argue that the FTC’s hard-guy posture is exactly that, a posture. When talking about open source maintainers that actually need to create many patches, the FTC does not threaten them with “full legal power.” It acknowledges the fact that not all open-source coders have the right resources or personnel, something that the FTC will consider “as we address the root causes that threaten user security.” Maybe Equifax could have pleaded insufficient resources to save $700 million.

Glenn Gerstell, a fallible regulator, gives us a tour through China’s regulatory environment for tech and shows the dramatic decline in fortunes of Chinese tech companies. This was something that the NYT detailed last week. Is this good news or bad for Silicon Valley? Unfortunately, it is not likely, I conclude.

Mark MacCarthy describes why Signal supporters fear a combination of cryptocurrency and Signal. He explains the reasons Signal’s backers are so upset about the proposal.

Glenn reports on the most recent story regarding security threats and telecom equipment from China.

Mark and I explore the growing interest in regulating large Silicon Valley companies to act as gatekeepers. That approach will be applied to Google by the Germans. South Korea is doing the exact same thing to Apple, its payment policies and its app store.

Tatyana takes note of the media coverage regarding possible tensions between Anne Neuberger (White House cybersecurity officer) and Chris Inglis (White House cybersecurity official). Glenn claimed Anne has “a special tendency to clash with lawyers”. I put Glenn in the spotlight. This would make her even more special, but Glenn (NSA’s best lawyer) has absolved Anne.

Mark and I both handicap the possibility that the plaintiff will succeed in a high-profile lawsuit against Facebook/Meta. The suit is for the formation of the boogaloo conspirators responsible for the death of a federal protective officer. Although it’s unlikely, Signal could be subject to a much greater threat if its “negligent” design creates liability for software or algorithms.

Glenn describes China’s charges against Walmart over breaches of cybersecurity laws. Hint: they are not. Glenn also covers the Lloyd’s of London announcement that their cyber insurance will not cover cyber-attacks attributed to nation-states.

Last but not least, I want to vent about the expanding charges against Joe Sullivan, Uber’s former CISO, for his role in paying bug bounties to hackers who looked like crooks rather than bounty hunters after they compromised a number of Uber records. Justice brought new wire fraud charges against Sullivan, more or less for the exact same act, after Sullivan was accused of obstruction of justice. Glenn and I both doubt that this was done without new evidence to support the charges. We also highlight the logical consequences of telling breach respondents that they may face wire fraud charges for failing to disclose a breach or delaying notice too much. This new Justice approach will be fatal for the FBI’s willingness to help and monitor companies as they deal with breaches. If there’s even a small risk that a decision to delay or withhold notice could lead to a criminal investigation, why would any GC want to have an FBI agent sitting in the room while the decision is being made?

Get the 389th Episode as an MP3

You can subscribe to The Cyberlaw Podcast via iTunes, Google Play, Spotify and Pocket Casts. The Cyberlaw Podcast invites your feedback. Engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. You will receive a Cyberlaw Podcast mug if you suggest a guest!

These podcasts reflect the views of the speakers and not those of their clients, institutions, friends, family, pets, or colleagues.