A flaw in widely used software threatens system security and leaves companies exposed to cyber threats. The Apache Software Foundation released an advisory that Apache Log4j versions up to and including 2.14.1 have a defect that may allow threat actors to execute arbitrary code and deploy malicious software, including ransomware, on the affected IT infrastructure. Entities that directly or indirectly rely on this software should act quickly to reduce the risk of a data incident. These events also give companies an opportunity to examine their internal incident response preparedness and to review the allocation of responsibilities in their vendor agreements.

Log4j is open source software. It is most frequently used to collect information across corporate computer networks, websites and applications. The software is a logging utility widely used by applications and cloud services. For many years, relevant versions of Log4j have been distributed directly to users and developers, as well as to entities that have built it into their own product or service offerings. This makes it difficult to measure the breadth of the vulnerability. GitHub is, however, providing a regularly updated list of technology suppliers that use Log4j, which you can use to identify any of your vendors that may be affected. Recent reporting indicates that many malicious actors, including those linked to China, Iran, North Korea and Turkey, are already looking to exploit Log4j.

Entities would be well-served by testing the operability of breach response policies. In the event of a data security incident, such as a ransomware attack, you will want to have internal and external resources in place to effectively combat the threat and communicate with customers, the media, or other stakeholders. Companies can conduct table-top exercises to evaluate the efficacy of the existing processes and make adjustments where necessary.

Entities that are not directly using Log4j may still be affected, as many technology vendors have incorporated this software into their service offerings. Given this possibility, companies should assess their vendor contracts and understand the allocation of responsibility between the parties with respect to data security incidents. In particular, identify who would bear the cost of regulatory and customer notices, enforcement actions, credit monitoring services, third-party claims, and legal support.

Companies should consider communicating with their technology service providers to ensure the safety of their digital assets. One option is to submit inquiries to those providers to understand the risk to the vendor's IT systems and the steps that could be taken to mitigate that risk.

To assist in this inquiry, we are providing a sample list of cybersecurity questions for your technology service providers:

  • Do you currently use, or have you used, the Apache Log4j open source software within your environment?
    • If yes, have you upgraded to Log4j 2.16.0?
      • If you have not upgraded to Log4j 2.16.0, do you intend to do so? If so, is there a timeline for this upgrade?
  • Have you been formally notified of a potential impact to your systems in connection with the recently identified software vulnerability? If yes, please provide whatever details are currently available.
  • Have you evaluated the Cybersecurity and Infrastructure Security Agency guidance and/or the Apache Software Foundation statements on this matter? If so, what changes have you made to your IT systems as a result?
  • Have you conducted an assessment of your IT systems to identify any irregularities associated with this software vulnerability?
  • Do you have any evidence to suspect that your network may have been compromised through the Log4j vulnerability?
  • Have you checked with all subcontractors that have access to your network (e.g., HVAC, anti-malware provider, vulnerability scanning provider, cloud providers) to confirm that they have evaluated their own internal networks and verified they were not compromised through the Log4j vulnerability?

As additional information about this cyber crisis comes to light, it is important that all companies take appropriate action now to mitigate the potential harm to which their organizations may be exposed. If you have any questions about this or any other privacy or data security law development, please do not hesitate to reach out to one of the authors listed below.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Stephen Reynolds frequently advises clients on complex matters involving data privacy and security laws and serves on the board of directors of the International Association of Privacy Professionals (IAPP). Stephen's expertise adds value to organizations by mitigating cyber threats through proactive preventative measures and by navigating complex litigation on behalf of clients in data privacy and security. He is uniquely able to draw on, and routinely uses, his computer background in cases involving data privacy and security, electronic discovery, social media discovery, and computer forensics.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.