Log4Shell vulnerability in the Java log4j library: Actions required to be taken by companies

16.12.2021

A vulnerability has been disclosed in the widely used Java logging library Log4j which the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – “BSI”) rates as extremely critical and which now goes by the name Log4Shell (CVE-2021-44228). The flaw allows unauthenticated remote code execution as soon as an attacker-controlled string is written to a log by a vulnerable Log4j version, which is why exposed systems must be treated as at risk even where no attack has yet been observed. Information on the technical background and potential measures is regularly updated and made available by the BSI.

The focus of (potentially) affected companies will currently be on identifying relevant systems and components and taking appropriate action as quickly as possible. Companies are usually also required to do so by law (see, for example, Article 32 GDPR, Section 8a(1) and Section 8c(1) of the German Act regarding the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – “BSIG”), Section 19(4) of the German Act on the protection of data and privacy in telecommunications and telemedia (Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien – “TTDSG”) and Section 165 of the German Telecommunications Act (Telekommunikationsgesetz – “TKG” [new version])).

There may also be contractual claims, such as claims against software suppliers and manufacturers to provide patches under warranty or software maintenance agreements.

If technical investigations later reveal that attackers actually succeeded in exploiting the Log4Shell vulnerability, the following notification obligations may apply:

    • Controllers and processors as defined in the General Data Protection Regulation (GDPR): Personal data breaches resulting from security vulnerabilities can require prompt notification to data protection supervisory authorities (Article 33 GDPR, where feasible within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk, communication to the data subjects (Article 34 GDPR). Processors have to report data breaches to the controller without undue delay.

    • Critical infrastructure operators: Operators of critical infrastructure have to report incidents to the BSI in the cases listed in Section 8b(4) BSIG. The obligation is already triggered where a significant disruption could lead to a failure or an impairment of the critical infrastructure; an actual failure or impairment is not required, the mere possibility is sufficient.

    • Digital services providers (in particular online marketplaces, online search engines and cloud computing services): Digital services providers may also be required to notify the BSI if a security incident has a substantial impact (Section 8c(3) BSIG). Whether an incident has a substantial impact is assessed against the criteria of the relevant Commission Implementing Regulation (Implementing Regulation (EU) 2018/151).

    • Companies of particular public interest: Companies of particular public interest, a category only recently introduced by the revised BSIG (Unternehmen im besonderen öffentlichen Interesse – “UBI”), can also be required to notify the BSI (Section 8f(7) and (8) BSIG). While no regulation has yet determined the precise threshold above which a company counts as one of the largest companies in Germany (for the definition of UBI, see Section 2(14) BSIG), the Act already contains three UBI categories, two of which have already been defined (see BSI FAQ).

    • Operators of public telecommunications networks and providers of publicly accessible telecommunications services: Finally, these operators and providers are also required to notify the Bundesnetzagentur (German Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway) pursuant to Section 168 TKG if a security incident has a considerable impact on the operation of the network or the provision of the services.

More information on how to handle cyberattacks can be found on the webpage of Noerr's Cyber Risk Team.
