The Importance of Patch Updates and Validation

Centre Law & Consulting
GovCon Legal Alerts

By: Brandon Graves, Partner, Centre Law & Consulting



Today, Microsoft released patches for 44 security vulnerabilities in Windows and related products.  According to Microsoft, at least one of these vulnerabilities is being actively exploited.  Organizations that use Microsoft products should patch their software as soon as possible.

The release of software patches, even ones patching actively exploited vulnerabilities, is, unfortunately, not news.  But we wanted to take this opportunity to remind our clients about some legal issues related to patching.

Failing to Patch Creates Liability

Updating software is essential to running a modern business.  In the past, there was at least some room to debate particular patches, because a patch could break legacy software or cause other disruptions.  Patch testing and validation are still a critical part of software updates, but there is now very little tolerance for unpatched software.  The Equifax data breach is an excellent case study.

On March 8, 2017, the United States Computer Emergency Readiness Team (US-CERT) issued an alert about a newly discovered vulnerability in software that Equifax used to manage its web applications.  The next day, Equifax’s computer security team sent an email to 400 employees directing them to update their software within 48 hours in accordance with Equifax’s Patch Management Policy.

The next week, Equifax ran an automated vulnerability scan of its network to confirm that all the relevant software had been patched.  Unfortunately, the scanner was not configured correctly and never examined one web application, the ACIS Dispute Portal.  A scan cannot report a problem on a system it does not cover, so the scan did not flag the portal, and it remained unpatched for more than four months.

During these four months, attackers exploited the vulnerability (as well as some other security issues) and stole an enormous amount of personal information, including 145.5 million Social Security Numbers.

Ultimately, Equifax agreed to pay between $575 million and $700 million in a settlement with the FTC, the CFPB, and 50 U.S. states and territories.  It remains subject to additional litigation, as well as significant harm to its reputation.  Due to its privileged status as one of three nationwide consumer reporting agencies, Equifax will survive.  Organizations that do not have such a privileged position may not survive such a widespread security failure.

There are a number of lessons we can draw from Equifax’s experience.  First, an unpatched security vulnerability creates almost strict liability.  Second, organizations must have systems in place to patch vulnerabilities, including policies, patch testing, and vulnerability scanners.  And finally, organizations must audit these systems regularly to ensure that they are patching their software appropriately; in particular, a scanner’s coverage must be checked against the organization’s own inventory of systems, because a scan that never looks at a system says nothing about whether that system is patched.
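As an added example (not part of the original alert, and not Equifax’s or any vendor’s tooling), the following Python script shows the kind of coverage audit the last lesson calls for: it reconciles a scanner’s configured scope and its results against the asset inventory, so that an asset the scanner never looked at is flagged rather than silently treated as clean. The hostnames, addresses, network ranges, installed versions and the fixed-version threshold are all constructed for the example.

```python
"""
Added example: audit vulnerability-scanner coverage against an asset inventory.

The inventory, not the scanner, is the source of truth for what must be
scanned.  Three questions are asked of every inventoried asset:
  1. Is its address inside the scanner's configured scope at all?
  2. If so, did the scanner actually reach it in the last run?
  3. Independently of the scanner, is the installed version at or above
     the fixed version for the advisory being tracked?
All data below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical fixed version for the advisory being tracked: anything below
# this is treated as unpatched.
FIXED_VERSION = "2.3.32"


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    version: str  # installed version of the affected component


def parse_version(text):
    """'2.3.32' -> (2, 3, 32), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    return parse_version(installed) >= parse_version(fixed)


def in_scope(ip, scope):
    """True if ip falls inside any CIDR range the scanner is configured for."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def audit(inventory, scan_scope, scan_results, fixed=FIXED_VERSION):
    """Return a sorted list of (asset name, finding) pairs.

    scan_scope   -- CIDR ranges the scanner is configured to cover
    scan_results -- mapping of host IP -> list of findings for hosts the
                    scanner actually reached (a host absent from this map
                    was not scanned, whatever the scope says)
    """
    findings = set()
    for asset in inventory:
        if not in_scope(asset.ip, scan_scope):
            findings.add((asset.name, "NOT_IN_SCAN_SCOPE"))
        elif asset.ip not in scan_results:
            findings.add((asset.name, "IN_SCOPE_BUT_NOT_SCANNED"))
        if not is_patched(asset.version, fixed):
            findings.add((asset.name, "UNPATCHED"))
    return sorted(findings)


# Constructed inventory: four web applications, one of which (dispute-portal)
# lives on a network the scanner was never told about.
INVENTORY = [
    Asset("public-site", "10.1.0.10", "2.3.32"),
    Asset("partner-api", "10.1.0.20", "2.3.31"),
    Asset("hr-intranet", "10.1.0.30", "2.3.32"),
    Asset("dispute-portal", "10.2.0.15", "2.3.30"),
]

# Constructed scanner configuration and last-run results: only 10.1.0.0/24 is
# in scope, and hr-intranet was down during the run, so it has no entry.
SCAN_SCOPE = ["10.1.0.0/24"]
SCAN_RESULTS = {
    "10.1.0.10": [],
    "10.1.0.20": ["component below fixed version"],
}


def run_audit():
    return audit(INVENTORY, SCAN_SCOPE, SCAN_RESULTS)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name:15s} {finding}")
```

Run as a script, the audit reports dispute-portal both as outside the scan scope and as unpatched, hr-intranet as in scope but not reached, and partner-api as unpatched; a report built only from the scanner’s own findings would have mentioned partner-api alone. The point is that "no findings" is only meaningful for hosts the scanner actually covered, so the audit starts from the inventory and treats a gap in coverage as a finding in its own right.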

Outdated Software Should Be Removed

Software has a lifecycle, and at some point, that lifecycle ends.  Software that has reached its End of Life (EOL) must be replaced or otherwise protected.  All software has vulnerabilities, and people will continue to discover those vulnerabilities even after software has reached EOL.  What changes at EOL is that the software vendor no longer patches those vulnerabilities.

Some legal regimes, such as HIPAA, explicitly address EOL software.  But even if an organization isn’t subject to one of those regimes, EOL software is unpatched software and creates the same risks that we saw in the Equifax case study.

There are ways to protect EOL software, especially where an organization relies on proprietary software with little in the way of commercial replacement: isolating it from the rest of the network, restricting which users and systems can reach it, and monitoring it closely for signs of compromise.  If an organization decides to keep using EOL software, it must take those steps deliberately and understand the risks involved.


Microsoft’s recent software update release is an excellent opportunity to validate existing patch management and software update programs.  A program failure in these areas can create significant legal liability for companies, and the opportunities for failure abound.

If you have any questions about software patching, legal liability, or any related questions, please contact our cybersecurity legal experts at the link below.




The post The Importance of Patch Updates and Validation appeared first on Centre Law & Consulting.



