The legal and regulatory considerations of the Heartbleed bug

As everyone knows, there has been a bunch of chatter on the Heartbleed bug. The vast majority has been focused on identification and remediation. While both are important, the folks over at information lawgroup (http://www.infolawgroup.com) posted some things to consider from a legal perspective. Here’s the link (FAQs Concerning the Legal Implications of the Heartbleed Vulnerability – http://bit.ly/1hF0Dcr). It is a little repetitive, but still informative.

They talk a bit about breach laws and HIPAA, with the main takeaway being that mere exposure to the bug doesn’t trigger any legal action per se. Like anything, failure to react and remediate could lead to some form of negligence and ultimately legal exposure.

The bank regulators also chimed in. The FFIEC published some guidance on the Heartbleed matter recently (http://www.ffiec.gov/press/PDF/OpenSSLAlert041014.pdf). The guidance reminds institutions not only to patch their own systems, but also to check with outsourced providers to make sure that they have taken appropriate action. Banks should ask for and document this verification from providers so that it can be shown to regulators during the next exam cycle.