SMBs often trust their managed services providers to protect their privacy and sensitive data. In the current threat landscape, however, breaches will occur, resulting in potential legal implications. MSPs have a better chance of shielding themselves from debilitating expenses and extended litigation if they follow some best practices.
Don’t Over Promise
Too often, MSPs commit to providing services they don’t have the resources to provide, observed Blair Dawson, member of Chicago-based law firm McDonald Hopkins LLC.
While this tendency may stem from good intentions — the firm wants to please its customers — it’s not a good practice, Dawson said. “If you have things like patching [or backup] schedules in the agreement and you don’t follow through with them, that can get you in a lot of trouble.”
Dawson also counsels her clients against committing to unrealistic notification deadlines.
For example, some customers may demand notification of an incident the moment the MSP suspects that a breach occurred, which isn’t realistic, she explained.
“It’s hard to comply with that, and also it could expose you to having to work with your client through an incident that turns out to not be an incident.”
Involve Your Insurance Carrier
Bradley Gross, president of the Law Offices of Bradley Gross PA in Weston, FL, urged MSPs to contact their insurance providers soon after a suspected breach occurs.
This may not result in the services provider making a claim, but it lays the groundwork for them to do so, if necessary, Gross said. “Notification is usually the first step, and it is a non-delegable prerequisite to filing a claim later.”
Determine Liability
An MSP is liable to its customers if it has done or failed to do something that led to a breach, Gross said. For example, the MSP may have neglected to apply a security protocol listed in its master service agreement (MSA).
That said, if the MSP lived up to its contractual commitments and standard industry practices, it likely won’t be held responsible, Gross said. “Breaches happen even in the best practice scenario, so not all of them result in liability.”
For MSPs that outsource security services to SOCs, Gross highlighted the importance of differentiating between services directly provided by the MSP and those it resells. This protects the MSP from being liable if its SOC experiences a breach.
“Make it very clear in contracts that there are services we provide, and then some we facilitate,” Gross emphasized.
Calculating Damages
If an MSP is to blame for a breach, it is exposed to two main categories of damages:
- Actual damages, those that result from the incident, such as mediation expenses, forensic investigation, and breach notification costs
- Consequential or indirect damages, such as a client experiencing profit loss
MSPs may protect themselves from having to pay out consequential damages by waiving them in their MSAs, Gross noted. “That is something every MSP should be doing.”
Set Clear Expectations
Customers, too, share responsibility in following security best practices, and Gross advises MSPs to spell this out in their documentation.
“It’s important for MSPs to allocate responsibility between what the MSP will handle from a security perspective, and what the customer will handle,” he said.
For example, if the client circumvented a security protocol implemented by the MSP, the latter shouldn’t be held responsible for a breach, he said.
“Allocations of responsibilities should be very clear. [That way], responsibilities are laid out so there is no question about who did what, or who should be doing what, at any given moment.”