IT and Business Insights for SMB Solution Providers

New State Data Breach Laws Open Doors for MSPs

New York legislation poised to spread nationwide. By Art Gross

The Equifax hack of September 2017 not only exposed more than a third of U.S. adults to potential identity theft, it also pushed state legislatures to propose a host of new laws designed to tighten data security in the financial services industry.

For millions of concerned consumers, this clampdown sounds like good news—and if MSPs listen closely, they’ll hear it that way too. That’s because MSPs are uniquely qualified to position themselves as trusted security advisers who can help clients navigate the ever-shifting terrain of cyberspace—and the changing legislative landscape as well.

While the American Bankers Association estimates that at least half of all states will consider tougher data breach legislation in 2018, a pending bill in New York may have the greatest impact on future regulations. Because the Empire State is home base for many major financial institutions, what happens in New York may not stay in New York, and its legislation could become the model for other states or even federal laws.

The New York bill—the Stop Hacks and Improve Data Security Act (SHIELD Act)—expands the state’s current breach notification law to apply to anyone holding private information of New Yorkers, not just those who “conduct business” in the state. In other words, the SHIELD Act would require any company handling sensitive customer information to put security measures in place. Banks, insurance providers, brokerages, credit reporting agencies, and other firms will need to provide “clear examples of safeguards” to secure private information including technical, administrative, and physical measures.

Three Pillars of Protection

How can MSPs provide the security safeguard examples that may be required by the proposed law in New York and possibly other states?

Simple. They can offer clients three services that are the basic pillars of a robust data security protection plan: Conduct security risk assessments (SRAs), document breach prevention policies and procedures, and train employees to protect sensitive information.

These three methods for preventing breaches can be bundled with the other baseline security services that most MSPs already provide their clients, such as anti-virus protection, firewalls, and system patching. Offering this expanded package of services enables MSPs to go beyond a standard sales pitch for one particular security product. It opens the door to a broader discussion of practical strategies clients can use to protect themselves from the damages that cybercriminals can inflict on the company’s bottom line and reputation.

Fortunately, it is not difficult for MSPs to add these expanded services to their repertoire.

Conduct security risk assessments

MSPs can help clients identify gaps in their security measures by guiding them through the process of conducting an SRA. Used for many years in the healthcare field for HIPAA compliance, an SRA begins with a basic inventory of where sensitive data is stored, accessed, or transmitted—including texts, emails, and mobile devices.

As part of this evaluation, clients also need to gauge common or likely security threats, ranging from a full-blown ransomware attack to the simple theft of a laptop that could leave a company vulnerable to breaches. Once security gaps are identified, MSPs can make recommendations for closing them. Basic SRA checklists can be found online, while more detailed SRA tools are available to MSPs through white-label services from data security companies.

Document breach prevention policies and procedures

One aspect of protecting data is to make sure it does not walk out the door when an employee leaves the company. To prevent that problem, companies must document the policies and procedures that affect overall network security as well as employee computer use on-site and off—including what happens during a termination. MSPs can raise the issue of policies and procedures to make clients aware of the need for them.

Train employees to protect sensitive information

Of all the steps a company can take to prevent data breaches, employee training may be one of the most important, because 95 percent of data breaches are caused by human error. Employees need to be trained to identify phishing scams and suspicious links before they click on them and inadvertently allow hackers into their company’s computer system.

They also need to know about tactics for securing mobile devices and responding to breaches, should they happen. MSPs can spearhead employee training initiatives by using online programs with their clients. MSPs also need to inform their clients that just as security training has been mandatory for employees in the healthcare field, so too is it likely to be required by the pending cybersecurity laws that will affect the financial services industry.

By alerting their clients to the new cybersecurity legislation on the horizon and expanding the data protection strategies they offer, MSPs will enhance their value to clients. And they will differentiate themselves as trustworthy consultants who care about protecting companies and consumers from the dangers of cybercriminals.

Art Gross founded and is the CEO of HIPAA Secure Now! and Breach Secure Now! Both companies provide data breach prevention services for medical practices, and small and medium enterprises, respectively. Breach Secure Now! services are sold through managed service providers under their own label. He can be reached at

ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.