Here’s my proclamation: Your MSP is in the cybersecurity business.
If you read that and said to yourself, “We don’t offer cybersecurity services,” or “Our clients use another company to provide cybersecurity services,” then you need to read my proclamation again, out loud, until either it sinks into your head or you pass out from exhaustion. After that, if you’re conscious and still don’t agree with me, then call your attorney and pay her a retainer fee—at least that way you’ll be able to hit the ground running when the lawsuits start to roll in.
Listen, clients are entrusting their data to you. In doing so, they expect your MSP to follow certain unwritten, but industry-recognized, commandments relating to security. I call them The Three Gross Commandments of Cybersecurity. (Hey, it’s my name and my article, so I’m calling them that. You can call them whatever you want, but since I represent more than 100 MSPs nationwide, I think you should pay attention regardless of what I call them.)
Commandment 1: Thou shalt protect and preserve thy client’s data, even if your agreement doesn’t require it. There is no conceivable scenario in which a client would entrust its data to your company without having a reasonable expectation that your company will protect that data from unauthorized access or unwanted disclosure. If you fail to protect your client’s data, then your company will almost certainly be in breach of an “implied duty of care.” Now take a moment and do a Google search for “implied duty of care.” (Don’t worry, I’ll wait.) Got it now? Do you understand that expensive litigation awaits your company if it breaches an “implied duty of care”?
Now, I know what you’re thinking. You’re thinking that your company is safe because its service agreement requires all clients to waive negligence claims. Well, stop thinking that way—because you’re wrong.
Security is fast becoming a non-delegable duty—meaning you can’t shift the blame for a security failure elsewhere, and your clients won’t waive their rights to sue your company unless your company’s agreement is very specifically written to comport with the latest case law in this area. Not-So-Gentle Reminder: Have your service agreement reviewed to make sure it can be enforced under current laws.
Commandment 2: Thou shalt have a written incident response plan. Your MSP might employ best-in-class physical and virtual security defenses, but here’s a dirty little secret: Your defenses can be penetrated. You know it. I know it. Hackers know it. You know who else knows it? The government. For that reason, 48 states (as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have all enacted laws requiring your MSP to notify individuals of security breaches of information involving personally identifiable information.
You need to be able to quickly and properly follow the law in the event of a security breach. Right now, the odds are good that you can’t comply with applicable law—and I’ll prove it to you. Answer the following questions, and if any of your answers are, “I don’t know” or “no,” then you’re neither ready nor able to comply with the law:
- Where is your incident response plan? (Do you even have one?)
- How often are your company’s security defenses tested?
- How is a breach detected, and who is alerted when a breach occurs?
- Who in your company is specifically designated to investigate a suspected breach?
- Which employees in your company are members of your company’s Computer Emergency Response Team (or “CERT”)? Do you even have a CERT?
- When must you notify the authorities of a breach? (On the flip side, when do you not have to notify authorities?)
- When should you notify customers of a suspected or actual breach? (On the flip side, when do you not have to notify your customers?)
To be clear: You can have the best security system in the world, but if you don’t have a written plan to follow after a security breach, then you won’t respond to the incident properly and you’ll likely violate applicable laws. You’ll also be in breach of an implied duty of care—you remember that term, and the liability attached to it, don’t you?
Here’s the deal: Get counsel to help draft your company’s incident response plan, and make sure it remains both updated and enforced. By investing in a plan today, you will (literally) save your company hundreds of thousands of dollars later.
Commandment 3: Thou shalt not remain silent about cybersecurity. Hackers, ransomware, and malware are a fact of life. Do not ignore that fact in your MSP’s service agreement; instead, embrace the concept and deal with it in your company’s agreements. Your customers must be told that there are “known knowns” and “known unknowns” when it comes to cybersecurity. Your company’s service agreement also needs to properly allocate the financial risk of a security breach between your customer and your company.
If you listen to me and follow all of my commandments, you’ll greatly minimize the liability to which your company is exposed. If you don’t listen to me, then your company is, and will continue to be, exposed to potentially devastating liability.
If I were you, I’d listen.