JUST BECAUSE A CUSTOMER followed all the security advice you gave them doesn’t mean they won’t get breached. And just because the advice you provided was good doesn’t mean a breached customer won’t sue you.
“Anyone can sue anybody for anything,” notes Bradley Gross, a Weston, Fla.-based attorney who specializes in business technology law. “The question isn’t, are we going to get sued? The question is, are we going to be liable?”
Followed closely by, how bad could the damage be? “If the impact is high enough, you’re going to lose everything you own,” says Mike Semel, CEO of compliance advisory firm Semel Consulting.
That makes minimizing the risk of security-related lawsuits a task no channel pro can afford to ignore. Here are some ways experts recommend going about it.
1: Get It in Writing
It should go without saying, but recommendation No. 1 is to have a contract in place with every client you serve. As hard as it is to believe, Gross says, some MSPs do business without a master services agreement.
Others make the equally dangerous mistake of negotiating the contents of their MSA, adds Semel, who uses the same document with everyone and defines anything specific to a particular customer in a separate contract he calls an engagement letter.
“You don’t have to keep rewriting your terms and conditions, because those are set in stone,” Semel observes.
Included among those terms should be language that shields you from errors and omissions by third parties, like SaaS vendors. “The MSP is merely facilitating that service,” Gross notes. “They don’t have any control over that upstream provider.”
They can’t control what their customers do either, so Semel’s engagement letters always explicitly define who’s on the hook for what regarding security. “It literally shows your responsibilities with a whole bunch of bullets below it and then our responsibilities with a whole bunch of bullets below it,” he says. That way it’s crystal clear to all parties that deploying MFA, for example, is the MSP’s duty and resisting the temptation to shut it off is the customer’s.
Gross recommends getting an additional signature on a “declination of service” agreement if a customer opts not to spend money on MFA or any other critical safeguard. “You send a notice to that customer saying, ‘this is what I offered you. This is what it does. This is the bad thing that can happen as a result of you not taking this service,’” he says. “Then you’ve created a paper trail of your activities.”
2: Mind Your Marketing
Doing business without an MSA may be crazy, but doing business without tech errors and omissions insurance is even crazier, according to Robert Scott, managing partner of Scott & Scott LLP, an IT industry law firm based in Southlake, Texas.
“There’s nothing you could do that’s more important in my mind,” he says of procuring coverage.
Requiring your customers to carry cyber insurance is high on the list too, Scott adds. Businesses are much more apt to file suit over a security incident if there’s no one but you to compensate them for losses, he explains. Plus, in a worst-case scenario, most cyber policies ensure that if a channel pro does get sued, it won’t be by their client.
“The customer never has to be at odds with the MSP, because the customer is assigning its rights to any claim against the MSP to its first-party carrier,” Scott says.
You can further limit your exposure to legal risk by wording your marketing materials as carefully as your contracts. Promising your customers that they can rest easy at night with you protecting their digital assets is just garden-variety advertising puffery to you. “Customers treat that as a contractual obligation,” Gross observes.
That’s why contracts aren’t the only documents a lawyer should help you draft. “Have an attorney look at your marketing,” Semel says. They don’t have to review every webinar invitation you write, but showing them a few especially critical items, like your website copy and sales brochure, will help you get a feel for what you should and shouldn’t say more generally.
Just in case you make a mistake anyway, Gross adds, address the topic in your MSA. “Include a provision that specifically says any advertising or marketing materials that we have given to you are for informational use only,” he says. “Otherwise, they can set a standard in the relationship that the MSP very often can’t fulfill.”
3: Call in the Cops
What you do after a breach to protect yourself is as important as what you do before. For starters, don’t try to sweep the matter under the rug, says Gross, who’s seen channel pros wait weeks and even months before disclosing an incident. “That’s turning a problem into a disaster,” he warns. Damages can mount rapidly while the incident goes unreported.
“The sooner that an MSP can have a conversation about what happened, how they can help mitigate it, and what steps can be taken in the future to avoid it, the better off that MSP will be,” Gross says.
The second call you make, according to Scott, should be the client’s insurance company. “The most important thing to do in that situation is notify the carriers, because the carriers want to be involved in the investigation and the remediation,” he says.
Make a point as well of preserving log files, which can provide crucial clues for forensic investigators, Scott continues. That means more than the logs from networks and servers. “Log files for voice systems can become relevant,” Scott notes. “Access control system data can be relevant.”
Calling in law enforcement after a breach is usually a good idea too, which is why preserving evidence beyond log files should be a post-breach priority. “A hacked network is a crime scene,” Semel says. Contain the damage by shutting systems down and cutting off internet service, he advises, and then leave everything exactly as you found it.
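Preserving logs is only useful to investigators if you can later show they were not altered after collection. The script below is an added example, not code from the article or from any of the experts quoted in it: it copies a set of log files into an evidence folder, records a SHA-256 hash, size and original modification time for each in a manifest, marks the copies read-only, and can re-check the copies against the manifest at any later point. The file names and log lines are constructed for the example; the voice-system and badge-reader entries stand in for the kinds of non-server logs Scott mentions.

```python
"""Collect log files into an evidence folder with a hashed manifest, then verify them."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample logs (not real data) standing in for server, voice and badge logs.
SAMPLE_LOGS = {
    "auth.log": "Mar  3 02:11:09 fs01 sshd[4412]: Accepted password for svc_backup from 203.0.113.7 port 52110\n",
    "pbx.log": "2024-03-03T02:14:51Z ext 214 outbound call 6 min to +1-555-0100\n",
    "badge.csv": "2024-03-03T02:20:03Z,door=server-room,badge=0417,result=granted\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir: Path) -> dict:
    """Copy each source file into evidence_dir and write manifest.json describing it."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        src = Path(src)
        dst = evidence_dir / src.name
        original_hash = sha256_file(src)       # hash the live file first
        shutil.copy2(src, dst)                 # copy2 keeps the original mtime
        if sha256_file(dst) != original_hash:  # make sure the copy is faithful
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dst, 0o444)                   # read-only to discourage accidental edits
        entries.append({
            "source": str(src),
            "copy": dst.name,
            "size": src.stat().st_size,
            "source_mtime": src.stat().st_mtime,
            "sha256": original_hash,
            "collected_at": time.time(),
        })
    manifest = {"entries": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Return the names of preserved copies whose hash no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    mismatched = []
    for entry in manifest["entries"]:
        copy = evidence_dir / entry["copy"]
        if not copy.exists() or sha256_file(copy) != entry["sha256"]:
            mismatched.append(entry["copy"])
    return mismatched


def demo() -> dict:
    """Preserve the sample logs, verify them, tamper with one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        for name, text in SAMPLE_LOGS.items():
            (live / name).write_text(text)
        evidence = Path(tmp) / "evidence"
        manifest = preserve_logs(sorted(live.iterdir()), evidence)
        before = verify_evidence(evidence)
        # Simulate someone editing a preserved copy after collection.
        tampered = evidence / "pbx.log"
        os.chmod(tampered, 0o644)
        with tampered.open("a") as f:
            f.write("2024-03-03T02:15:00Z ext 214 call record removed\n")
        after = verify_evidence(evidence)
        return {
            "collected": len(manifest["entries"]),
            "mismatch_before": before,
            "mismatch_after": after,
        }


if __name__ == "__main__":
    print(demo())
```

Run the collection as early as possible and hand the manifest, not just the files, to the investigators and the carrier: the hashes let anyone later confirm the copies still match what was collected, and the source path and modification time tie each copy back to the system it came from.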
You’ll be much less likely to find yourself dealing with an incident in the first place, Scott counsels, if you’re rigorous about security best practices. Choose a solid framework and enforce the controls it recommends. Deploy a stack of the best security solutions you can find, and back them up with carefully designed, clearly communicated policies and procedures.
“The best way to prevent a lawsuit,” Scott observes, “is to have no data loss.”