February 19, 2024

How MSPs Can Avoid Cybersecurity’s Legal Pitfalls

Experts share best practices for protecting your MSP — and your customers.

SMBs often trust their managed services providers to protect their privacy and sensitive data. In the current threat landscape, however, breaches will occur, resulting in potential legal implications. MSPs have a better chance of shielding themselves from debilitating expenses and extended litigation if they follow some best practices.

Don’t Overpromise

Too often, MSPs commit to providing services they don’t have the resources to provide, observed Blair Dawson, member of Chicago-based law firm McDonald Hopkins LLC.

While this tendency may stem from good intentions — the firm wants to please its customers — it’s not a good practice, Dawson said. “If you have things like patching [or backup] schedules in the agreement and you don’t follow through with them, that can get you in a lot of trouble.”

Dawson also counsels her clients against committing to unrealistic notification deadlines.

For example, some customers may demand notification of an incident the moment the MSP suspects that a breach occurred, which isn’t realistic, she explained.

“It’s hard to comply with that, and also it could expose you to having to work with your client through an incident that turns out to not be an incident.”

Involve Your Insurance Carrier

Bradley Gross, president of the Law Offices of Bradley Gross PA in Weston, FL, urged MSPs to contact their insurance providers soon after a suspected breach occurs.

This may not result in the services provider making a claim, but it lays the groundwork for them to do so, if necessary, Gross said. “Notification is usually the first step, and it is a non-delegable prerequisite to filing a claim later.”

Determine Liability

An MSP is liable to its customers if it has done or failed to do something that led to a breach, Gross said. For example, the MSP may have neglected to apply a security protocol listed in its master service agreement (MSA).

That said, if the MSP lived up to its contractual commitments and standard industry practices, it likely won’t be held responsible, Gross said. “Breaches happen even in the best practice scenario, so not all of them result in liability.”

For MSPs that outsource security services to SOCs, Gross highlighted the importance of differentiating between services directly provided by the MSP and those it resells. This protects the MSP from being liable if its SOC experiences a breach.

“Make it very clear in contracts that there are services we provide, and then some we facilitate,” Gross emphasized.

Calculating Damages

If an MSP is to blame for a breach, it is exposed to two main categories of damages:

  • Actual damages, those that result from the incident, such as mediation expenses, forensic investigation, and breach notification costs
  • Consequential or indirect damages, such as a client experiencing profit loss

MSPs may protect themselves from having to pay out consequential damages by waiving them in their MSAs, Gross noted. “That is something every MSP should be doing.”

Set Clear Expectations

Customers, too, share responsibility in following security best practices, and Gross advises MSPs to spell this out in their documentation.

“It’s important for MSPs to allocate responsibility between what the MSP will handle from a security perspective, and what the customer will handle,” he said.

For example, if the client circumvented a security protocol implemented by the MSP, the latter shouldn’t be held responsible for a breach, he said.

“Allocations of responsibilities should be very clear. [That way], responsibilities are laid out so there is no question about who did what, or who should be doing what, at any given moment.”
