WARREN BUFFETT SAID, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Translation: As an MSP, you need to protect yourself from yourself, because you could lose everything if you are sued.
This January, MSP Involta was sued by Boardman Molded Products after the Ohio manufacturing company fell for a fake-invoice phishing scam and lost $1.7 million. The lawsuit alleged that the MSP should have warned the customer about phishing, and that it mishandled the work ticket after the client reported the incident. It also stated that the MSP “was in charge of maintaining a secure environment and was to set security rules accordingly.”
The lawsuit includes specific allegations that Involta failed to conduct promised quarterly business reviews and to ensure anti-virus software was installed on all of the client’s systems. An audit showed systems missing anti-virus protection.
The lawsuit was not just about what was promised in the MSP’s legal agreement, which contained a lot of fine print. It quotes the MSP’s marketing claims to show potential jurors what the customer was promised. According to the lawsuit, Involta sold Boardman on the fact it would be their “one-stop shop for all IT needs.” The suit refers to Involta’s website terms and conditions, which said that Involta claimed “there would be no need for any other service providers for any purpose ... Let your staff focus on innovation and business-oriented tasks …”
If that sounds familiar, follow these steps to protect your business:
1. Always use a contract
Never provide any service without a signed, written contract, and always have your contract created by an attorney familiar with the MSP industry, your business, and the laws of your state. Your contract should protect your company, state the scope and scale of your work, include any responsibilities shared with the client, and limit your risks.
2. Limit your exposure
Clearly state what is and isn’t included in your managed service fees and which services you are offering (don’t overpromise). Include what is not your responsibility or not covered under the cost of your services, and what might prevent you from delivering the services, such as the COVID-19 pandemic.
If you cause a data breach, take responsibility for it, but don’t get dragged into a client’s mess.
You should also state that cybersecurity and regulatory compliance are shared responsibilities, and that your client is responsible for their users and ensuring their own compliance. You may be able to help them with that for an additional fee.
3. Limit your liability
Limit your liability for managed services to just one to two months of fees paid by your client. Make sure you aren’t responsible for consequential damages that result from your failure. That means that if the client loses $1.7 million in a fake email scam, you are not responsible for their loss. It also means that if your client gets hit with ransomware, and misses a bid deadline, for instance, you aren’t responsible for the resulting business losses or penalties.
4. Align your marketing and sales with your contract
This is a BIG deal. You can’t assume that the fine print in your contract will protect you from the claims you make on your website; what you, your sales reps, and your technical folks tell prospects and clients; and what you put in your proposals. Remove any language that promises things like: “We will take care of your IT so you don’t have to worry about it.”
5. Audit your service delivery
Imagine receiving a lawsuit and reading in a legal document that your company had not installed anti-virus protection on all the client’s computers, and that you had never done a QBR, as promised in your marketing and contracts. How mad would you be at your team and at yourself?
Perform internal audits twice a year for each of your clients and have hard discussions with your team if the reports show gaps, such as missing security patches—and then address those gaps immediately.
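The audit in step 5 is easy to describe and easy to skip, so here is what it looks like when it is reduced to a repeatable check. This is an added example, not code from the article or from any MSP's tooling: it takes a constructed endpoint inventory, the obligations written into each client's contract (anti-virus on every system, patches no older than an SLA, a promised number of QBRs per year) and a log of QBR dates, and reports every gap per client. The field names, thresholds and sample data are all assumptions.

```python
"""Service-delivery audit: compare contractual promises against the inventory.

Added illustration. Endpoint fields, SLA values and the sample data below are
constructed for the example; plug in your own RMM/PSA export in their place.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Endpoint:
    hostname: str
    client: str
    av_installed: bool   # assumed field: endpoint protection present and reporting
    last_patch: date     # assumed field: date security patches were last applied


@dataclass
class Obligation:
    client: str
    patch_sla_days: int         # contract: patches must be no older than this
    qbrs_promised_per_year: int # contract/marketing: quarterly reviews promised


def audit_client(client, endpoints, obligation, qbr_dates, today):
    """Return a dict with every gap found for one client.

    Gaps are the things a plaintiff's attorney would list: a system without
    anti-virus, a system outside the patch SLA, QBRs promised but not held.
    """
    findings = []
    for ep in endpoints:
        if ep.client != client:
            continue
        if not ep.av_installed:
            findings.append(f"{ep.hostname}: no anti-virus installed")
        age_days = (today - ep.last_patch).days
        if age_days > obligation.patch_sla_days:
            findings.append(
                f"{ep.hostname}: patches {age_days} days old "
                f"(SLA {obligation.patch_sla_days} days)"
            )

    # QBR check over the trailing 12 months
    window_start = today - timedelta(days=365)
    held = sum(1 for d in qbr_dates.get(client, []) if window_start <= d <= today)
    if held < obligation.qbrs_promised_per_year:
        findings.append(
            f"{held} of {obligation.qbrs_promised_per_year} promised QBRs held "
            f"in the trailing 12 months"
        )

    return {"client": client, "findings": findings, "compliant": not findings}


def run_audit(endpoints, obligations, qbr_dates, today):
    """Audit every client that has a contract on file."""
    return {o.client: audit_client(o.client, endpoints, o, qbr_dates, today)
            for o in obligations}


# ---- constructed sample data (not real clients or systems) ----
TODAY = date(2024, 6, 30)

ENDPOINTS = [
    Endpoint("ws-01", "acme-molding", True, date(2024, 6, 10)),
    Endpoint("ws-02", "acme-molding", False, date(2024, 6, 15)),  # AV gap
    Endpoint("srv-01", "acme-molding", True, date(2024, 3, 1)),   # patch gap
    Endpoint("ws-10", "beta-logistics", True, date(2024, 6, 25)),
]

OBLIGATIONS = [
    Obligation("acme-molding", patch_sla_days=30, qbrs_promised_per_year=4),
    Obligation("beta-logistics", patch_sla_days=30, qbrs_promised_per_year=4),
]

QBR_LOG = {
    "acme-molding": [date(2024, 1, 15), date(2024, 4, 20)],      # two missed
    "beta-logistics": [date(2023, 9, 1), date(2023, 12, 1),
                       date(2024, 3, 1), date(2024, 6, 1)],
}


if __name__ == "__main__":
    for client, result in run_audit(ENDPOINTS, OBLIGATIONS, QBR_LOG, TODAY).items():
        status = "OK" if result["compliant"] else "GAPS"
        print(f"{client}: {status}")
        for f in result["findings"]:
            print(f"  - {f}")
```

Run it against a real export and keep the report: a dated, per-client list of findings and the ticket numbers that closed them is the evidence you want to be able to produce when someone asks what you actually delivered.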