Does Louisiana Act 117 – Senate Bill 273 appear in your nightmares? That's the first law regulating MSPs serving public entities, triggered by the ransomware attacks last year against the City of New Orleans that paralyzed city government just as effectively as Hurricane Katrina. Will other states follow Louisiana’s lead? And if so, what does this herald for the future?
Act 117 specifically “seeks to register all MSPs who work with government bodies in the state and asks them to do things like report breaches,” says Charles Weaver, CEO and co-founder of industry association MSPAlliance. He notes that general oversight of all businesses is the right of all state governments.
"The law tries to figure out who the state is dealing with, and who's good, who's professional," says Dave Sobel, host of the Business of Tech Podcast and a former MSP. "It indicates we're a mature industry now."
Weaver adds that Act 117 is "not that big of a law," in that “there are no punitive penalties like with GDPR and the like." Yet while Louisiana may be the first government on the planet to regulate MSPs, other states are discussing it, says Weaver, who lists Georgia, Texas, and some other western states as having discussions on such a law. "MSPs need to know that the people who cut their hair have more regulation than the MSPs," he adds.
No business or individual certifications are required by Louisiana’s law, but the same may not be true of the next state regulation to arrive. Sobel believes solution providers should act first.
"We should borrow from lawyers, doctors, and CPAs, and put in a professional structure and code of conduct. Governments like that because they want industries to define and manage themselves. I'd rather providers come together and define what's professional and write the laws than let government people do it. That way we don't have to work with a bad law like HIPAA."
Imagine the all-too-common situation where the MSP suggests implementing security X and Y, and the customer says no. Who would you rather write the legal solution to that situation: MSPs or bureaucrats? asks Weaver.
Who will lead that process is an open question, however. "The MSPAlliance doesn't want to be the ones who say who is or isn't an MSP," says Weaver, who believes there can be oversight and compliance without restrictions and required licenses. "We advocate against licensures, but we're not anti-regulation."
What can MSPs do today to get ready for potential future regulations? "Practice safe cyber hygiene," says Weaver. "Most of the attacks are easily defended against, and we told Louisiana that. Protect yourself and your customers."
Sobel notes a July 2019 report from Pew Rearch that found society's confidence in tech had dropped 20% since 2016. Getting ahead of the regulation curve could improve that. "Good or bad, it's happening. We have to address it."