Hair stylists and massage therapists are regulated by state governments. Why aren’t the people responsible for safeguarding Social Security numbers?
“MSPs, and I think in general the IT world, is just sort of hanging out there without any checks and balances,” says Kyle Ardoin, Louisiana’s secretary of state.
They are until February 1st of next year, anyway. That’s when Louisiana Act 117 – Senate Bill 273, the nation’s first regulation for MSPs and MSSPs, takes effect in the Bayou State. Ardoin discussed that legislation and its implications for channel pros elsewhere in America during a Q&A appearance today at ConnectWise’s IT Nation Secure event.
The forthcoming law, which Ardoin spearheaded, came in response to a wave of ransomware attacks last year on cities and agencies across the state. “It started with school systems and local governments,” Ardoin recalls. “In fact, the entire city of New Orleans was shut down electronically at one point.”
That was last December, weeks after an assault affecting election officials that Ardoin found even more disturbing because it took place some seven days before the conclusion of a closely fought gubernatorial race. “Had the attack occurred closer to the election, we could have had a little bit of chaos,” he observes.
Before long, Ardoin was getting calls from the FBI about the incidents. “They started educating me on MSPs. I was not aware of what even an MSP was or that they even existed in any state, much less internationally,” he says. “My concern was who are these people?”
Answering that question is the pending regulation’s central objective. “If I know who the partners are, perhaps we can open up communication,” Ardoin explains.
When it goes into effect, the new law will require MSPs and MSSPs who do business with “public bodies” to register with the state for what Ardoin says is a nominal fee. Providers must also report cyber incidents affecting public bodies along with any ransom payments associated with those attacks, and write those obligations into their contracts. Public bodies, meanwhile, will be forbidden from doing business with unregistered MSPs or MSSPs.
By design, according to Ardoin, a Republican and self-described conservative with little fondness for regulation, those mandates are relatively modest and chiefly aimed at getting MSPs and their public sector customers communicating with each other about needs and capabilities.
“I think it’s important to hopefully encourage both the MSPs and government agencies to ask the right questions and offer the right information to each other, and in a constructive dialogue, without any heavy regulation at this point,” he says.
The “at this point” part of that assertion, however, hints at the potential for broader requirements later in areas like marketing claims.
“I understand that it’s a very costly business to be in cyber protection, but they’ve got to be straightforward with their customers and tell them at what levels they can protect them,” Ardoin says. “And if they’re not being straightforward because they’re concerned about losing business because of costs, well, they’re doing a disservice, an even greater disservice, not just to the entity they’re trying to protect but to the citizens that interact with that agency or their personal information.”