3 Cyber Security Legal Issues for MSPs and VARs

3-Cyber-Security-Legal-Issues-for-MSPs-and-VARs-1Cyber security is becoming a minefield of legal risk. One wrong step can blow your business sky-high.

Managed service providers live in this minefield. They’ve been safe so far. We cannot find news of any that have blown up after a misstep that caused a client’s data breach and triggered a legal issue.

But that doesn’t mean lawsuits are not coming. Regulators and lawmakers are adding mines to the cyber security field every year.

All 50 U.S. states now have data privacy laws.

This is in addition to U.S. federal privacy laws such as HIPAA, EU privacy laws such as GDR, and industry regulations such as PCI DSS – all of which have requirements for cyber security.

Lawsuits are also becoming more common after a data breach is discovered:

  • In August, a business services company was sued in multiple federal court actions a mere three days after notifying clients of a breach.
  • In January, an electronic health record (EHR) vendor was hit with a ransomware attack. Later that month, one of its clients sued the vendor, claiming the attack prevented them from accessing patients’ records. This resulted in cancelled appointments and lost revenue.

If cyber security is a minefield of legal threats for MSPs – what do the mines look like?

Here are three big issues to avoid:

  1. Breach of Contract Lawsuit
  2. Negligence Lawsuit
  3. Regulatory Enforcement

Let’s unpack each of these.

3-Cyber-Security-Legal-Issues-for-MSPs-and-VARs-2Legal Issue #1: Breach of Contract Lawsuit

A breach of contract lawsuit is very simple.

First, there must be a contract.

Second, the contract must specify the responsibility of each party (i.e. your MSP business and the client).

Third, one party (the plaintiff) files a lawsuit against the other, claiming they failed to live up to their responsibility and thus harmed the plaintiff.

For an MSP, the obvious example would be a client who suffers a data breach and files a lawsuit. The suit would claim the MSP failed to live up to the terms of the contract and this caused a data breach that resulted in losses.

How to Avoid this Threat

If you’re hit with a breach of contract lawsuit – you’ve already lost, because it will cost significant money to fight it.

The best approach is to avoid a lawsuit altogether – and you can do that with clear communication with clients at the beginning of your relationship.

It’s critical that your clients understand the role of your business in their cyber security – i.e. where your responsibilities start and end.

Verbally explain your responsibilities to clients, and ensure the responsibilities are explicitly outlined in a formal agreement signed by both parties.

Also ensure your clients understand the important aspects of their cyber security that you are NOT responsible for – i.e. what they are responsible for.

A 30-minute conversation on this topic can save you from months of headaches and legal issues if the relationship sours.

Once the terms of your agreement are clearly defined, you must live up to the terms. That’s the whole point of the agreement. If you fail to do so, and if this failure harms the client, you can expect a call from their lawyer.

Lastly, include clauses in the agreement that limit your liability. So if you are found liable in court, such clauses can reduce your exposure and prevent the lawsuit from ending your business.

3-Cyber-Security-Legal-Issues-for-MSPs-and-VARs-3Legal Issue #2. Negligence Lawsuit

A negligence lawsuit claims that a party failed to use reasonable caution when providing services and thus harmed the plaintiff.

The term “standard of care” is often used to describe the inherent responsibilities of a service provider, such as a doctor or lawyer.

For an MSP or IT firm, you owe clients a standard of care. If your services fall short of this standard and the client is harmed, then you can be sued (in theory).

Obviously, you can avoid a cyber security legal issue by living up to the ‘standard of care’. So, what’s the standard?

Unfortunately, no one knows for sure. No laws have set a clear standard in the U.S., and no court cases have yet to clearly establish one.

However, you are not completely without guidance.

You can get a sense of a reasonable standard of care from the controls recommended by proven security frameworks such as the CIS 20, NIST 800-53, NIST 800-171, and others.

Also, more frameworks may be coming. Signed into law on Aug. 14, the NIST Small Business Cybersecurity Act requires the National Institute of Standards (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”

These forthcoming resources may help form a reasonable standard of care for IT services in the SMB market.

Follow the Standard You’ve Set

You must also live up to the promises you’ve made to protect customer data, such as those in your privacy policy. Hospitality giant Wyndham Worldwide failed to do this and landed in court with the FTC.

The FTC sued Wyndham in 2012, claiming it did not live up to promises made in its privacy policy to protect consumers’ data. This lead to a data breach causing “substantial consumer injury”, according to the FTC.

Wyndham settled the case in 2015. Under the settlement, Wyndham had to create a comprehensive information security program. The terms of the settlement are in place for 20 years.

3-Cyber-Security-Legal-Issues-for-MSPs-and-VARs-4Legal Issue #3. Regulatory enforcement

Regulators – such as the Office for Civil Rights under HIPAA, or the PCI DSS Security Standards Council – levy fines and penalties against businesses that fail to comply with their rules.

Important ways to avoid this threat:

Know the environment

When you begin a relationship with a client, require them to disclose all regulatory frameworks associated that they are required to follow for their IT systems and data.

Make the customer responsible

Also, be sure to note in your contract that the customer has the sole responsibility for understanding and ensuring the services you provide will satisfy any necessary regulatory or legal requirements.

Limit your exposure

Cyber security regulations often focus on specific types of data.

For example, HIPAA aims to protect all “personally identifiable information” of patients and customers in the medical industry.

PCI DSS aims to protect cardholder data.

These regulations also affect the systems – i.e. the workstations and network infrastructure – that store, process, or transmit this data.

That said, one way to limit your exposure to these regulations is to limit your exposure to the data and systems they cover.

Any service you provide that affects these systems, be sure to document the extent of your access and how you’ve limited it. Also ensure the customer understands the scope of your access – both verbally and contractually.

3-Cyber-Security-Legal-Issues-for-MSPs-and-VARs-5Protect Yourself with Honesty (and a Good Contract)

In any business, legal issues can often be avoided with transparency, honesty, and a collaborative attitude.

Always set clear expectations with clients and deliver on them. Avoid absolute guarantees. Also avoid hostility and blaming of others.

Respect best practices (don’t recklessly disregard them). Also respect the things you do not yet know. Develop a strong sense of professional humility.

Remember, no one is perfect. As a director of the FBI once said, “There are only two types of companies: those that have been hacked and those that will be.”

Good Relationships Can Sour

These principles can carry you far. However, relationships can sour and partnerships can fail. That’s usually when lawyers are called and everyone starts losing money.

Unfortunately, lawsuits cannot always be avoided – and this is where your service contract becomes critical.

Your business should have a standard form agreement that all clients sign when doing business with you. This agreement should be rock-solid and crafted by a competent lawyer who is familiar with cyber security law and regulation.

The form agreement is the same for all your clients – and you need one more thing, a Statement of Work.

The statement of work is where you define the specific responsibilities and services you will provide. It should be unique to every client.

But remember, if you’re arguing about the terms of your contract in a court, you’re already losing money.

So avoid lawsuits whenever possible – maintain a strong relationship with your clients and make sure everyone is aware of their responsibilities.


Related resources

Calyptix Responds to NIST Small Business Cybersecurity Act

Shelter from Cyber Regulation: NIST 800-171

Top 5 Cyber Security Frameworks in Healthcare

HIPAA Hazards: Avoid the business associate trap



Written by Calyptix

 - November 28, 2018

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram