Cybersecurity is not a simple check box to cross off. It involves risk management, defining threats, prevention, reaction and more. For the managed service provider (MSP), the breadth of the subject, which differs for each customer, can be challenging. In developing a professional standard of care, there is a great deal to take into consideration.
The MSP’s responsibility for establishing and implementing a standard of care for its customers is further challenged by most customers’ gap in technical knowledge. It is why they hired an MSP! When working with a small business client, the MSP needs to convey standards to reduce and better manage cybersecurity risk in a manner the layperson can understand. The MSP is accountable to its customers for talking about cyber risk.
As we have already discussed, a professional standard of care not only helps individual businesses but contributes to a more robust security posture overall. To help understand how a standard of care can be used, we shared best practices for establishing standards of care. Now, we’ll dive deeper into standard of care treatment for an MSP.
The NIST Cybersecurity Framework, the CIS 20, and the Cybersecurity Maturity Model Certification (CMMC) each provide guidance different organizations can customize to suit their risks, situations, and needs. We have said before there is no one-size-fits-all solution. Some businesses also need to accommodate regulations such as HIPAA, PCI DSS, GDPR, ISO 27001, or Sarbanes-Oxley (SOX).
The complexity of these various approaches and regulations creates a minefield for the MSP. The legal implications can be daunting. An MSP might face a breach of contract lawsuit, a negligence lawsuit, or regulatory enforcement. Generally, the court expects the managed service provider to meet a standard of care that a reasonably prudent person would expect. That’s where things can get sticky.
Standard of Care Negligence
Working every day in IT, you may have a skewed version of what it means to be a “reasonably prudent person.” How many times a day are you helping someone address an issue by simply putting a wire in the right place?
Still, the threshold for a civil liability negligence claim will be founded on the expectation that your business has to show reasonable caution when providing services. Ultimately, you owe your customers a standard of care to better protect them, and you.
Yet, if you don’t establish a standard of care in your terms of service, or otherwise agree to one with your client, who is to say what the reasonable standard is? You don’t really want to go to court to find out.
After all, the courts are still feeling their way around this topic. The cybersecurity standard of care outlined in 2002 by the Gramm-Leach-Bliley Act is often used by regulators and courts. However, this is not always the case. For example, a plaintiff’s attorney might look to the Federal Trade Commission (FTC) lawsuit against Wyndham where security failures caused three data breaches in two years. Alternatively, a court may follow the precedents set by breached companies hit with class-action lawsuits and attorneys sued for malpractice when a cybersecurity incident takes place.
Rather than letting a court decide, an MSP can look at the established frameworks, as well as regulations set up by the likes of HIPAA or the PCI DSS Security Standards Council, and set clear expectations with clients from the start.
Contractual Standard of Care Avoids Threats
An MSP with an established standard of care in its services contract or terms of service is in a better position to avoid legal action. Consult with your attorney to establish an effective contractual standard of care tailored to fit your business. Outlining where responsibilities start and end can delineate a standard of care with clarity and direction.
One approach could be to verbally explain the agreement to a customer, and follow up with a signed document that explicitly details these responsibilities. Alternatively, an MSP might provide a copy of standard terms and conditions and ensure acceptance by having the customer initial them prior to any services. An MSP’s contractual standard of care could also be used with statements of work, contract supplements or appendices, engagement letters, and routine invoices.
Having a standard form of agreement or terms of service that outlines a standard of care will allow an MSP to stay in front of the complex and ever-evolving cybersecurity legal environment. This framework can establish customer expectations, facilitate critical disclosures, and identify customer priorities and limitations. At Calyptix Security, we recommend including five key topics:
- Customer obligations
- MSP obligations
- Disclaimer of warranties
- Limitation of liability
- Assumption of risk
It is important to determine at the start whether the customer is obliged to follow health care compliance rules, government regulations, or other third-party contractual commitments, such as cybersecurity insurance requirements. Each organization has its own need to balance compliance requirements, cybersecurity safeguards, and the effects on customers and the public. Failure to require the customer to communicate these critical requirements will leave the MSP in the dark and potentially exposed.
Legal Obligations Depend on Circumstances
Yes, developing a professional standard of care in an MSP contract or terms of service can be challenging. Your business will likely need a templated addendum to adapt your standard terms to the individual needs of different customers in various industries. However, avoiding conversations about safeguards and protective measures is a mistake. Failing to outline which party is responsible for implementing and overseeing cybersecurity plans is something we’d label unreasonable. It’s not a risk worth taking.
Cyber incidents and breaches are growing more common. No business is immune. Vulnerabilities will be exploited. Everything connected to the Internet is vulnerable in some way.
As a result, Calyptix Security encourages the MSP to set a professional standard of care to address cybersecurity. By being aware of continually evolving cybersecurity frameworks and clearly laying out accountability and risks, the MSP can better navigate the murky waters of reasonably prudent care and apportioning responsibility should the worst happen.
Calyptix Security aims to cut its clients’ fear, uncertainty and doubt. Our AccessEnforcer UTM firewall is an easy, affordable way to prevent intrusions, filter email, geofence web traffic, and add multi-factor authentication to your small business offerings. Through our solutions, we can help make delivering on that standard of care one step easier.
Want to know more about legal traps for MSPs? View this webinar from Calyptix Security CEO Ben Yarbrough, a licensed attorney, covering cybersecurity incident legal exposure, liability issues in HIPAA and PCI DSS, and hidden risks of cyber insurance.