Cyber security is becoming a minefield of legal risk. One wrong step can blow your business sky-high.
Managed service providers live in this minefield. They’ve been safe so far. We cannot find news of any that have blown up after a misstep that caused a client’s data breach and triggered a legal issue.
But that doesn’t mean lawsuits are not coming. Regulators and lawmakers are adding mines to the cyber security field every year.
All 50 U.S. states now have data breach notification laws.
These sit on top of U.S. federal privacy laws such as HIPAA, EU privacy laws such as the GDPR, and industry standards such as PCI DSS, all of which impose cyber security requirements.
Lawsuits are also becoming more common after a data breach is discovered:
In August, a business services company was sued in multiple federal court actions a mere three days after notifying clients of a breach.
In January, an electronic health record (EHR) vendor was hit with a ransomware attack. Later that month, one of its clients sued the vendor, claiming the attack prevented them from accessing patients’ records. This resulted in cancelled appointments and lost revenue.
If cyber security is a minefield of legal threats for MSPs, what do the mines look like?
Here are three big issues to avoid:
1. Breach of Contract Lawsuit
2. Negligence Lawsuit
3. Regulatory Enforcement
Let’s unpack each of these.
Legal Issue #1: Breach of Contract Lawsuit
A breach of contract lawsuit is very simple.
First, there must be a contract.
Second, the contract must specify the responsibilities of each party (i.e. your MSP business and the client).
Third, one party (the plaintiff) files a lawsuit against the other, claiming it failed to live up to its responsibilities and thus harmed the plaintiff.
For an MSP, the obvious example is a client who suffers a data breach and files a lawsuit. The suit would claim the MSP failed to live up to the terms of the contract, and that this failure caused a data breach that resulted in losses.
How to Avoid this Threat
If you’re hit with a breach of contract lawsuit you’ve already lost money, because it will cost a significant amount to fight it, regardless of the outcome.
The best approach is to avoid a lawsuit altogether, and you can do that with clear communication with clients at the beginning of your relationship.
It’s critical that your clients understand the role of your business in their cyber security i.e. where your responsibilities start and end.
Verbally explain your responsibilities to clients, and ensure the responsibilities are explicitly outlined in a formal agreement signed by both parties.
Also ensure your clients understand the important aspects of their cyber security that you are NOT responsible for, i.e. what they remain responsible for (for example, patching systems you do not manage, or user training).
A 30-minute conversation on this topic can save you from months of headaches and legal issues if the relationship sours.
Once the terms of your agreement are clearly defined, you must live up to them. That’s the whole point of the agreement. If you fail to do so, and that failure harms the client, you can expect a call from their lawyer.
Lastly, include clauses in the agreement that limit your liability. If you are found liable in court, such clauses can reduce your exposure and prevent the lawsuit from ending your business.
Legal Issue #2. Negligence Lawsuit
A negligence lawsuit claims that a party failed to use reasonable caution when providing services and thus harmed the plaintiff.
The term “standard of care” is often used to describe the inherent responsibilities of a professional service provider, such as a doctor or lawyer.
As an MSP or IT firm, you owe clients a standard of care. If your services fall short of this standard and the client is harmed, then you can be sued (in theory).
Obviously, you can avoid this kind of legal issue by living up to the ‘standard of care’. So, what’s the standard?
Unfortunately, no one knows for sure. No U.S. law has set a clear standard for IT service providers, and no court case has yet clearly established one.
However, you are not completely without guidance.
You can get a sense of a reasonable standard of care from the controls recommended by proven security frameworks such as the CIS 20 (CIS Controls), NIST SP 800-53, NIST SP 800-171, and others.
Also, more guidance may be coming. Signed into law on Aug. 14, the NIST Small Business Cybersecurity Act requires the National Institute of Standards and Technology (NIST) to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
These forthcoming resources may help form a reasonable standard of care for IT services in the SMB market.
Follow the Standard You’ve Set
Wyndham Worldwide settled the FTC’s case against it in 2015. Under the settlement, Wyndham had to create a comprehensive information security program. The terms of the settlement remain in place for 20 years.
Legal Issue #3. Regulatory enforcement
Regulators and standards bodies levy fines and penalties against businesses that fail to comply with their rules. Under HIPAA, the HHS Office for Civil Rights (OCR) enforces the rules and issues penalties. Under PCI DSS, the PCI Security Standards Council maintains the standard, while fines are levied by the card brands and passed down through acquiring banks to merchants.
Important ways to avoid this threat:
Know the environment
When you begin a relationship with a client, require them to disclose all regulatory frameworks they are required to follow for their IT systems and data.
Make the customer responsible
Also, be sure to note in your contract that the customer has sole responsibility for understanding and ensuring that the services you provide will satisfy any necessary regulatory or legal requirements.
Limit your exposure
Cyber security regulations often focus on specific types of data.
For example, HIPAA aims to protect “protected health information” (PHI): individually identifiable health information held by covered entities such as providers, health plans, and their business associates.
PCI DSS aims to protect cardholder data.
These regulations also cover the systems, i.e. the workstations, servers, and network infrastructure, that store, process, or transmit this data (PCI DSS calls this the “cardholder data environment”).
So, one way to limit your exposure to these regulations is to limit your exposure to the data and systems they cover.
For any service you provide that touches these systems, be sure to document the extent of your access and how you’ve limited it. Also ensure the customer understands the scope of your access, both verbally and contractually.
Protect Yourself with Honesty (and a Good Contract)
In any business, legal issues can often be avoided with transparency, honesty, and a collaborative attitude.
Always set clear expectations with clients and deliver on them. Avoid absolute guarantees (no service can promise a client will never be breached). Also avoid hostility and blaming others.
Respect best practices (don’t recklessly disregard them). Also respect the things you do not yet know. Develop a strong sense of professional humility.
Remember, no one is perfect. As a director of the FBI once said, “There are only two types of companies: those that have been hacked and those that will be.”
Good Relationships Can Sour
These principles can carry you far. However, relationships can sour and partnerships can fail. That’s usually when lawyers are called and everyone starts losing money.
Unfortunately, lawsuits cannot always be avoided and this is where your service contract becomes critical.
Your business should have a standard form agreement that all clients sign when doing business with you. This agreement should be rock-solid and crafted by a competent lawyer who is familiar with cyber security law and regulation.
The form agreement is the same for all your clients, so you need one more document: a Statement of Work.
The statement of work is where you define the specific responsibilities and services you will provide. It should be unique to every client.
But remember, if you’re arguing about the terms of your contract in court, you’re already losing money.
So avoid lawsuits whenever possible: maintain a strong relationship with your clients and make sure everyone is aware of their responsibilities.