38 Words That Give MSPs A Boost In Data Breach Cases: Legal Expert
After an MSP lists all vendors, vendor services agreements and privacy policies, attorney Rob Scott tells MSPs to add these 38 words: ‘Under no circumstances will the customer attempt to hold the MSP responsible for the acts or omissions of third-party service providers and [the customer] agrees that their use of the services will be governed by the agreements that we list.’
In attorney Rob Scott’s view, 38 words can give MSPs a leg up when facing a court case stemming from cyberattacks akin to the 2020 SolarWinds breach and the 2021 Kaseya ransomware attack.
After the MSP lists all vendors, vendor services agreements and privacy policies, Scott said to add the following “in big boldface letters:” “Under no circumstances will the customer attempt to hold the MSP responsible for the acts or omissions of third-party service providers and [the customer] agrees that their use of the services will be governed by the agreements that we list.”
“If I had that and was representing an MSP in a Kaseya-like incident, I would have a much stronger chance of winning,” Scott, managing partner at the Southlake, Texas-based Scott & Scott law firm, said during the XChange August 2023 conference.
“The list [includes a lot of] things that have happened in our industry over the years where MSPs’ customers fall victim to criminal activity as a result of a vulnerability or a failure of a vendor. … In the old version of our agreements, it says, ‘MSP is not responsible for the acts of third parties.’ And they also said, ‘MSP uses third parties to deliver some services.’ And what I realized in taking a deeper dive is that wouldn’t hold up in court in a ransomware scenario like Kaseya,” he said.
Attorney Scott On MSP Contracts
The XChange August 2023 conference was hosted by CRN parent The Channel Company and was held in Nashville, Tenn.
Dylan Borden, marketing director at Sarasota, Fla.-based MSP Four Winds IT, told CRN that Scott talked about topics that MSPs should focus more on.
Borden manages Four Winds contracts and works on terms and conditions, making Scott’s advice especially relevant.
“My plan this year is honestly to revamp what we’re going to release in 2024 to include more of the cyber insurance-type pieces,” he said. “So it was actually right up the alley of what I was looking for.”
Scott, who is also chief innovator at Monjur, a contracts-as-a-service product aimed at MSPs and spun off from the company during the summer, told MSPs in the crowd to make sure terms and conditions are always updated in contracts.
In a world of vendors dictating terms that MSPs and customers must follow, “customer contracts are the one thing that you have the most control over because you don’t have to start working for anybody until they agree to your terms and conditions,” Scott said.
Keeping contract language up to date has increased in importance with recent federal regulations and new state ones coming online.
According to consent management platform provider CookieYes, four states enacted new data privacy rules this year—California, Virginia, Colorado and Connecticut—while four states have ones slated for later this year and in 2024. Those states are Utah, Texas, Oregon and Montana.
“We’re in the middle of a legislative explosion in data privacy laws,” Scott said.
MSPs need to write customer agreements that keep data protected no matter the state. Sometimes, MSPs don’t know which states customers do business in until after they start working for them.
“These laws require you to have a written agreement with your customer that covers certain things. If you don’t have it, you’re in trouble—not only you but the customer,” he said. “If we go to court, I want all your I’s dotted and T’s crossed. That includes adding the appropriate data processing terms.”
Another suggestion Scott made was for MSPs to take a page out of the largest vendors’ playbooks and combine sales and customer contracts into one online step that customers accept through a button.
While Scott was against online terms a decade ago, court cases that have happened in that time have provided guidance around web-based contract terms. MSPs with online terms can also notify customers of contract changes by email.
“Some of the pain that you’re feeling in the customer on-boarding and customer contracting process is created by you and the processes that you adopt,” he said. Those processes “can be streamlined. I’m confident.”
He continued: “If you put all of your customers on the same customer contract, it makes it very, very, very easy for you to administer your work. You’re building systems today to build scale and operations. You don’t think that applies to managing contracts? Of course it does.”
MSPs can also benefit from a modular approach to contracts, such as separate service attachments with their own terms and conditions for managed voice, disaster recovery and other offerings, Scott said.
Adding contract language stating that the MSP will not provide transition services unless customers have paid the early termination fee and all other fees is also important, he said. And with the growth in generative artificial intelligence, MSPs should consider written policies around that technology.
When it comes to insurance, MSPs should also carry about $1 million to $2 million in aggregate professional liability insurance, including errors and omissions, he said. They should also require as part of master service agreements that customers hold insurance coverage that includes first-party cyber liability insurance.
“You need not only professional liability for you, you need professional liability for all of your customers,” Scott said. “By doing that … you create a situation where you’ll never be in court with your client.”
He continued: “You may have an incident, their carrier will pay the first dollar out. If their carrier thinks you’re involved, they can get the money back from you, they’ll sue you. Who will respond? Your insurance company. So you’re never going to be at odds with your customer if you use this structure.”
MSPs should also say in their agreements that they don’t hold liability when they help customers fill out insurance applications, Scott said.