Data privacy and liability concerns for managed service providers
In today’s increasingly online and efficiency-oriented world, it is no wonder that managed service providers, or MSPs, occupy an important position in business hierarchy. In addition to assisting their clients with IT and infrastructure needs, the role of the MSP is instrumental for a variety of business functions related to day-to-day operations, payroll, human resources, recruitment functions and more. This increased integration of and reliance upon MSPs allows businesses to focus on what they know best and to outsource the rest.
However, this increased demand has also placed an ever-increasing burden of data stewardship on MSPs. MSPs are obligated to protect the personal and sensitive data shared with them, comply with existing privacy frameworks, and observe industry best practices. There are several considerations MSPs should take into account regarding privacy compliance, cybersecurity and risk management, and a variety of other best practices.
Privacy Compliance
MSPs often handle their clients’ most confidential business information along with the personal data their clients maintain for employees, business partners and customers. For that reason, it is essential that MSPs be familiar with their regulatory obligations. MSPs should be aware of the data they manage – the sources and types of data that they are utilizing, processing, storing, and sharing determine what state, federal, and international laws apply.
Even if an MSP does not collect data directly from a data subject, the processing of data and the ability to access it still places it squarely within the covered definitions of most privacy regimes, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and others.
MSPs should also consider their industry or industries of choice, as these industries may be subject to additional, sector-specific legal obligations, such as the HIPAA/HITECH requirements for protected health information in the United States.
Once acquired, personal data must be kept safe, so it is important for MSPs to have the appropriate policies and procedures in place, which may include multi-factor authentication, encryption and proper data deletion methods. Finally, MSPs should manage client expectations and have clear contracts in place that explicitly outline their roles and responsibilities in all situations, including in the event of a cyber incident.
MSPs should also consider their vendor relationship management when assessing their privacy compliance status. In certain jurisdictions, organizations are responsible for the practices and shortcomings of the vendors they select to assist with the data entrusted to them. To best protect themselves, MSPs should carefully vet potential vendors and only utilize those with strong reputations, public trust and technical capabilities. Additionally, many privacy laws that apply to data controllers, which may include MSPs, require contracts to obligate that vendors maintain compliant privacy and security measures.
Cybersecurity and Risk Management
Another critical task for MSPs is addressing cybersecurity gaps and managing current and future risks.
The first step for any MSP in managing cybersecurity risks is assessing its own vulnerabilities. This entails an honest examination of gaps, lack of protection and upcoming changes. A thorough self-review is in-depth and can involve risk assessments, penetration testing, and audits of the current structure.
The next step involves devising a comprehensive plan to address those vulnerabilities moving forward, including specific goals and concerns, and to stay abreast of the latest cyber threats. This plan should be feasible for the size and complexity of the organization and may involve adopting an existing cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The plan should include technical steps, such as regular audits and system patching, as well as training employees with up-to-date cyber awareness and education. Such training should be conducted at regular intervals and involve employees at all levels of an MSP. Similarly, MSPs should recommend that their clients conduct appropriate employee training as well.
Finally, MSPs should have a disaster recovery plan in place, including how to recover quickly in the event of a cybersecurity incident. One way to prepare for future incidents is to conduct tabletop cybersecurity exercises.
Artificial intelligence is a resource that MSPs should consider incorporating to assist with cybersecurity and risk management. The potential for AI implementation is seemingly limitless for aiding the efficiency of business operations and data analytics, but it does not come without risks. MSPs that are considering the use of AI should have clear policies in place for how it will and will not be used. For example, MSPs must be cognizant of the data they provide for training and utilizing AI to ensure that sensitive or proprietary information is not used. MSPs that integrate AI for workflow and monitoring assistance should not do so without regular troubleshooting and human oversight.
Best Practices
In addition to emphasizing data privacy and cybersecurity compliance consistent with federal and state regulations, MSPs should also consider adopting the following best practices when managing their own business and that of their clients:
- Adopt a multi-layered security approach for you and your clients, including password protection, encryption techniques, and enforced multi-factor authentication at the user level for all accounts;
- Consolidate the tools you offer and opt for a unified management system to streamline processes;
- Consider the integration of AI as a tool for providing enhanced customer services, but only after ensuring the appropriate policies and procedures are in place;
- Use AI as a resource to stay on top of the latest vulnerabilities and security patches;
- Foster strong relationships with security, privacy, and incident response partners for your clients;
- Ensure that all client data is segregated;
- Inventory and limit the data you maintain for clients;
- Assess and incorporate appropriate cloud services alongside other services to ensure protection and storage of necessary information;
- Consider offering clients assistance with data mapping, data preservation, and data disposal;
- Conduct regular employee cybersecurity training and encourage and facilitate ways for your clients to conduct cybersecurity training for their employees;
- Participate in tabletop exercises, led by incident response teams, with your clients to understand each client’s incident response plan and your role in it; and
- In the event of an incident, preserve evidence and document chain of custody.
MSPs play a fundamental role for businesses. The impact that MSPs can make in helping their clients navigate the ever-changing cyber threat landscape cannot be overstated. Once MSPs ensure that their own house is in order, by keeping abreast of legal obligations and implementing best practices, that expertise and experience can prove invaluable to MSPs’ clients in fortifying their cybersecurity posture.
If you are an MSP or have questions about retaining an MSP, as well as concerns about your cybersecurity posture, contact a member of McDonald Hopkins' national cybersecurity and data privacy team.
Hannah Babinski, a law clerk at McDonald Hopkins, assisted with the writing of this article.