I am an MSP owner with a broad mix of clients, but we handle a large amount of HIPAA-protected information for healthcare customers, as well as sensitive banking data. I worry about being sued if there is a breach. Should I work with a lawyer?
Only a few MSPs are large enough to have in-house legal counsel. However, you shouldn’t let your size or budget determine whether you work with a lawyer. Regardless of whether you employ dozens of technicians or operate as a one-person shop, you need to have an attorney on retainer (or at the very least, on speed-dial). Not doing so could prove to be more expensive than being prepared in the first place.
When you are looking for an attorney, it is important to find someone who has previous experience in the IT space. Your uncle’s friend may be a great medical malpractice attorney, but you need someone who understands the rapidly shifting cyberspace landscape. Check with your local bar association for referrals or do your due diligence online.
There are some obvious reasons why an MSP should have a relationship with an attorney. For instance, your service contracts shouldn’t just be boilerplates downloaded from a legal site. Different clients have different needs. A public contract has more complications than one with the corner dry cleaner, and a specialized attorney can help with that. However, there are less apparent issues beyond contracts where not having an attorney on retainer can be far costlier than having one.
To explain why an attorney needs to be part of your team, SmarterMSP talked with Dr. David Thaw, assistant professor of law and information sciences at the University of Pittsburgh, an internationally recognized expert in law and technology.
Three reasons you need a lawyer
There are legions of reasons why an MSP should have a lawyer on their team, including:
- Staying on top of regulatory requirements
- Anticipating future changes
- Avoiding becoming a scapegoat for policymakers
Now that you have three of the key reasons, let’s dig deeper. When examining regulations, whether it’s HIPAA compliance, the complicated warren of rules surrounding GDPR, or banking mandates requiring adequate data protection, an MSP can’t just be concerned with the mechanics of security. They must know what is legally required.
“Having an ongoing relationship with legal counsel that is familiar with the business is critically important because when regulatory changes come, people in the tech space won’t find out until it is too late,” explains Thaw. MSPs are usually in reactive mode, which puts them at a disadvantage and carries many risks.
“Adversaries love reactive mode; they only have to succeed once. Their business model is built around a single breach, so you can’t be in a reactive mode without taking on an enormous amount of risk,” details Thaw. SMBs that don’t have sprawling tech staffs and in-house lawyers need legal advice the most.
“Small hometown medical practices and start-up businesses rely on MSPs. The MSP can have outstanding technical expertise on staff, but they don’t often have integration with legal counsel that can keep them up to date on what they have to do, and what is coming up,” Thaw says.
According to Thaw, MSPs need to work with lawyers to ensure customers are protected. Many clients hire an MSP and assume that all their security needs (and everything that goes with it, including legal) are taken care of. If an MSP isn’t consulting with an attorney, they are leaving their customers exposed.
“MSPs are constantly marketing what they do, and it is incumbent upon them to have good legal counsel,” states Thaw.
The future is now
A cyber-attorney in tune with the rapidly changing regulatory environment will be able to see what changes might be forthcoming. That can save an MSP money and help clients.
“It is such a rapidly moving field, so rapidly moving that you couldn’t write a textbook about it because by the time you submitted your manuscript and it was published, the information would have changed. It truly moves that fast,” describes Thaw. Keeping abreast of these changes is crucial because legal requirements will inform technical decisions.
“A mistake that is made is when you build a wall around your network and believe that is your sole responsibility. There is a lot more to cybersecurity than just building a wall around your networks. The problem isn’t that firewalls are not effective enough, because they are. It’s just that there are many other attack vectors unrelated to a firewall,” explains Thaw. MSPs must have not only adequate protections, but legally mandated ones. An MSP can get into regulatory hot water and not even know they are in trouble.
Avoid being scapegoated
You don’t want your healthcare client or retail customer to be the one whose data gets hacked and is held up as the next regulatory whipping post. Thaw recalls how the Target retail chain was held up to much public and political scrutiny after their infamous data breach in 2013. Whether that scapegoating was fair or not is the subject of debate.
Hackers accessed Target’s customer data by entering through the HVAC system. Target was widely criticized for not having a more compartmentalized system in place, but Thaw believes that some of the heat was probably unfair. More aggressive advocacy before and after the breach could have shielded Target from some of the costly PR fall-out.
“There are legitimate business reasons why you might want to have areas linked,” argues Thaw. For example, a store might want the refrigeration linked to the deli counter or supply chain sensors connected to perishables that might alert a store to expiring food.
“You can always use more security. At the same time, security is always a trade-off of balancing risk. I can build an impenetrable bank vault with no doors or windows; you can’t break into it, but you can’t use it either. If you lock everything down, the chance of a break-in is near zero, but you can’t do business,” Thaw says. An attorney can help an MSP strike the right balance.