Some managed IT providers assume it is obvious that their liability for data breaches, failed hardware, and clients' data loss is limited. Many clients, on the other hand, believe their managed IT provider is fully liable for every such incident and will go straight to court to sue the MSP for any damage, downtime, or loss. Even when the court ultimately does not side with the client, the lawsuit itself is a long and expensive process.
In this article, we will explain how to limit your liability as a managed services provider and define the need for cybersecurity insurance.
Why Do You Need to Limit Liability?
First of all, let's define the cases in which you may find yourself in court:
- Security breaches, including intrusions, phishing, malware spreading through exposed services or other network weaknesses, endpoint protection failures, or a bypassed firewall. Even if the client failed to follow your security recommendations, they may still try to sue you for the resulting damage.
- Lost data, including downtime caused by hardware failures, missed recovery time objectives (RTO) or recovery point objectives (RPO), lost backups, backups that cannot be restored, and partial data loss. All of these can be classified as damages leading to downtime, which affects your client's revenue.
- Failure to comply with legislation or regulatory regimes such as HIPAA, GDPR, or FINRA rules. You might assume that a client who ignores your security or compliance advice is fully responsible for the consequences. However, if you read the regulations carefully, you will find obligations and liability that attach directly to the party processing the data on the client's behalf: under GDPR that party is the data processor (Article 28 sets out its duties, and Article 82 makes it liable for damage caused by its own breaches), and under HIPAA it is the business associate. In most cases, a managed IT provider falls into exactly that role.
In short, your client may want to sue you over almost any IT-related incident. If you are not prepared, you will spend thousands of dollars on the lawsuit itself, and far more if you cannot prove that your liability is limited. Here is what you should do.
Steps to Limit Your Liability
Start with the Contract
Your contracts, namely the service level agreement (SLA), the scope of work (SOW), and the master service agreement (MSA), should contain clauses that protect you and define exactly what you are and are not liable for.
Add Clauses and Disclaimers
- You do not want to be responsible for third-party failures, so disclaim responsibility for hardware or software failures caused by manufacturers or vendors. If you read their terms carefully, you will see that the vendors disclaim their own responsibility as well. This matters more every year: a compromise of an RMM platform gives an attacker a path into every client you manage through it, and such incidents are becoming more frequent.
- Disclaim hardware and software failures related to backups, and state in writing what you do commit to (for example, the RPO and RTO you have agreed and periodically verified through test restores). If the contract is worded loosely, you may find yourself liable for any loss of backup data regardless of cause.
- If a client is successfully attacked and their network is infected with ransomware, the contract should require the client either to pay the ransom for their data or to pay you for remediation at your standard hourly rate. Otherwise you may end up repairing the consequences of their own failure for free under the standard SLA. Note that paying a ransom is the client's decision, does not guarantee recovery, and can raise legal issues (for example, payments to sanctioned entities); most cyber insurance policies also require the insurer to be notified before any payment is made, so involve the client's attorney and insurer early.
Note that break/fix clients still need to sign your service level agreement, scope of work, and master service agreement, that is, the documents containing all the payment and liability terms.
Create Refusal Waivers
A refusal waiver is a document, in printed or email form, that your customer signs or replies to when they decline to follow a security recommendation you have given them. Prepare several refusal forms (for example, for declined backups, declined multi-factor authentication, or declined patching windows) and send them to customers whenever they reject a recommendation, so you are protected against claims of gross negligence or weak security measures and have evidence ready for compliance audits.
Make sure every discussion about cybersecurity or compliance is put in writing. You will need that proof if you end up in court.
Check with an Attorney
Contact a local IT-specialized attorney whenever you:
- Create an initial contract.
- Change any contractual details.
- Are planning to expand to other states.
- Land any clients that fall under compliance.
Some managed IT providers draft their contracts without an attorney's help, which is not a good idea. An attorney will make sure the contract contains all the necessary clauses, written in language that will actually hold up if a dispute reaches court.
Further reading: The Importance of Legal Services to MSPs Explained
Get Insured
Many MSPs see general liability and cybersecurity insurance as a waste of money, and indeed you will not need them in 99% of cases. But the 1% of cases where you do need them can put you out of business.
- You need general liability, errors and omissions (E&O), and cybersecurity insurance. Set the coverage limits based on the risk you are willing to carry. The premium and the appropriate limits both scale with your exposure: the more client data and premises you manage, the more coverage you need and the more it will cost.
- Ask your insurance provider for the liability, mediation, and other clauses they expect to see, and add them to your contract.
- Advise your customers to buy cybersecurity insurance as well. That does not directly limit your liability, but it will help the customer absorb downtime caused by ransomware or human error instead of looking to you to cover it.
Further reading: Do You Really Need Cyber Liability Insurance?
Read a Book
Joseph Brunsman is an active participant in the managed IT services community and an expert on cybersecurity liability. He answers questions on the r/MSP subreddit and also provides professional services. Joseph has written a book on cybersecurity, compliance, and cyber insurance; you can download it for free from his website or buy it on Amazon.
All this attention to contractual and insurance details may sound excessive for an MSP that simply wants to provide good service to its clients. However, laws and compliance requirements get stricter every year, cybersecurity incidents are on the rise, and some of your clients, though not all, will believe that their security breach or IT failure is your fault.