{"id":43039,"date":"2020-08-04T17:00:08","date_gmt":"2020-08-04T13:00:08","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=43039"},"modified":"2020-12-22T12:23:43","modified_gmt":"2020-12-22T08:23:43","slug":"louisiana-law-requires-msp-registration-with-the-state","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/louisiana-law-requires-msp-registration-with-the-state\/","title":{"rendered":"Louisiana Law Requires MSP Registration with the State"},"content":{"rendered":"<p>The managed IT provider business <a href=\"https:\/\/www.spiceworks.com\/marketing\/state-of-it\/report\/\" target=\"\u201c_blank\u201d\" rel=\"\u201cnoopener\u201d noopener noreferrer\">is on the rise in the US<\/a>, and MSPs are operating in every public and private sector of the economy. Many private-sector organizations working with sensitive data were forced to operate under certain compliance regimes, such as HIPAA for the medical sector. These regimes make strict stipulations about the way sensitive data should be managed and IT infrastructure secured in an organization.<\/p>\n<p><!--more--><br \/>\nAt the same time, the number of cybersecurity threats and attacks <a href=\"https:\/\/www.varonis.com\/blog\/cybersecurity-statistics\/\" target=\"\u201c_blank\u201d\" rel=\"\u201cnoopener\u201d noopener noreferrer\">is growing each year<\/a>. Malefactors target both MSPs' clientele, in order to inject malware and demand a ransom or to breach financial or payment systems, and MSPs themselves, so as to gain access to their customers\u2019 IT infrastructure, log-ins, passwords, and other sensitive data.<br \/>\nIt was inevitable that managed IT providers working with US public institutions would, at some point, fall under some sort of compliance. Although that has not yet happened nationwide, in June 2020 the state of Louisiana signed a law prescribing the registration of all MSPs working with public bodies in that state.<br \/>\nIn this article, we will overview the act and discuss the nature and the consequences of that legislation for MSPs across the US.<\/p>\n<h2>Overview of the Law<\/h2>\n<p>Beginning February 1, 2021, any managed services provider and managed security services provider working with public bodies in the state of Louisiana will have to apply for official registration. The official register will then be accessible to any public bodies in the state. The registration will be effective for two years. Renewal requests must be sent 90 days prior to the expiration of the registration.<\/p>\n<p id=\"last\">Registered <a href=\"https:\/\/www.msp360.com\/resources\/blog\/what-is-an-msp\/\">MSPs<\/a> or <a href=\"https:\/\/www.msp360.com\/resources\/blog\/providing-managed-security-services\/\">MSSPs<\/a> working with public bodies should then report any data breach or successful ransomware attack to the Louisiana Fusion Center within 60 days of the incident.<br \/>\nBelow, we will break down the law in detail. Click this link to read the <a href=\"https:\/\/legiscan.com\/LA\/text\/SB273\/id\/2192097\"target=\"\u201c_blank\u201d\" rel=\"\u201cnoopener\u201d noopener noreferrer\">full text of the legislation<\/a>.<\/p>\n<div id=\"slidebox\"><a class=\"close\">\u00a0<\/a><!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper hs-cta-deferred\" id=\"hs-cta-wrapper-4a146d91-d63d-4e82-9aab-1f5f0c43f780\" data-portal=\"5442029\" data-id=\"4a146d91-d63d-4e82-9aab-1f5f0c43f780\"><span class=\"hs-cta-node hs-cta-4a146d91-d63d-4e82-9aab-1f5f0c43f780\" id=\"hs-cta-4a146d91-d63d-4e82-9aab-1f5f0c43f780\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/5442029\/4a146d91-d63d-4e82-9aab-1f5f0c43f780\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-4a146d91-d63d-4e82-9aab-1f5f0c43f780\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/4a146d91-d63d-4e82-9aab-1f5f0c43f780.png\" alt=\"CTA\"><\/a><\/span><\/span><!-- end HubSpot Call-to-Action Code --><\/div>\n<h3>Parties<\/h3>\n<ul>\n<li>MSPs, MSSPs \u2013 any person or company, providing information technology services under a contract<\/li>\n<li>Public body \u2013 any public or quasi-public company, branch, department, etc., operating in Louisiana<\/li>\n<li>Louisiana Secretary of State \u2013 the body where you apply for registration<\/li>\n<li>Louisiana Fusion Center \u2013 Department of Public Safety and Corrections, the office of the state police, Louisiana State Analytical and Fusion Exchange. The bodies where you should report data breaches and <a href=\"https:\/\/www.msp360.com\/resources\/blog\/ransomware-attack-scenarios-and-how-to-be-protected\/\">ransomware attacks<\/a>.<\/li>\n<\/ul>\n<h3>The Purpose of the Law<\/h3>\n<p>This new law has three main aims:<\/p>\n<ul>\n<li>Create a register of MSPs and MSSPs who work with Louisiana public bodies. This will allow Louisiana state to monitor the work of outsourced IT companies and thus manage public IT security better.<\/li>\n<li>Allow Louisiana public bodies to gain information about managed IT providers. This way, public bodies will be able to choose between approved MSPs and MSSPs. No non-registered MSPs or MSSPs will be able to work with Louisiana public bodies.<\/li>\n<li>Register any cybersecurity incident and\/or the amount of any ransom paid in connection with the IT infrastructure or end-user systems of public bodies.<\/li>\n<\/ul>\n<div class=\"perfect-pullquote vcard pullquote-align-full pullquote-border-placement-left\"><blockquote><p>Any managed services and security services providers outside of Louisiana but working with Louisiana public bodies should be registered<\/p><\/blockquote><\/div>\n<h3>Details Needed for Registration<\/h3>\n<p>To apply for registration, you need to provide the following details:<\/p>\n<ul>\n<li>The provider's name and phone number, a contact person and a listing of any owners of more than 10 percent of the shares of the provider<\/li>\n<li>All organizational documents, including articles of incorporation, organization, association or partnership agreement<\/li>\n<li>In the event of any material change in your MSP or MSSP business, you should notify the state and provide the required documentation about the change within 60 days of the change.<\/li>\n<\/ul>\n<div class=\"perfect-pullquote vcard pullquote-align-full pullquote-border-placement-left\"><blockquote><p>The Louisiana state can deny or revoke any registration. The exact reasons for revocation are not stated in the law.<\/p><\/blockquote><\/div>\n<h3>Notifications About Cybersecurity Incidents<\/h3>\n<p>One of the main reasons behind the law is to create a centralized reporting structure with regard to cybersecurity incidents involving public bodies. Accordingly, incidents should be reported to Louisiana Fusion Center within 24 hours of the incident. If the ransom for the attack was paid, this should also be reported within 10 days of the payment. The report should include the name of the affected body and the name of the MSP or MSSP in charge of the body\u2019s IT infrastructure.<\/p>\n<div class=\"perfect-pullquote vcard pullquote-align-full pullquote-border-placement-left\"><blockquote><p><!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper hs-cta-deferred\" id=\"hs-cta-wrapper-1ff16dd1-0f56-4b3a-b023-2fae75e14b55\" data-portal=\"5442029\" data-id=\"1ff16dd1-0f56-4b3a-b023-2fae75e14b55\"><span class=\"hs-cta-node hs-cta-1ff16dd1-0f56-4b3a-b023-2fae75e14b55\" id=\"hs-cta-1ff16dd1-0f56-4b3a-b023-2fae75e14b55\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/5442029\/1ff16dd1-0f56-4b3a-b023-2fae75e14b55\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-1ff16dd1-0f56-4b3a-b023-2fae75e14b55\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/1ff16dd1-0f56-4b3a-b023-2fae75e14b55.png\" alt=\"CTA\"><\/a><\/span><\/span><!-- end HubSpot Call-to-Action Code --><\/p><\/blockquote><\/div>\n<h2>What Does It Mean for MSPs?<\/h2>\n<p>The scope of the law is pretty narrow for now \u2013 only those managed providers who work with public bodies of Louisiana state. Moreover, the law does not call for any fines or other measures against MSPs who are successfully breached; for now, it's solely informational. However, we believe that this law is a warning to MSPs and MSSPs in the US to start thinking more seriously about their security measures. In the event of a further increase in ransomware attacks, other US states might start to register MSPs. Since public data is considered to be sensitive, it might also be a starting point for the development of the new compliance regulations aimed specifically towards managed providers.<br \/>\nTo sum up, the Louisiana law is a positive move for MSPs and MSSPs who do their job well and take security seriously; however, it might very well be laying the groundwork for more severe laws and compliance regimes in the future for public bodies and the managed providers working with them.<\/p>\n<h2>Conclusion<\/h2>\n<p>Louisiana is the first US state to sign the MSP registration bill. The bill itself is not compliance \u2013 it does not call for fines for managed providers, but it\u2019s an indication to all managed IT providers that states have started to take cybersecurity seriously. Accordingly, it\u2019s time to revise the security measures you take and policies you, as an MSP, apply to your customers and your own security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The managed IT provider business is on the rise in the US, and MSPs are operating in every public and private sector of the economy. Many private-sector organizations working with sensitive data were forced to operate under certain compliance regimes, such as HIPAA for the medical sector. These regimes make strict stipulations about the way [&hellip;]<\/p>\n","protected":false},"author":82,"featured_media":43051,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,884],"tags":[],"class_list":["post-43039","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-msp-business-articles"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/43039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/82"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=43039"}],"version-history":[{"count":0,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/43039\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/43051"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=43039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=43039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=43039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}