{"id":44425,"date":"2020-09-15T18:11:37","date_gmt":"2020-09-15T14:11:37","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=44425"},"modified":"2021-04-07T12:44:34","modified_gmt":"2021-04-07T08:44:34","slug":"how-msps-can-limit-liability","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/how-msps-can-limit-liability\/","title":{"rendered":"How Do You Limit Liability as an MSP?"},"content":{"rendered":"<p>Some <a href=\"https:\/\/www.msp360.com\/resources\/blog\/what-is-an-msp\/\">managed IT providers<\/a> think it's obvious that they have limited liability for data breaches, failed hardware, and clients\u2019 data loss. On the other hand, many clients believe that their managed IT providers are totally liable for any of these incidents, and they will go straight to court to sue the MSP for any damage, downtime, or loss. While the court may not be on the side of the clients, a lawsuit is a long and expensive process by itself.<!--more--><br \/>\nIn this article, we will explain how to limit your liability as a managed services provider and define the need for cybersecurity insurance.<\/p>\n<h2>Why Do You Need to Limit Liability?<\/h2>\n<p>First of all, let's define the cases in which you may find yourself in court:<\/p>\n<ul>\n<li><strong>Security breaches<\/strong>, including hacks, phishing, malware spreading due to open ports or other network loopholes, antivirus failures, breached firewall. Even if your client failed to comply with your security strategy, they might want to sue you for that fault.<\/li>\n<li><strong>Lost data<\/strong>, including downtime due to hardware failures, failure to comply with <a href=\"https:\/\/www.msp360.com\/resources\/blog\/rto-vs-rpo-difference\/\">recovery time or recovery point objective<\/a>, loss of backups, non-recoverable backups, partial data losses. 
All of these could be classified as damages leading to downtime, which affects your client\u2019s revenue streams.<\/li>\n<li><strong>Failure to comply with legislation<\/strong>, including <a href=\"https:\/\/www.msp360.com\/resources\/blog\/hipaa-compliant-cloud-backup\/\">HIPAA<\/a>, <a href=\"https:\/\/www.msp360.com\/resources\/blog\/gdpr-overview\/\">GDPR<\/a>, FINRA, or other IT-related regulations. You might think that if your client is not following your security or compliance advice, they are fully responsible for their actions. However, if you read the regulations more carefully, you will see the data processor liability clauses; and, in most cases, a managed IT provider acts as a data processor.<\/li>\n<\/ul>\n<p id=\"last\">Basically, your client may want to sue you in the event of any IT-related incident. And, if not prepared, you will spend thousands of dollars during the lawsuit, and even more if you fail to prove your limited liability. So, here's what you should do.<\/p>\n<h2>Steps to Limit Your Liability<\/h2>\n<h3>Start with the 
Contract<\/h3>\n<p>Your contracts, namely the <a href=\"https:\/\/www.msp360.com\/resources\/blog\/msp-agreement-guide\/\">service level agreement<\/a>, the scope of work, and the master service agreement, should contain clauses that protect you and define your liability.<\/p>\n<h3>Add Clauses and Disclaimers<\/h3>\n<ul>\n<li>You don't want to be responsible for any third-party failures, so you should disclaim responsibility for hardware or software failures caused by any manufacturers or vendors. 
If you read carefully, you will see that the latter disclaim their responsibility as well. That's especially important, since hacks of <a href=\"https:\/\/www.msp360.com\/rmm\/\">RMM solutions<\/a> happen more often.<\/li>\n<li>You should disclaim any hardware and software failures related to backups. If your contract is worded incorrectly, you might be liable for the backup data loss.<\/li>\n<li>If your customer was successfully hacked and their network got infected with <a href=\"https:\/\/www.msp360.com\/resources\/blog\/how-to-be-protected-against-ransomware\/\">ransomware<\/a>, require the client either to pay the ransom for their data or to pay you for the remediation services as per your standard hourly rate. Otherwise, you might find yourself in a situation where you fix their fault for free, as per the standard SLA contract.<\/li>\n<\/ul>\n<p>Note that break\/fix clients still need to sign your service level agreement, the scope of work, and the master service agreement - in other words, the documents containing all the payment and liability information.<\/p>\n<h3>Create Refusal Waivers<\/h3>\n<p>A refusal waiver is a document, either in printed or email form, that your customer signs or answers to if they do not want to comply with or follow the security recommendations you give them. Create several refusal forms and send them to your customers to avoid being sued for gross negligence or weak security measures, or during compliance audits.<br \/>\nMake sure that all discussions about cybersecurity or compliance are put in writing. 
You will need proof if you go to court.<\/p>\n<h3>Check with an Attorney<\/h3>\n<p>Contact a local IT-specialized attorney whenever you:<\/p>\n<ul>\n<li>Create an initial contract.<\/li>\n<li>Change any contractual details.<\/li>\n<li>Are planning to expand to other states.<\/li>\n<li>Land any clients that fall under compliance.<\/li>\n<\/ul>\n<p>Some managed IT providers tend to create their contracts without an attorney\u2019s help, which is not the best idea. An attorney should define a sufficient number of clauses in the right contractual language, which is especially important during any lawsuits.<\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/legal-services-to-msps\/\">The Importance of Legal Services to MSPs Explained<\/a><\/p>\n<h2>Add Insurance<\/h2>\n<p>General and cybersecurity insurance are seen as a waste of money by many MSPs; and indeed, you won't need these in 99% of cases. But the 1% when you need it might put you out of business.<\/p>\n<ul>\n<li>You need general liability, errors and omissions, and cybersecurity insurance. Define the insurance limits on the basis of the risks you are willing to take. The amount will also differ according to your size \u2013 the more data and premises you are managing, the higher will be the cost of insurance and, hence, the limits.<\/li>\n<li>Ask your insurance provider for the right liability, mediation, and other clauses that you will then add into your contract.<\/li>\n<li>Make sure you advise your customers to buy cybersecurity insurance as well. 
That does not directly limit your liability but will help the customer in the event that they experience downtime due to ransomware or human failure.<\/li>\n<\/ul>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/cyber-liability-insurance\/\">Do You Really Need Cyber Liability Insurance?<\/a><\/p>\n<h2>Read a Book<\/h2>\n<p>Joseph Brunsman is an active participant in the managed IT services community and is a cybersecurity and liability expert. He happily answers questions on the <a href=\"https:\/\/www.reddit.com\/r\/msp\/\" target=\"_blank\" rel=\"noopener noreferrer\">r\/MSP subreddit<\/a>, and also provides professional services. Joseph has written a book on cybersecurity, compliance, and cyber-insurance. You can find it for free on <a href=\"https:\/\/cplbrokers.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Joseph\u2019s website<\/a> or buy it <a href=\"https:\/\/www.amazon.com\/Damage-Control-Cyber-Insurance-Compliance\/dp\/057866416X\/ref=sr_1_1?dchild=1&amp;keywords=damage+control+brunsman&amp;qid=1587605873&amp;sr=8-1%20Conclusion\" target=\"_blank\" rel=\"noopener noreferrer\">on Amazon<\/a>.<\/p>\n<h2>Conclusion<\/h2>\n<p>All this attention to contractual and insurance details might sound excessive for an MSP who simply wants to provide the right services to their clients. However, laws and IT compliance requirements are getting stricter each year, cybersecurity incidents are on the rise, and some, though not all, of your clients will believe that their security breach or IT failure is your fault.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some managed IT providers think it&#8217;s obvious that they have limited liability for data breaches, failed hardware, and clients\u2019 data loss. 
On the other hand, many clients believe that their managed IT providers are totally liable for any of these incidents, and they will go straight to court to sue the MSP for any damage, [&hellip;]<\/p>\n","protected":false},"author":82,"featured_media":44428,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,884],"tags":[],"class_list":["post-44425","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-msp-business-articles"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/44425","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/82"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=44425"}],"version-history":[{"count":0,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/44425\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/44428"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=44425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=44425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=44425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}