Managed Service Providers: Risk Management and Limitation of Liability
Limiting Liability Is Key
Many managed service providers feel certain that their liability for client damages – such as hardware failures, loss of client data, and data breaches – is quite limited, while many clients are eager to litigate for any ensuing downtime and/or other losses.
Even if the court ultimately upholds your position, a lawsuit can throw an expensive and time-consuming wrench into the works. The world is unpredictable, and technology tends to make it more so. Limiting your liability as an MSP is essential, and cybersecurity insurance plays an important role in the process.
If you do find yourself in court, one of the following is likely to be the impetus:
- Data Loss – A data loss often translates to client downtime, which, in turn, translates to compromised revenue streams, and this obviously speaks to your clients. Data can be lost as a result of hardware failures, backup failures, backup losses and/or non-recoverable backups, and compliance failures (related to recovery-point objectives and/or to recovery times).
- A Security Breach – Security breaches come in many forms that can include hackers, phishing expeditions, firewalls that are breached, antivirus failures, open ports that allow malware to spread (and other loopholes in networks), and much more. Even if the breach was the direct result of a client’s failure to comply with your established security protocols, it may not stop them from taking you to court.
- Legislation Noncompliance – When it comes to MSPs, there is plenty of legislation in place, and you also naturally have compliance protocols in place. If you have a client who goes rogue, however, it does not necessarily mean that you are off the hook in terms of your liability. In fact, standard data processor liability clauses may not be in your favor.
Ultimately, if a client runs into a technology-related issue and is feeling litigious, it can lead to serious setbacks for you. This is true whether you prevail in court or not, but if you are found liable, the matter obviously becomes that much more serious.
How to Go About Limiting Your Liability
You recognize that you need to limit your liability as an MSP, but you’re likely confused about how to go about doing so. Fortunately, there are some universal guidelines that apply across the board, including:
- Your Contract Matters – When it comes to risk management, it’s important to start at the very beginning with your master service agreement and your contract or service level agreement, which should carefully define your liability while clearly delineating the scope of the work you provide. Using a one-size-fits-all boilerplate contract is ill-advised.
- Carefully Consider Clauses and Disclaimers – Disclaiming responsibility for hardware and/or software failures that are related to the manufacturer or vendor (both of whom are almost certainly also including their own disclaimers predicated on damaging hacks of remote monitoring and management solutions, which are fairly common) is fundamental to liability-limiting efforts. Your clauses and disclaimers should also include language about backup-related failures to help protect you from a liability over which you have little to no control.
- Address Ransomware – If you don’t directly address successful ransomware infections, you could find yourself footing the bill for the remediation services you provide in their wake (which is standard in many service level agreements).
Ultimately, you’ll need your clients to sign a comprehensive suite of contracts that include your service level agreement, scope of work document, and master service agreement. Finally, don’t neglect your refusal waivers.
These are either hard copy or electronic documents that your clients must either sign or respond to (in a return email) in the event they choose to eschew your security recommendations. All of these components help ensure that you have a solid paper trail and a robust defense if you do face a liability issue.
A Good Time to Consult with an Experienced MSP Attorney
It’s a good time to consult with a dedicated MSP attorney if you are doing any of the following:
- Creating an initial contract
- Considering modifying any contractual details
- Considering expanding your services to additional states/countries
Contracts are highly specific legal documents that are often the most important weapon in your liability-limiting arsenal, and are best left to legal professionals with experience in their careful creation.
Make Insurance Part of Your Client Contracts
In addition to including the requirement that your clients purchase first-party insurance for cyber liability, it’s imperative that you include the following insurance-related provisions:
- Disclaimers for software and/or hardware issues caused by third-party publishers and manufacturers
- Disclaimers for software and/or hardware backup-related issues (requiring local backups of all essential data in addition to the backup services you provide is highly recommended – data loss and compromise are among the highest risk factors for MSPs)
- Specific requirements for your clients’ first-party insurance coverage
- Specific requirements that spell out your clients’ responsibility for paying any ransom required – or for paying your current hourly rate for your remediation services
Protect Yourself while Protecting Your Clients
As a managed service provider, you need professional liability insurance, which is essential to risk management and helps protect you from liability while you concentrate on providing your clients with the quality services upon which you’ve built your brand.
Skilled MSP attorneys have the requisite experience and legal prowess to help you obtain the necessary coverage and to carefully craft customer contracts that help balance your risk with potential growth. With that kind of professional backing, you can move forward – confident in the knowledge that you have implemented robust protections that support your best interests.