POLICY & PROCEDURES FOR MANAGED SERVICE PROVIDERS (msp)
With the tightening of data protection laws that followed the introduction of GDPR over two years ago, enforcement actions have already begun to be more widespread.
Heavy penalties are handed out by the Data Protection Authorities. There have already been some big victims, including Marriott and British Airways, who were both handed enormous fines in the UK recently for data breaches and violations of GDPR.
As a managed service provider, it would be wise to take heed of these warnings. The authorities are not just looking for large corporations.
Stay alert and address your policies and procedures if you have not done so already. This should include updating consumer privacy policies, developing robust incident response structures, notifying customers as policies change, understanding all data flows in your company, and tracking the developments of privacy laws.
The fines are too severe to risk noncompliance and it helps to educate yourself and others in the organization about what needs to be done.
Information security policies: Purpose and inclusions
An information security policy (ISP) outlines the policies and procedures within your organization to ensure that all users and networks meet minimum IT security and data protection security requirements.
Its main purpose is to protect and limit the distribution of data to authorized personnel only. This is critical for ensuring compliance with regulatory requirements, such as GDPR, HIPAA and CCPA and preventing security incidents like data leaks and data breaches.
An information security policy enables all types of organizations, established and new, to protect their reputations by establishing a general approach to information security and documenting the measures taken.
It also introduces measures to detect and minimize the impact of compromised information assets and to protect customer data.
For MSPs, which generally handle sensitive data, protection may need to be of a higher standard than with other organizations.
Your ISP should address the following aspects of your organization’s IT infrastructure:
- All data
- All users
As you can see, even third and fourth parties must be included in your ISP, meaning that it not only addresses elements within your organization – but outside of it too.
Common data protection regulations supported by ISPs
The GDPR, which came into being in the EU in May 2018, established a new framework for data protection with new obligations for organizations and a broader scope.
It affects businesses all over the world. Any entity that collects information from any one of the EU states is required to comply.
The GDPR also incorporates several consumer rights, including the right to access personal data, the right to be forgotten, the right to rectification, and the right to restrict processing.
Consequences for non-compliance of GDPR
If any breach of data happens or is suspected, companies must inform authorities and data subjects within 72 hours of the breach’s discovery.
The consequences for non-compliance are significant, with fines of up to € 20,000,000 or four percent of global revenues (whichever is higher).
Recommended steps for US businesses to comply with GDPR
- Create a data map of personal information
- Consider alternative business models
- Evaluate data processing activities
- Evaluate data retention policies and schedules
- Create and update privacy policies and terms and conditions
- Develop policies and procedures to facilitates consumer privacy rights
- Develop a written cybersecurity program
- Review and amend third party contracts
- Implement compliance mechanisms
The California Consumer Privacy Act (CCPA) was passed in June 2018. The legislation creates significant new requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information.
It covers any for-profit entity that “collects” or “sells” the personal information of California residents even if it does not do business in California.
Of particular note in the CCPA are the obligations for covered entities. These include:
- The need to provide notice at or before data collection of:
- Categories of personal information to be collected
- The commercial purpose for which it will be used
- A link titled “Do Not Sell My Personal Information” opt-out mechanism
- 45-day information request response
- Employee training
- Opt-in consent related to children’s personal information
- Non-discrimination against consumers
The CCPA also creates several rights for consumers, including:
- The right to know/access and portability
- Right to deletion
- Right to opt-out of sale
- Right to be free from discrimination
Consequences for non-compliance of CCPA
The California Attorney General, as chief enforcer of the CCPA, can pursue civil penalties of up to $7,500 for each violation by an organization. This likely extends to each affected individual.
New York SHIELD Act
The New York SHIELD Act stands for Stop Hacks and Improve Electronic Data Security Act.
This came into effect in March 2020, amending New York State's previous data breach notification law, which covered breaches of certain personally-identifiable computerized data (“private information”).
It applies to any business that collects the private information of NY residents. Each business must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”
The “private information” referred to now includes:
- Biometric information
- Account, credit, or debit card number
- Username or e-mail with a password or security question and answer
The Personal Information Protection and Electronic Documents Act (PIPEDA) came into being in 2015 and was amended in 2018 to help guard Canadians' private data stored by US-based services.
It sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.
Private organizations must now maintain a record of all security incidents involving personal data for 24 months after the date the breach is confirmed. Penalties for improper record-keeping can be up to $100,000.
The CASL legislation requires consent to send commercial electronic messages to an email account, telephone account or instant messaging account.
It applies to any computer system in Canada used to send CEMs and messages must include a compliant unsubscribe process.
The legislation can lead to fines of up to $10 million for transgressions.
Data breach incident response plan
Even companies that have implemented the most advanced security initiatives are not immune from data breaches.
If your business collects, uses, maintains, or stores electronic data, it is at risk of a security incident – and if that involves client or customer data, you could face severe penalties.
A data breach response plan helps MSP businesses prepare for and mitigate the liability, costs, and brand-damage associated with data security breaches or incidents.
How to respond to a data breach
If you just discovered that your business has experienced a data breach, it is important to address three major areas as follows
- Secure your operations
- Assemble a team of experts to conduct a comprehensive breach response – this may include a data forensics team and legal counsel
- Secure physical areas that may be related to the breach and change access codes
- Remove improperly posted information from the web
- Interview those who discovered the breach
- Never destroy any evidence
- Fix vulnerabilities
- Decide if you need to change access privileges of third-party service providers
- Check your network segmentation so that you can effectively contain a breach if it happens again
- Work with forensics experts on encryption, backup and preserved data and review policies/access privileges
- Notify the appropriate parties
- Create a communications plan to inform employees, customers, investors, business partners, and other stakeholders about the breach
- Notify law enforcement and any other affected businesses or individuals – check your state and federal legal requirements concerning this
- Check if you’re covered by the Health Breach Notification Rule and, if so, notify the FTC and, if applicable, the media
Acceptable Use Policy (AUP)
An acceptable use policy details the constraints and practices that a user must agree to for access to a corporate network or the Internet.
MSP businesses should require that clients and third parties sign an acceptable use policy before being granted a network ID.
Why do you need an AUP?
An acceptable use policy reduces the risks of allowing clients or third parties to access a corporate network or the Internet.
It establishes the rules of conduct that all users of the network must abide by and details what type of data they can use.
A EULA is generally used for a single piece of software but an AUP applies to entire networks, detailing how users are expected to behave while using a business's resources.
What should be included in an AUP?
The following elements should be included in an acceptable use policy document:
- General restrictions – what type of access or usage is forbidden e.g., bypassing device and network security, disclosing confidential information, etc.
- Software installation rules – what is allowed and what isn’t
- BYOD and remote work policy – how clients can securely access your network remotely and what they must do with any devices that they introduce to your network
- Consequences of AUP breaches – what will happen if someone abuses their privileges?