202212.12

Off

MSP Policy & Procedures

in Blogs, Managed Services Providers, MSP Contracts, MSP Risks

MSP Policies & procedures

POLICY & PROCEDURES FOR MANAGED SERVICE PROVIDERS (msp)

With the tightening of data protection laws that followed the introduction of GDPR, enforcement actions have begun to be more widespread.

Heavy penalties are handed out by the Data Protection Authorities. There have already been some big victims, including Marriott and British Airways, who were both handed enormous fines in the UK recently for data breaches and violations of GDPR.

As a managed service provider, it would be wise to take heed of these warnings. The authorities are not just looking for large corporations.

Stay alert and address your policies and procedures if you have not done so already. This should include updating consumer privacy policies, developing robust incident response structures, notifying customers as policies change, understanding all data flows in your company, and tracking the developments of privacy laws.

The fines are too severe to risk noncompliance, and it helps to educate yourself and others in the organization about what needs to be done.

Free Case Evaluation

Information security policies: Purpose and inclusions

An information security policy (ISP) outlines the policies and procedures within your organization to ensure that all users and networks meet minimum IT security and data protection security requirements.

Its main purpose is to protect and limit the distribution of data to authorized personnel only. This is critical for ensuring compliance with regulatory requirements, such as GDPR, HIPAA and CCPA and preventing security incidents like data leaks and data breaches.

An information security policy enables all types of organizations, established and new, to protect their reputations by establishing a general approach to information security and documenting the measures taken.

It also introduces measures to detect and minimize the impact of compromised information assets and to protect customer data.

For MSPs, which generally handle sensitive data, protection may need to be of a higher standard than with other organizations.

Your ISP should address the following aspects of your organization’s IT infrastructure:

All data
Programs
Systems
Facilities
Infrastructure
All users
Third-parties
Fourth-parties

As you can see, even third and fourth parties must be included in your ISP, meaning that it not only addresses elements within your organization – but outside of it too.

Common data protection regulations supported by ISPs

GDPR

The GDPR, which came into being in the EU in May 2018, established a new framework for data protection with new obligations for organizations and a broader scope.

It affects businesses all over the world. Any entity that collects information from any one of the EU states is required to comply.

The GDPR imposes security and privacy obligations on controllers and processors and companies must have a lawful basis to process the data. Clear and explicit consent must be given, including information collected through the use of cookies.

The GDPR also incorporates several consumer rights, including the right to access personal data, the right to be forgotten, the right to rectification, and the right to restrict processing.

Consequences for non-compliance of GDPR

If any breach of data happens or is suspected, companies must inform authorities and data subjects within 72 hours of the breach’s discovery.

The consequences for non-compliance are significant, with fines of up to € 20,000,000 or four percent of global revenues (whichever is higher).

Recommended steps for US businesses to comply with GDPR

Create a data map of personal information
Consider alternative business models
Evaluate data processing activities
Evaluate data retention policies and schedules
Create and update privacy policies and terms and conditions
Develop policies and procedures to facilitates consumer privacy rights
Develop a written cybersecurity program
Review and amend third party contracts
Implement compliance mechanisms

CCPA

The California Consumer Privacy Act (CCPA) was passed in June 2018. The legislation creates significant new requirements for identifying, managing, securing, tracking, producing and deleting consumer privacy information.

It covers any for-profit entity that “collects” or “sells” the personal information of California residents even if it does not do business in California.

Of particular note in the CCPA are the obligations for covered entities. These include:

The need to provide notice at or before data collection of:
- - Categories of personal information to be collected
  - The commercial purpose for which it will be used
  - A link titled “Do Not Sell My Personal Information” opt-out mechanism
  - Link to the business’s privacy policy
A publicly accessible and annually updated Privacy Policy
45-day information request response
Employee training
Opt-in consent related to children’s personal information
Non-discrimination against consumers

The CCPA also creates several rights for consumers, including:

The right to know/access and portability
Right to deletion
Right to opt-out of sale
Right to be free from discrimination

Consequences for non-compliance of CCPA

The California Attorney General, as chief enforcer of the CCPA, can pursue civil penalties of up to $7,500 for each violation by an organization. This likely extends to each affected individual.

New York SHIELD Act

The New York SHIELD Act stands for Stop Hacks and Improve Electronic Data Security Act.

This came into effect in March 2020, amending New York State's previous data breach notification law, which covered breaches of certain personally-identifiable computerized data (“private information”).

It applies to any business that collects the private information of NY residents. Each business must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

The “private information” referred to now includes:

Biometric information
Account, credit, or debit card number
Username or e-mail with a password or security question and answer

PIPEDA (Canada)

The Personal Information Protection and Electronic Documents Act (PIPEDA) came into being in 2015 and was amended in 2018 to help guard Canadians' private data stored by US-based services.

It sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada.

Private organizations must now maintain a record of all security incidents involving personal data for 24 months after the date the breach is confirmed. Penalties for improper record-keeping can be up to $100,000.

CASL (Canada)

The CASL legislation requires consent to send commercial electronic messages to an email account, telephone account or instant messaging account.

It applies to any computer system in Canada used to send CEMs and messages must include a compliant unsubscribe process.

The legislation can lead to fines of up to $10 million for transgressions.

Data breach incident response plan

Data Breech Policies & Procedures Even companies that have implemented the most advanced security initiatives are not immune from data breaches.

If your business collects, uses, maintains, or stores electronic data, it is at risk of a security incident – and if that involves client or customer data, you could face severe penalties.

A data breach response plan helps MSP businesses prepare for and mitigate the liability, costs, and brand-damage associated with data security breaches or incidents.

How to respond to a data breach

If you just discovered that your business has experienced a data breach, it is important to address three major areas as follows

Secure your operations

Assemble a team of experts to conduct a comprehensive breach response – this may include a data forensics team and legal counsel
Secure physical areas that may be related to the breach and change access codes
Remove improperly posted information from the web
Interview those who discovered the breach
Never destroy any evidence

Fix vulnerabilities

Decide if you need to change access privileges of third-party service providers
Check your network segmentation so that you can effectively contain a breach if it happens again
Work with forensics experts on encryption, backup and preserved data and review policies/access privileges

Notify the appropriate parties

Create a communications plan to inform employees, customers, investors, business partners, and other stakeholders about the breach
Notify law enforcement and any other affected businesses or individuals – check your state and federal legal requirements concerning this
Check if you’re covered by the Health Breach Notification Rule and, if so, notify the FTC and, if applicable, the media

Acceptable Use Policy (AUP)

An acceptable use policy details the constraints and practices that a user must agree to for access to a corporate network or the Internet.

MSP businesses should require that clients and third parties sign an acceptable use policy before being granted a network ID.

Why do you need an AUP?

An acceptable use policy reduces the risks of allowing clients or third parties to access a corporate network or the Internet.

It establishes the rules of conduct that all users of the network must abide by and details what type of data they can use.

A EULA is generally used for a single piece of software but an AUP applies to entire networks, detailing how users are expected to behave while using a business's resources.

What should be included in an AUP?

The following elements should be included in an acceptable use policy document:

General restrictions – what type of access or usage is forbidden e.g., bypassing device and network security, disclosing confidential information, etc.
Software installation rules – what is allowed and what isn’t
BYOD and remote work policy – how clients can securely access your network remotely and what they must do with any devices that they introduce to your network
Consequences of AUP breaches – what will happen if someone abuses their privileges?

Free Case Evaluation

5on Google,Feb 10, 2024

Salma

good

5on BirdEye,May 01, 2023

Kimberly

You made the entire process so easy! Having a lawyer with Managed Service experience and really knowing our business has been a game changer! I have nothing but great things to say about you!

5on Google,Apr 21, 2023

Mari

5on BirdEye,Apr 21, 2023

Julie and Kelli have been very helpful from beginning to end of the process.

5on BirdEye,Mar 22, 2023

George

Very professional team. I highly recommend them to any MSP.

5on Google,Mar 06, 2023

J&A

5on BirdEye,Mar 01, 2023

Steve

So far, the process has been very seamless. Some minor issues with access to the tool/portal but using incognito mode seems to get us around most of that. The team has been awesome.

5on BirdEye,Feb 07, 2023

Very professional project plan.

5on Google,Nov 19, 2022

Navid

5on Google,Aug 09, 2022

Jureni

5on Google,Jul 29, 2022

Mauricio

Scott & Scott LLP's team is very professional and efficient. Their knowledge and experience are unparalleled when it comes to MTSP/software law. Be sure to use them!

5on Google,Jul 25, 2022

Val

Rob is one of the rare few that successfully operates where the technology industry, business and entrepreneurship, and the law meet, making him an excellent resource for any company working at this unique intersection. As important, he wastes no time or words identifying the root cause of an issue and providing guidance that, without asking, takes the perspective of business, technology, and the law into account before ever being offered.

5on Google,Jan 09, 2022

Brent

Excellent legal advice.

5on Google,Jan 08, 2022

David

5on Google,Dec 29, 2021

Michael

Have used Scott & Scott on a number of different issues over the past few years. They are simply excellent. You would not go wrong using them for your legal needs.