202203.02

Off

Risk Balancing Provisions in in Managed Services Contracts

in Blogs, IT Transactions, Managed Services Providers, MSP Contracts

fight decision match wooden defeat check think mate object solution hobby politics conquering war t20 dzybWR

The risks for Managed Service Providers are constantly evolving. New cyber threats and regulatory compliance requirements present significant challenges for MSPs. The most important way to mitigate privacy and security risks for Managed Service Providers is by including proper risk balancing provisions into the MSP’s customer contracts. This article explains how limitations of liability, indemnity, and insurance provisions can be used to strike the proper risk balance between the MSP, its client and third-party insurance providers.

A limitation of liability clause is a section of a contract that describes the circumstances under which one party, or the other, can recover damages in the event of a lawsuit. It frequently excludes certain types of damages and caps other types of damages. It may also include carve-outs for types of damages that would be considered uncapped in the event of litigation.

Any good managed services contract will have a very explicit and detailed Limitation of Liability clause. There are some subtleties with respect to the wording of the clause that are unique to the managed services industry. In our contracts, we declare that the provider will not be responsible under any circumstances for indirect or inconsequential damages, such as lost profits or business interruption. There is also no recovery for punitive damages. Both parties should agree that recoverable damages should be limited to direct damages.

However, the definition of direct and indirect damages can be unclear. Some customers may attempt to specifically define certain costs as direct in the event of a data breach. For example, the client may ask to include language that would define the costs for credit monitoring, notice, reputation management, forensics, and legal fees as direct. Managed Service Providers should carefully consider contract changes that re-define as direct damages that would otherwise be considered indirect. It is also very important to consider the MSP’s professional liability coverage when drafting risk balancing provisions in customer contracts for managed services.

In our agreements, we typically recommend that the customer be offered the greater of six months of revenue for the services giving rise to the claim or the available proceeds professional liability insurance. Professional liability insurance is the primary method of risk transfer for the MSP. The MSP will be responsible for claims that are included within their liability for which there is no coverage. However, uncovered claims are limited to the six-months of revenue for services giving rise to the claim. Separate caps for covered and uncovered claims makes sense for both parties.

Another dimension of the Limitation of liability is the “carve-out”. A carve out refers to a category of claim for which the limitation of liability would not apply in the case of litigation. The language would include statements like “except for claims related to gross negligence and willful misconduct…” That “except” language is the carve out; claims that are not included within the limitation of liability and are therefore uncapped.

Carve-outs should be considered very seriously. Anything that is uncapped puts the MSP at greater risk. We strongly discourage any carveouts other than third-party IP claims, gross negligence, and willful misconduct. Any proposed carve-outs should be drafted extremely narrowly.

MSP customer contracts should contain indemnity provisions that clearly set forth what types of claims each party to the contract will be responsible for defending and paying damages or settlements for. We recommend that the MSP’s customer contracts track the indemnity language in the professional liability insurance. For example:

By Provider

Subject to the limitation of liability set forth in the section titled LIMITATION OF LIABILITY, Provider agrees to indemnify and hold Customer harmless from and against all loss, liability, and expense including reasonable attorney’s fees caused by Provider’s:

a) negligent act, error, omission, or misrepresentation;
b) breach of any contractual term implied by law;
c) other act, error or omission giving rise to civil liability arising out of business activities performed for Customer.

We recommend separate indemnity provisions for the MSP and its customer. Intellectual property and privacy and security claims are the most important things to clarify. For example:

By Client

Client shall defend, indemnify and hold Provider harmless against all costs and expenses, including reasonable attorney’s fees, associated with the defense or settlement of any claim that:

a) Provider’s use, access or modifications of any software that Client has requested that Provider use,
b) any claim related to software licensing and software licensing compliance; or
c) any claim related to any federal, state, or international law or regulation involving data privacy, data protection, or data breach to which Client is subject.

MSPs have agreements with many third-party providers that have their own terms and conditions including risk balancing provisions. For this reason, we have developed a schedule of third-party services. The schedule of third-party service providers includes the name of the vendor, the purpose of the vendor’s service, a link to the vendors licensing and end user agreement, and a link to the vendor’s privacy policy. This detailed schedule of third-party service providers contains a waiver of the client’s right to sue the MSP for failures of third-party services.

Managed Service Providers that have not reviewed their customer contract stacks in recent years need to do so now. Many cyber threats and regulatory compliance requirements to which customers and, by extension, MSPs are subject did not exist four years ago. For example, at Scott and Scott, we have implemented updated ransomware language within the past 6 months due to the Kaseya incident.

Managed Service Providers need contracts that will help them win deals, retain customers, and protect the business when something goes wrong. It is part of the sales process. Contracts should have better than market terms and conditions. They should be more transparent and more detailed. Contracts should be more clear about whose responsible for what, and what’s included and excluded.

If you would like to speak with an experienced attorney regarding your contracts, click here to schedule a call.

5on Google,Feb 10, 2024

Salma

good

5on BirdEye,May 01, 2023

Kimberly

You made the entire process so easy! Having a lawyer with Managed Service experience and really knowing our business has been a game changer! I have nothing but great things to say about you!

5on Google,Apr 21, 2023

Mari

5on BirdEye,Apr 21, 2023

Julie and Kelli have been very helpful from beginning to end of the process.

5on BirdEye,Mar 22, 2023

George

Very professional team. I highly recommend them to any MSP.

5on Google,Mar 06, 2023

J&A

5on BirdEye,Mar 01, 2023

Steve

So far, the process has been very seamless. Some minor issues with access to the tool/portal but using incognito mode seems to get us around most of that. The team has been awesome.

5on BirdEye,Feb 07, 2023

Very professional project plan.

5on Google,Nov 19, 2022

Navid

5on Google,Aug 09, 2022

Jureni

5on Google,Jul 29, 2022

Mauricio

Scott & Scott LLP's team is very professional and efficient. Their knowledge and experience are unparalleled when it comes to MTSP/software law. Be sure to use them!

5on Google,Jul 25, 2022

Val

Rob is one of the rare few that successfully operates where the technology industry, business and entrepreneurship, and the law meet, making him an excellent resource for any company working at this unique intersection. As important, he wastes no time or words identifying the root cause of an issue and providing guidance that, without asking, takes the perspective of business, technology, and the law into account before ever being offered.

5on Google,Jan 09, 2022

Brent

Excellent legal advice.

5on Google,Jan 08, 2022

David

5on Google,Dec 29, 2021

Michael

Have used Scott & Scott on a number of different issues over the past few years. They are simply excellent. You would not go wrong using them for your legal needs.