Why MSPs Need Their Own Data Processing Agreements
Over the past ten years regulation of data privacy and security has proliferated at the international, federal and state levels. Several industry-based federal regulations have been developed such as HIPAA for healthcare and GLBA for financial services. Other geographically based regulations such as GDPR (EU) and CCPA (California) apply to the personal data of citizens of those jurisdictions. It is often difficult for an MSP to know what regulations its clients may be subject to. Many MSPs develop expertise in common regulatory frameworks to add more value to clients in these desirable vertical markets.
Many MSPs are processing data within these industries as a matter of course. Yet most MSPs either do not have a Data Processing Agreement (DPA) in place with clients subject to the regulations, or they may have signed a data processing agreement presented by the client without understanding what is contained in the agreement. Regulated entities frequently include risk balancing provisions in their DPAs and thereby shift risk to the MSP. MSPs that practice in regulated markets should develop their own data processing agreements and make them available to clients for signature. These agreements need not revisit risk balancing provisions frequently included in a master services agreement between the MSP and its customer.
Many MSPs falsely believe that they do not actually “handle” the data, and therefore are not subject to the regulation. This is not true. Under federal law there is the concept of “permitted access.” The fact that the MSP could access the data is a sufficient trigger to bring the services under the purview of the regulation. Similarly, the term “processing,” when used in connection with privacy protection regulations, is very broad, and almost all of my MSP clients’ activities constitute processing under those regulations. Therefore, the MSP is subject to the regulation by the nature of the relationship between the MSP and the client. When MSPs do business with regulated entities, they themselves become subject to the regulations, which include the requirement to enter into a written data processing agreement with all customers.
MSPs must be proactive regarding Data Processing Agreements early in the contract negotiations. Since it is impossible to know all of the regulations a new client may be subject to, the master services agreement should list the most common privacy and security regulations and expressly disclaim compliance. The best approach is to disclaim any responsibility for compliance with privacy and security regulations unless the client first enters into a written data processing agreement with the MSP. By doing so, the MSP is protected against the client handling regulated data without the knowledge of the MSP. With the proper master agreement terms, should something go wrong, the client must indemnify and hold the MSP harmless for any regulatory claims.
MSPs should only undertake to be compliant with the processor’s obligations under applicable privacy and security regulations while requiring the client to accept the responsibilities of the controller.
A Data Processing Agreement is the best way to document the responsibilities of the parties and to demonstrate compliance with the written agreement requirements contained in the common regulatory frameworks.
One common DPA is the Business Associate Agreement (BAA) required by HIPAA. When doing business with a client in the healthcare industry, it is a common occurrence for the healthcare practice to send a letter to the MSP stating something like “In light of our obligations under HIPAA, all of our clients must sign this agreement…”. The client’s BAA is attached. However, this can be a trap. It is not uncommon for the BAA provided by the client to include language far beyond what is required by the regulation. Some of that language will shift risk and liability from the client to the MSP. These terms will likely conflict with the language in the master agreement. The client is essentially trying to re-negotiate the terms of the master agreement.
For this reason, MSPs should have their own BAA in their contract stack that complies with the regulation and nothing more. The client should be presented that BAA and asked to sign. If the client demands changes to the BAA, the MSP should refuse in most instances.
Over the years, however, many MSPs have received these client-provided BAAs and signed them without much thought. They may be subject to dozens or hundreds of BAAs that contain different language and shift risk to the MSP. In some cases, the regulated entity may attempt to use the BAA to amend the risk balancing terms in a master agreement and shift too much legal and regulatory liability back onto the MSP. It is important for MSPs to review what has been signed in the past and replace them with their own limited BAA.
MSPs should have, in their contract stack, a similar DPA for all vertical industries and geographic markets they serve. During contract negotiations the MSP explains the disclaimers in the master agreement regarding regulatory compliance and lets the client declare the regulations they are subject to. The MSP can then include any DPAs required in the contract stack the client signs or accepts online.
Although this may seem like a lot of paperwork, by managing and maintaining the contract stack in the cloud, the client can electronically sign all documents. Links to supporting documents can be included for ease of reference. Changes to contracts can be managed as a service, with updates being applied on a regular basis. When properly executed, the customer contracting process is collapsed into the sales process, and the web-based terms are incorporated by reference into the quote, order or proposal already in use by the MSP. MSPs using industry-specific quoting tools such as ConnectWise Sell or Tiger Paw can easily incorporate the cloud-based contracts into their proposal templates within the quoting solution.
In summary, MSPs should:
- Include comprehensive language in their master agreement that specifically disclaims compliance with the common regulations.
- Maintain a set of Data Processing Agreements in their contract stack for all regulations the MSP is prepared to comply with.
- Make it standard practice to present the client with the MSP version of the DPA rather than sign one presented by the client.
- Ensure the MSP is operating in accordance with the regulations they are subject to.
- Incorporate a web-based portal for the management and maintenance of the contract stack.
By going through this process, MSPs can establish their practice within those regulated vertical markets. They become the experts to their client. This increases the value of the MSP, as vertically focused MSPs command a higher price during acquisition than those that are not. If you would like to speak with an experienced attorney regarding developing data processing terms for your business, click here to schedule a call.