Managed Service Providers (MSPs) play a special role in many organizations. They may be a trusted advisor, provide specific services for which an organization lacks expertise or offer a workforce embedded within the organization as part of the team.
When an MSP is breached, it can have several lasting and damaging consequences. There’s a compromise of trust across all of an MSP’s customers, which can be compounded by regulatory impacts when covered data is exfiltrated or misappropriated.
In this article, we’ll review why MSPs are high-value targets, the consequences of a breach and many of the sources of legal impacts on MSPs for breaches they sustain.
An MSP's role as a trusted advisor and subject matter expert makes it a critical partner for most organizations. In many ways, MSPs are a part of the overall corporate team. In gaining organizational trust, they are able to scale operations and work with numerous partners.
That trusted position, along with their access to a wealth of data, makes MSPs an attractive target for cybercriminals. It also makes them especially susceptible to risks resulting from the imposition of legal liability.
A cybersecurity breach can have significant, long-lasting ramifications for MSPs, including:
Black's Law Dictionary defines liability as “[t]he state of being bound or obliged in law or justice to do, pay, or make good something; legal responsibility.” This definition tacitly assumes that an obligation has been breached, that the breach gives rise to a further obligation and that this obligation is a legal responsibility.
There are many sources of liability imposed by the law. The main ones outlined here will be those imposed by civil regulation, contract, tort and criminal law. Let’s dig into each of those sources and outline how liability is imposed and what that typically looks like.
Regulatory liability is a result of a law being passed to address an issue. That law empowers a government to create rules for the implementation of the purpose and effect of the law. Those rules are called regulations.
In the U.S., regulations can exist at the federal and state levels. At the federal level, the Code of Federal Regulations is the canonical source of truth for regulatory text. States, cities, townships and other political subdivisions smaller than a State also have their own bodies of regulations, many of which can be found online. For companies that operate internationally, it is helpful to view bodies of law and regulatory frameworks from other countries that govern liability in jurisdictions outside the U.S.
There are a few federal sources of regulatory liability imposed for security breaches:
It will be interesting to see what the future holds for these regulations and proclamations. Currently, the efforts appear disjointed and uncoordinated: they pursue the goal of eliminating cyberthreats through penalties that disincentivize companies from resolving threats, rather than by encouraging companies to address threats proactively.
States also have regulatory authority within their borders, and many have passed data protection legislation, some of which carries financial penalties enforced by the state Attorneys General. Most of that legislation requires reporting defined incidents to state bodies. Some states even post information about those incidents publicly. Texas has gone a step further and, through TX-RAMP, prescribes minimum security practices that must be followed by organizations within its borders.
Contracts are powerful tools. Two or more parties can make commitments, and those commitments are enforceable. There are exceptions, like illegal terms or terms that violate public policy. However, by and large, contracts are enforceable.
Contracts are typically self-contained vehicles. That means they contain the terms of the commitments, the remuneration (or consideration) for performing them and the penalties for not performing them.
Among other things, two parties can agree to security terms. Those terms can include minimum security baseline standards, audits to prove those standards and penalties or damages for failure of those standards or exfiltration and misappropriation of data.
HIPAA mandates a specific contractual vehicle for the transfer, processing, storage and manipulation of PHI between a Covered Entity, the organization that owns the data, and a Business Associate. That contractual vehicle is called a Business Associate Agreement, or BAA. A BAA must contain provisions for termination in the event of a breach of PHI and a way for the parties to securely transfer or dispose of data to conclude the relationship.
A tort is a class of liability that arises out of an injury committed by one party against another. That injury can be defined by written law or by common law, the body of historical case law applicable to an issue.
As applied to information security, tort claims by individuals can be tenuous. There must be a non-speculative injury for a tort claim to succeed. Therefore, for an individual to succeed at a tort claim, they have to be able to demonstrate that they were directly injured by the breach.
Put differently, where a breach results only in the loss of an individual’s data, there’s no tangible damage yet. The damage is entirely speculative until the data is, in fact, used and that use harms the individual. That use must then be tied back to a specific breach event, which is largely impossible given the volume of freely available personal data.
Cue the class action lawsuit. Class action lawsuits are brought by an attorney on behalf of an individual who represents the class: a group of people who have been harmed by an issue but whose individual harm doesn’t make a suit financially viable.
Class action lawsuits can penalize companies for failing to adequately protect the data they hold in the form of multi-million-dollar verdicts. Most of that money ultimately goes to the attorneys and named plaintiffs, with a paltry sum being distributed to identified class members. So they’re not great vehicles for making someone whole when they’ve been damaged. They are decent vehicles for disincentivizing tortious behavior.
Tort suits between companies are significantly less tenuous. Where an MSP is breached, and it provides trusted services to many companies, that trust can be compromised. It can also result in the diminution of the hiring companies’ reputations, lost profits, cessation of operations and other tortious damage. Depending on the facts and the quality of the wrong, companies can successfully sue each other for tort claims arising out of a breach.
Until 2022, most companies rarely associated “crime” and “cybersecurity” other than to say that threat actors were cybercriminals. That changed with the conviction of Joseph Sullivan, Uber’s former CISO, for obstruction of justice.
That charge stemmed from Sullivan’s role, during the 2016 Uber breach, in thwarting federal law enforcement’s investigation, which allowed the same cybercriminals to carry out additional similar attacks that were easily preventable.
The facts in that case were egregious and amplified by the fact that Sullivan was a veteran U.S. Attorney who prosecuted cybercrime for decades. Still, the findings in that case seem to indicate that anyone who impedes a federal investigation into a cyber incident could be prosecuted for obstruction of justice.
Where case law requires an active impediment to an investigation, CIRCIA seems to provide broader grounds for obstruction of justice and contempt charges. CISA is tasked with developing and implementing regulations, which it is presently doing. CIRCIA contemplates that failure to provide responsive information to a CISA investigation could result in contempt charges and financial penalties or incarceration.
It’s an interesting approach to information gathering and one that is used in other regulations to compel organizational cooperation. It will be interesting to see what the final regulations empower CISA to do and the scope of its authority.
Those sources of liability impact all organizations roughly equally. Whether you’re a contracting entity, MSP, Covered Entity, Business Associate, publicly traded company or qualify as Critical Infrastructure, those sources of liability will result in financial, administrative and criminal penalties.
MSPs have the unique problem of these issues happening at scale. Where many organizations deal with their own information, MSPs generally possess, use and manipulate the information of many different organizations. That amplifies the volume of breaches, the breach of many contracts, the imposition of tortious liability for many different harms and the increased possibility of being found to obstruct large-scale investigations.
So, where MSPs don’t have any special quality of responsibility, they have special quantities of responsibilities. The scale of the issues amplifies MSPs' risks.
Mitigating those risks, then, falls to expensive insurance plans and threat mitigation strategies. MSPs can’t afford to be complacent; when they are, they risk damaging impacts up to and including bankruptcy.
Your MSP can mitigate the consequences of a cybersecurity breach by developing effective incident response and disaster recovery plans. Clear procedures enable you to respond quickly and efficiently before, during and after an incident or disaster to minimize damage, protect data and preserve operations.
These plans should be well-defined, specifically dictating who will perform which actions if an incident occurs. Your incident response plan should focus on proactive steps that stop issues before they happen. Your plan should include:
A disaster recovery plan builds on your incident response procedures by outlining details for proactive data backup, risk management and asset inventorying. Your response and recovery plans should also prioritize cybersecurity insurance to reduce financial and legal risks.
Effective incident response and disaster recovery plans are critical for MSPs that operate alongside numerous organizations simultaneously. As you improve your risk management processes, you can avoid breaches and mitigate the impact of attacks. Phin Security is dedicated to helping your organization create a cybersecurity-first culture. Try our platform for free to see how our security training programs can enhance your cybersecurity posture.