Managed Service Providers (MSPs) play a special role in many organizations. They may be a trusted advisor, provide specific services for which an organization lacks expertise or offer a workforce embedded within the organization as part of the team.
When an MSP is breached, it can have several lasting and damaging consequences. There’s a compromise of trust across all an MSP’s customers, which can be compounded by regulatory impacts when covered data is exfiltrated or misappropriated.
In this article, we’ll review why MSPs are high-value targets, the consequences of a breach and many of the sources of legal impacts on MSPs for breaches they sustain.
Understanding Cybersecurity Breaches for MSPs
An MSP's role as a trusted advisor and subject matter expert makes it a critical partner for most organizations. In many ways, MSPs are a part of the overall corporate team. In gaining organizational trust, they are able to scale operations and work with numerous partners.
That trusted position, along with their access to a wealth of data, makes MSPs an attractive target for cybercriminals. It also makes them especially susceptible to risks resulting from the imposition of legal liability.
The Consequences of a Cybersecurity Breach
A cybersecurity breach can have significant, long-lasting ramifications for MSPs, including:
- Data loss: A breach immediately impacts data integrity, affecting its accuracy, quality and completeness.
- Decline of client trust: Cybersecurity breaches and the data loss that often results from them can erode client trust and damage reputations.
- Penalties for noncompliance: MSPs could face severe financial penalties if they fail to comply with federal and state regulations that could have prevented a breach.
- Legal consequences: In addition to noncompliance penalties, MSPs that experience a breach may face lawsuits, audits, sanctions and other legal action.
- Missed opportunities: Breaches can consume resources, lead to lost revenue and cause extensive downtime, greatly affecting business operations and growth.
Sources of Liability
Black's Law Dictionary defines liability as “[t]he state of being bound or obliged in law or justice to do, pay, or make good something; legal responsibility.” This definition tacitly assumes that an obligation has been breached, that breach leads to an obligation and that obligation is a legal responsibility.
There are many sources of liability imposed by the law. The main ones outlined here will be those imposed by civil regulation, contract, tort and criminal law. Let’s dig into each of those sources and outline how liability is imposed and what that typically looks like.
Regulation
Regulatory liability is a result of a law being passed to address an issue. That law empowers a government to create rules for the implementation of the purpose and effect of the law. Those rules are called regulations.
In the U.S., regulations can exist at the federal and state levels. At the federal level, the Code of Federal Regulations is the canonical source of truth for regulatory text. States, cities, townships and other political subdivisions smaller than a State also have their own bodies of regulations, many of which can be found online. For companies that operate internationally, it is helpful to view bodies of law and regulatory frameworks from other countries that govern liability in jurisdictions outside the U.S.
There are a few federal sources of regulatory liability imposed for security breaches:
- Health Insurance Portability and Accountability (HIPAA): Created in 1996, HIPAA is the longest-standing federal regulation. The Centers for Medicare and Medicaid Services (CMS) promulgated HIPAA regulations, supporting the Privacy and Security rules that impose minimum baseline technical, administrative and physical standards to protect the confidentiality, integrity and availability of a subset of sensitive identifiable health information called Protected Health Information (PHI). The Privacy Rules impose contractual and operational requirements to safeguard PHI too.
- Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: Publicly traded companies must adhere to rules outlined by the Securities and Exchange Commission (SEC) to address cyberthreats. These rules enhance and standardize cybersecurity practices such as risk management, governance and incident reporting. It requires companies to disclose cybersecurity incidents and describe processes for assessing and managing risk.
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): CIRCIA was signed into law in 2022. It requires the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations for critical infrastructure. Entities must participate in incident reporting to avoid liability issues.
- Sanction risks: The Department of the Treasury has not issued regulations about cybersecurity, but it has issued guidance to companies paying ransoms. If any company pays a ransom to a group that is on the restricted or terrorist watch lists, the company can face sanction risks. The Department of the Treasury could impose civil penalties for sanction violations.
It will be interesting to see what the future holds for these regulations and proclamations. Currently, the efforts appear disjointed and uncoordinated with the purpose of eliminating cyberthreats by disincentivizing companies from resolving threats instead of proactively addressing threats.
States also have regulatory authority within their borders, and many have passed data protection legislation, some of which carries financial penalties enforced by the States’ Attorney General. Most of that legislation requires reporting defined incidents to state bodies. Some states even post information about those incidents publicly. Texas has gone a step further and, through TX-RAMP, prescribes minimum security practices that must be followed by organizations within its borders.
Contract
Contracts are powerful tools. Two or more parties can make commitments, and those commitments are enforceable. There are exceptions, like illegal terms or terms that violate public policy. However, by and large, contracts are enforceable.
Contracts are typically self-contained vehicles. That means they contain the terms of the commitments, the remuneration (or consideration) for performing them and the penalties for not performing them.
Among other things, two parties can agree to security terms. Those terms can include minimum security baseline standards, audits to prove those standards and penalties or damages for failure of those standards or exfiltration and misappropriation of data.
HIPAA mandates specific contractual vehicles for the transfer, processing, storage and manipulation of PHI from a Covered Entity, the organization that owns the data, and a Business Associate. That contractual vehicle is called a Business Associate Agreement, or BAA. A BAA must contain provisions for the termination in the event of a Breach of PHI and a way for the parties to securely transfer or dispose of data to conclude the relationship.
Tort
The tort is a class of liability that arises out of an injury committed by one party to another. That injury can be defined by written law or common law, which is the body of applicable historical case law to an issue.
As applied to information security, tort claims by individuals can be tenuous. There must be a non-speculative injury for a tort claim to succeed. Therefore, for an individual to succeed at a tort claim, they have to be able to demonstrate that they were directly injured by the breach.
Put differently, where a breach results in the loss of their data, there’s no tangible damage. It’s entirely speculative until the data is, in fact, used and that use harms the individual. That use must then be tied back to a specific breach event, which is largely impossible given the volume of freely available personal data.
Cue the class action lawsuit. Class action lawsuits are brought by an attorney on behalf of an individual who represents the class: a group of people who have been harmed by an issue but whose individual harm doesn’t make a suit financially viable.
Class action lawsuits can penalize companies for failing to adequately protect the data they hold in the form of multi-million-dollar verdicts. Most of that money ultimately goes to the attorneys and named plaintiffs, with a paltry sum being distributed to identified class members. So they’re not great vehicles for making someone whole when they’ve been damaged. They are decent vehicles for disincentivizing tortious behavior.
Tort suits between companies are significantly less tenuous. Where an MSP is breached, and it provides trusted services to many companies, that trust can be compromised. It can also result in the diminution of the hiring companies’ reputations, lost profits, cessation of operations and other tortious damage. Depending on the facts and the quality of the wrong, companies can successfully sue each other for tort claims arising out of a breach.
Criminal Law
Until 2022, most companies rarely associated “crime” and “cybersecurity” other than to say that threat actors were cybercriminals. That changed with the conviction of Joseph Sullivan, Uber’s former CISO, for obstruction of justice.
That claim stemmed from Joseph’s role in the 2016 Uber breach to thwart federal law enforcement’s investigation, which led to additional similar attacks by the same cybercriminals that were easily preventable.
The facts, in that case, were egregious and amplified by the fact that Joseph was a veteran U.S. Attorney who prosecuted cybercrime for decades. Still, the findings, in that case, seem to indicate that anyone who impedes a federal investigation into a cyber incident could be prosecuted for obstruction of justice.
Where caselaw requires active impediments, the CIRCIA seems to provide broader obstruction of justice and contempt charges. CISA is tasked with developing and implementing regulations—which it is presently doing. CIRCIA contemplates that failure to provide responsive information to a CISA investigation could result in contempt charges and financial penalties or incarceration.
It’s an interesting approach to information gathering and one that is used in other regulations to compel organizational cooperation. It will be interesting to see what the final regulations empower CISA to do and the scope of its authority.
How Do These Liability Sources Impact MSPs Specifically?
Those sources of liability impact all organizations roughly equally. Whether you’re a contracting entity, MSP, Covered Entity, Business Associate, publicly traded company or qualify as Critical Infrastructure, those sources of liability will result in financial, administrative and criminal penalties.
MSPs have the unique problem of these issues happening at scale. Where many organizations deal with their own information, MSPs generally possess, use and manipulate the information of many different organizations. That amplifies the volume of breaches, the breach of many contracts, the imposition of tortious liability for many different harms and the increased possibility of being found to obstruct large-scale investigations.
So, where MSPs don’t have any special quality of responsibility, they have special quantities of responsibilities. The scale of the issues amplifies MSPs' risks.
Mitigating those risks, then, falls to expensive insurance plans and threat mitigation strategies. MSPs can’t afford to be complacent and risk damaging impacts such as bankruptcy when they are.
Incident Response and Disaster Recovery
Your MSP can mitigate the consequences of a cybersecurity breach by developing effective incident response and disaster recovery plans. Clear procedures enable you to respond quickly and efficiently before, during and after an incident or disaster to minimize damage, protect data and preserve operations.
These plans should be well-defined, specifically dictating who will perform which actions if an incident occurs. Your incident response plan should focus on proactive steps that stop issues before they happen. Your plan should include:
- Constant monitoring
- Comprehensive cybersecurity training for employees
- Clear and frequent communication between departments
- Fostering a cybersecurity-aware culture
A disaster recovery plan builds on your incident response procedures by outlining details for proactive data backup, risk management and asset inventorying. Your response and recovery plans should also prioritize cybersecurity insurance to reduce financial and legal risks.
Defend Your MSP With Help From Phin Security
Effective incident response and disaster recovery plans are critical for MSPs that operate alongside numerous organizations simultaneously. As you improve your risk management processes, you can avoid breaches and mitigate the impact of attacks. Phin Security is dedicated to helping your organization create a cybersecurity-first culture. Try our platform for free to see how our security training programs can enhance your cybersecurity posture.
