Cybersecurity Breaches and Legal Ramifications for MSPs
Managed Service Providers (MSPs) play a special role in many organizations. They may be a trusted advisor, provide specific services for which an organization lacks expertise, and provide a workforce embedded within the organization as part of the team.
When an MSP is breached, there’s obviously a compromise of trust. Typically, that compromise happens across all of an MSP’s customers at once. That breach of trust can be compounded by regulatory impacts where covered data is exfiltrated or misappropriated.
In this article, we’ll review many of the sources of legal impacts to MSPs for breaches they sustain. It won’t be an exhaustive list, but it will cover the major sources of liability for MSPs and their staff.
Sources of Liability
When talking about liability and legal ramifications, I like to use the Black’s Law Dictionary definition of liability, which is “[t]he state of being bound or obliged in law or justice to do, pay, or make good something; legal responsibility.” It tacitly assumes that an obligation has been breached, that the breach gives rise to a further obligation, and that this obligation is a legal responsibility.
There are many sources of liability imposed by the law. The main ones outlined here will be those imposed by civil regulation, contract, tort, and criminal law. Let’s dig into each of those sources and outline how liability is imposed and what that typically looks like.
Regulatory liability is a result of a law being passed to address an issue. That law empowers a federal agency to create rules for the implementation of the purpose and effect of the law. Those rules are called regulations.
In the U.S., regulations can exist at the federal and state levels. At the federal level, the Code of Federal Regulations is the canonical source of truth for regulatory text. States also have their bodies of regulations, many of which can be found online. Cities, Townships, and other political subdivisions smaller than a State do as well, but for the purposes of this article, those are largely immaterial.
Other countries also have bodies of law and regulatory frameworks that govern liability in jurisdictions outside the U.S. While those are relevant to companies operating internationally, international law becomes very complex, and limiting the subject matter of this article to the U.S. keeps it from turning into a multi-volume book.
There are a few federal sources of regulatory liability imposed for security breaches. The longest-standing one by far is the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
The Centers for Medicare and Medicaid Services (CMS) promulgated HIPAA regulations, which can be found at 45 CFR §§ 160-164. The main safeguards HIPAA prescribes, called the Security and Privacy Rules, can be found at 45 CFR §§ 164.300, et seq. and 45 CFR §§ 164.500, et seq., respectively.
The Security Rules impose minimum baseline technical, administrative, and physical standards to protect the confidentiality, integrity, and availability of a subset of sensitive identifiable health information called Protected Health Information (PHI). The Privacy Rules impose contractual and operational requirements to safeguard PHI too.
Civil monetary penalties are outlined in 45 CFR §§ 164.400, et seq. Those penalties are significant, and CMS has imposed fines in the tens of millions of dollars for HIPAA violations.
Other federal agencies have proposed rules to address cyber threats, like the Securities and Exchange Commission for publicly traded companies and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency for critical infrastructure.
The Department of the Treasury has not issued regulations about cybersecurity but has issued guidance to companies paying ransoms that if they do so to a group that is on the restricted or terrorist watch lists, the company can be sanctioned.
It will be interesting to see what the future holds for these regulations and proclamations. Currently, the efforts appear disjointed and uncoordinated: they pursue the goal of eliminating cyber threats by disincentivizing companies from resolving incidents after the fact, rather than by encouraging companies to address threats proactively.
States also have regulatory authority within their borders, and many have passed data protection legislation, some of which carries financial penalties enforced by the States’ Attorneys General. Most of that legislation requires reporting defined incidents to state bodies. Some states even post information about those incidents publicly. Texas has gone a step further and, through TX-RAMP, prescribes minimum security practices that must be followed by organizations within its borders.
Contracts are powerful tools. Two or more parties can make commitments, and those commitments are enforceable. There are exceptions, like illegal terms or terms that violate public policy. However, by and large, contracts are enforceable.
Very typically, contracts are self-contained vehicles. That means that they contain the terms of those commitments, the remuneration (or consideration) for the performance of those commitments, and the penalties for not performing those commitments.
Among other things, two parties can agree to security terms. Those terms can include minimum security baseline standards, audits to prove those standards are met, and penalties or damages for failure to meet those standards or for exfiltration and misappropriation of data.
HIPAA mandates a specific contractual vehicle for the transfer, processing, storage, and manipulation of PHI between a Covered Entity, the organization that owns the data, and a Business Associate. That contractual vehicle is called a Business Associate Agreement, or BAA. A BAA must contain provisions for termination in the event of a Breach of PHI and a way for the parties to securely transfer or dispose of data to conclude the relationship.
Tort is a class of liability that arises out of an injury committed by one party against another. That injury can be defined by written law or by common law, the body of historical case law applicable to an issue.
As applied to information security, tort claims by individuals can be tenuous. There must be a non-speculative injury for a tort claim to succeed. Therefore, for an individual to succeed at a tort claim, they have to be able to demonstrate that they were directly injured by the breach.
Put differently, where a breach results in the loss of their data, there’s no tangible damage. It’s entirely speculative until the data is, in fact, used and that use harms the individual. That use must then be tied back to a specific breach event, which is largely impossible given the volume of freely available personal data.
Cue the class action lawsuit. Class action lawsuits are brought by an attorney on behalf of an individual who represents the class: a group of people who have been harmed by an issue but whose individual harm doesn’t make a suit financially viable.
Class action lawsuits can penalize companies for failing to adequately protect the data they hold in the form of multi-million-dollar verdicts. Most of that money ultimately goes to the attorneys and named plaintiffs, with a paltry sum being distributed to identified class members. So they’re not great vehicles for making someone whole when they’ve been damaged. They are decent vehicles for disincentivizing tortious behavior.
Tort suits between companies are significantly less tenuous. Where an MSP is breached, and it provides trusted services to many companies, that trust can be compromised. It can also result in the diminution of the hiring companies’ reputations, lost profits, cessation of operations, and other tortious damage. Depending on the facts and the quality of the wrong, companies can successfully sue each other for tort claims arising out of a breach.
Until 2022, most companies never associated “crime” and “cybersecurity” other than to say that threat actors were cyber criminals. That changed with the conviction of Joseph Sullivan, Uber’s former CISO, for obstruction of justice.
That charge stemmed from Sullivan’s actions following the 2016 Uber breach to thwart federal law enforcement’s investigation, which led to additional similar attacks by the same cybercriminals that were easily preventable.
The facts in that case were egregious and amplified by the fact that Sullivan was a veteran U.S. Attorney who prosecuted cybercrime for decades. Still, the findings in that case seem to indicate that anyone who impedes a federal investigation into a cyber incident could be prosecuted for obstruction of justice.
Where caselaw requires active impediments, the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) seems to provide broader obstruction of justice and contempt charges. CISA is tasked with developing and implementing regulations—which it is presently doing. CIRCIA contemplates that failure to provide responsive information to a CISA investigation could result in contempt charges and financial penalties or incarceration.
It’s an interesting approach to information gathering, to be sure, and one that is used in other regulations to compel organizational cooperation. It will be interesting to see what the final regulations empower CISA to do and the scope of its authority.
How Does This Impact MSPs Specifically?
Those sources of liability impact all organizations roughly equally. Whether you’re a contracting entity, MSP, Covered Entity, Business Associate, publicly traded company, or an organization that qualifies as Critical Infrastructure, those sources of liability can result in financial, administrative, and criminal penalties.
MSPs have the unique problem of these issues happening at scale. Where many organizations deal with their own information, MSPs generally possess, use, and manipulate the information of many different organizations. That amplifies the volume of breaches, the breach of many contracts, the imposition of tortious liability for many different harms, and the increased possibility of being found to obstruct large-scale investigations.
So where MSPs don’t have any special quality of responsibility, they have special quantities of responsibilities. The scale of the issues amplifies MSPs' risks.
Mitigating those risks, then, falls to expensive insurance plans and threat mitigation strategies. MSPs can’t afford to be complacent and risk bankruptcy when they are breached.
MSPs' role as trusted advisors and subject matter experts makes them a critical component of most organizations. In many ways, MSPs are a part of the overall corporate team. In gaining organizational trust, they are able to scale operations and work with numerous partners.
That trusted position makes them especially susceptible to risks resulting from the imposition of legal liability. There are many sources of liability, and operating alongside numerous organizations simultaneously opens an MSP to impacts from numerous sources of liability. Threat and risk management are key mitigations for those impacts, and MSPs should employ those tactics liberally to remain a going concern.