I worry about providing security services to my clients because they may hold me legally responsible if they have a data breach.
You can understand why MSPs might think that not discussing security would help them avoid legal liability. No one wants to be in the position of having told a client, “if you implement these security measures, you will not have a data breach,” only to have that client suffer a breach and hold the MSP responsible.
Let’s look at this from a different angle. Assume you don’t discuss security with your clients and simply implement the standard measures that most MSPs implement, such as firewalls, anti-virus and patching. If your client has a data breach that results in significant financial losses, the finger of blame will eventually point at someone. Whether it is their lawyer, insurance company or accountant doing the coaching, they will look for someone to hold responsible. Since, as their MSP, you were responsible for securing their network, and that security did not stop the breach, there is a good chance the finger of blame will point directly at you.
The message here is that avoiding security discussions with your clients does not remove your responsibility or liability. If anything, it makes it easier for the client to argue that your negligence caused the data breach, because they were never told what the remaining risks were or what they had chosen not to address.
Human Resource consultants talk to their clients about the business risk of employee situations such as wrongful termination or sexual harassment. They make sure their clients understand the risk to the business and the importance of policies and employee training in avoiding these situations. In other words, HR consultants talk to their clients about business risk and how to reduce it.
MSPs need to treat security the same way: as a business risk. They need to talk to their clients about the consequences of a data breach and how to avoid them, using fact-based evidence such as the financial liability a client could face if a breach occurs. That naturally leads to a discussion of whether the client carries the proper level of cyber insurance. They also need to discuss the specific threats that can cause a breach, such as a lost laptop or an attacker penetrating the client’s network, and present fact-based evidence of how likely and how costly each one is. In the past, fear, uncertainty and doubt (FUD) helped sell security products such as firewalls and anti-virus. MSPs should not rely on FUD today; they should present facts, frame security in terms of business risk and discuss concrete steps that lower that risk.
In addition, MSPs should discuss what will happen if a data breach does occur. Breaches can happen no matter how much security is in place, so planning for that risk is as important as reducing it. Having a written plan that identifies the steps to be taken in the event of a breach, and who is responsible for each of them, is critical to managing the risk.
Security is a business discussion, and avoiding it with your clients could place liability on you if they have a data breach. Use security discussions to show that your MSP services are not just technology but deliver real business value.
We built Breach Secure Now! to help MSPs with these business discussions. Breach Secure Now! helps your clients prevent, respond to and survive a data breach. Check out our MSP Partner Program.