How MSPs can Limit Legal Liability
By Robert J. Scott
One of your long-time customers is hit by a nasty cyberattack. After investigating, it turns out to have been caused by a bug in the antivirus software you sold to them. While you may think this fact means you aren’t liable, you may be wrong. Even though the software is the root of the problem, you may also be on the hook legally—especially if you haven’t protected your company with the right types of insurance, and if you haven’t required your customers to sign a contract with the right clauses.
Managed services providers today need protection more than ever. That’s because MSPs face more risks—not only cybersecurity and data privacy challenges, but compliance, profitability, technology and vendor issues, along with increased competition. Retaining customers and improving customer satisfaction while remaining profitable and reducing risk demands that MSPs clearly identify the obligations of both parties in a contract, buy effective professional liability insurance, and insist that customers buy first-party cyber liability insurance.
Professional liability insurance covers your company if a claim brought by a customer alleges negligence in the performance of a contract. Think of it as the equivalent of legal or medical malpractice insurance; it protects the customer if a service provider is negligent. For example, if an attorney gives a client bad advice that results in the client losing a court case, professional liability insurance will cover that loss.
First-party cyber liability insurance is insurance that customers buy to protect their data from cyber liability risks, no matter what the cause. It covers a customer for data breaches and data losses that are not the fault of the MSP. The cause could be virtually anything: an employee who stole data, an electronic hack or a phishing scheme, for example. Typically this type of insurance is an add-on to a general commercial liability policy.
Insurance + Contracts = Protection
In addition to insisting that your customers purchase first-party cyber liability insurance, it is extremely important to make sure that your contract with your customers includes these provisions:
- Disclaim responsibility for hardware and software failures caused by third-party manufacturers and publishers.
- Contractually disclaim hardware and software failures related to backups, and require customers to retain local backups of all critical data in addition to any backup services the MSP is providing. We recommend very specific precautions around backups and failures, because data loss and data compromise are often the highest risk factor for managed service providers.
- Include first-party insurance requirements in customer contracts. For example, we include an insurance section in our contracts that stipulates that the provider will carry first-party cyber liability insurance, and that the customer agrees to carry it. If customers are not familiar with this type of insurance, it’s your responsibility to explain it to them so they can tell their broker what they need. If they don’t have a broker, or if their broker doesn’t sell that type of product, make sure you can recommend somebody they can turn to. We recommend MSPAlliance Cloud Professional Liability Insurance, available here: https://mspalliance.com/wp-content/uploads/2019/09/Cloud-insurance-app.pdf.
- Contractually require customers to pay any ransom, or require customers to pay for remediation services at current hourly rates. This may seem counterintuitive; after all, nobody wants to pay a ransom. But you must insist on this provision. Of course, customers only have to pay a ransom if they have data stored on the compromised device. If your customers are following best practices on file storage and management, they probably won’t be affected.
Consider the first scenario we discussed at the beginning of this article. If you sold antivirus software to a customer, and that software had a defect that led to a cyber-incident, the customer is likely to place the blame on you. Think of it from their point of view: you recommended and implemented the software, so you should be responsible for any damages that result from its use. The software vendor will always disclaim liability, so you can wind up in the middle. That’s why it’s important to make it clear that you are not responsible for failures of third parties and that the customer’s remedies arise from whatever the vendor’s agreement provides.
Here is a second example: If your customer is hacked with ransomware, who is legally responsible? The customer is likely to blame the MSP or at the very least expect the MSP to remediate the ransomware without additional compensation. If you haven’t specified in your agreement with the customer that they are obligated to pay ransom requests, you may be on the hook. Of course, customers don’t want to pay the ransom; they want you to provide all of the remediation necessary. But it’s important to contractually require customers to pay the ransom or to pay for remediation services at current hourly rates.
One more example: Let’s say you are under contract to provide backup services. Your customer has an outage, the backup fails and they lose data. Who is responsible? You may be legally responsible for those failed backups and the loss of data if your contract isn’t worded correctly. So make sure your contract disclaims hardware and software failures related to backups, and require customers to retain local backups of all critical data.
Professional liability insurance can make a real difference in all of these scenarios. In each of these situations, professional liability insurance will provide attorneys and forensic experts to isolate the cause of the incidents and defend your company against customer claims. The insurance also would pay damages to your customers to the extent that the evidence showed that an incident was caused by the negligence of your company or employees. It would also cover crisis management and in some cases, the cost of credit monitoring.
First-party cyber liability insurance also applies to each of these cases. It covers the customer’s data loss regardless of its ability to establish fault on the part of the MSP, while professional liability insurance only covers losses caused by the MSP’s negligence.
While the benefits of both professional liability and first-party cyber liability insurance are clear, are they worth the cost? In our experience, we have found that the cost is much lower than the value. There is no doubt in our minds that every MSP should have professional liability insurance, and every customer should have first-party cyber liability insurance. Both cost a fraction of what you’ll pay if an incident occurs.
When you’re looking for professional liability insurance, make sure it includes adequate cyber liability protections to protect your company against claims including data breach and data loss. In addition, make sure the cyber liability provisions are adequate to cover your customers’ probable claim scenarios. Your policy also should be specifically designed for companies providing the types of services you provide, and fully cover data breaches, regulatory response, litigation, defense costs and forensics.
Once your insurance is in place, it is important to review the risk balancing provisions in your customer contracts. For example, we align the indemnity provisions in our client’s customer contracts with the indemnity provided by the insurance company. We also limit liability in many cases to the proceeds of applicable insurance to make sure that the bulk of the MSP’s risk will be covered by insurance.
When counseling your customers on first-party cyber liability insurance, advise them to make sure it covers the company and its entire dataset. It also should not exclude actions caused by employees or subcontractors.
Cyberattacks, software bugs and hardware failures aren’t going to go away any time soon. Protecting your company and making sure customers protect theirs are more important than ever. Working with an experienced attorney can help you implement the right risk management and customer contracting solutions to protect your business as it grows.
Robert J. Scott is the managing partner of Scott & Scott, LLP, a technology law firm focusing on cloud and managed services.