US National Privacy Law Would Impact MSPs

If you read the news about a national United States data privacy law and wonder whether it has anything to do with managed services, it does. The intersection of data privacy, security, and IT management has never been as fused as it is today, and MSPs had better take warning and be prepared for what is coming.

US GDPR

We have written extensively over the years about the steady march towards indirect regulation of MSPs. A “US GDPR” law would certainly meet that criterion. The US Senate Commerce Committee is preparing to introduce such a privacy law and its impact on MSPs could be significant.

MSPs won’t likely be regulated directly, but the impact of such a law on customers would inevitably spill over to the MSP managing that IT infrastructure and data on behalf of the customer.

Value of Personal Data

At the heart of the issue is how to deal with individual data. We all have data concerning our personal lives: social security numbers, bank accounts, home addresses, phone numbers, emails, health records, credit reports, job history, voting history, and political and non-profit contributions are just a few of the data points which follow us around and accumulate over the course of our lives.

All these data points have value. The data may have very little value to the owners of the data, but cybercriminals can probably tell you the value of a data point down to the penny. Plus, the more data sets a cybercriminal has, the more valuable they are as a collection.

Big Cloud vs. The World

Do not be mistaken about what is at stake; the US Congress is not trying to stamp out managed service providers. Instead, lawmakers are trying to deal with public cloud companies (many of whom are headquartered in the US) and how they use personal data.

If you are thinking, “why is this a bad thing?”, you are not wrong. The question is the unintended consequence of a GDPR-style law being implemented within the United States and what it would do to small organizations, incapable as they are of managing their own IT. The responsibility of complying with such a data regulation would invariably fall on the shoulders of MSPs.

The real question for any US data privacy law will be how far Congress goes and the amount of bureaucracy associated with the law. One of the obvious and immediate failures of GDPR is the amount of bureaucracy created by that law. The sheer amount of reporting, paperwork, and the creation of data privacy officer roles are good examples of creating administrative work instead of merely legislating an outcome or proscribing bad behavior.

We can only watch Congress and see what they do. But all MSPs should be aware of this issue and stay watchful.

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
