MSSP Alert Live 2024’s second keynote speaker Wednesday morning tackled a timely topic on many managed service providers’ minds following the lawsuit filed against the LanTech MSP in March, stemming from a costly ransomware attack against one of its customers.
Details of the lawsuit reveal that the customer, a law firm called Mastagni Holstedt, had an “oral agreement" with LanTech in which LanTech would provide managed IT services to the law firm. Mastagni Holstedt says LanTech is responsible for damages after allegedly failing to protect the law firm’s systems from the attack, in which files were encrypted, backups were deleted, and a hefty ransom was paid.
The lack of a written contract in this case leads to a murky legal situation and shows the importance of having clear, documented terms in a managed services relationship, lawyer Eric Tilds, founder and managing member of the Law Office of Eric Tilds, said during his keynote presentation.
“Breach liability starts well before the fact,” said Tilds, and preventing a lawsuit in the event of a future breach should already be top of mind when writing and negotiating a managed service agreement (MSA). But just having a written contract “doesn’t necessarily mean you’re safe,” Tilds added, outlining key aspects MSPs should pay attention to when drafting an MSA that protects them from all manner of legal issues.
Contracts 101 – and beyond – for MSPs
Tilds walked attendees through the many considerations for drafting an MSA, starting from the basics to the potentially less obvious factors that go into a solid, comprehensive contract.
One of the most important elements needed to protect oneself from a lawsuit is a specific and conspicuous limitation of liability clause. This clause limits the amount and types of damages a customer can seek in the event of a breach or similar incident.
“You can’t bury it in the fine print,” Tilds noted, saying the limitation of liability statement should stand out to avoid any argument that the terms were not clear. Additionally, these sections should outline that only direct damages can be sought, ruling out the possibility of customers seeking damages for indirect losses like damage to reputation.
The limitation of liability clause should also avoid ambiguity and be directly tied to the services that may give rise to liability, with little to no carveouts (i.e. exceptions) included to minimize the potential for a lawsuit.
Beyond limitation of liability permissions, it is also helpful for contracts to include ownership language, assignment terms, confidentiality requirements and customer obligations to take certain measures to protect themselves from a breach.
Assignment terms ensure a contract can be reassigned without the need for the customer’s permission in the case of a sale or merger, and requirements for customers to implement basic security measures, like encryption and an acceptable use policy, can prevent MSPs for taking the blame for a customer’s poor cyber hygiene. MSPs may also want to include a requirement for the customer to have cyber insurance, which can reduce the likelihood that the customer will come after the MSP to recuperate financial losses.
Statements of work is another section of an MSA that comes into play when considering potential liability in the future. Statements of work outline the exact scope and timeline of the services to be provided, which also make clear the extent of the MSP’s responsibilities to the customer.
“Bullet points don’t work” here, Tilds noted, adding that what the MSP will do, and when, should be thoroughly written out without the opportunity for ambiguous interpretation. This ensures the MSP is only “on the hook” for what is clearly outlined in the contract, and it can’t be argued after the fact that there was more the MSP should have done to prevent a breach.
When all of these sections of a contract, and more, are strengthened to mitigate liability, they serve as a “belt and suspenders” – multiple layers of protection – to prevent a company from being caught with its pants around its ankles in the courtroom after a breach, Tilds concluded.