By Gary Audin
Customer Privacy and Security; MSP Liabilities?
The MSP manages customer resources. The MSP may also manage security for its customers. If that security is breached and consumer data is released, does the MSP have liability? Possibly!
Managing resources and software updates is the responsibility of the MSP. There are more responsibilities if the MSP also manages the customer’s security.
What is not evident is that a state regulation applies to its citizens’ consumer data no matter where that data is collected, stored, or processed. In other words, the MSP customer may be covered by state legislation even though the MSP’s customer DOES NOT have any facilities in that state. Consider that California has 12% of the US population. It is likely that the MSP customer has some data on California citizens in its IT systems that is covered by California privacy legislation.
There are consumer privacy and security regulations across the US (CCPA) and Europe (GDPR). You need to keep up with the growing number of existing and pending privacy bills in various states. They all vary, with differing coverage, requirements, and penalties. Unfortunately, this is a dynamic environment, and what this blog discusses can change at any time.
At this time, it does not appear the federal government will address the privacy issues soon, so a national set of regulations is off in the future. Even if federal regulations are enacted, there will probably be conflicts with the state privacy laws.
The State of the States
A comparison table, “State Comprehensive-Privacy Law Comparison Bills introduced 2018-2020”, is available. At least three states have enacted legislation: California, Nevada, and Maine. About 300 privacy and security bills and regulations are being considered by many states, with nineteen actively drafting legislation.
Some State Regulation Efforts
The number of bills I discovered would be too many to include in this blog. Below are some examples:
The Vermont statute “Title 9 Commerce and Trade Chapter 62” has four subchapters entitled:
- Security Breach Notifications Act
- Social Security Number Protection Act
- Document Safe Destruction Act
- Data Brokers – This requires data brokers that collect and license the personal information of consumers to register annually with the Secretary of State. Data brokers must provide consumers with specified information, including the name, e-mail, and Internet addresses of the data broker.
Delaware has the “Delaware Online Privacy and Protection Act”. This act prohibits operators of websites, online or cloud computing services, and applications directed at children from marketing or advertising about specified products or services inappropriate for children’s viewing.
The act has three parts:
- Prohibitions on online marketing or advertising to a child
- Privacy of information regarding book service users
Connecticut has proposed a regulation, “Chapter 743dd Protection of Social Security Numbers and Personal Information”. If an organization collects Social Security Numbers, it needs to create a privacy protection policy. The policy must be publicly displayed on the organization’s website, and it must protect the confidentiality of Social Security Numbers, prevent unlawful disclosure, and limit access.
The Oregon regulations “Chapter 646 — Trade Practices and Antitrust Regulation 2019 Edition” have provisions covering a person who publishes a statement or representation about consumer information on a website related to the person’s business, or in a consumer agreement related to a consumer transaction. It is unlawful for that person to use, disclose, collect, maintain, delete or dispose of the information in a manner that is materially inconsistent with the statement or representation.
New Jersey introduced a privacy bill, S2834. The bill requires operators of internet websites or online services to notify customers of the collection and disclosure of their personally identifiable information. A difference in this bill is that it covers any individual within the state, regardless of residency.
How should MSPs respond?
Keeping up with the varied proposed and passed privacy regulations will not be easy. Not all privacy regulations are obvious from their titles. You should assign one or more staff to keep track of the bills and to determine whether they affect any of your customers. These staff should inform you of the plans to deal with the regulations. Your internal legal support should investigate the liabilities that the software vendor or cloud service will and will not accept. You need to know the risks to your organization if it does not comply properly with the regulations.
Do not overlook the training your IT staff will need to deal with the variety of regulations. Your help desk staff are the first responders. As each regulation is passed, new training will be required. It is possible your customers will have incorrect assumptions as to what and who is covered by the regulations, since they vary on a state-by-state basis.