Security Breach Notification Legislation Will Boost MSPs
By John Hazard | Posted 2006-03-27
The MSP model could gain from the passage of legislation in the House, Senate and several states defining liabilities and obligations in the event of data security breaches.
In the California Senate, it went by the name SB1386. It was A4001 in the New Jersey Assembly. The U.S. House of Representatives calls it HR3997, and the Senate S1789.
Whatever the anonymous title, all fall under the category of data security breach notification bills sweeping Capitol Hill and statehouses nationwide, and each could represent a boost for the managed services model.
Each bill defines a business' liability and obligations in the event a security breach releases personal data of employees and customers, such as Social Security numbers or credit card account information. More than two dozen states have passed similar bills, and the House and Senate bills are nearing a vote.
MSPs (management service providers) and consultants at the MSP Alliance Expo on March 27 and 28 in Orlando said the legislative downpour that followed several will drive users to the MSP model that embraces proactive maintenance and liability on the part of the solution provider for resulting failures.
"Break fix shops aren't in a position to provide relief or the solution the client needs in this situation," said Charles R. Weaver, president of the MSP Alliance.
"MSPs are proactive. It's in their core to prevent breaches. Traditional VARs are reactive. You can't pick up the phone and tell a break fix guy you need (data security protection) today; you need it every day."
Financial services giant Fidelity Investments confirmed March 23 that a laptop containing the personal information of almost 200,000 Hewlett-Packard employees was stolen from its property.
In recent weeks alone, firms including CitiBank, Ernst & Young and the New York Times have reported significant customer information breaches.
The Service Level Agreement that binds MSPs to performance standards presents a double-edged sword in light of the new legal territory, said Robert J. Scott, managing partner of Scott & Scott, of Dallas, a law firm representing IT firms and MSPs.
"MSPs are by virtue of their relationship (with the customer) bound to protect the data, as much as the business," he said.
The bond would be a selling point to businesses who know the MSP will not abandon the duty and a legal liability should a breach occur, Scott said.