One of the most pressing legal concerns for service providers is protecting the privacy and security of customer data. State and local governments are taking a very active role in protecting the privacy of their citizens by enacting aggressive legislation.
In addition to federal statutes designed to prevent unauthorized disclosure of private information, a number of states have enacted statutes that would impose liability for both inadvertent disclosure and failure to notify consumers of a breach. Service providers and resellers in all industries must be diligent about maintaining the privacy and security of the data within their control, as well as protecting themselves in the event that the uncontrollable becomes a reality.
Imagine for a moment you are a service provider that resells managed services for a company with a NOC (network operations center) in South Florida. A hurricane causes a temporary service disruption at the NOC. Your customers in a variety of locations have no service. Some of them think their data has been breached and they are threatening legal action. How your business will fare under these circumstances will be largely determined by how diligent you have been about ensuring your contracts, processes, and insurance coverage protect your business.
Do you need to notify law enforcement or regulatory agencies about a security breach?
Service providers are bound not only by the privacy requirements in their states, but also in the states where their customers conduct business. To further complicate matters, each state has its own requirements. Some state laws, such as California SB 1386, require that providers notify law enforcement agencies, state regulatory agencies, or consumers when there has been a breach in security of personal or private information. A breach in Florida must be reported within 45 days. California law doesn’t specify a timeframe in which a breach must be reported, only that it be reported as quickly as possible. Companies that do not know the difference are exposing themselves to potential legal liability.
Once service providers have diligently monitored privacy and security laws that affect them, they must also regularly review their business practices to ensure compliance with those laws. Because privacy and security laws are always evolving, it is imperative that providers regularly review and revise their processes accordingly.
Are you saying too much?
Too much knowledge about regulations, however, may be detrimental. Many technology companies learn about privacy and security laws and begin to advise their customers about whether the customers are compliant with various regulations. Although this practice is widespread, it may be illegal because most states have laws prohibiting the unauthorized practice of law.
Will you be liable in the event of an outage?
Another legal issue facing channel partners is potential contractual and tort liability for service outages and breaches in security. Many resellers look for ready-made service-level agreements and master services agreements provided by non-attorneys at relatively little or no cost. This is not an area in which service providers can afford to cut costs: These inexpensive documents can prove to be a huge liability and enormously expensive in the long run. If a reseller enters into a service-level agreement without the appropriate disclaimers and limitations of liability, that reseller may be liable for service outages beyond its control.
Have you mitigated your risk as much as possible?
Companies can mitigate their risk by having experienced attorneys prepare and review all reseller, service-level and master services agreements. To avoid potential problems, it is imperative that an attorney prepare agreements that are tailored to each company’s unique circumstances and limit liability whenever possible.
Will your insurance policy cover any losses?
Many companies may try to mitigate their risk by purchasing errors and omissions insurance policies, but that may not be enough. Some businesses do not understand what actions are excluded from their insurance policies. Companies must understand what is not covered and whether additional coverage is available under a different type of policy. When it comes to insurance coverage, what you do not know can definitely hurt you.
Companies that are diligent about their contracts, processes, and coverage are positioning themselves to be ahead of the curve if a legal issue arises. The best way to reduce possible exposure to liability is to have the right legal team at your side and be prepared for as many contingencies as possible.
Robert J. Scott is managing partner at law firm Scott & Scott LLP in Dallas and represents IT service providers with emphasis on the managed service providers industry. He serves on the Board of Directors of the Managed Services Providers Alliance.