The Four Pillars of Risk Management for MSPs - Regulatory Risks

Over the past two decades there has been an ever-increasing amount of regulation regarding data privacy. Organizations are held to much higher standards in terms of the protections they must put in place to ensure that personal data remains confidential. At the same time, the market on the dark web for personal data has exploded.

The list of data privacy regulations is long and touches most industries. The alphabet soup includes HIPAA, GLBA, SOX, FERPA, COPPA, etc. Other regulations are geography based, for example GDPR (EU) and CCPA (California). Many other states are working on their own versions of CCPA as well.

Our clients may be subject to one or more data privacy regulations as a function of the business they are in. Some are obvious, such as the fact that all medical practices are subject to HIPAA by default. However, many organizations not directly involved in the delivery of healthcare services may store Protected Health Information (PHI) for reasons that are not so obvious. Those organizations are bound by HIPAA rules just as any other healthcare institution is.

Geography-based regulations can apply to any industry. They typically aim to protect the Personally Identifiable Information (PII) of the citizens of that region regardless of the location of the service provider. As an extreme example, if a small inn in the rural United States were to host a guest from France, they would typically collect the name, address, credit card info, phone number, etc. of that person. At that point they are holding PII of an EU citizen and are therefore bound by GDPR with regard to protecting that information.

As a service provider to these organizations with some level of access to, and potentially storing, that data, we are subject to the same regulations.

In part one of this series we discussed the fact that we become subject to these regulations either knowingly or through the happenstance of contracting with a covered entity. There, Rob Scott of Scott and Scott LLP stressed the importance of excluding any responsibility for regulatory compliance in our master services agreement. According to Scott, the master services agreement should require that any client subject to a particular regulation must declare that fact and enter into a separate Data Processing Agreement (DPA) specific to that regulation. In the absence of such an agreement, the client must hold the MSP harmless from any failures to comply with the regulation.

Scott goes on to recommend that MSPs create their own version of the DPA for each regulation they offer compliance with, rather than letting each client present their own version.

MSPs should make sure they are familiar with the laws surrounding a regulation before agreeing to comply with it. Fortunately, most of them hold similar requirements, and compliance with one largely overlaps with the others. Your DPA for each regulation would address the specifics of that regulation and state your compliance measures.

The other aspect of regulations involving PII is the rights of the individual. These include the individual's right to access the data held by the organization, the right to have that data deleted, and the right to transfer that data to another entity. As an MSP serving your clients, you would likely not be in a position to control this aspect of the data, but it is important to understand the requirements.

In a previous blog we discussed the importance of adopting a common security framework to formalize your security processes and procedures. By doing so, you would likely be in compliance with the regulatory requirements put forth by any of these regulations.

Throughout this series we have explored the four pillars of Risk Management for all MSPs. As a review, they are:

1. Contracts
2. Policies and Procedures
3. Insurance
4. Regulatory Risks

By addressing each one of these areas, MSPs can take an increasingly risky business and make it safe, secure, and profitable.
