How Liable Are Your Clients For A Data Breach? (2024)
Liability for your clients' data breaches will be the topic of today's article. I am not legally trained, and this is actually a highly complex area, so I will be discussing it at a high level and based on my own personal experience.
This is a different subject, although it sounds similar, from how liable you as a service provider are when your own organization is the source of the breach (an MSP-sourced data breach), such as the recent ransomware incident that targeted Kaseya and, by proxy, affected thousands of service providers in the United States and the rest of the world.
I will discuss cyber liability insurance, why it is such an important item to invest in, and how it tends to take away some of the complexities of this topic. I will also bring up some strategies that appear to be common sense but could cause more problems than they solve, and some generic tips to reduce the liability you may face if your clients' data experiences a breach such as ransomware or data theft.
As a secondary aim, I will cover documentation and how it can help IT service providers manage their risk effectively as it specifically relates to this topic.
Creating system manuals and documentation is also an essential aspect of the IT industry, whether that means recording the details of your cyber insurance policy and the process for initiating a claim if it is needed, as discussed here, or perhaps the steps your technicians follow for clients whose backups are not covered by an agreement, so that everyone on your technical team can competently undertake the help desk tasks in front of them.
It enables IT help desk providers to manage and maintain their clients' technical infrastructure effectively, including management functions such as insurance claim procedures.
We have years of experience working with service providers on technical content publishing and procedures, and there is no area more important to a service provider than how their clients' data storage and backup recovery processes are documented.
Who Pays For Your Clients' Data Breach?
The reality is that no organization has complete control of its information from the day it is created until the day it is destroyed, especially if it engages a third-party backup provider. This of course includes your own organization's data.
There is a strong possibility that your client is considered by law to be legally responsible for costs that they do not even realize exist, which is a scary proposition and not exactly fair.
It is a common misconception that the legal system is designed for fairness, or perhaps I am a bit jaded; it's hard to say, and I do not pretend to understand it.
Data Holders Versus Data Owners
As mentioned, I am not a legal advisor, and this is generally state-based legislation, meaning you need to check your own state's laws for clarification. However, as a general rule, if a data holder (someone who does not own the data) suffers a data breach, that data holder will normally inform the data owner that the breach has occurred.
That is the extent of the responsibility or liability of a data holder!
This is an important delineation between two groups and I will give examples of each below:
Data Holder
- Cloud Backup Vendor
- Managed Service Provider
- Outsourced IT Vendor
- Software as a Service Provider (Dropbox, S3, O365, etc.)
- MSSP
Data Owner
- Your own business if you utilize the services of a data holder.
- Clients of the data holder (your clients)
In most cases the responsibility falls onto the data owner, which, as a service provider, is a little counterintuitive. We are continually concerned about the million ways our business can be attacked via legal action if we do something wrong, and let's face it, due to increasing ransomware incidents and the very nature of backup and restoration solutions, when things go bad, they can go very bad across large numbers of clients.
Sure, the data owner can hire an attorney and begin a lawsuit against you as the service provider, but you are not liable to pay for those costs; all of those actions fall on the data owner to pay for.
Clients Liable For Things They Do Not Understand?
Come on, as a service provider there have to be a couple of wins out there for us, and this is one of them. All of the big boys do it: they limit their liability via clauses in their contracts, and my recommendation is that you hire an attorney and get that written into your service agreement too.
Could you imagine if every time Microsoft had an information breach, they were liable for the full damages of every client? It cannot happen because allowing a data holder to be open to legal damages for a data breach would cripple them.
Clients Outsource Responsibility Not Accountability
Think about your own business: if you are the business, there is nobody there to pat you on the back when things go wrong or give you soothing back massages telling you everything will be alright. No, you hold the bag.
You outsource your books and find out the bookkeeper has had a discreet problem involving weekend trips to Vegas using some of your hard-earned cash for the last 3 years? Chances are that even though you have outsourced that service, their liability will be limited and you will be unable to recoup the damages caused.
How often have you heard of famous people, who would not know what a calculator is, going to prison because the person they trusted to do their taxes tripped over and accidentally deposited the tax payments into their own personal bank account?
It happens regularly. They legitimately did not understand what was going on, and it was the tax accountant's responsibility, yet because you cannot transfer accountability, the client is ultimately the person who has to pay for it.
This is the same as a parking fine or forgetting to register your car: it is the car owner who is accountable, not the person who is responsible for paying the bill. It is often unfair, but it is the way of the world.
Spreading Monetary Risk
As touched on above, imagine if an MSP, Microsoft or AWS were liable and there was an easy path for the millions of data owners to file a legal claim against them every time there was a data breach. They would simply cease to exist.
Does that encourage the free market we currently enjoy, and would it significantly hurt commerce as it is today if every large data holder that stored, say, Google Workspace backups was sent bankrupt every time it experienced a data breach? Absolutely, and there really is such a thing as “too big to fail”.
So Service Providers Are Off The Hook?
Very amusing. Well, that depends: are you a multi-billion-dollar organization that is too big to fail, whose failure would have a noticeable effect on hundreds of thousands of other organizations both in the United States and globally?
If not, I have some bad news for you. However, this topic needs its very own article on liability as a managed service provider when you are the source of the data breach.
Conclusion
This is a highly complex area with extensive multi-state regulations. The first of the two best strategies for minimizing your own risk when clients have their own data breach is to verify the security credentials of any backup application you use, regardless of whether the data is stored as a local NAS backup or an online cloud-based backup.
Check your state's regulatory requirements for things like SOC, ISO and HIPAA certifications; by ensuring the application complies with the relevant regulations, you go some way toward offloading liability, because otherwise you would be in direct breach of whatever regulation the client is supposed to adhere to.
Secondly, do not skimp on cybersecurity insurance. You get what you pay for in life, and insurance is no different. Good insurance circumvents the need to know everything about this topic. Lying to your cybersecurity insurance providers, or omitting certain information they may have requested, is actually a really good cost-saving strategy until you need to make a claim.
In other words, there is no other scenario I can think of where you need to be more implicitly honest than when setting up a cybersecurity insurance policy. Over-communicate when you have to, because the time to clarify points is not after a claim has been made.
We have a number of other client-based backup articles listed below that will provide you with more detailed information on a number of related topics:
https://optimizeddocs.com/blogs/backups/backups-client-index
Our team specializes in strategies for IT support provider organizations that help improve profit margins through standardization and consistent record-keeping, so you can be confident that our content is tailored to your needs.