When Louisiana approved the first-ever state law regulating Managed Service Providers (MSPs), we knew it was just the beginning in a new wave of accountability. Shifting blame and responsibility for breaches from the business hacked, to the business supposed to be protecting the business hacked, puts new pressures on MSPs. As predicted, additional states are updating their breach notification laws to increase public transparency of breaches and disclosure to individuals who may be affected.As security advisors to your clients, MSPs need to explain the implications of new regulations, implore the use of business continuity and disaster recovery (BCDR) solutions, and reassess your willingness to allow clients to forgo data protection. These states are leveraging public accountability as a method to force increased data protection. Consider how these expanding laws can affect your MSP's ability to grow, gain new business, and remain competitive in the channel.Once the notification is submitted to the AG, it will be posted on a public website within 30 days – i.e. the 'wall of shame.' Notifications will be removed from the website a year after they are posted, as long as an additional breach does not occur. While the bill doesn't explicitly name MSPs, all businesses that experience a breach must adhere to the terms – and that includes MSPs. The bill goes into effect September 1, 2021, so Texas-based MSPs are encouraged to update your cybersecurity playbook and incident response plan, while regularly testing BCDR solutions to be ready to restore post-disaster.
Guest blog courtesy of Axcient. Read more guest blogs from Axcient here.
Louisiana specifies MSPs, without defining reporting requirements
Approved in June 2020, Louisiana Senate Bill 273 became the first state legislation regulating MSPs. Almost six months after the effective date, February 1, 2021, there hasn't been much buzz in the channel as to how it's going. Central to the bill is the requirement that MSPs register with the Secretary of State, and report 'cyber incidents' and ransomware payments to the Louisiana Fusion Center. A four page registration form is available on the Louisiana Secretary of State website, along with an email address and two phone numbers for reports. Beyond that, any specifics – including instruction around what needs to be reported, and a definition of 'cyber incidents' – remains scarce.Ben Nowacky, Axcient's Senior VP of Product says, "While Louisiana's statute requires reporting of any incidents within 24 hours and disclosure of any ransom paid, it doesn't describe what a cyber incident clearly is, or what constitutes a ransom. So does clicking on a phishing email require notification? Or does an employee accidentally sending a gift card to somebody over email fall under a 'payment made?' The lack of clarity could severely hurt the reputation and public image of MSPs abiding by the letter of the law, while others are simply finding new loopholes to avoid this disclosure." While enforceability may be as murky as the law itself, regulations like these continue to gain steam across the country.Texas adds public 'wall of shame' to data breach notification statute
In June 2021, Texas passed House Bill 3746 amending the state's data breach notification statute to include what some are calling a 'wall of shame.' According to the bill, after a breach of system security, businesses must notify the attorney general no later than 60 days after the breach is discovered – if it involves 250 Texas residents or more. Unlike Louisiana, Texas is providing detail around what is required in the notification:- Detailed description of the circumstances surrounding the breach, and use of sensitive personal information acquired as a result of the breach.
- Number of state residents affected.
- Number of affected residents who have been sent a breach disclosure.
- Measures taken prior to notification, and intended measures to be taken after notification.
- Information on law enforcement's involvement in an investigation of the breach.




