When Louisiana approved the first-ever state law regulating Managed Service Providers (MSPs), we knew it was just the beginning of a new wave of accountability. Shifting blame and responsibility for a breach from the business that was hacked to the business that was supposed to be protecting it puts new pressure on MSPs. As predicted, additional states are updating their breach notification laws to increase public transparency of breaches and disclosure to individuals who may be affected.
As security advisors to their clients, MSPs need to explain the implications of new regulations, urge the use of business continuity and disaster recovery (BCDR) solutions, and reassess their willingness to allow clients to forgo data protection. These states are leveraging public accountability as a method to force increased data protection. Consider how these expanding laws can affect your MSP's ability to grow, gain new business, and remain competitive in the channel.
Louisiana specifies MSPs, without defining reporting requirements
Approved in June 2020, Louisiana Senate Bill 273 became the first state legislation regulating MSPs. Almost six months after the effective date, February 1, 2021, there hasn't been much buzz in the channel as to how it's going. Central to the bill is the requirement that MSPs register with the Secretary of State, and report 'cyber incidents' and ransomware payments to the Louisiana Fusion Center. A four-page registration form is available on the Louisiana Secretary of State website, along with an email address and two phone numbers for reports. Beyond that, specifics – including instructions on what needs to be reported, and a definition of 'cyber incidents' – remain scarce.
Ben Nowacky, Axcient's Senior VP of Product, says, "While Louisiana's statute requires reporting of any incidents within 24 hours and disclosure of any ransom paid, it doesn't describe what a cyber incident clearly is, or what constitutes a ransom. So does clicking on a phishing email require notification? Or does an employee accidentally sending a gift card to somebody over email fall under a 'payment made?' The lack of clarity could severely hurt the reputation and public image of MSPs abiding by the letter of the law, while others are simply finding new loopholes to avoid this disclosure." While enforceability may be as murky as the law itself, regulations like these continue to gain steam across the country.
Texas adds public 'wall of shame' to data breach notification statute
In June 2021, Texas passed House Bill 3746 amending the state's data breach notification statute to include what some are calling a 'wall of shame.' According to the bill, after a breach of system security, businesses must notify the attorney general no later than 60 days after the breach is discovered – if it involves 250 Texas residents or more. Unlike Louisiana, Texas is providing detail around what is required in the notification:
- Detailed description of the circumstances surrounding the breach, and use of sensitive personal information acquired as a result of the breach.
- Number of state residents affected.
- Number of affected residents who have been sent a breach disclosure.
- Measures taken prior to notification, and intended measures to be taken after notification.
- Information on law enforcement's involvement in an investigation of the breach.
Once the notification is submitted to the AG, it will be posted on a public website within 30 days – i.e. the 'wall of shame.' Notifications will be removed from the website a year after they are posted, as long as an additional breach does not occur. While the bill doesn't explicitly name MSPs, all businesses that experience a breach must adhere to the terms – and that includes MSPs. The bill goes into effect September 1, 2021, so Texas-based MSPs are encouraged to update their cybersecurity playbook and incident response plan, while regularly testing BCDR solutions to be ready to restore post-disaster.
New Jersey and Connecticut include any attack, regardless of whether data is compromised
Louisiana's notification requirements are still up in the air. Texas only requires notification if the data of state residents is compromised. New Jersey 56:8-163 and Connecticut General Statute 36a-701b have been updated to require notification of any breach, regardless of whether data is exposed or stolen. These states define a breach of security as unauthorized access to, or acquisition of, electronic data containing personal information. That includes all ransomware and phishing attacks, successful or not. Again, these statutes don't explicitly name MSPs, but as businesses providing IT services and solutions, your clients and your MSP are responsible.
Data protection is security. How secure are you?
MSPs need a layered security approach, built on BCDR solutions that specifically combat the type of attacks we see today. Axcient x360 delivers uninterrupted business continuity with AirGap protection against ransomware, instant virtualization, and hardware-free BDR, all on one simple, unified platform.