Managed Service Providers (MSPs) are a popular solution among SMEs and not-for-profits for the remote management of their IT infrastructure and end-user systems, but they do present some risks, especially when it comes to cybersecurity and data protection. When working with an MSP, there is a transfer of duties from your business to the MSP, but not necessarily a transfer of liability. Nathan Mauriello explains your responsibilities as a business and what this means in the event of a cyber breach.
Ultimately, the party that owns the data must take reasonable steps to protect it, and in the event of a breach, they will be the first point of contact for impacted customers. Australian Privacy Principles (APPs) form the foundation of the privacy protection framework in the Privacy Act 1988. There are 13 principles that govern the standards, rights, and obligations around the collection and protection of personal information. Of particular note is Part 4 - Integrity of Personal Information (Section 11.1), which states:
“if an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
In Europe, similar legislation has been passed with the establishment of the General Data Protection Regulation (GDPR), which states that the data owner (the collector) must adhere to data protection legislation. It is part of the data owner’s responsibility to conduct risk assessments to ensure MSPs have adequate cybersecurity protection in place, and for this reason the data owner is usually considered liable in the event of a breach.
Even if the data owner has taken all reasonable steps to ensure the security of personal information is not compromised, they will still need to prove the MSP was negligent. The business will also be required to comply with the Notifiable Data Breach (NDB) Scheme and may incur significant incident response costs, such as forensic IT and legal expenses, which are covered by a comprehensive Cyber Liability policy. Depending on the circumstances that led to the data compromise and the terms of their contractual agreement, the data owner may have the right to recover losses from the MSP. If the MSP holds a Cyber Liability policy, it will cover the cost to defend third-party claims made against them. Therefore, the benefits of a Cyber Liability policy can extend to both the data owner and the data holder, providing first-party and third-party coverage.
To find out more about your responsibilities as a data owner and how Cyber Liability insurance can help, feel free to reach out at any time.
Senior Client Executive – Professionals & Executive Risks