DEV Community

Hunnicuttt

Cybersecurity Risk & Shared Liability for MSP Client Verticals

In today’s threat landscape, managed service providers (MSPs) face shared liability exposure when clients in various industries fall victim to cyber incidents. Courts and regulators are increasingly unwilling to accept client ignorance as an excuse – instead holding service providers to a duty of care and even constructive knowledge of risks. The following report analyzes key industry verticals served by a Minnesota-based MSP – including common breach scenarios, latent compliance obligations, and legal precedents – to quantify material cyber risk (in dollars where possible) and illustrate how client shortcomings can become MSP liabilities. Each section provides real-world examples and regulatory trends in the U.S. (with emphasis on Minnesota), followed by a concluding risk governance summary for MSP leadership.

Figure: cost of a data breach by industry (average in millions USD, 2023 vs 2024). Caption from the cited report: the average cost of a breach reaches nearly $5 million, with healthcare hit the hardest1.

Heavily regulated sectors like healthcare incur the highest breach costs (~$9.8M on average), but even “smaller” incidents in education or public sectors still average in the multi-millions. Professional services and industrial firms also see high impact, reflecting significant downtime and legal penalties.

Construction & Trades (Roofing, HVAC, etc.)

Construction, contracting, and trades companies increasingly suffer costly cyber incidents despite often assuming “we’re not a target.” Ransomware attacks against construction have surged; one analysis found construction to be the sector most heavily hit by ransomware in 20232. Such attacks can halt projects and idle equipment, producing significant downtime losses. Indirect costs (contractual penalties for delays, for instance) and data exposure (employee or client information) add to the damage3.

The average breach cost in the industrial sector (which includes engineering and construction) jumped by about $830k year over year, from roughly $4.7M to $5.6M per incident1.

Real-world examples underscore the risk. The best-known case is the Target data breach of 2013, in which attackers infiltrated the retailer using network credentials stolen from a third-party HVAC contractor. That small trades vendor’s compromise ultimately cost Target over $200 million in breach expenses and settlements4. Attackers phished the HVAC company (Fazio Mechanical), stole the credentials it used for Target’s vendor portal, and from that foothold moved through Target’s internal network to steal 40 million payment card records4. The incident shows how a seemingly low-tech vendor (refrigeration/HVAC) became the attack vector for a massive breach, with liability cascading up to the enterprise: Target paid $18.5M in a multistate settlement (which included Minnesota)5 on top of more than $200M in direct losses4, while the HVAC firm faced intense scrutiny. The lesson that survives every retelling is that vendor access must be scoped and segmented; a billing-portal login should never have been a path to point-of-sale systems.

Latent compliance obligations in construction and the trades are often overlooked. Many contractors accept credit card payments, making them subject to PCI DSS and to Minnesota’s Plastic Card Security Act, which lets financial institutions recover breach costs from a business that retained card data it was prohibited from storing6. Construction firms working on government or defense projects may unknowingly handle sensitive building plans or Controlled Unclassified Information, which obligates them by contract to the NIST SP 800-171 controls and, increasingly, to CMMC assessment. Yet many smaller trades are unaware of these duties. Employee PII (Social Security numbers on payroll files, for example) must also be safeguarded under state data-breach laws. An MSP must recognize that if a contractor client ignores such obligations, a breach can trigger shared liability: card-brand fines and assessments for PCI non-compliance, or negligence suits over unprotected personal data. In short, the construction sector’s cyber ignorance can become the MSP’s problem, because regulators and clients will ask whether the MSP, as the IT expert, “should have known” and addressed obvious vulnerabilities.

Nonprofits & Human Services

Nonprofits, charities, and human services organizations (disability services, early childhood centers, housing authorities, and the like) are cyber-attack targets because of often lax security and valuable personal data. Studies show that 50% of NGOs globally reported being targeted by cyberattacks in recent years7, and about 27% of nonprofits have already fallen victim to a cyber incident8. These attacks can expose donor information, beneficiary data (which may include health or financial details), and the personal information of vulnerable clients. The fallout is costly: one analysis found nonprofit data breaches affect roughly 19,000 individuals on average, which for a small organization could be its entire donor or client base9. Beyond notification costs, nonprofits risk reputational damage and loss of public trust, an existential threat for organizations that depend on goodwill.

A prominent case of third-party risk is the Blackbaud breach. Blackbaud, a cloud provider of fundraising and donor-database services to thousands of nonprofits (as well as schools and healthcare organizations), suffered a ransomware breach in 2020 that affected more than 13,000 client organizations and millions of donor records10. Notably, affected individuals did not just blame the nonprofits; they went after the vendor directly. A U.S. court allowed consumers whose data was compromised to pursue negligence claims directly against Blackbaud, rather than only against the nonprofits that had entrusted Blackbaud with their data11. That ruling signaled that service providers to nonprofits can owe a duty of care to the end individuals. Blackbaud ultimately settled with 49 state Attorneys General (and the District of Columbia) for $49.5 million in 2023 over its deficient security and slow breach notification10. For Minnesota, which participated in that multistate settlement, the precedent is clear: state regulators will hold a technology vendor accountable for putting Minnesota residents’ data at risk, even when the vendor’s clients (the nonprofits) were the ones that collected the data.

Nonprofits often operate under latent compliance obligations that leadership may not fully understand. A human services nonprofit providing counseling or healthcare services may be a HIPAA covered entity (or a business associate), yet many small nonprofits do not realize federal health privacy law applies to them. Organizations serving children (a faith-based childcare center, say) hold sensitive minors’ data that may be protected by FERPA (for education records) or state child privacy laws, and they often lack the required safeguards. Housing authorities and agencies handling sensitive personal and family data may be subject to government data protection rules (Minnesota’s Data Practices Act for government entities12, which mandates breach disclosure13). Donor privacy is another concern: while no single U.S. law governs donor data security, failing to protect it can trigger state consumer protection enforcement. An MSP must recognize these latent requirements. If a nonprofit client is ignorant of needed controls, for instance by not encrypting health information or by lacking any cybersecurity program at all (80% of nonprofits have no formal cyber plan in place14), the MSP may shoulder blame after an incident. Regulators can argue the MSP had constructive knowledge that the client’s security was inadequate and should have advised on or implemented better controls.

Healthcare & Biotech (Labs, Diagnostics, Research)

Healthcare organizations and biotech firms are high-value targets for cybercriminals and face extensive regulatory scrutiny. Healthcare has the highest average data breach cost of any sector, about $9.77 million per incident in the 2024 IBM report1, and has held that top spot for more than a decade. These costs include not only technical recovery and notification but also heavy regulatory penalties and litigation. From 2009 through 2022, over 5,000 healthcare breaches (exposing 380+ million patient records) were reported to federal authorities, and a growing share of them involved third-party service providers (business associates) rather than the healthcare entities themselves15. This trend reflects how a vendor’s lapse can put a hospital or clinic in jeopardy, and vice versa.

A striking example is LabCorp and its collections vendor, AMCA. When the vendor suffered a massive breach exposing the data of more than 10 million patients across its laboratory clients, LabCorp faced not only class actions from patients but also a shareholder derivative suit accusing LabCorp’s directors of failing to ensure the vendor’s cybersecurity was adequate16. The claim in that Delaware case was essentially that LabCorp’s board breached its oversight duties by providing sensitive data to a vendor with deficient security and not monitoring that vendor16. (The Court of Chancery dismissed the suit in 2024, and the reason is instructive: the board could show it had a functioning reporting system for vendor and cyber risk, which is exactly the kind of documented oversight that defeats such claims.) The lesson for healthcare is that ignorance is no defense: a covered entity that fails to vet and oversee a service provider exposes its leadership to the fallout, and only a demonstrable oversight program protects it. Conversely, the service provider itself can be the target: multiple diagnostics and research vendors have faced lawsuits or enforcement. When Blackbaud’s incident affected numerous hospital foundations, hospitals and Blackbaud both came under regulatory fire, culminating in the $49.5M multistate settlement requiring Blackbaud to overhaul its security10.

Healthcare and biotech SMBs often underestimate their compliance obligations. Many assume HIPAA applies only to hospitals, when in fact any entity handling protected health information, from a two-person diagnostics lab to a biotech research startup receiving patient data, is subject to HIPAA’s Security Rule and breach penalties. OCR (the HHS Office for Civil Rights) has directly fined small vendors for security failures: in 2023, the medical software provider MedEvolve paid $350,000 to settle HIPAA violations after a breach of roughly 200,000 patient records15, and OCR emphasized the vendor’s failure to conduct a risk analysis and implement an adequate security program. Minnesota’s Attorney General has likewise shown willingness to act: in 2012, AG Lori Swanson sued Accretive Health (a billing and collections contractor) after a stolen laptop exposed about 23,500 patients’ data, leading to a $2.5M settlement and an order barring the vendor from operating in Minnesota for at least two years17. Federal regulators separately reached a $1.55M HIPAA settlement with one of the hospital clients whose patient data was on that laptop, North Memorial Health Care, for lacking a business associate agreement with Accretive and never performing a risk analysis19, so both the service provider and a client paid for the same incident. Beyond HIPAA, biotech firms engaged in clinical research may handle genetic or health data subject to state laws (Minnesota’s genetic information statute, for example) or to GDPR if EU subjects’ data is involved. FDA’s medical device cybersecurity requirements apply to manufacturers of networked lab devices and diagnostic software. Many small healthcare and research organizations are unaware of these nuances. An MSP serving this vertical must treat compliance as a shared responsibility: if the client neglects encryption, access controls, or timely breach reporting, regulators can and will argue that the MSP “should have known better” and failed its duty of care by leaving obvious security gaps20.

Professional Services (Law Firms, Consultants)

Professional service firms such as law offices, accounting or consulting firms are entrusted with highly sensitive client information – making them prime cyber targets and increasingly, legal liability flashpoints. The average data breach cost for professional services firms is around $5 million, reflecting the high stakes of exposed client data, downtime, and potential malpractice claims. Law firms in particular are under attack: in recent years, numerous law firms (large and small) have suffered breaches exposing everything from corporate deal data to personal client details. Ethics rules impose a duty of confidentiality on attorneys, and courts are now seeing clients (and regulators) hold firms accountable when cyber lapses occur.

A powerful illustration is the 2024 case Mastagni Holstedt, A.P.C. v. Lantech, LLC, where a California law firm sued its MSP (managed IT provider) after a devastating ransomware attack. The firm had hired the MSP to bolster cybersecurity and backups, yet the firm’s network was breached by the Black Basta ransomware group – encrypting servers and even deleting cloud backups21. The law firm alleges the MSP was negligent, citing several failures:

  • Inadequate backup strategy: The MSP advised switching to a cloud-based backup but failed to ensure it was ransomware-resistant. During the attack, the cloud backups were encrypted and lost, whereas the firm’s prior offline backups might have survived21.
  • Lack of MFA: The MSP did not implement multi-factor authentication on remote access, making it easier for attackers to penetrate the network21.
  • Poor preparation and monitoring: The complaint says the provider failed to harden systems or promptly detect the intrusion, which went unnoticed until ransomware detonated21.

Ultimately, the firm paid a ransom to recover its data because the backups were gone21. The case is a wake-up call: an MSP is being sued for breach of contract and negligence, and the court is expected to evaluate whether the MSP met the “reasonably prudent” cybersecurity standard of care20. If it did not, the MSP could face substantial damages. Crucially, the absence of a written contract (the engagement was an oral agreement) complicates the MSP’s defense21, because no liability limits or warranty disclaimers were in place. The lesson for MSPs is to define and limit their obligations explicitly; otherwise courts may impose broad duties after the fact.

Professional service firms themselves are also being sued by their clients and by third parties after a breach, sometimes alongside their service providers. In late 2024, a proposed class action named both a law firm (Thompson Coburn LLP) and its client (Presbyterian Healthcare Services) as defendants after a hacker accessed the law firm’s network and stole patient data related to the client22. The lawsuit claims the breach was a “direct result” of inadequate cybersecurity by both the firm and the healthcare provider, essentially arguing that lax safeguards “paved the way” for the attack22. This is part of a larger trend: several large firms (Orrick, Bryan Cave, and others) have been sued over data breaches and have reached multi-million dollar settlements22. One global law firm recently agreed to pay $8.5M to settle claims after a breach exposed client Social Security numbers23. Law firms also risk malpractice liability if a client can prove that a cyber incident (a hacked email account leading to a fraudulent wire transfer, for example) was caused by the firm’s failure to exercise due care in security24. Consultants and other professionals face similar exposure; an HR consulting firm that mishandles employee data, for instance, could be liable to the client’s employees for identity theft damages.

Compliance obligations for professional services are varied and often under-appreciated by SMBs. Lawyers are bound by ABA Model Rule 1.6(c) and the corresponding state ethics rules to make reasonable efforts to safeguard client confidences, which today means reasonable cybersecurity. Many state bar associations have issued guidance equating a lawyer’s duty of competence with staying current on cybersecurity to protect clients. Some states (New York through its SHIELD Act, Massachusetts through its data security regulations) impose legal requirements on any business holding residents’ personal data, law firms included, to maintain reasonable security controls22. If a firm handles regulated client data, additional laws apply: a law firm holding health records for a hospital becomes a HIPAA business associate with direct liability for breaches, and a consulting firm processing credit data for a bank may fall under GLBA and the FTC Safeguards Rule. Many small firms do not realize this; an accounting consultant, for example, might be deemed a “service provider” under a bank’s GLBA compliance program and be contractually expected to uphold specific security measures. Failing to meet these latent obligations invites regulators or clients to assert that the professional “should have known” and implemented the required standard of care. For MSPs, this means a professional services client’s ignorance or refusal to invest in security does not shield you; instead, you may be accused of negligence for not pressing for stronger protections.

Education & Faith-Based Childcare

Education institutions and child-focused organizations (private schools, daycare centers, faith-based childcare providers) increasingly find themselves in attackers’ crosshairs. K-12 schools and small educational nonprofits often have limited IT resources, making them soft targets for ransomware. In 2023, Minneapolis Public Schools (MPS) suffered a massive ransomware attack that underscores the stakes. The Medusa ransomware gang infiltrated MPS in February 2023 and demanded $1 million; when the district refused to pay, the attackers leaked extremely sensitive data, including detailed student psychological reports and security camera footage, affecting more than 100,000 students, parents, and employees25. The breach disrupted district operations for weeks and required notification of over 105,000 people, with MPS providing two years of credit monitoring to victims25. The incident, in the MSP’s home state of Minnesota, shows that public sector and nonprofit educators face breach costs in the millions and intense public scrutiny. In the aftermath, families have filed complaints and potentially legal claims, frustrated by delays in notification and alleging resulting fraud25.

Smaller faith-based and private educational organizations may assume they are under the radar, but they handle valuable personal data: children’s names, addresses, and medical information (allergies, medications), parents’ financial and contact data, and so on. Such information can be sold or misused if breached. Regulatory compliance applies as well. FERPA (the Family Educational Rights and Privacy Act) governs the privacy of education records at schools that receive federal education funds; a church-run preschool is usually outside it, while a public charter school is squarely within it. FERPA violations (such as an unauthorized disclosure through a cyber breach) can lead to federal sanctions or loss of funding. Many states also have student data privacy laws and breach notification laws that cover nonprofits and schools. Minnesota law, for instance, requires any organization (public or private) to notify affected individuals of a breach of personal information “in the most expedient time possible”26, and has special provisions for breaches involving government entities12, which cover public school districts.

For childcare centers and youth organizations, COPPA (the Children’s Online Privacy Protection Act) can come into play indirectly when they adopt online services that collect data from children under 13, so the MSP should steer them toward compliant platforms. These organizations also often fail to appreciate the duty of care they owe for minors’ information. A daycare may keep a spreadsheet of children’s allergies and parent contact details on an office PC; if that is stolen and posted, parents may sue for negligence in protecting their children’s data. Even breaches of physical security systems (such as the leak of school building security camera maps in the MPS incident) create safety risks and liability. Many education-focused SMBs lack even basic controls; one study noted that 4 out of 5 nonprofits (including educational ones) have no cybersecurity plan at all7. This is where the MSP’s exposure lies: if an education client is breached, investigators will ask whether the MSP knew of vulnerabilities (outdated systems, missing backups, and so on) and failed to address them. The expectation is that MSPs, as professionals, should not wait for a school principal or church pastor (often not tech-savvy) to request security; the MSP is expected to recommend and implement it proactively. Failing to do so can be seen as a breach of the MSP’s duty of care, especially where the risks were foreseeable (no firewall and no endpoint protection on school PCs in 2025 is plainly reckless).

Compliance obligations here can be “latent” as well. A private school might not realize that state consumer protection laws require reasonable data security; Minnesota’s adoption of the NAIC Insurance Data Security model law (though aimed at insurers) reflects a broader regulatory expectation that third parties must be overseen and secured27. If a faith-based school processes tuition by credit card, PCI DSS applies to that card data, and a school that extends tuition financing may also fall under the GLBA Safeguards Rule (as colleges participating in federal student aid already do). The bottom line is that education and childcare organizations cannot ignore cybersecurity without legal exposure, and by extension neither can their MSPs.

Field Service & Restoration Contractors

Field service companies, such as disaster restoration contractors, specialty repair services, and similar SMEs, may not appear to handle sensitive data at first glance. Yet they routinely collect and store client information (homeowners’ addresses, insurance claim details, photos of property damage that may show personal belongings) and must keep operations running around the clock to respond to emergencies. A cyber incident can derail their ability to deliver critical services and compromise client trust. Ransomware has hit the field services sector with increasing frequency: construction and related trades (which include many restoration and field service businesses) recently saw a 41% increase in ransomware attacks28, and some reports rank construction and contracting firms among the most common victims. Downtime is especially damaging here. A restoration contractor locked out of job schedules, drying-equipment data, or customer contacts for even a few days can leave mold spreading or buildings unsecured, causing additional property damage for which the firm could be liable. According to FBI data, the average ransomware incident in 2022 caused about a month of downtime for government victims29; for a small business, even a fraction of that could be ruinous. Ransom demands have also skyrocketed (nearly two-thirds of attacks now demand more than $1M)2; many small firms cannot or will not pay, but those that do face enormous costs, and those that do not still pay to rebuild systems and handle the data leak.

A scenario illustrating shared risk: a fire restoration contractor works with a large insurance carrier and receives claim details including policy numbers and perhaps health information (for fire damage at a clinic, or at a home with medical equipment). If the contractor’s MSP has not implemented proper network security and the contractor is hacked, that insurance-related data can leak. Under the Minnesota Insurance Data Security Act, adopted in 2021, insurers must ensure that their third-party service providers (contractors included) protect consumer data27. After a breach, the insurer may face regulatory action for failing to vet its vendor and will certainly try to pass liability to the contractor (and, indirectly, to the MSP). Minnesota’s law, mirroring the NAIC model, requires insurers and agents to oversee their third-party service providers’ security27, effectively pushing the duty of care down the chain. A restoration contractor without robust cybersecurity can thus put its partner carrier in legal jeopardy, which in turn can produce lawsuits or indemnification claims against the contractor’s IT provider if negligence is found.

Even apart from larger partners, field service SMBs face compliance obligations they may not recognize. Many take card payments on site, so PCI DSS and state cardholder-data laws apply. They also keep employee records with sensitive PII, and often DOT driving records or background checks for technicians who enter homes; such data is protected by the Fair Credit Reporting Act and state PII safeguards. The alarm panels, environmental monitors, and equipment controllers these contractors operate also need to be secured, because a compromise there becomes a physical safety problem rather than only a data problem. Most small restoration firms lack dedicated IT staff, so they rely on their MSP for everything, effectively outsourcing risk management. Should an incident occur, they may plead ignorance (“we thought our MSP had it handled”), while clients and regulators ask the MSP why basic precautions were not in place. In legal terms, the MSP may be cast as the expert who should have known that, for example, the contractor needed offline backups or endpoint protection, and so share liability for the failure.

In summary, field service and restoration contractors are a case where client ignorance and MSP responsibility intersect. The clients may not know the regulatory expectations (insurance data protection laws, breach notification duties), but regulators will enforce them regardless, and the MSP must take those obligations on the client’s behalf to avoid exposure. As one cyber liability bulletin put it, victims and their insurers increasingly look to “recover their losses by holding others accountable” after an attack21. In this vertical, that “other” will likely be the MSP if proper security measures and incident response plans were not in place.

Risk Governance & Shared Liability: MSP Leadership Summary

The case studies and trends above paint a clear picture: MSP leadership must treat cybersecurity and compliance risk as a core governance issue, on par with financial or legal risks. Across all client verticals – from construction sites to clinics, charities to law offices – ignorance of cyber threats is rampant. Yet regulators and courts are demonstrating little patience for after-the-fact excuses. Instead, they increasingly apply standards of constructive knowledge (what the MSP should have known and done) and enforce a duty of care on service providers to protect client data and systems.

Key themes for MSPs emerge:

  • Growing Legal Duty of Care: An MSP can face breach of contract or negligence suits when a client is breached. Courts are still developing these standards, but generally expect the MSP to act as a “reasonably prudent” IT professional20. If there are known best practices (encryption, MFA, tested backups) or known vulnerabilities, the MSP is expected to address them or at least warn about them in writing. As the law firm case (Mastagni Holstedt v. Lantech) shows, falling short opens the door to litigation. The costs can be substantial: legal damages, the MSP’s own remediation expenses, and insurance impacts. MSPs should assume that any significant client breach will prompt the client (or its insurer) to point at the MSP in search of deep pockets or admissions of error20.

  • Regulatory Enforcement Extends to Vendors: Regulators now explicitly include service providers in their enforcement regimes. State Attorneys General have pursued IT and data vendors for poor security (the Minnesota AG against Accretive Health17, the multistate AGs against Blackbaud10). The FTC has likewise held companies accountable for failings in their ecosystem; in the Wyndham case it cited inadequate oversight of franchisee security as part of the unfair practices alleged20. Sector-specific rules compel oversight: HIPAA directly regulates business associates; the NAIC Insurance Data Security law adopted in Minnesota mandates oversight of third-party providers27; and the Department of Defense’s CMMC program, now phasing in, flows cybersecurity requirements down to the smallest subcontractors. The message: MSPs serving regulated clients may themselves become directly subject to compliance (by law or by contract) and liable for penalties if they fall short. Leadership must ensure the company has expertise in the relevant regulations for each client vertical (PCI DSS, HIPAA, FERPA, and so on) so that no “latent” obligation is overlooked. Ignorance on the MSP’s part is as dangerous as ignorance on the client’s part.

  • Quantifiable Risks & Insurance: The material risks are quantifiable, and often eye-opening. Average breach costs range from roughly $4M to $10M+ depending on industry1, with record class action settlements (law firms paying $8M+, hospital and healthcare class settlements) and fines (HIPAA and state AG penalties in the millions). Even for SMB clients, a breach can easily cost hundreds of thousands of dollars in response and liability. If an MSP serves, say, 10 small clients and each has a 1-in-5 chance of a breach in a given year (not unrealistic in 2025), the MSP should expect about two client breaches annually. Cyber insurance is a necessary backstop: MSPs should carry robust Errors & Omissions (E&O) and cyber liability coverage, and consider requiring clients to carry cyber insurance as well21. Insurers now routinely investigate breaches with subrogation in mind; they may pay the client and then sue the MSP to recover the loss if MSP fault is suspected. Strong contracts with liability limitations and indemnity clauses are the MSP’s first line of protection here21.

  • Contractual Clarity and Client Education: A recurring factor in many incidents was misaligned expectations or a lack of client understanding (the client assumed the MSP was handling all backups or security updates when that was not in the base contract). To counter this, MSPs should establish a clear standard of care in contracts, spelling out both MSP and client responsibilities20. That can include requiring the client to follow certain minimum security practices, or to acknowledge residual risk in writing when it declines recommended services. Legal advisors suggest that MSP contracts include customer obligations, MSP obligations, assumption of risk, disclaimers, and liability limits as key clauses20. From a governance perspective, leadership should ensure no client is onboarded without a written agreement covering these points; the oral “handshake deal” is a recipe for uncertainty and expanded liability21. Client education is also part of risk management: an MSP that regularly briefs its clients, in accessible terms, on cyber threats and compliance requirements can show it took reasonable steps to inform an “ignorant” client20. That both prompts clients to invest more in security and serves as evidence that the MSP exercised due care. Documentation and communication matter as much as the technical protections deployed.

  • Proactive Risk Governance: MSP leadership should treat the client base as a risk portfolio: assess which verticals and clients carry the highest inherent risk and ensure internal policies address them. If many clients are in healthcare, for instance, the MSP should invest in HIPAA training for staff, keep a template Business Associate Agreement, and consider a third-party audit (SOC 2 or ISO 27001) to demonstrate that its own controls meet a high standard. Regular risk reviews should ask: Are all clients receiving timely patching and backup services? Do any clients repeatedly refuse security recommendations, and if so, is the MSP prepared to insist or to document a waiver of liability? Boards and executives should be asking, “If one of our clients gets hit by a severe cyber attack, are we prepared to respond and defend ourselves?” That requires an incident response plan that involves legal counsel, public relations, and technical responders, since the MSP may need to assist the client and protect its own interests at the same time. As Baird Holm’s cyber liability bulletin noted, victims (and their insurers) will try to “hold others accountable” to recoup losses21, so MSPs must be ready to demonstrate their own accountability measures (or point to the client’s failings) in the aftermath. Good cyber hygiene inside the MSP, to avoid becoming the attack vector through its remote management tooling, is also part of governance: the 2021 Kaseya VSA incident showed how a compromise of MSP software can cascade to every downstream client at once.

In conclusion, MSPs today stand in a position of shared fiduciary responsibility for cybersecurity. Much like an accountant is expected to catch glaring errors in a client’s finances, an MSP is expected to address glaring vulnerabilities in a client’s IT – or face potential liability for the damage that follows. Minnesota and U.S. legal precedent makes it clear that “I didn’t know” or “they didn’t ask for it” is not a winning defense for service providers. Instead, courts and regulators favor a “knew or should have known” approach – if the risk was knowable and the harm foreseeable, the MSP is expected to act. By embracing thorough risk governance, stringent compliance practices, client education, and ironclad contracts, MSP leadership can significantly mitigate this exposure. The goal is to transform what could be an adversarial blame game into a true partnership with clients on security: aligning incentives, sharing knowledge, and jointly meeting the standard of care that modern cybersecurity demands. In doing so, the MSP not only avoids legal pitfalls but also enhances its value proposition in an era where trust and accountability are paramount.

Sources:

1. "Cost of a breach reaches nearly $5 million, with healthcare being hit the hardest | The Record from Recorded Future News"

2. "Cybersecurity Industry Statistics: ATO, Ransomware, Breaches | Spycloud"

3. "Claims against IT service providers following a cyber attack | Society for Computers & Law"

4. "Bits and Breaches - Target Data Breach 2013 | Adaptive"

5. "Target Settles HVAC Data Breach for $18.5 Million | Facilitiesnet"

6. "Minnesota Gives PCI Rules a Legal Standing | Computerworld"

7. "Nonprofits and Cyberattacks: Key Stats That Boards Need to Know | BoardEffect"

8. "Cybersecurity Challenges and Best Practices for Nonprofits | EideBailly"

9. "Nonprofit Data Breaches & Their Impact | RipRap Security"

10. "Blackbaud to Pay $49.5 Million in Data Breach Settlement | Hunton"

11. "Customers Can Pursue Negligence Claims Directly Against Vendor | Data Protection Report"

12. "Data Breach Notification / Data Practices Office | State of Minnesota"

13. "[PDF] Guidelines for Vendor Contracts | MNCCC"

14. "Nonprofits and Cyberattacks: Key Stats That Boards Need to Know | BoardEffect"

15. "HHS OCR Settles HIPAA Investigation with Business Associate for $350,000 | Dorsey Health Law"

16. "Insure Against Data Breaches Suffered By Vendors and Service Providers | Ervin Cohen & Jessup LLP"

17. "Accretive Health Settles Minn. Lawsuit | DataBreachToday"

18. "Minnesota Attorney General Reaches First Settlement With Business | Foley & Lardner LLP"

19. "North Memorial Health Care paying $1.5 million in federal privacy | Star Tribune"

20. "The MSP’s Responsibility for Professional Standard of Care | Calyptix Security"

21. "The Ever-Expanding Liability of Cyber-Breaches | Baird Holm LLP"

22. "Law firm Thompson Coburn and healthcare client hit with data breach lawsuit | Reuters"

23. "Law Firm Settles Data Breach Lawsuit: A Warning for Legal | MSBA"

24. "Law Firm Data Breaches and Legal Malpractice | Helen Geib via LinkedIn Pulse"

25. "Minneapolis school district says data breach affected more than 100,000 people | The Record from Recorded Future News"

26. "Minnesota Data Breach Notification Laws | Insureon"

27. "NAIC Data Security Model Act | Minnesota Department of Commerce"

28. "Report Shows Ransomware Has Grown 41% for Construction Industry | ReliaQuest"

29. "Gov agencies $96m recovery bills after ransomware attack | TechInformed"
