Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
IT Management
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Data Diligence

It takes a skilled lawyer to skirt danger zones in a managed service provider agreement.
Jennifer Jones   Today’s Top Stories    or  Other Management Stories  
 

Sign up to receive Security Resource Alerts

November 14, 2005 (Computerworld) -- It's time to bring on a managed service provider. First, hire all the lawyers -- or at least consider having some legal representation. Ideally, enterprises large and small will have access to an IT attorney who specializes in security, privacy and the myriad new data disclosure laws that regulate many sectors.

Minus legal representation, companies could be open to serious liability. For instance, if an MSP is hacked or personal data is stolen or compromised by MSP employees, the customer will be held entirely responsible. Hence, agreements should spell out security measures and background checks.

"There should at least be an agreement in place that ensures MSPs disclose breaches," suggests Michael Rasmussen, an analyst in Forrester Research Inc.'s enterprise risk/compliance management group.

Be warned, however, that lawyers who know the ins and outs of these areas are hard to find. Given this scarcity of seasoned IT attorneys, some businesses have the option of spending long hours educating corporate lawyers on the nuances of hiring an MSP or simply forgoing legal representation altogether.

Most experts agree that some attorney involvement is better than none at all and urge enterprises to invest upfront to guard against legal and security land mines - a rigorous exercise, but one with many potential payoffs. For instance, MSP negotiations offer a chance to re-examine languishing privacy policies or to comb through and tighten security measures.

For these reasons, MSP agreements brokered by larger corporations almost always filter through legal departments. Says Mike Kline, manager of network operations at KB Toys Inc. in Pittsfield, Mass., "Absolutely every contract KB Toys signs goes through our in-house counsel for approval. What they typically do is add our own terms that govern areas such as exclusivity, liability and privacy." The retailer of children's products relies on MSP Atrion Networking Corp. in Warwick, R.I., for managed network services.

At Wine Warehouse in Commerce, Calif., lawyers are included early on. "Once it is determined that the MSP is a viable candidate and that the services merit the investment required, then a series of 'what if' scenarios should be run through," advises Kim Bugayong, vice president of IT. Wine Warehouse outsources services such as patch management and server and backup monitoring to provider Alvaka Networks Inc. in Huntington Beach, Calif.

Vigilance is prudent, not because MSPs are neglectful but because problems are common, experts say. "When outsourcing, it is surprisingly easy to do things like run afoul of a privacy policy," says Dennis Kennedy, an IT attorney in St. Louis.

Small to midsize businesses are the most vulnerable. "These companies are often run by CEOs who don't always know they need a lawyer to review MSP contracts before they sign them," Kennedy adds.

That oversight can easily prove to be a huge mistake, notes Thomas Barnett, special counsel at New York-based law firm Sullivan & Cromwell LLP. "If a company is subject to federal and/or state regulations concerning disclosure of client information -- such as those in the medical and banking industries -- then any inadvertent disclosures of such information by the MSP could create significant liability for the company," he says.

Know Thy Ally
Along with soliciting good legal advice, enterprise IT officials poised to hire MSPs would be wise to examine thoroughly both the service provider they're courting and the MSP agreement they're considering. "I'm looking for the track record of the vendor," says Kline.

After establishing a level of trust, spell out the limitations of the arrangement that will be put in place, advises Barnett. "It is typical to have an MSP execute very detailed confidentiality provisions that clearly define the ownership and handling of the data, as well as its disposition," he says.

Data handling is especially critical, notes Ian Campbell, president of Nucleus Research Inc. in Wellesley, Mass. "You may want to think about dedicated cabinets," he advises. "This way, your applications are physically separated and locked down, so you don't have to worry about who is wandering through your server farm."

Also consider the insertion of indemnification clauses that force the MSP to shoulder the burden of compliance, suggests Robert Scott, an attorney at Dallas-based law firm Scott & Scott LLP.

"Avoid agreeing to limitations of liability, to ensure that the MSP has a financial stake in the client's compliance obligations," he says.

Just remember that ultimate responsibility will not rest with the MSP. "You can outsource development, business practices and other services, but you cannot outsource your liability," Forrester's Rasmussen wrote in a recent report.

Fringe Benefits
While a corporation can't offload liability, it can use MSP negotiations to shore up internal practices. "My experience with MSPs is that a lot of them are playing catch-up along with their clients," says Charles Weaver, co-founder of the MSPAlliance in Chico, Calif.

For instance, the due diligence behind KB Toys' deal with Atrion enhanced its compliance with the stringent security guidelines from Visa U.S.A. Inc. The credit card behemoth imposes guidelines on merchants through its Cardholder Information Security Program. "This has really forced us to completely double-check our security and access," says Kline.

Dusting off established privacy policies during MSP negotiations is also a good idea, especially if the service provider will be handling client data. "Usually, an MSP arrangement essentially moves this data to an external site but does not transfer ownership. The privacy policy needs to explain this," cautions Wine Warehouse's Bugayong.

Don't stop with new MSP deals. Experts also advise enterprises to peruse existing contracts with an eye toward liability.

"You can't just roll over and pull the sheets over your head," insists John Stehman, director of research at Robert Francis Group Inc. in Westport, Conn. "You've got to renegotiate."

Jones is a freelance writer in Vienna, Va. Contact her at Jjwriterva@aol.com.


Special Report


ASPs, Take Two
Stories in this report:



Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"Let's face it, the energy IT can save through green technology for society is modest. But that doesn't mean it..." Read more...
"A marketing war over energy isn't a bad thing...." Read more...
Read more Management posts or See all Blogs

HP confirms XP SP3 endless reboot snafu, promises patch
Yahoo tells Icahn that its own board knows best
Tools circulate that crack Debian, Ubuntu keys
More top stories...
Former Microsoft manager offers free fix for XP SP3 'endless reboot'
Can Icahn take on the Yahoo board and win?
Elgan: Hyperconnectivity: Friend or foe?

Shuttle Columbia's hard drive data recovered from crash site
Specialists have retrieved about 99% of the data on a disk drive on board the crashed space shuttle Columbia. Don't miss the photographs of the recovered drive.
The top 15 vaporware products of all time
These big ideas were supposed to revolutionize technology, but they never actually appeared. In a few cases, you'll be glad they didn't.
Opinion: Malware vs. anti-malware, 20 years into the fray
Nearly 20 years after the first Internet worm, Steven J. Vaughan-Nichols takes stock of the malware/anti-malware landscape and spotlights how the two sides are approaching the battle.
Leopard at six months: Does it live up to the early hype?
Though some thought it was released too soon, Mac OS X 10.5 has matured into a solid operating system, says reviewer Michael DeAgonia.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Enterprise-Class Security Zone
Enterprise Solutions Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
The Data Center Management Zone


Ads by TechWords

See your link here
HP's Virtualization: HP's Remote Client Solutions Webinar
HP's Virtualization: HP's Remote Client Solutions Webinar
View this webcast!
Go to the webcast 
Computerworld Report: Storage Gets Strategic
Download this Computerworld Report, free, compliments of HP.
(Source: Computerworld) Data Storage has emerged from the back room to become a key part of regulatory compliance, disaster recovery and strategic tecnhology plans. Learn more in this new this Computerworld report, a $49.95 value, available free for a limited time, compliments of HP.
Download this executive briefing download
Does collaboration drive business success?
Get this white paper now!
(Source: Microsoft Office Live Meeting) Collaboration occurs at the intersection of an enterprise's technology and culture. Discover how these two critical factors affect the quality of collaboration in Meetings Around the World: The Impact of Collaboration on Business Performance. You'll learn why enterprises need to work collaboratively - and examine how collaboration impacts business success.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Discover the Secret to Secure Remote Access: GoToMyPC Corporate Security White Paper
Spam Spikes: A Real Risk to Your Business
Six Support Issues That Keep Execs Awake at Night
View more whitepapers 
HP Compaq t5735 Thin Client

Linux-based thin client delivers desktop-like performance supporting a variety of open-source applications, creating a new paradigm in thin client computing. The NEW HP Compaq t5735 Thin Client provides convenient access to server-based solutions, Virtual Desktop Infrastructure (VDI) or to a variety of remote client solutions.

Download this datasheet 
Global Operations Uses HP Thin Clients to Improve Security and TCO

Do you need a secure standardized platform while maintaining a lower cost of ownership company wide and to help make the company more competitive? Read how the CIO of the world's largest manufacturer of polyethylene folding tables, chairs, picnic tables, and residential basketball equipment obtained his IT Goal with HP Thin Clients.

Download this case study 
HP's Virtualization: HP's Remote Client Solutions Webinar

- Hear from IDC analysts on PC Client Virtualization and Alternatives to Client Computing
- Hear how customers solved IT challenges with HP's solution to Virtualization
- Learn about different types of virtualization market analysis from HP's CTO
- Hear from the VP of Netpads, Inc. how HP Thin Client solutions helped solve IT challenges, security concerns and lowered TCO for the emerging hospitality.

View this webcast 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld