Data Diligence

Computerworld - It's time to bring on a managed service provider. First, hire all the lawyers -- or at least consider having some legal representation. Ideally, enterprises large and small will have access to an IT attorney who specializes in security, privacy and the myriad new data disclosure laws that regulate many sectors.

Minus legal representation, companies could be open to serious liability. For instance, if an MSP is hacked or personal data is stolen or compromised by MSP employees, the customer will be held entirely responsible. Hence, agreements should spell out security measures and background checks.

"There should at least be an agreement in place that ensures MSPs disclose breaches," suggests Michael Rasmussen, an analyst in Forrester Research Inc.'s enterprise risk/compliance management group.

Be warned, however, that lawyers who know the ins and outs of these areas are hard to find. Given this scarcity of seasoned IT attorneys, some businesses have the option of spending long hours educating corporate lawyers on the nuances of hiring an MSP or simply forgoing legal representation altogether.

Most experts agree that some attorney involvement is better than none at all and urge enterprises to invest upfront to guard against legal and security land mines - a rigorous exercise, but one with many potential payoffs. For instance, MSP negotiations offer a chance to re-examine languishing privacy policies or to comb through and tighten security measures.

For these reasons, MSP agreements brokered by larger corporations almost always filter through legal departments. Says Mike Kline, manager of network operations at KB Toys Inc. in Pittsfield, Mass., "Absolutely every contract KB Toys signs goes through our in-house counsel for approval. What they typically do is add our own terms that govern areas such as exclusivity, liability and privacy." The retailer of children's products relies on MSP Atrion Networking Corp. in Warwick, R.I., for managed network services.

At Wine Warehouse in Commerce, Calif., lawyers are included early on. "Once it is determined that the MSP is a viable candidate and that the services merit the investment required, then a series of 'what if' scenarios should be run through," advises Kim Bugayong, vice president of IT. Wine Warehouse outsources services such as patch management and server and backup monitoring to provider Alvaka Networks Inc. in Huntington Beach, Calif.

Vigilance is prudent, not because MSPs are neglectful but because problems are common, experts say. "When outsourcing, it is surprisingly easy to do things like run afoul of a privacy policy," says Dennis Kennedy, an IT attorney in St. Louis.

Small to midsize businesses are the most vulnerable. "These companies are often run by CEOs who don't always know they need a lawyer to review MSP contracts before they sign them," Kennedy adds.