Data Diligence

It takes a skilled lawyer to skirt danger zones in a managed service provider agreement.

It's time to bring on a managed service provider. First, hire all the lawyers -- or at least consider having some legal representation. Ideally, enterprises large and small will have access to an IT attorney who specializes in security, privacy and the myriad new data disclosure laws that regulate many sectors.

Minus legal representation, companies could be open to serious liability. For instance, if an MSP is hacked or personal data is stolen or compromised by MSP employees, the customer will be held entirely responsible. Hence, agreements should spell out security measures and background checks.

"There should at least be an agreement in place that ensures MSPs disclose breaches," suggests Michael Rasmussen, an analyst in Forrester Research Inc.'s enterprise risk/compliance management group.

Be warned, however, that lawyers who know the ins and outs of these areas are hard to find. Given this scarcity of seasoned IT attorneys, some businesses have the option of spending long hours educating corporate lawyers on the nuances of hiring an MSP or simply forgoing legal representation altogether.

Most experts agree that some attorney involvement is better than none at all and urge enterprises to invest upfront to guard against legal and security land mines - a rigorous exercise, but one with many potential payoffs. For instance, MSP negotiations offer a chance to re-examine languishing privacy policies or to comb through and tighten security measures.

For these reasons, MSP agreements brokered by larger corporations almost always filter through legal departments. Says Mike Kline, manager of network operations at KB Toys Inc. in Pittsfield, Mass., "Absolutely every contract KB Toys signs goes through our in-house counsel for approval. What they typically do is add our own terms that govern areas such as exclusivity, liability and privacy." The retailer of children's products relies on MSP Atrion Networking Corp. in Warwick, R.I., for managed network services.

At Wine Warehouse in Commerce, Calif., lawyers are included early on. "Once it is determined that the MSP is a viable candidate and that the services merit the investment required, then a series of 'what if' scenarios should be run through," advises Kim Bugayong, vice president of IT. Wine Warehouse outsources services such as patch management and server and backup monitoring to provider Alvaka Networks Inc. in Huntington Beach, Calif.

Vigilance is prudent, not because MSPs are neglectful but because problems are common, experts say. "When outsourcing, it is surprisingly easy to do things like run afoul of a privacy policy," says Dennis Kennedy, an IT attorney in St. Louis.

Small to midsize businesses are the most vulnerable. "These companies are often run by CEOs who don't always know they need a lawyer to review MSP contracts before they sign them," Kennedy adds.

That oversight can easily prove to be a huge mistake, notes Thomas Barnett, special counsel at New York-based law firm Sullivan & Cromwell LLP. "If a company is subject to federal and/or state regulations concerning disclosure of client information -- such as those in the medical and banking industries -- then any inadvertent disclosures of such information by the MSP could create significant liability for the company," he says.

Know Thy Ally

Along with soliciting good legal advice, enterprise IT officials poised to hire MSPs would be wise to examine thoroughly both the service provider they're courting and the MSP agreement they're considering. "I'm looking for the track record of the vendor," says Kline.

After establishing a level of trust, spell out the limitations of the arrangement that will be put in place, advises Barnett. "It is typical to have an MSP execute very detailed confidentiality provisions that clearly define the ownership and handling of the data, as well as its disposition," he says.

Data handling is especially critical, notes Ian Campbell, president of Nucleus Research Inc. in Wellesley, Mass. "You may want to think about dedicated cabinets," he advises. "This way, your applications are physically separated and locked down, so you don't have to worry about who is wandering through your server farm."

Also consider the insertion of indemnification clauses that force the MSP to shoulder the burden of compliance, suggests Robert Scott, an attorney at Dallas-based law firm Scott & Scott LLP.

"Avoid agreeing to limitations of liability, to ensure that the MSP has a financial stake in the client's compliance obligations," he says.

Just remember that ultimate responsibility will not rest with the MSP. "You can outsource development, business practices and other services, but you cannot outsource your liability," Forrester's Rasmussen wrote in a recent report.

Fringe Benefits

While a corporation can't offload liability, it can use MSP negotiations to shore up internal practices. "My experience with MSPs is that a lot of them are playing catch-up along with their clients," says Charles Weaver, co-founder of the MSPAlliance in Chico, Calif.

For instance, the due diligence behind KB Toys' deal with Atrion enhanced its compliance with the stringent security guidelines from Visa U.S.A. Inc. The credit card behemoth imposes guidelines on merchants through its Cardholder Information Security Program. "This has really forced us to completely double-check our security and access," says Kline.

Dusting off established privacy policies during MSP negotiations is also a good idea, especially if the service provider will be handling client data. "Usually, an MSP arrangement essentially moves this data to an external site but does not transfer ownership. The privacy policy needs to explain this," cautions Wine Warehouse's Bugayong.

Don't stop with new MSP deals. Experts also advise enterprises to peruse existing contracts with an eye toward liability.

"You can't just roll over and pull the sheets over your head," insists John Stehman, director of research at Robert Francis Group Inc. in Westport, Conn. "You've got to renegotiate."

Jones is a freelance writer in Vienna, Va. Contact her at

Special Report


ASPs, Take Two

Stories in this report:


Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon