711 Cybersecurity Lawsuits on the Rise: What MSPs Need to Know
711 Cybersecurity Lawsuits on the Rise: What MSPs Need to K…
Uncle Marv welcomes back attorney Bradley Gross to discuss the evolving landscape of cybersecurity litigation and its implications for Mana…
Sept. 4, 2024

711 Cybersecurity Lawsuits on the Rise: What MSPs Need to Know

Uncle Marv welcomes back attorney Bradley Gross to discuss the evolving landscape of cybersecurity litigation and its implications for Managed Service Providers (MSPs). The conversation delves into recent high-profile court cases, the importance of clear service agreements, and strategies for MSPs to protect themselves in an increasingly litigious environment.

Uncle Marv kicks off the episode by discussing a recent Canalys report highlighting the growth in cybersecurity services and the increasing trend of customers suing their cybersecurity providers. Brad Gross, a seasoned attorney specializing in IT law, offers his expert insights on this developing legal landscape. The discussion covers several notable court cases, including: 

  • The CrowdStrike event involving Microsoft
  • Delta Airlines' lawsuit against Microsoft
  • LanTech LLC being sued by a law firm client
  • Barry Dunn's case involving Reliable Networks of Maine
  • CDK Global facing lawsuits from automobile dealerships

Brad emphasizes the importance of managing client expectations and clearly defining the scope of services provided. He introduces a "triad" concept for MSPs to protect themselves: 

  1. Understanding the services received from upstream providers
  2. Clearly communicating the scope of services to customers
  3. Clearly allocating responsibilities in service agreements

The conversation touches on the challenges MSPs face in mapping their solutions to various cybersecurity frameworks and the importance of thorough vulnerability management. Brad stresses the need for explicit language in service agreements regarding client responsibilities and the consequences of not following MSP advice. The episode concludes with updates on Brad's professional activities, including his upcoming MSP Terms platform and his involvement with ASCII's "Taste of Success" events.

Links: 

=== Show Information

=== Music: 

  • Song: Upbeat & Fun Sports Rock Logo
  • Author: AlexanderRufire
  • License Code: 7X9F52DNML - Date: January 1st, 2024
Transcript

[Uncle Marv]
All right, Bradley Gross in the house, literally, if people can see us.

[Brad Gross]
Literally, yes, coming to you from a sunny Long Island, where it's only 75 degrees as opposed to 90 degrees in Florida.

[Uncle Marv]
It's not that hot today.

[Brad Gross]
No?

[Uncle Marv]
Well, let me check before I say that. It didn't feel as hot. And is it raining?

Well, it was raining a lot yesterday. So actually, it's weird. So right now, here in Studio B location, Fort Lauderdale, Florida, the temperature is 82, but the real feel is 95.

[Brad Gross]
There you go. Well, where I am in Long Island, it is 73 degree, I'm sorry, yes, 72 degrees, and the real feel is 72 degrees. So there you go.

It must be nice to have both numbers match. Yes, it's so rare, especially when you're in Florida, you know.

[Uncle Marv]
All right, so let me let the listeners know that I reached out to you for a myriad of reasons. One, we hadn't chatted in a while, and I like to try to keep my favorite guests, you know, close to the vest as much as possible.

[Brad Gross]
And also me. I like to keep my favorite people close. And then there's you, Brad.

I also like to keep you close.

[Uncle Marv]
Well, you know, you made the stink about not getting best, you know, episode last year. So you can't win it if you're not on it.

[Brad Gross]
Right? You're right. You're right.

I'm still in therapy over that.

[Uncle Marv]
Yeah. I know you've got a bunch of stuff that you've been working on. You've been traveling and we'll get to that.

But first, I want to get to, I forwarded you an article that I got from Canalys, our good friend, Jay McBain, and his company put out this report that on the surface, it looks like it's just about, you know, what's happening for, you know, managed services when it comes to cybersecurity and talks about the fact that, hey, listen, there's going to be a lot of growth, you know, 15% in 2024. And it talks about the fact that our managed service provider model is going to be changing, evolving. We have to be more mindful of the, you know, cybersecurity out there, both from the vendor side and the customer side, because they're getting smart.

But there was a little phrase in there that caught my attention that I thought, let me get Brad's opinion on that. And it said, there is another growth area, court cases involving customers as plaintiffs against their cybersecurity service providers. And I thought, okay, we've seen some notable court cases, but I didn't realize it was that much of an uptick.

So I wanted to get your opinion on that. What do you think, Brad?

[Brad Gross]
Well, I think that the article, as far as a predictive model of what's coming, is right on target, that there will be an uptick, certainly in court cases, involving customers as plaintiffs against their cybersecurity providers. To date, it has sort of been an equal mix of plaintiffs, companies that have been breached or their information has been breached against their providers, yes, or it has been, on the other side, sort of running in parallel to that, the actual providers, the MSPs aren't being sued, but we are seeing a number of cases of consumers suing the companies that have been breached. And it's only a matter of time before those companies then bring in the MSP.

So we have cases involving the MSPs directly, and then we're going to start to see cases in which the MSPs are pulled in. That's sort of the layout. That's the lay of the land as we see it right now.

[Uncle Marv]
So of course, most recently in everybody's mind is the CrowdStrike event, where people were blaming both Microsoft and CrowdStrike. And then of course, Delta is trying to sue Microsoft, where Microsoft is pushing back saying, hey, look, you didn't protect your stuff. That's not our fault.

We know of the case earlier this year, I believe it was January, that company out west, LanTech, LLC, was sued by their law firm. And there was a couple of others that I noticed, and one was weird because all of the details are, I mean, they're fuzzy to me because I can't follow all the legal speak, but a company Barry Dunn is wrapped up in a bunch of lawsuits and they've drug in their MSP, Reliable Networks of Maine, into the mix. And it's weird because Reliable Networks, from what it looks like, they realized that their client had a breach.

They notified them of the breach. But now the company has turned around and said, well, you're the cause of the breach. And the MSP is like, no, we're not.

We're just the ones that told you. And like you said, MSPs are being dragged in now. So that was a very interesting development I saw.

[Brad Gross]
Yeah, I think that that's going to be a very interesting case to watch because, as you pointed out, the MSP's defense is not that the security services were up to par and so forth. No, their defense is something entirely different. It's we didn't provide you with those services.

You never hired us to provide you with those services. It's sort of like saying your alarm didn't go off. So the burglar broke in and the person you're suing says, I didn't install the alarm.

I didn't I didn't manage the alarm. I don't know why you're coming after me. That's sort of the defense.

It'll also be interesting for those attorneys who are tuning in and are interested in constitutional law. It will be interesting because what has motivated, I believe, the case that Barry Dunn brought against Reliable Networks, what motivated it was the fact that a class action was brought against it by the people whose information was allegedly accessed. And the interesting thing from just a constitutional law perspective is that it was brought in the state of Maine, which is the first federal district in the U.S. The U.S. is designated to districts one, two, three, four, five, six, seven. And in their particular district, it has been held that a company cannot be sued by consumers in a class action lawsuit where the allegations are an increased level of potential identity theft. If the if the complaint actually alleged that there was damage, that somebody's identity was stolen, they had to spend money now to recover, that's different. But the class action lawsuit that's being brought against Barry Dunn by the consumers alleges in large part, if you read through all the legal mumbo jumbo, that they're really suffering from an increased risk now of having their identity stolen.

There's a case right on point that says you can't do that in Maine. So it'll be interesting to watch on two ends. Right.

The case against Reliable, where Reliable is saying we didn't even provide the security. And then the case against Barry Dunn. Barry Dunn, I think, is going to defend saying you can't sue us because no one can show that their stuff actually was used in a malicious manner.

So that's going to be an interesting case out there in Maine.

[Uncle Marv]
Yeah. Another thing I was trying to dig and research on is, you know, was Reliable Networks actually handling the network support for Barry Dunn? Because it almost seems like they weren't, or if they were, it had nothing to do with cybersecurity and they were just simply running a report, which is something that all of us are trained to do.

If you're looking for a prospect, hey, why don't you run a dark web scan and see what's out there?

[Brad Gross]
Because if it does appear as if Reliable Networks scope of service was limited to just notifying, notifying and reporting, apparently Barry Dunn had its own cybersecurity solution, whatever that was, internal, external, it doesn't matter. But there was a war of words that was going on back and forth. And ultimately Reliable, I think, put up something on their website saying, hey, listen, let's get something straight.

We didn't provide the security solution. They're just yelling at us because they're being sued by their customers. Right.

So it's an interesting case in development.

[Uncle Marv]
Yeah. And there's a couple of more. There's one that I found particularly interesting.

CDK Global is a company that is now providing cybersecurity to automobile dealerships. And now I used to support, you know, dealerships, auto body shops and use, you know, I didn't use, I supported the software that they used to create estimates and all of that stuff. And I know that CDK Global actually has put together their own security package that has kind of butt up against us, you know, service providers where even if we're providing the support for them and they come along and say, hey, look, as part of your deal, we're going to give you this cyber protection free.

Companies are saying, oh, well, we don't need you because CDK is, you know, giving us this service. Well, now they're getting hit with multiple lawsuits from dealerships because those dealerships were hit with cyber-attacks. CDK Global is the solution provider at that point, so at least it's a hybrid case, right?

[Brad Gross]
Yeah, it's a hybrid case of the they are both the solution provider and the company that is working with end users. So it's an it's sort of a merger.

[Uncle Marv]
Yeah.

[Brad Gross]
In that regard. So I see. Yeah, it's interesting because they made promises, right?

They according to the lawsuit. Now, again, you and I don't have a crystal ball. We don't know exactly what happened.

But according to the allegations, CDK, as you have correctly pointed out, took on the responsibility of cybersecurity. And it turns out that when push came to shove, according to the plaintiffs, CDK could not detect, could not prevent, could not mitigate, couldn't do anything that a security solution provider would normally be expected to do. So that's an interesting case as well.

Yeah.

[Uncle Marv]
So all of these seem to me like the tentacles are now stretching out to where we can be pulled in from so many different directions. So, I mean, obviously, the first question is, do you have a sense as to what all of these lawsuits might mean for us, whether it's short term or long term?

[Brad Gross]
Us meaning MSPs or us being lawyers? Us meaning MSPs. Because the interests are diametrically opposed, I think.

[Uncle Marv]
I mean, you're going to get rich, that's all I know.

[Brad Gross]
I think that what it means is that as MSP cybersecurity services become more ubiquitous and at the same time, again, running in parallel, hackers, malicious actors are improving their game. What you're going to see is a lot of finger pointing. And that is not only going to happen, it's already happened, it's going to increase in the future.

Finger pointing in law. Well, that's usually litigation or arbitration. So I think that MSPs would be well advised to understand that this is what's going to happen, finger pointing.

And I can change the paradigm a little bit. Let's take the words finger pointing and replace them with mismanaged expectations, because that's the heart. That's very often, very often, not always, but very often the heart of what these cases are about.

Customer expects A, B, C, D. MSP is only providing or facilitating A, B. And there's a disjointed understanding.

And that doesn't come to light until an incident arises. And then the customer says, well, what happened to C and D? And the MSP says, we weren't giving you C and D.

That's a mismanaged expectation. And that is at the heart of all these litigations, or most of them, I should say. Right.

I mean, that's at the heart of the Mustang, the LanTech litigation out in Sacramento. Like you pointed out earlier, that's the law firm suing its MSP because it was breached. And the law firm says you were providing all these services.

And LanTech turned around and said, no, we weren't. We never said we were providing those services. Right.

That's at the heart of the Barry Dunn reliable case. Barry Dunn turns around and says, how can we be breached? You should have been doing this.

Reliable turns around and says, no, we weren't doing that. Mismanaged expectation.

[Uncle Marv]
Now, obviously, you know, the first step is to have a very good agreement in place that everybody understands that is signed, that when you go back to look at it is very clear in what is being provided, what is not being provided. Another thing is if you, for instance, allow scope creep to where you start doing something that wasn't in the agreement. So now the customer thinks, well, you did that for us.

I just will assume you're doing everything else for us. You've got to be very clear if you step outside of your bounds that, hey, I'm doing this as a one-time thing or come back and say, look, we mistakenly went out of bounds. That wasn't supposed to happen.

So it won't be happening going forward. There's a lot of couldn't be more correct.

[Brad Gross]
You couldn't be more correct. I think that what you just pointed out is one piece that the Canalis article brings to light. In my view, it's a triad.

OK, three parts. You just aimed at one responsibility. OK, but let's let me lay it out for you.

I think that the first part of the triad is that MSPs need to know what services they are actually receiving from upstream providers such that they will then know what to describe and offer to their downstream customers. I believe in the industry and this is coming from 23 years of experience counseling close to 8000 MSPs. So I have a pretty good idea of where MSPs stand and what they're doing.

There is a problem in that MSPs don't truly take the time to understand what they are receiving from their upstream providers, what the limitations are of those. So they then turn around to their downstream customers and they're making all kinds of promises that they can't keep. That's one problem.

Understanding the scope of what an upstream provider is providing to the MSP, that's part. That's one end of the triad. The next.

Is the clarity piece, OK, once you understand what you are getting from an upstream provider, MSPs have to use, have to implement clarity, crystal clear clarity to their customers to describe what services are being provided or facilitated. Right. Just simply saying cybersecurity as a category is horribly dangerous because it doesn't indicate the scope of services.

It doesn't indicate whether your scope is limited to monitoring or monitoring and quarantining or monitoring, quarantining and remediation. We don't know. So once you understand what you're getting upstream, then you have to have perfect clarity.

To describe what to your customers, what you are providing or facilitating, that's the second piece. Sorry, I'm just going to keep going with the third piece and you could go right ahead. OK, keep going.

The third piece that I see is, and this is what you just described, responsibility. Even if you have perfect clarity about what you're providing, what you're facilitating, what they're receiving and so on, responsibility needs to be allocated with clarity. It is, it could be done through a narrative, right?

It could be done through a matrix of some sort. It could be done through an infographic. Candidly, I don't really care how you do it, but the responsibility of what is going to happen and who is going to handle what aspect of an incident should be in your document.

And if it's not, but you're calling yourself an MSSP or you're providing cybersecurity services, then you have a problem.

[Uncle Marv]
Hmm. So, of course, a bunch of things just went through my head because when you were talking about, you know, what do we get from our upstream provider? So I belong to a small little peer group where we started talking about mapping the solutions that we get against the frameworks that we are claiming to provide, whether it's, you know, NIST 800-171, CMMC, all of that stuff.

And, you know, but we're doing that ourselves. To some degree, I think we should probably ask our vendors to also help us do that because in some sense we might be guessing. And as you mentioned, if something happens, we're going to have to go back to them and said, well, we understood your product to do this.

And they're going to say like, no, not really. I mean, I'm also thinking of running vulnerability scans. A lot of us do it.

And one of the things that I've really worked on is not just running the scan, but making sure when the scan is run, anything that shows up gets patched. And part of our problem is a lot of the solutions that run the scans don't help us provide a way to patch open vulnerabilities. We've got to do that ourselves.

So that's a big gap there. And then, of course, you mentioned responsibility. I remember a conversation I had with one of my clients for one of the pieces where they were arguing about, well, you're doing this to protect us.

And I, you know, and my comment to them was, yeah, I'm providing you this, but if you don't use it, that's on you. Right.

[Brad Gross]
And the interesting thing, okay, is what you're saying, what you just said. Let's focus on that for a moment. If you don't use it, we give you something.

If you don't use it, that's on you. The question I would challenge your listeners, okay. MSP is to undertake.

Here's the challenge. What does your agreement say about that? What does it say about when you give your customer advice or direction and they don't follow it, what does it say?

Does it actually say what you just said, Marvin, which I love if you don't follow it, it's on you, not on us. And people might say, well, you know, that doesn't sound very legal, but it doesn't have to be legal sounding. Right.

Remember who's reading these contracts, dentists, doctors, manufacturers. There's nothing wrong with saying, we're going to give you advice. You should take our advice.

If you don't take our advice, since something bad happens as a result, that is on you, could create a billable event for which you will be responsible. Done. Plain English.

So I love it. And I challenge your listeners to say, do my contracts say that? And if they don't, well, then they need to be modified.

[Uncle Marv]
All right. We could go all day on scenarios like that.

[Brad Gross]
Oh yeah. I love it. I mean, unfortunately I love it at the, at the, to, to the detriment of all those people who are going through it.

But, um, from a, a lawyer's perspective, there's a lot of, uh, stuff that's out there now, it'll be interesting to see which way it goes, who's responsible. How are ambiguities resolved? Are they resolved in favor of one party over the other?

It'll be very interesting.

[Uncle Marv]
It will. So I want to let the listeners know, I will have this report available by downloading the website. It's a free report from Canalys.

So you don't have to go looking for it. I will have it available for you. Of course, I'll have the link to some of the cases that we discussed, or at least a link so that if you want to go and, you know, research it a little more, just to get an idea of what's happening out there.

And you heard Brad talk about some of the steps that we can take to improve our cybersecurity measures. Of course, it still behooves us to make sure that we're doing everything that we say we do. We make sure our customers are, you know, doing the multi-factor authentication, that we've got the network segmented, we've got good, you know, backups.

The article even said immutable backups, which is nice to see out there. And of course, you're patching your EDR, web filtering, all of that stuff. So be mindful of all that.

Brad, so your MSP terms is up and running. Yes.

[Brad Gross]
Well, it's about to be. It has been demonstrated and we're going to be sending out links for more demonstrations if anyone's interested in seeing that. But yes, it is.

It is not fully available this week because I did not like the registration page, if we're going to be candid. You know, I want things to be easy, user-friendly and so forth. And when I saw something that from the gateway, from the entranceway, didn't look right, I said, we're changing it.

But once that's changed, it's going to be fully operational up and running. Yeah, I'm very excited about it.

[Uncle Marv]
All right. So MSP contracts, terms and conditions, all of that good stuff there.

[Brad Gross]
And it's a document management platform is really what it's going to be. And if anyone, like I said, wants a demo of it, just send me an email. Info at MSP terms dot com and be happy to get you right on there.

You'll see a demo.

[Uncle Marv]
All right. And you've been making your way around the country. Now, normally I just kind of see you at the conferences and, you know, we make fun of the fact that we see each other more there than we do when we're a few minutes apart here in Fort Lauderdale.

But you've also been doing a new thing with ASCII. Well, not new now, but new this past year. You're doing something called the ASCII Taste of Success.

[Brad Gross]
Yes. So those are a series of either lunch and learns or dinner and learn sometimes in some locations, it's both, in which you attendees get an hour with me and they get to eat, which is nice. The event is sponsored entirely by NUSO.

So, you know, the telephony solution provider. So anyone who attends eats for free and attends for free, but they get to spend an hour with me talking about, well, pretty much whatever they want to talk about from a legal perspective. But we try to aim for the pain points and the issues that most impact their day to day, week to week operations, how to resolve them, right?

We identify them and we talk about ways to resolve them and ways to ensure that they stay resolved in the future. So it's a great little, you know, these one hour dinner and learn lunch and learns where you can learn more in an hour than you might learn all year about resolving these types of issues.

[Uncle Marv]
All right. I don't see a full schedule, but I'll have a link up to the website through the ASCII, the next one coming up Thursday, November 2nd. No, that was last year.

When's your next one coming up?

[Brad Gross]
The next one is going to be in, I believe, October, right? We're in September now in October in New York. I could send you and then you could post it for us, Mario.

I'll send you all the dates of this year that remain October, November and December, and then we're going to continue it into 2025.

[Uncle Marv]
All right. That'll be fantastic. Anything else happening that I should let the listeners know about?

[Brad Gross]
What else? I think that I, I really appreciated you reaching out to talk about this, the Canalys article, because it, yes, it does talk about cybersecurity. Okay.

From a legal perspective, but it also talks about implementation and, and almost addresses some best practices as well. It's such a great article that I think everyone should be reading it. So I really appreciate you reaching out.

But no, other than what I talked about, the mspterms.com and the lunch and learns, and then making sure people stay safe legally, I think I'm up to date with you, my friend.

[Uncle Marv]
All right. Sounds good. Now have a link to your website and to your own podcast that technology broadcasts that people can listen and get the gems of knowledge when you share them out.

So, all right. Sounds good. Thanks for making some time for me on short notice, but I appreciate it.

[Brad Gross]
Absolutely. Thank you for having me. And I look forward to seeing you at the next event, wherever that may be.

We'll see you out there.

Bradley Gross Profile Photo

Bradley Gross

Bradley Gross is the founding partner of the Law Office of Bradley Gross, P.A., a law firm that specializes in transactions involving technology service providers, VARs, technology solution resellers, cloud solution providers, IT professionals and technology companies worldwide. Bradley is one of the leading international legal authorities in the area of managed service provider transactions and has been named on fourteen occasions to the national list of ‘Super Lawyers’ in the area of IT & Technology Law. Having counseled thousands of MSPs across the country, Brad has "seen it all and done it all" when it comes to managed service transactions. Brad also runs the Technology Bradcast podcast, covering security, licensing and contract issues for MSPs.