The MSPAlliance is working to extend its professional liability insurance program for managed service providers to cover claims stemming from the European Union's General Data Protection Regulation, which goes into effect May 25.
The EU GDPR regulation requires businesses to protect the personal data of EU residents. Organizations face stiff penalties for GDPR breaches. The regulation's compliance requirements apply to data controllers (organizations that collect personal data) and data processors (organizations that process personal data on a controller's behalf). Industry executives believe the latter category will include managed service providers (MSPs) and cloud services providers.
The MSPAlliance's professional liability insurance policy, which the organization launched in 2008, already provides coverage for GDPR claims brought in the U.S. However, the MSPAlliance insurance program doesn't cover claims brought in Europe, where most of the legal action is expected to originate. Regulators in EU member nations, dubbed data protection authorities, can impose fines for GDPR breaches. The EU GDPR regulation also provides for a private right of action, which means individuals can sue data controllers and processors for damages.
"It is our expectation that if a regulator brings a case or an individual is going to bring a private right of action … many, if not all, will be brought initially in Europe," said Robert Scott, legal counsel to the MSPAlliance and managing partner of Scott & Scott LLP, a Southlake, Texas, law firm that specializes in the managed services industry.
MSPAlliance insurance: Expanding to cover GDPR
Accordingly, MSPAlliance aims to broaden its cloud and MSP insurance to provide coverage for claims against companies processing EU residents' data in the U.S. on behalf of a controller. Scott said MSPAlliance is working with Lloyd's of London, which underwrites the organization's professional liability policy, to remove a condition that such claims need to be brought in the U.S.
Scott said he expects the updated, GDPR-ready policy to be available by the time the regulation goes into effect in late May.
While work continues on the MSPAlliance insurance policy, the organization has already rolled out a new GDPR module as part of its MSP/Cloud Verify certification program, which audits an MSP or cloud services practice and generates a report. That report is sent to a third-party certified public accounting firm, which reviews and signs the report. The module allows MSPs subject to the EU GDPR regulation to meet its requirements, according to MSPAlliance.
The GDPR module will be attached to MSP/Cloud Verify reports, said Charles Weaver, CEO of the MSPAlliance, based in Chapel Hill, N.C. The module maps relevant components of GDPR, such as geolocation disclosure, access controls and the right to be forgotten, to the MSPAlliance's standard for MSPs and cloud computing providers.
The organization has also released a new cybersecurity module that "reports on issues such as data privacy and security, internal and external security monitoring, and data backup procedures," according to MSPAlliance.
Certification, coupled with the updated MSPAlliance insurance policy and well-written contracts, will give MSPs "a very good ... risk story to tell to their customers, especially as it relates to GDPR," Weaver said.