Privacy regulations and best practices for MSPs
Over the next several years, data privacy will be top of mind for most companies. In addition to federal and international data privacy regulations, many states in the U.S. have passed or are considering privacy laws that will affect how companies manage client data.
This provides another opportunity for security-centric MSPs to generate new business with existing clients and prospects as they struggle to manage a myriad of compliance efforts. However, for MSPs to succeed, they need to stay abreast of these laws and follow best practices in helping clients remain compliant.
Privacy compliance ties directly into cybersecurity, as many of these regulations have strict requirements for disclosing data breaches to clients and launching a plan to respond to threats both quickly and efficiently. Organizations also must demonstrate that they have properly secured sensitive data.
Evolving Laws
The EU General Data Protection Regulation (GDPR) was one of the first major privacy regulations that affected American companies with hefty fines for even minor data breaches. But roughly 75 percent of countries now have similar privacy regulations in place, which means the need to protect client data has grown exponentially.
The California Consumer Privacy Act (CCPA), which went into effect in 2018, followed by the California Privacy Rights Act (CPRA), also changed the privacy landscape, and more states and governments around the world are following suit. For example, the Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA) are among the most comprehensive data privacy laws in the U.S. Both go into effect in 2023. In addition, there are similar bills under consideration in New York, Massachusetts, North Carolina, Ohio, and Pennsylvania. This National Law Review article provides a good overview. In late 2020, the Canadian government joined the growing list of regulators with a plan to modernize privacy legislation through the Canadian Consumer Privacy Protection Act (CCPA).
As more organizations initiate digital transformation strategies that include cloud-based and SaaS technologies, data compliance will be a crucial decision point. However, for smaller businesses that lack the internal staff to monitor compliance and changes in these regulations, it can be nearly impossible to stay on top of data storage, data protection, and how well employees are following the rules. In addition, the use of remote or cloud-based solutions and the need to closely interact with data from business partners make this even more complicated.
What can MSPs do to help ensure client data privacy compliance?
Become data privacy compliance experts. Invest in training and monitoring to ensure your staff has a good working knowledge of relevant regulations and regularly refresh that training.
Continuous monitoring and assessment. MSPs should continually create risk assessments for each client and map those assessments to new and existing legislation. Even for clients that operate in states without current privacy requirements, follow the more stringent guidelines of the CCPA to make sure they are prepared when these regulations inevitably arrive.
Help clients understand the link between cybersecurity, data privacy, and brand/reputation value. MSPs’ clients are increasingly attuned to the vulnerability of their personal information, and these companies should make sure that protecting that data is a top priority for their business. Additionally, by emphasizing the protection of their customers’ data (instead of focusing primarily on their own internal data), these companies can establish themselves as a trusted brand in their markets.
Help clients create a data privacy culture. That should include having a C-level position responsible for privacy regulation education and management, as well as establishing a multi-level system of controls and responsibility throughout the organization. In addition, these team leaders should be tasked with educating staff on the importance of customer data privacy and consent.
Make sure clients understand the value of quick communications. Honest upfront communication (along with a detailed plan of action) to customers following a data breach pays long-term dividends when it comes to brand management and trust.
Make sure security tools and technology are aligned with data protection. That includes email and endpoint protection, as well as monitoring and alerting tools that will help clients meet the breach reporting and documentation requirements. And confirm that any third-party software tools are fully compliant with the state, federal, or international requirements that may apply.
These current and emerging regulations make clear that basic cybersecurity practices are not sufficient to keep client data safe or to keep clients in compliance with stringent privacy laws. MSPs must help clients implement a comprehensive set of security tools and policies and offer assistance with privacy compliance. Clients who are already stretched thin for IT and compliance resources will put a premium on MSPs who are equipped to do so.
Neal Bradbury is Senior Vice President for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for driving business value for the company’s MSP partner community and alliance partners.