The risks for Managed Service Providers are constantly evolving. New cyber threats and regulatory compliance requirements present significant challenges for MSPs. The most important way to mitigate privacy and security risks for Managed Service Providers is by including proper risk balancing provisions into the MSP’s customer contracts. This article explains how limitations of liability, indemnity, and insurance provisions can be used to strike the proper risk balance between the MSP, its client and third-party insurance providers.
A limitation of liability clause is a section of a contract that describes the circumstances under which one party, or the other, can recover damages in the event of a lawsuit. It frequently excludes certain types of damages and caps other types of damages. It may also include carve-outs for types of damages that would be considered uncapped in the event of litigation.
Any good managed services contract will have a very explicit and detailed Limitation of Liability clause. There are some subtleties in the wording of the clause that are unique to the managed services industry. In our contracts, we declare that the provider will not be responsible under any circumstances for indirect or consequential damages, such as lost profits or business interruption. There is also no recovery for punitive damages. Both parties should agree that recoverable damages are limited to direct damages.
However, the line between direct and indirect damages can be unclear. Some customers may attempt to define specific costs as direct in the event of a data breach. For example, the client may ask for language that treats the costs of credit monitoring, breach notice, reputation management, forensics, and legal fees as direct damages. Managed Service Providers should carefully consider any contract change that re-classifies as direct those damages that would otherwise be considered indirect, because each such change widens what falls under the cap. It is also very important to consider the MSP’s professional liability coverage when drafting risk balancing provisions in customer contracts for managed services.
In our agreements, we typically recommend that the customer be offered the greater of six months of revenue for the services giving rise to the claim or the available proceeds of the MSP’s professional liability insurance. Professional liability insurance is the primary method of risk transfer for the MSP. The MSP remains responsible for claims that fall within its liability but for which there is no coverage; however, those uncovered claims are limited to the six months of revenue for the services giving rise to the claim. Separate caps for covered and uncovered claims make sense for both parties.
Another dimension of the Limitation of Liability is the “carve-out”. A carve-out is a category of claim to which the limitation of liability does not apply in the event of litigation. The language would include statements like “except for claims related to gross negligence and willful misconduct…” That “except” language is the carve-out: claims that are not included within the limitation of liability and are therefore uncapped.
Carve-outs should be considered very seriously. Anything that is uncapped puts the MSP at greater risk. We strongly discourage any carve-outs other than third-party IP claims, gross negligence, and willful misconduct. Any proposed carve-out should be drafted extremely narrowly.
MSP customer contracts should contain indemnity provisions that clearly set forth what types of claims each party to the contract will be responsible for defending and paying damages or settlements for. We recommend that the MSP’s customer contracts track the indemnity language in the professional liability insurance. For example:
Subject to the limitation of liability set forth in the section titled LIMITATION OF LIABILITY, Provider agrees to indemnify and hold Customer harmless from and against all loss, liability, and expense including reasonable attorney’s fees caused by Provider’s:
a) negligent act, error, omission, or misrepresentation;
b) breach of any contractual term implied by law;
c) other act, error or omission giving rise to civil liability arising out of business activities performed for Customer.
We recommend separate indemnity provisions for the MSP and its customer. Intellectual property and privacy and security claims are the most important things to clarify. For example:
Client shall defend, indemnify and hold Provider harmless against all costs and expenses, including reasonable attorney’s fees, associated with the defense or settlement of any claim arising from:
a) Provider’s use of, access to, or modification of any software that Client has requested that Provider use;
b) software licensing or software licensing compliance; or
c) any federal, state, or international law or regulation involving data privacy, data protection, or data breach to which Client is subject.
Managed Service Providers that have not reviewed their customer contract stacks in recent years need to do so now. Many cyber threats and regulatory compliance requirements to which customers and, by extension, MSPs are subject did not exist four years ago. For example, at Scott and Scott, we have implemented updated ransomware language within the past 6 months due to the Kaseya incident.
Managed Service Providers need contracts that will help them win deals, retain customers, and protect the business when something goes wrong. The contract is part of the sales process. Contracts should have better-than-market terms and conditions. They should be more transparent and more detailed. Contracts should be clearer about who is responsible for what, and what is included and excluded.
If you would like to speak with an experienced attorney regarding your contracts, click here to schedule a call.