Cyber Daily

MSSPs: Gold mine or lawsuit magnet?

In 2023, everyone wanted to be an influencer. In 2024, everyone wants to be a cyber security services provider – specifically, a managed security services provider (MSSP). But it’s a booming business area that can land you in a world of lawsuits if not structured and managed carefully, writes Annie Haggar, principal at Cyber GC.

Annie Haggar
Thu, 15 Feb 2024

A recent lawsuit in the United States has found that an MSSP owed a duty of care not only to its client but also to its client’s customers to protect their information. This opens the door to negligence claims against MSSPs, and those entering the industry should take heed. Many MSSPs have been supporting enterprise-scale companies for years, but there has been a gap in providers supporting small and medium businesses and not-for-profit organisations. That gap is rapidly being filled by keen new entrants taking many forms, including household names like Harvey Norman – there is even a “Jim’s IT” franchise. They are providing a much-needed service to organisations, supplying the technical cyber security skills and services desperately needed to keep the hackers at bay.

Many of our clients have approached Cyber GC as they are thinking about getting into the MSSP market or white-labelling an MSSP service into their broader offerings. Sensibly, before they sell any services, they would like some cyber security legal advice and suitable customer terms and conditions.

Our advice to each of these aspiring cyber security services providers is the same – you MUST get your customer contracts right from the start. Fail to do this, and you face significant liability. You could find yourself on the hook for loss incurred by end users if your client has a breach. You may also face breach of contract claims from third-party vendors whose products you have included in your technology stack but whose end-user terms you have not passed on. Fixing up the contract later is very difficult once you’ve already started selling and/or providing services.

Becoming an MSSP (or indeed providing any cyber security services) has a risk profile that is quite different to traditional IT services. Some common cyber security services are illegal to provide unless you carefully structure the contracts with your customers. This risk applies whether you wear a white, black, red, blue or purple hat. The requirements vary from country to country (and, in some cases, state by state). Sometimes, you need a licence or a particular certification or registration.

But perhaps the most salient warning against jumping into providing cyber security services without doing your homework is the case Accenture LLP (Accenture) is defending in the US (In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., MDL No. 19-md-2879), five years after the Marriott/Starwood breach hit the headlines.

The Marriott/Starwood breach is one of the largest on record, and it lasted from July 2014 to September 2018. During that time, hackers had access to the guest reservation database of the Starwood Hotels & Resorts Worldwide (Starwood) hotel chain, which was acquired by Marriott International (Marriott) in September 2016 (while the Starwood compromise was ongoing). The breach wasn’t discovered until September 2018. A total of 383 million guest records, including nearly 24 million passport numbers and information about more than 9 million credit and debit cards, were impacted.

The breach was huge global news; it adversely impacted Marriott’s share price, and it didn’t take long for multiple lawsuits to be filed. But for the rest of the world, our attention turned to the next breach, and the next Taylor Swift tour dates.

Meanwhile, quietly, over the last five years, the various cases against Marriott and also against its IT services provider, Accenture, have been making their slow way through the courts. They are ongoing, with the latest decision in August 2023 relating to the class action lawsuits.

Accenture was contracted by Starwood in 2009 to provide IT support services, including “development, testing, maintenance, and running of the applications ... ”. It continued to provide the services after the acquisition by Marriott. According to the judgment In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., MDL No. 19-md-2879, 2-3 (D. Md. Oct. 26, 2020) “Accenture identifies and analyses suspicious activity and creates security alerts directed to the Information Risk & Security’s Incident Management team”.

The court’s finding was that, by virtue of providing these IT services, including Accenture’s role in monitoring the security tool that should have (and eventually did) identify the suspicious activity, Accenture owed a duty of care to Starwood/Marriott’s guests. That duty of care was to protect the personal information of end users, defined to include “guests” and “customers” of Starwood, and to fulfil this duty, it had an obligation to use nothing less than a “reasonable standard of care”. Therefore, the impacted guests can bring a case in negligence against Accenture. It doesn’t matter that the guests and customers had no contractual nexus, that is, no written contract, with Accenture.

This is a key lesson for anyone providing any services that even border on MSSP and cyber security monitoring: the contract matters.

While the cases being brought against Accenture are under the tort of negligence (and not a breach of contract claim), there are many things an MSSP can do in their contracts with clients to protect itself against claims of this sort if the worst happens, and the client suffers a breach.

Your standard contract terms will not do the job. You need to ensure (among other things) that you have:

  1. Specific warranty exclusions, proactive and carefully written consent language, and indemnities from your customer against claims by third parties like the ones being brought against Accenture. These clauses need to be tailored to your services and to the technology stack you are using to deliver them. This isn’t an “off-the-shelf” contract, and the details matter; and
  2. A thorough and accurate description of your service in the contract, with a detailed RACI (responsible, accountable, consulted, informed) matrix to define which aspects of your scope of services sit with you and which sit with your client. If you’re not applying patches as part of your service – who is? Identify it, define it, and allocate responsibility to someone for it. More detail is better in cases like these.

There is no such thing as “100 per cent secure”, and no client or end customer should be entitled to expect it. Unfortunately, that’s not what Accenture’s contract with Starwood said. We don’t yet know what that’s going to cost.

Note: I worked for Accenture during the time of the Marriott/Starwood breach, but I did not work on this case or on the contract with Accenture and Starwood (or Marriott). The information included in this article is all sourced from publicly available sources and does not include any confidential information of Accenture.

Annie Haggar is the principal at Cyber GC.
