Navigating Service Provider Liability in Managed Security Services Agreements

While managed services provider (MSP) agreements generally follow tried-and-true contracting models, managed security service provider (MSSP) contracts can run into liability concerns that should be addressed at the outset. This article lays out these concerns and some potential ways to address liability in MSSP agreements.

How Is Liability Structured in Managed Services Agreements?

As a rule, most managed services agreements follow similar structures regarding liability. Each party indemnifies the other, usually on an uncapped basis, for third-party claims arising out of specified acts or omissions that are under the control of the indemnifying party. Examples include IP infringement, breaches of law or confidentiality and employment-related claims. Each party’s liability to the other for direct damages arising out of a breach of the agreement is capped, generally to a multiple of charges incurred under the agreement with a separate and much higher cap for breaches of data security and privacy obligations.

Other than with respect to specific acts or omissions, including gross negligence or willful misconduct, neither party is liable to the other for indirect or similar consequential damages. However, in the case of certain claims, most notably data security and privacy breaches, a party can claim indirect or consequential damages up to the amount of any negotiated cap.

What Are the Liability Differences between MSP and MSSP Agreements?

The nature of MSSP contracts exposes holes in this model. For instance, a failure by the service provider to implement or maintain the security solution in accordance with the details in the agreement could itself lead to a data breach. This can trigger notification requirements and steep legal or regulatory penalties. Under the traditional liability construct, the service provider has committed a breach of its services obligations and not a breach of its data security or privacy obligations. This kind of breach-of-contract claim would be subject to the lower cap on direct damages, and the client would be unable to claim any consequential damages whatsoever.

In the event of a data breach, the client in an MSSP contract may have an obligation to provide a notice of a data breach to its own clients and regulators. If the MSSP is required to inform its client about a security failure but fails to do so, it has again breached its service obligations. The client’s failure to provide notice regarding the provider’s failure to perform the services could result in significant financial penalty to the client or its own clients.

Key Considerations in MSSP Contracts: Liability Caps, Indemnities and Pre-existing MSAs

In these circumstances, the provider’s liability for its services breach would be capped, while the client incurs significant liability due to the resulting data breach that it is typically not able to recover from its service provider.

These are not fair or rational results for clients, and clients have not agreed to the traditional managed services liability scheme in MSSP contracts. Rather, clients expect MSSPs to agree that liability for a data breach arising out of their failure to perform general service obligations will include higher caps and related indemnities – and not only for a breach of their data security obligations. While MSSPs may see this outcome as an expansion of liability, the inherent nature of the services and potential client-side exposure requires careful consideration.

In addition to the liability caps, clients and service providers should consider how indemnities may be implicated. Some MSPs request an indemnity for claims arising from the performance of their services on the grounds that the client is best positioned to handle those claims if the provider is acting in accordance with the terms of the agreement. Clients may wish to consider whether these broad indemnities are appropriate for a managed security engagement. If the service provider resists deleting the indemnity, carving out the provider’s own breaches of its obligations, or breaches of a standard of care, can be appropriate.

Oftentimes, details of the scope of services implicate liability as well. For instance, service providers want to wash their hands of liability for third-party products they use as part of their managed security solution by “passing through” liability terms from the OEM. Clients expect their service providers to stand behind their solutions and should be wary of this approach to contracting. In more recent cases, as MSSPs introduce AI capabilities into their security services, clients expect them to verify outputs of these technologies and take on enhanced liability with respect to security.

Finally, it is worth considering the market size of some of the larger MSSPs. As the large technology companies move into the managed services space, they often do so under pre-existing MSAs that are not fit for purpose. As a result, certain protections designed to discourage abandonment of services are often missing. To avoid the scenario in which a service provider can unilaterally cease providing portions of the services, clients may wish to understand the prohibitions on abandonment and negotiate liability for abandonment on an uncapped basis.

This article is part of a thought leadership series developed by ISG and Loeb & Loeb, a global law firm that advises on corporate technology and outsourcing agreements, with meaningful input from ISG partner Doug Saylors.