Co-authored by Bonnie Schipper, Law Clerk

Picture this: You are the general counsel of a midsize American company. You’ve kept an eye on the news and take note every time yet another company becomes the victim of a malicious cyberattack. Not your company – you’ve been careful to advise company leadership not to hold sensitive information and have watched as the company diligently rolled out standard cybersecurity training and software updates. Like most companies your size, your organization works with a managed service provider (MSP) that delivers network, application, infrastructure and security services through ongoing support and active administration, whether on company premises, in the MSP’s own data center (hosting) or in a third-party data center. While you haven’t yet sifted through all of the company’s archived data stored on one of your company’s three servers, you’re confident that you’re not at significant risk of a data breach. Nevertheless, as you sit down at your desk with your morning coffee, you receive the following text message from your new chief information officer:

“I just received a notice that our company’s internal servers have been breached and sensitive data was accessed. IT is still working to identify exactly what information was compromised, but unauthorized parties outside of our organization have at the very least gained access to payroll information and confidential employee information, including names, addresses, birth dates and contact information. We’re working to secure our system but need guidance as far as our legal obligations. What do we do?”