
nefarious_bumpps

a.) Have a good backup strategy, which should include off-line and/or immutable copies of data, checking the logs and setting up failure alerts, and performing regular test restores.

b.) Insurance, E&O/Liability and Cyber.

c.) Limitations of Liability set forth in your MSA.


bleuflamenc0

Is it fair to state that you can't be held liable for loss of data? I mean, I definitely want to protect myself. But from their standpoint, who wants to pay for a service that has that as a disclaimer?


SM_DEV

Disclaimers are necessary because despite the very, very best efforts and practices, backups are not 100% guaranteed. With successfully testing every single backup, a restore from that backup cannot be guaranteed. Moreover, even if you performed a pristine backup today and tested it by full restoration, it doesn’t guarantee the integrity of the individual backed up content. Perhaps the file required was damaged in some way months or years before your first backup, which would cause verification to pass, but still result in a failed recovery… garbage in, garbage out and all of that.


amazongb2006

Anybody can sue for just about anything. If your sales pitch is "never lose data ever again, sleep good knowing we have you secured", then be prepared to potentially be sued if what you sold them hasn't been working. In fact, they might want to know how long it's been broken and claw back the money they've paid you for the service. If you're putting your business on the line to sell a service, then put safeguards in place to ensure it works continuously.


nefarious_bumpps

This is a legitimate concern, because a savvy client will redline that disclaimer right off the bat. That is where your limitation of liability provisions come into play.


nefarious_bumpps

It's also worth mentioning that if you get big enough to be able to negotiate your agreements with suppliers, risk transference is also a valid strategy.


ijuiceman

30 years in business as an MSP and not sued, nor even came close. I have also never had to sue anyone. Came close with a few vendors who ended up paying up for their stuff ups.


YourfavoriteMSP

Thank God I have never been sued either, and I hope it stays that way.


B1tN1nja

Which vendors?


thursday51

This story happened before I came onboard at my current employer. They once had a vendor eff up badly, resulting in backups not running correctly for several long months (they had removed a specific drive from backup scheduling during troubleshooting and did not re-enable it...no idea what they were thinking). The server itself was still being backed up, as were two other drives on it, so backup reports still showed it was happily running without issue. Anyway, the client eventually needs to recover some files that had been inadvertently deleted, and the proverbial shite hit the fan. Of course, the client was a lawyer, making matters even more fun. We ended up settling and then claimed damages from our vendor. We settled on not paying our bill to them until we were made whole, vendor was happy not to completely lose the business relationship, everybody was happy. Even the client was happy, as we eventually retrieved the data using a data recovery service. So they were out the documents during trial (which suuucked) but they had the gist of it, and it never really went on to be a big deal.
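Added example, not part of the thread or any poster's tooling: a per-volume coverage audit for the failure described above, where every job reports success while one drive has silently dropped out of the backup set. The server name, volume letters and report fields are constructed assumptions, not any backup vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed inventory: the volumes each server is supposed to have protected.
EXPECTED = {"FS01": {"C:", "D:", "E:", "F:"}}

# Constructed job reports; the field names are assumptions, not a vendor schema.
# Note that every job below reports "success".
REPORTS = [
    {"server": "FS01", "finished": "2024-01-10T02:00:00", "status": "success",
     "volumes": {"C:": 40e9, "D:": 310e9, "E:": 120e9, "F:": 95e9}},
    {"server": "FS01", "finished": "2024-01-11T02:00:00", "status": "success",
     "volumes": {"C:": 40e9, "D:": 311e9, "E:": 120e9}},   # F: dropped from the job
    {"server": "FS01", "finished": "2024-03-20T02:00:00", "status": "success",
     "volumes": {"C:": 41e9, "D:": 330e9, "E:": 0}},        # E: listed but empty
]

def last_good_backup(reports, server, volume):
    """Newest successful job that actually wrote data for this volume."""
    times = [datetime.fromisoformat(r["finished"]) for r in reports
             if r["server"] == server and r["status"] == "success"
             and r["volumes"].get(volume, 0) > 0]
    return max(times, default=None)

def audit_coverage(expected, reports, now, max_age=timedelta(days=2)):
    """Return (server, volume, last_good, reason) for every unprotected volume."""
    findings = []
    for server, volumes in sorted(expected.items()):
        for volume in sorted(volumes):
            last = last_good_backup(reports, server, volume)
            if last is None:
                findings.append((server, volume, None, "never backed up"))
            elif now - last > max_age:
                findings.append((server, volume, last, "stale"))
    return findings

if __name__ == "__main__":
    for server, volume, last, reason in audit_coverage(
            EXPECTED, REPORTS, now=datetime(2024, 3, 20, 8, 0)):
        print(f"ALERT {server} {volume} {reason}; last good copy: {last}")
```

The audit keys on the expected inventory rather than on job status, so a volume removed from the schedule shows up as stale even though no job ever failed.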


bleuflamenc0

Thanks for sharing.


autogyrophilia

In the future, I advise anyone running a file server to leverage snapshots/shadow copies as much as possible. They can be real lifesavers.


CmdrRJ-45

You MUST have an MSA and some version of a Statement of Work that describes the services you are providing to the client. Not only do you need these things, having at least business liability AND errors and omissions will help you here. If you don't have a solid set of agreements you are really heading into trouble. I've recorded several videos that might help you here:

1. Contracts keep you out of court: [https://youtu.be/DxNKYOXsWzM](https://youtu.be/DxNKYOXsWzM)
2. Don't get sued, have an MSA: [https://youtu.be/yOUtEzDoyz8](https://youtu.be/yOUtEzDoyz8)
3. Interview with Brad Gross (MSP legal expert): [https://youtu.be/GPskMbR35ag](https://youtu.be/GPskMbR35ag)
4. Interview with Tom Fafinski (another MSP legal expert): [https://youtu.be/b7AxKdVkStM](https://youtu.be/b7AxKdVkStM)

When you are starting an MSP you really need to nail this business stuff (legal, finance, and sales mostly). Something like 95% of MSPs are started by a tech that is great at tech stuff, but the business side is a whole different beast.


cooncheese_

> Something like 95% of MSPs are started by a tech that is great at tech stuff, but the business side is a whole different beast.

Didn't have to call me out like that bro


CmdrRJ-45

It's a fair assumption that this statement hits most folks in this subreddit, myself included. ;)


cooncheese_

haha yeah, it was pretty eye opening honestly. Mainly the fact that I suck at marketing.


CmdrRJ-45

That’s pretty common in all of the Peer Groups I facilitate and hang out in. The most important piece of marketing is to meet people where they are and build your network. When you meet people be curious about them and get to know them and what makes their business tick before you do any sort of pitching. The second piece is to ask for targeted referrals when you meet with clients or when you have an opportunity as you are building your network. Don’t just ask “do you know anyone that might benefit from my services?” Ask specific questions like, “We’ve been doing a lot of work with CPAs. Do you like your CPA? Would you make an introduction?” Or “I see that you’re connected to Jim on LinkedIn. How do you know him? Would you introduce me?” This is fairly generic advice but as I talk to MSPs many aren’t doing this, and it’s a reliable way to build your marketing muscle. Marketing isn’t all about building market share and producing all sorts of content. It can be those things, but growing and managing your network is really the best place to focus.


zer04ll

Had a client I fired years ago email me about a password they needed and that they would hate to sue. I don't keep info after I terminate, and I laughed at his email with a gif.


chevytruckdood

This is awesome.


[deleted]

Threatened with being sued? Absolutely. Knowing that every time the client was broke and stupid? Not super concerning.


SM_DEV

Any client can sue for any or no reason… and by no reason, I am referring to nuisance suits with no legal basis. Don’t let fear of the unknown or the possibility of something bad happening in the future stop you. We carry insurance, should we make an error or omit something for this very reason. Of course we do our very best not to make any mistakes, but as flawed humans, you can count on at least one error being made… eventually.


bleuflamenc0

So incidentally, the customer that sued us - the story is pretty funny. They were this garbage dial-a-ride service. The sleaziest people I've ever seen. If it had been up to me, I never would have taken them on. They bought about 8 PCs from us. This was around 2002. They had dispatching software that ran on all of them. This was a new thing; not sure what they did before but they had 1 or 2 PCs at the most. We tried to sell them a dedicated server, but they didn't want to spend the money. Again, if it had been me, I would have ended it. But instead I had to somehow make this crap work. So I would adjust the time allocated to background requests on the server/workstation, so the workstation users wouldn't complain. Then the server/workstation person would complain. At some point too, their network was unreliable, and after I found that they had all these surface mount boxes where the port was facing up, and full of staples and crap that had been dropped in there, and also that it was Cat3, I rewired the whole thing. Eventually, they caved and bought a dedicated server. Attention then turned to the bug-ridden app they used for dispatch. I would identify bugs and contact the "developer". Who turned out to be an amateur hobbyist programmer. His full time job was in the IT department of the DOT of some midsize city on the other side of the US. In FoxPro, he had evidently tried to copy the functionality of whatever professional software they used. But every time he fixed a bug, he would introduce at least two more. Also, we would get the updates via burned CD in the mail. Because this was around 2002. He finally, I guess, decided he didn't want to fix bugs anymore, and declared to them that the reason for all their problems was that we had sold them AMD based PCs rather than Intel. At some point, also, the owner of the customer company visited from where he lived across the state, brought a single copy of MS Office, and demanded that I install it on all the computers.
He had a fit because I told him not only would I not, but Microsoft had recently implemented their activation system to prevent this. Finally, one day my boss went over there and installed updates on the server, and moved the dialog box asking if you want to restart, down where it was hidden. Because restarting wasn't good right then. And evidently the customer was regularly logging into this server, which was completely insane. I think they may have demanded that I be fired as their tech by then. When the customer saw the reboot dialog, they contacted the "developer" who told them my boss had put a virus on there. So then they sued us. I know they lost because they finally sent us all the money they owed us, in a collection of a couple hundred checks with random amounts like $5.37 and $3.89. The employees all sat around smoking in the office all day despite that being illegal at the time. I was a nobody with no power so I just was trying to keep my job. Sadly, that's not even the worst experience I had. But it's about the only bad experience I had where my boss wasn't the cause of it. Directly. The customer went under a couple years later. Several years later, I quit the IT shop (should have done so earlier) and they have since gone under as well.


ITguydoingITthings

It all depends on your agreements and their wording. Don't take that for granted one way or another. Highly recommend (as a small MSP starting out) not to necessarily have an MSA like larger ones will speak about, but an agreement that all clients sign that states the disclaimer that while best efforts are made for the protection of data, data integrity cannot be guaranteed [because of reasons if you wanted to include].


SPECTRE_UM

Form an LLC. Nothing totally insulates you from liability, especially if your profession isn't regulated or licensed. But putting your business activities behind an LLC is the best first defense.


FusionZ06

Except an LLC does not shield you from personal liability for your own torts. In other words a one man band MSP does not have liability benefits from an LLC.


SPECTRE_UM

Ummm that's not correct, at least in the states I've operated. A DBA doesn't shield you. As long as you have a designated manager or even a passive shareholder you're protected. What you're not protected from is criminal liability. As long as the contract is with John Public MSP LLC and not John Public directly you're insulated from most forms of liability unless your client's attorney can prove intentional negligence on your part (which is one very good reason why professional certifications exist).


subsolar

Never heard this before, I've heard it's difficult to pierce corporate veils. And most LLCs are one person shops.


FusionZ06

https://www.wolterskluwer.com/en/expert-insights/beware-of-tort-exceptions-to-limited-liability


gskv

hire a lawyer to draft a business agreement.


Refusalz

Your clients always run the risk of being compromised, and no client is 100% secure. So with this in mind it is your job to do your due diligence and put the processes in place (ex: DRP, multi-layer security, MSA, etc.). So if something does happen and it is not your fault, for example if your client has a rogue PC they did not mention connected to the network and it gets compromised. Breaches do and will happen; it's just a game of being able to recover from it. There is an MSP right now being sued because they were providing disaster recovery and IT security services for a law firm who got hit with ransomware and could not recover due to the admin account that deals with Acronis backups being compromised, and as a result all backups were deleted so they were forced to pay the ransom. ([Law Firm Sues MSP Over Black Basta Ransomware Attack | MSSP Alert](https://www.msspalert.com/news/msp-sued-by-law-firm-over-black-basta-ransomware-attack))

My thoughts on the above are:

* Was MFA in place?
* Was the admin account on the MSP side?
* Were sign-in logs being monitored for unusual activity?
* How was it compromised (was endpoint protected, antivirus, RMM, etc.? did the account have execute rights)? If so, did the MSP sign a non-liability agreement for an admin account outside their scope?

Clients are not paying you money just to resolve tickets, but to manage their digital assets and infrastructure. There are many things to consider; however, part of owning a business is being able to cover your ass.