The business model of the information technology managed services provider (MSP) has significantly changed over the past two decades. Many MSPs have moved away from the traditional break-fix model and are now taking on the roles of (1) trusted IT consultant, (2) outside help desk and manager of IT systems, (3) seller of hardware, licenses, and subscriptions, and (4) systems security advisor and manager, among numerous other functions. Many businesses are finding that they do not have the resources to fully manage their systems and infrastructure in-house (even those that have in-house IT departments), so they continue to lean on MSPs to help manage their technology needs. As technology advances with (i) the continued growth of cloud computing, (ii) the introduction of artificial intelligence (AI) and machine learning (ML) technologies, (iii) the explosion of applications available to consumers, and (iv) the expanding data security and privacy rules, regulations, and threats, MSPs need to make sure that their client agreements are keeping up with the latest trends and developments. This article will dive into some of the key provisions that MSPs should consider when negotiating agreements with clients.
The Services – Make Sure They are Clearly Defined
Regardless of how evolving technologies have changed the services and solutions that MSPs provide, a constant principle in drafting agreements is that the services should be comprehensive and well defined in the agreement so that there is a clear understanding by both parties of the expectations and the obligations for each side. Little can sour an MSP-client relationship more than misalignment and misunderstanding about what services the client is receiving for the money it is spending.
As an illustration of the above principle, imagine that an MSP’s client has its headquarters located in Chicago with five sales offices located throughout the United States. In the managed services agreement, the MSP agrees to provide “IT support services”, without including anything further in the description. The MSP quotes pricing for the services, and the client agrees to purchase the “IT support services” at that price. The MSP only intends to provide support services to the headquarters and priced its plan accordingly. Further, the price only covers the computers used by the employees at the client’s headquarters. Unfortunately, the client is under the impression that the “IT support services” cover its headquarters and its five sales offices. Additionally, the client believes that the “IT support services” extend to all the machines and devices that its employees use, including laptops, phones, and tablets. Regardless of whose understanding is correct, the client likely will not be happy to hear that it will have to pay more to receive the support that it requires. The client could demand that the MSP honor its original pricing, it could walk away from the deal, and it could start telling others about its bad experience with the MSP. Ultimately, these unfortunate results could have been avoided if the MSP had taken the time to expand the description of “IT support services” to include such information as: (1) the location(s) covered by the services; (2) the equipment covered by the services; (3) the types of support services that will be provided (e.g., hardware support, network support); (4) response times for requests and issues that arise; and (5) the level of support that will be provided (e.g., only during regular business hours, 24/7, on call). Clear and comprehensive service descriptions can prevent unnecessary headaches for MSPs and their clients.
Data Security and Privacy Related Provisions
While the European Union has had the General Data Protection Regulation (GDPR) in effect for five (5) years, there have been a slew of new and updated laws coming into effect recently in the United States regarding data security and privacy. These new laws and regulations include the California Privacy Rights Act (CPRA) (which expands on the California Consumer Privacy Act (CCPA)), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act. All of these laws are in addition to the data breach laws that have been enacted in all fifty states over the past two decades. This large tapestry of data security and privacy laws impacts the services and solutions that MSPs offer, so MSPs need to make sure that their agreements are appropriately addressing these areas to protect both them and their clients.
When robust data security and privacy provisions are included in agreements, both the MSP and the client understand what is expected of them in terms of protecting sensitive information. By outlining specific security measures that the MSP will implement and by specifying the responsibilities of the client with regard to the collection and protection of their own data, both parties can work together to reduce the risk of a data breach or other security incident. For example, say an MSP is handling a client’s data as part of a backup and recovery service and the client’s data includes certain customer data. Unfortunately, the client did not secure the appropriate consents from the customers to collect that data in the first place. In the event that the unauthorized data collection comes to light, the MSP and the client could be in violation of data privacy laws and be subject to a number of consequences. If the managed services agreement includes language around the client’s obligations to secure necessary consents and indemnification obligations in favor of the MSP if the client fails to secure the consents, then the MSP should be able to mitigate some of the risk it faces under such circumstances. It is important to set out these expectations and obligations clearly in the agreement.
Artificial Intelligence and Machine Learning Related Provisions
With the influx of AI and ML tools hitting the marketplace, including ChatGPT, Google’s Bard, and Microsoft Bing’s AI chat function, more MSPs are finding ways to incorporate AI/ML into the services and solutions that they offer. Because of this, agreements need to incorporate provisions relating to these technologies, including provisions about ownership rights, performance expectations, data privacy and security, liability, transparency and accountability, and compliance with applicable laws and regulations.
When incorporating third-party AI/ML tools and programs, the MSP should take special care to limit its responsibility and liability for the operation and outputs of the AI/ML models and algorithms. As the MSP generally has no control over the third party, the MSP will want to limit its liability for any errors or damages caused by the client’s use of the AI/ML models or algorithms. Additionally, the MSP may not want to commit to using specific third-party AI/ML programs, as circumstances could arise where the MSP wants to swap in new AI/ML programs (e.g., the third party goes out of business or the MSP finds other AI/ML programs that would better meet client needs).
Warranties, Indemnities, and Limitations of Liability
The warranty, indemnity, and limitation of liability sections are three key areas where MSPs are able to set client expectations and to prevent the MSP from losing its business and livelihood, if there ever is a dispute between the MSP and its client.
In the warranty section, the MSP should base its promises and guarantees on aspects that it has control over. For example, if the MSP is providing certain professional services to its client, the MSP has control over whether it actually possesses the necessary skill and background to perform those services competently, whether it is showing up and doing the job on time and in full, and whether it is acting like a professional MSP when performing the services. In that case, the MSP could provide the warranty that it will “perform the services in a professional and workmanlike manner”. Additionally, the MSP should use this section to clearly define reasonable remedies that it will provide if it falls short of the promises and guarantees that it makes in this section. Going back to the “professional and workmanlike manner” warranty, the MSP could provide that it will re-perform the work, if the client is able to demonstrate that the MSP did not meet the standard it set.
The indemnity portion of the agreement is another area where the MSP should set expectations based on what it has control over and should provide a sandbox of remedies that will not cripple the MSP’s business. As examples, the MSP may indemnify the client for any losses or damage that result from the MSP’s gross negligence or willful misconduct or from the MSP’s violation of applicable laws. Again, the MSP should have control over how it acts during the performance of its services. Additionally, it should have control over whether it is following the law. Another indemnity obligation that a client might push for is in regard to infringement. This indemnity could get a little more problematic in cases where the MSP is incorporating third-party applications and products into its offerings. The MSP likely plays no role in the development of those third-party applications and products, so how can it know whether thorough due diligence was performed to determine if they infringe on another party’s intellectual property rights? This is an instance where the MSP will want to clearly define the remedies in the agreement. In many cases, the MSP will agree to the following tier of remedies: (1) obtain the necessary rights for the client to continue to receive and use the services; (2) modify or replace the infringing portion of the services; or (3) not charge the client for the infringing services.
Finally, the limitation of liability clause empowers the MSP to establish a maximum threshold for its potential losses in the event of any agreement-related damages, such as a breach of warranty or failure to provide all services. While there are laws in certain jurisdictions that restrict the parties’ rights to agree to limit liability under some circumstances, for the most part the parties are free to negotiate caps on liability. In general, a good limitation of liability clause for an MSP would limit its liability to the amount that the client paid for services over a certain period of time (e.g., 12 months immediately prior to an incident). Additionally, the cap should cover direct and indirect damages, consequential damages, and incidental damages (alternatively, the MSP could disclaim liability for any indirect, consequential, incidental, and other like damages). The client may not be comfortable with just getting its money back, especially if the MSP is handling sensitive client data that could result in significant harm and liability to the client if a hacker gets its hands on it. As an alternative, the MSP and the client could agree to a set monetary cap that both are comfortable with (e.g., $100,000 over the term of the agreement), or the MSP and client could carve out certain instances where the limitation of liability would be increased or not applicable at all (e.g., in the case of a data breach that is due to the MSP’s gross negligence). When negotiating the limitation of liability language, the MSP also should review its insurance policies to see how those could help cover the MSP’s losses.
As technology and the role of the MSP continue to evolve, agreements with clients will need to change as well. It is important for the MSP to continuously review and update its client agreement, preferably with the assistance of a trusted attorney. Otherwise, the MSP risks exposing itself to legal and financial liabilities, as well as damaging its relationships with clients.