The recent hacking of software vendor Continuum sent shockwaves through the managed service provider (MSP) community and raised prickly questions about who’s liable when cyberattackers breach toolsets and gain access to the networks of MSPs and their clients.

In the Continuum attack – revealed to partners in early August and more broadly this month – hackers breached a legacy IP scanner tool, resulting in unauthorized administrative superuser accounts being created inside the networks of an undisclosed number of MSP customers.

Florida-based technology and MSP attorney Bradley Gross said the case serves as a pointed reminder for MSPs to clearly understand their agreements with both vendors and clients, as they relate to cyberattacks.

Bradley Gross

“An MSP has to think about the services that are being provided to it from its upstream vendor and the limitations,” Gross said. “The MSP needs to make sure that their agreement with clients takes these limitations into account.”

Following the Continuum attack, one partner – who asked not to be identified – said his MSP had been forced to have a series of very uncomfortable conversations with customers, including discussing how the full extent of damage can’t be entirely known.

“These accounts were created and active for several days prior to us being notified of the breach, so unidentified intruders had full access to our clients’ systems and data long before we found out about it,” the service provider told MSPmentor earlier this month.

“We have identified login events within server logs which confirm unauthorized access to our clients’ servers from dozens of IP addresses around the world,” the partner continued. “We still have no way to know what sort of malicious software or gateways may have been left behind nor what data has been stolen, which absolutely could lead to additional problems and liability concerns for us in the future.”

The MSP said the discussions stunned and dismayed its clients to varying degrees, causing strained relations.

No 100 percent security guarantee

Continuum officials said in a statement that they responded forcefully to the breach, engaging the FBI and a private forensic firm, as well as enacting a range of measures to help partners detect and mitigate malicious activity.

Gross said his only knowledge of the Continuum breach comes from media reports but that, generally speaking, contracts between vendors and MSPs include language that limits the circumstances under which the vendor is liable.

“I’m confident that Continuum doesn’t provide 100 percent guarantees of security,” Gross said. “The customers should understand that.”

Too often, he said, MSPs lack a solid grasp of key provisions in the contracts they sign.

“That is rule number one,” the attorney said, “the only way to really understand is to read the agreements.”

“A lot of MSPs assume that things are covered on a 24 by 7 basis, and that BDR means under all circumstances you are backed up and will be able to recover your data,” Gross said of one misconception.

“I don’t care if you’re dealing with IBM or Continuum or Amazon,” he continued. “They all have exclusions to the 100 percent guarantee that we will be able to recover your data under any circumstances. Errors happen. Hardware fails.”

Reasonable care

Indirect losses stemming from strained customer relations, cancelled service subscriptions or harm to an MSP’s reputation are legally treated as “consequential damages.”

Some MSPs suggested they deserved compensation for the impact of the Continuum breach, since it wasn’t the service providers’ fault.

“From a philosophical perspective? Sure. From a legal perspective, probably not,” Gross said. “Consequential damages are generally one of the first types of damages that are waived in agreements between vendors and service providers.”

Another important consideration involves “duty of care” provisions, which require an entity to perform with reasonable care.

Defending against exotic cyberattacks might have been deemed as beyond the scope of “reasonable care” in 2011, but times have changed.

“Three to five years ago, those threats were not as readily apparent as they are today,” Gross said. “Now what is reasonable for an upstream vendor to anticipate has become a lot wider.”

It’s critical for MSPs to ensure that the technical and legal limitations in vendor contracts are aligned with those in their client contracts, Gross said.

“If they don’t, they may be left holding the bag and could find themselves (facing) questions from clients,” he said.

Send tips and news to [email protected].