If it keeps on rainin' levee's goin' to break – Led Zeppelin
If you are any size of IT provider or MSP and someone asked you what happened at the customer’s site last month, or what services were performed for that customer, how long would it take you to generate a report that had that information, plus the costs of those services and the billing done to the customer?
That’s a question which pops up when you’re trying to manage an IT services business and it’s not usually a question that has a sense of urgency attached to it. There is a change coming. Driven by the EU/UK General Data Protection Regulation (GDPR), the question of GDPR compliance has a lot to do with what services an IT provider or MSP is delivering and the evidence of ongoing compliance effort.
IT providers and MSPs will have to support a Supervisory Authority’s (SA) (in the UK, the Information Commissioner’s Office (ICO)) investigation into a potential customer data breach. This scenario and other data subject scenarios may ensnare an IT provider or MSP into supporting the SA’s investigation. Like it or not, this support is mandatory.
This situation is very likely to bring potential accusations of negligence, attempts to blame 3rd parties and certainly general ill-will between the organization being accused and the IT partner, which may be your IT provider or MSP business. The SA’s investigation - especially in the early months of enforcement - will be looking to make an example of a business which has failed to take steps towards GDPR compliance.
It’s not unlikely that a customer data breach post 25 May 2017 - due to mandatory data breach reporting requirements of 72 hours - will require the IT partner to move rapidly to determine the validity and scope of the data breach. Depending on the magnitude and impact of the data breach, the ICO may begin an investigation - there is no current statute of limitations on when the SA can begin an investigation post data breach. That investigation will certainly entail a “discovery” phase to compile evidence which the SA will assert led to the data breach. We have seen this in many cases in which the ICO has brought action.
The bottom line for IT providers and MSPs caught in an unfortunate ICO investigation into a client’s GDPR-related business practices is the importance of your record keeping in your Professional Services Automation (PSA) and email correspondence. These hold the critical evidence required to disprove the assertions of the ICO that the client “failed to look after its customers’ data.” The IT provider or MSP has the opportunity to be heroic in its defence of the customers and their efforts – if it has the details to dispute the ICO’s claims.
It’s calm in the eye of the hurricane.
The analogy of a hurricane is great for what GDPR will inflict on a business which has had a data breach. The initial landfall of “Hurricane Data Breach” is the discovery of the data breach and the response. Quite likely the response will be from the IT provider or MSP contracted for services. The investigation has to identify what data was breached, make the necessary reports, remove the malware and return the business to regular operations - the “eye” of the hurricane settles in and all is calm.
Now, the inner edge of the hurricane in the form of the ICO’s investigation churns towards the business. The double combination of data breach and ICO investigation could severely impact the business’s ability to function – especially if the ICO’s finding indicates data protection negligence.
Make no mistake, it’s always about the money.
The loss inflicted on the business from the actual data breach may pale in comparison to the ICO’s findings and subsequent fine. The worse the findings, the bigger the fine and the lingering after-effects of brand damage to both the customer and your IT services business.
Mentioned previously is the need to track costs of the security incident and any potential ICO investigation. This information is critical, especially if your IT services business has provided and certified the customer under Cyber Security Essentials. The Cyber Security Essentials scheme has a little-known provision:
“When an organisation with a turnover under £20,000,000 achieves self-assessed certification covering their whole organisation to either the basic level of Cyber Essentials or the IASME Standard, they are automatically awarded Cyber Liability Insurance. Terms apply.” 
Although the limit of £25,000 is not large by cost of data-breach standards, the evidence in the PSA and email correspondence of the proactive work your IT services business has completed and the evidence of self-assessed or IASME Standard compliance under Cyber Essentials may make these funds available.
Keep in mind the compulsory investigation requirement for the ICO under GDPR. That £25,000 may assist in mitigating the revenue impact of the data breach and investigation but only if Cyber Essentials or the IASME standard is in place at the time of the breach. And the only place to find that documentation is in the IT provider’s or MSP’s PSA or email correspondence.
About the Author: Ian Thornton-Trump, CD, CEH, CNDA, CSA+ is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. In Canada, Octopi Managed Services Inc. delivers managed security services to high profile legal firms and in the UK, Octopi Research Labs Ltd. undertakes security consulting and threat intelligence engagements. As the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc, Ian has an in-depth understanding of the threats that small, medium and enterprise businesses face on a daily basis.