Guest Post

MSP industry regulation and how providers can shape it

MSP industry watchers have predicted the establishment of regulations for providers. The National Society of IT Service Providers wants to ensure MSPs can guide public policy.

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

In this video, Sobel discusses regulations for IT services providers with Karl Palachuk, author of multiple books on managed services. Palachuk explains legislation he would like to see for the MSP industry and the launch of the National Society of IT Service Providers.

Transcript follows below. Minor edits have been made for brevity and clarity.

Dave Sobel: So, obviously, this is different for you and me: We co-host a podcast, but, today, I want to talk to you. You've put forth a proposed set of legislation focused on IT service providers. Can you give me an overview of what's in that proposed legislation, for those who may not have read it yet?

Karl Palachuk: The big piece, first of all, is to have some sort of registration of IT service providers. The reason that I think that's useful is so that we can begin to divide into whether you should or should not be part of the liability equation when it comes to something like a ransomware attack.

Another piece is that that [registration] database should be maintained by the state and should be searchable by the public so business owners would know who they're hiring.

Part of what we want to do is to limit liability. People always say, 'If your client won't buy this security service or that firewall, have them sign something that relieves you of liability.' Well, that has absolutely no effectiveness, legally. Liability is not a thing you can sign away by two people agreeing to something. So, the insurance companies are starting to see that they are paying out massive amounts of money that they did not expect to pay out. So, part of what we want to do is say, 'We'll create circumstances under which you can be relieved of liability.' For example, some IT service providers only sell phones or they only sell some small piece of the operation. They're not responsible for security, or backup or disaster recovery. So, they should be relieved of liability for that.

Also, there should be a process where we are required to offer the services the clients need, whether they know [they need the services] or not, and if they turn us down, that's cool. There's a process legally to be relieved of liability.

And, finally, I think there's a heavy component of us needing to partner with the insurance industry to promote this. It will help them, and it will help us. I think, in general, we need, as an industry, to become more professional, and I think this will help with that.

Sobel: The proposed legislation is only seven pages. Is that enough?

Palachuk: Well, while I would love to write a 10,000-page document, it is too complicated to enforce. I really think minimalism is important. It should just focus on what it needs to be. The other thing is I'm not a lobbyist. I'm not a legislator. I'm not a lawyer. This is spelling it out in clear English language. And we'll see what happens. They say a camel is a horse that went through committees. Those committees are in state legislatures.

Legal requirements for IT service providers

Sobel: Fair enough. So, then, in the legislation, you create a barrier of entry, providing someone is in good standing and registered. How does one enforce good standing in the context of laws like this?

Palachuk: What I would imagine is -- we'll call it Secretary of State, but it might be the Bureau of Public Affairs or Commerce or whatever. I can imagine saying, 'Well, you need to have a business license. You need to be registered to do business in that state. You need to have liability insurance and, potentially, cybersecurity insurance.' You need to have the things in place.

And, eventually -- and I don't think our industry is ready for this yet -- but, eventually, there should be some kind of certification that says you actually know what you're doing. When we hire an accountant, there's a process I don't have to understand to know that that accountant is registered with the state. They actually have to go through some continuing education. They have to have some idea what my taxes mean. I don't have to know that stuff, but they do.

Sobel: OK. So, that would be the context of how that evolves and gets enforced. Now, one of the things you've explicitly put in the proposed legislation is backups as a requirement. You've explicitly called out that they must offer backups. I agree. For me, of course, they do. But doesn't something like that also need teeth for it to be effective? Or is it just as simple as stating the requirement?

Palachuk: One of the things that I think you don't want to do in legislation is to be too specific about exactly what that means, because, as an industry professional, what's appropriate for one client may not be appropriate for another. And the technology that you implement today will not be the same as what you implement five years from now.

But at the end of the day, when you look at any of these monster ransomware attacks, if somebody could push a button and get a company back in business in 24 hours, the effect of the ransomware attack would be minimized.

And so, just being able to say, 'Look, you can't not be aware of this.' It's sort of like you have to offer these services. And the clients -- if they're conscious about it and they turn you down -- then they can't hold you responsible for the effects of not being able to recover.

Sobel: The other piece that you are explicit about in the proposed legislation is the idea of notification requirements of breaches. Walk me through where your head is at on that requirement.

Palachuk: It's interesting. One of the comments that somebody sent to me was, 'Well, we already have all of these different requirements for reporting and blah, blah, blah.' But I don't think most small business owners know that those requirements exist. And, as you've seen, a lot of companies are reluctant to report things that are going to make them look bad in terms of PR or look bad to their clients and so forth.

So, somebody has to do this reporting. And, I think, it's necessary, primarily, because we don't really have a sense of how big this problem is. But I guarantee it's bigger than what we think it is. It's bigger than what's currently visible.

How proposed legislation moves forward

Sobel: OK. That makes sense to me. Now, you've got a background in actual public policy. A lot of people know you, of course, from your IT work, your books and all that kind of stuff, but you've got a background in public policy. Help those who aren't familiar with this process understand how proposed legislation gets used as a next step. What happens with it now?

Palachuk: In a perfect world, we'll have a volunteer from every state and every province who will come forward and say, 'I will take this.' They might make their proposed changes to it -- put their flavor on it, if you will -- and then go to their state legislature and say, 'I want to talk to somebody. Who does this? Which committees deal with technology, with insurance and so forth, and maybe even criminal?' It's going to be different in every state, but it's a place to start the conversation.

One of the things that happens -- and you've seen this with pretty much everything across the board, whether it's gun control or pollution or anything else -- is an incident in the news can suddenly make legislators jump up and propose legislation, which, often, doesn't directly affect the problem or would not have prevented the incident, but it makes everybody feel good that they passed legislation.

If we have something ready so that when somebody says, 'Hey, we need legislation,' at least, we get a seat at the table. That's the important part, because insurance companies have a seat at the table. Big vendors who sell this software have a seat at the table. Your clients, small business clients, don't have a seat at the table. And small business consultants don't currently have a seat at the table.

Sobel: So, there's something almost in that word 'currently,' because don't we need a lobbying organization in order to do that? Wouldn't we need some organization advocating on behalf of this?

The National Society of IT Service Providers

Palachuk: What a coincidence. I'm trying to start an organization, which is not entirely just for lobbying, but it's a place to begin organizing it and having this discussion. And, I fully admit, there will be people who will show up simply to say, 'We should not be legislated. We should have no legislation.' That's also part of the conversation.

But yes, I have this organization that we're starting to get organized -- and we're having a meeting later in July -- to actually begin this conversation. Luckily, several people have already put their hands up and said, 'I'll volunteer for this state or that state.' And one person just made a comment about, 'Oh, don't forget Canada.' And my response was, 'Of course not.' It needs to be something that is all over. We'll start in North America, but it needs to be in the U.K. and Australia, as well.

Sobel: Tell me about the organization itself. What are you proposing then as the organization?

Palachuk: I called it the National Society for IT Service Providers. Basically, it's a place to start.

I want to put up materials, for example, like a video, that will describe what is ransomware, what is an RMM [remote monitoring and management] from the MSP's perspective, so that news organizations can see that and they will get these little snippets.

Also, I'm creating talking points for IT service providers, so that maybe they could talk to their local media and [answer questions such as], 'OK, what is ransomware? Why are we doing this? Why do [IT service providers] need this tool that seems to be so dangerous?' And we need our side of that story because, otherwise, you just have talking heads who really don't know our industry but they have to fill a show with talk. So, they've got opinions, [but] they're just not very well educated. Again, I just think we need to have our voice be part of this conversation.

Sobel: Obviously, this is not a company. This is more an association of people coming together. And it'll be structured, theoretically, more like that. Are you still figuring out the structure?

Palachuk: Yeah, we are still figuring out the structure. Again, it partly depends on who shows up at the meeting. But I discovered a long time ago, if you hold a meeting and you have an agenda, it's amazing that things can actually begin moving. And people say, 'Oh, well, it's impossible,' or, 'It's too big of a task.' OK, maybe, but we have to try. And if we all fall down and fail, that's cool, too. I've failed before. But it's a place to start.

Right now, we're just saying, 'Hey, join up. Get on the list. Participate.' We've got a little forum there. Amy Babinchak created the MSP Regulation and Legislation group over on Facebook. So, we've got places to have this discussion -- in Zoom meetings but also online in forums. We just want to get people in there. We're not charging anything for it, of course. And, partly, we want to get as many people joined up as possible so we can say we represent X number of managed service providers or whoever. That goes a long way with lobbyists.

Sobel: Well, sure. That's how this all starts. And I'll channel Hamilton for a moment: You need to be in the room where it happened for this to matter.

So, Karl, I'll include links for everybody in terms of that. I'll check back in with you then after the meeting, and we'll see where our next steps are. Does that make sense?

Palachuk: That would be great. And thank you for your support. I appreciate it.

Sobel: Absolutely. For anybody who's interested, the links will be in the [YouTube video] description and in the show notes, and you can sign up and get more information there. Karl, do you want to talk a little bit about the website and how they can register?

Palachuk: Yeah, it's nsitsp.org. Right there is a thing that says, 'Get involved.' Join the conversation. We don't ask for a bunch of information. We don't put you on a bunch of lists, but we do put you on the one list that allows you to be invited to the meetings and so forth.

About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and he has worked for vendors such as Level Platforms, GFI, LogicNow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.

Dig Deeper on MSP business strategy