Transcript: 3 common privacy clauses in contracts to be aware of. Our master vCISO joins the show
Hey, good afternoon, happy spooky scary Friday the 13th. I'm kind of here but I'm kind of not here. It's been a couple of weeks, but I've got my medicine, so we're good. We're really happy to have a good friend, Brian, here, but before we get into the scary data on... I can't even think of what the hell we're talking about. Nightmare on Data Street, see, there we go. Why don't you come on up and say hello, how are you, all the fun things. Let's do that.

I'm up, I'm up. All right. Tim, Inquisitive by T. I focus on high net worth individuals, retirees, individual cyber security, so MSPs, if you have customers that are too small for you to deal with, I probably have a plan for them. But, excited for this week's episode, and I can't wait to pepper Brian with some questions.

So, Jesse. Oh, well, there we go. Hey everyone, Jesse Miller, founder of PowerPSA Consulting and creator of the PowerGRYD vCISO system. We help you scale your vCISO programs and do it profitably. Oh, that was quick and easy. All right, Brian, you're up.

Hey everybody, super excited to be on the call here today. Brian Blakeley. Came up in the 90s much in the engineer ranks, got bit hard by that entrepreneurial bug in 1999, built, grew, sold, exited several IT managed service providers. In 2017 started a fractional CISO compliance readiness business, sold that in '22. During that time I was also, for about four years, full-time CISO for a fintech company that processed about $50 billion a year of online transactions, so we were getting hit all the time. But just built a bunch of security programs and privacy programs, mostly for private equity companies that are looking to de-risk their portfolio. They're in highly regulated environments oftentimes, so compliance is a given, and oftentimes in the flow of contract reviews. And so that's what I'm excited to share with you today, especially from an MSP perspective: there's gold nuggets in those
contracts and agreements. I'm going to do a show and tell here shortly and point out some of the stuff that your clients are agreeing to in their contracts with their customers, so that will be the scope. So, excited to kind of go through some of that today.

Thanks, Brian. And obviously Tim Golden, founder and CEO of Compliance Scorecard, where we help you and your MSP have the risk conversation with your customers. I'm going to hopefully allow Mr. Schner and Jesse and Brian to kind of lead this conversation, because I am still sick as a dog from this, just getting back from Canit. But yeah, we're really excited. Feel free to jump in and ask your questions and all the fun things in the comments, and yeah, let's dive right in, my friends.

Tim, how's the temperature, has it come down? I saw the medicine.

Truth be told, I just woke up like four minutes before this, so I do take little catnaps during the day. Last I checked it was like 100.5, so yeah.

And those things, they're always low, you ever notice that? That means you're like 101 point something.

I mean, it's interesting, because probably nine times out of 10 I wind up with some kind of sinus infection. It is not COVID, I took a COVID test, so it's not COVID, but I traveled all of July and I was fine. I go to Canada for a couple of days, I come home, I'm sick as a dog.

Yeah, too much fresh air maybe.

Brian, I put a comment out there, I had to ask, on your medals, I mean, are those all marathons or is it a little mix there?

Yeah, so what they are, and all my millennial friends out there will appreciate this, they're participant trophies, right? Everybody gets one if you finish, right? And there's no record times there. But I've done four full marathons and more than I can count of half marathons. My running days are over, but my wife and I love to walk, and I'm on the third month of rucking now, which I really
enjoy, adding that to the walk a couple times a week.

Yeah, I've seen that from Lance Armstrong, Joe Rogan, like they walk around, what's like a Peter, at like the help, weird looks. It looks like a bulletproof vest.

Yeah, like I'm gonna go walk around with some weight on my body. It's good to build up resistance, little strength training too.

He's back there, he's dead to the world, upside down, playing dead, waving. Yeah.

So Brian, really excited to get into this today. So why don't you maybe just set the stage for our audience and talk about, you know, you said there's gold nuggets, but dig into that a little bit, tell us about what that means.

Yeah, so what do I mean by that? And first let's frame this, because it can get confusing: we're not talking about the MSP's contract with their client, get that out of our head. The scope of what I really want to talk about, where the nuggets are, is this: as an MSP we have clients; our clients sign contracts with their customers; their customers in turn put data security and data privacy and compliance requirements on the MSP client. Now, do we all think it would be important to know what our clients are agreeing to in terms of data security and data privacy in their contracts with their customers? Do you think that there'd be value in understanding that and aligning to that? It's somewhat rhetorical, but we miss it all the time. MSPs, when they do risk assessments, they'll tend to jump right to the technical controls, right? They've got their control list and they go, do you have MFA? Check. Is it implemented? Yes. What's the impact? But they forget, you know, and even the ones that have a compliance mindset, they automatically go compliance to a framework, okay? And as an MSP, when you talk to your client about, oh well, you know, you've had this partially implemented and this not implemented and it's not consistent with NIST CSF, and we wonder why our clients don't
react to that, it's because it's not in context, right? It's not in a way that they can understand. Whereas, if we can sample during a risk assessment, as an MSP, if I can sample my client's customer contracts that they've entered into, especially our clients that are B2B focused, there is a gold mine. And we're going to go through, I'm going to do a show and tell on two agreements. And this is something too: if you have a vCISO service, this is one of these elements or threads that make you sticky with your client. Get in the flow of those contracts, and I'll show you why you want to be in that flow. Not where you're providing legal advice, but where you're able to weigh in and say, hey, there's data security and data privacy requirements in here that we don't have the right tools, people, processes implemented to support. What I love, love, love about this, what I'm so passionate about with client contracts, is our clients, as an MSP, they have revenue tied to these customer contracts. So when I go in and I say, wow, we're not doing these 10 things in this contract that you signed, Mrs. Client, they know they're in breach and putting the revenue tied to that contract at risk, right? Because all these contracts have a right to audit, okay, we're going to go through this, right? And so clients, what I found, can really resonate, they get it, it's tied directly to revenue, and they want to keep those contracts, right? They want to maintain those.

So I was gonna say, let me break it down in simple terms, right? So we see this time and time and time again with our MSPs and our partners, right? They get a customer and they're like, CMMC, millions of dollars, and the first thing that I ask them is, have you even looked at that government contract between your customer and the government? Have you had an opportunity to look at that yet? Nine times out of 10 they don't ask, they just make an assumption that, oh well, the customer said they have to be CMMC. Well,
really? Did you look to see if the DFARS clauses were in there? And so we see this... That's me humming, or is that somebody else? Probably me. Let me try anyways. Oh, it sounds like somebody's standing... is that YouTube? 100%. I think it might be... sorry. So anyways, in the simplest of terms, if you're an MSP and you're working with Johnny's Lugnut Factory, and Johnny's Lugnut Factory is selling lugnuts to the federal government, there's a contract between Johnny Lugnut and the federal government, and there's revenue tied to that, there's data privacy, all the things that Brian was talking about. So ensuring that you're having that conversation with the customer. What I hear from my MSPs all the time is, well, that's just weird for me to ask, it feels funny for me to ask, why should I ask that? So Brian, maybe you could talk a little bit about that portion of the conversation.

Yeah, or they do ask and the customer's like, you don't need to see that.

Yeah. And so oftentimes what I'll do is I'll just do the ask: hey, I want to make sure that the security products, services, solutions we have aligned and are consistent and support the agreements that you have with your customers. So that's what I'll ask the client, and I'll say, if you can share just a few of the most recent ones, the more material ones, and feel free to redact. Or, often times there's addendums, exhibits that have all the data security and data privacy requirements, so a lot of times I'll disarm them by saying, hey, let's just get on the phone, let's do a screen share, scroll through it quickly, and I'll tell you what addendum or exhibit to send me, because that's where I need to focus and concentrate. That way they don't have to go through a big redaction effort, and we're just trying to lower the friction to get a hold of some of these agreements to understand what they've agreed to. Believe it or not, clients blindly agree to these things without understanding what they mean. So Tim, am I sharing now?

You can. Here we go. Okay,
so I'm going to share with you and point out, because I think there's nothing better than a show and tell, right? We can talk about it, but what I've got is a sampling of two agreements. This one happens to be what I looked at a couple of months ago from a larger type of customer, not gigantic, they have about 600 million in revenue. You'd think that there'd be a lot of maturity there, but, you know, when I said, hey, are you guys aware of what's in these contracts and what we've agreed to, what we're obligated to provide, from data breach notification requirements and a whole bunch of other stuff, it's like, well, no, we kind of just signed what was in front of them. Especially when they get these amendments to a previous MSA, your clients get these, they'll just blindly sign them without understanding a lot of the different clauses. So what I'm going to do is I'm going to step through this. And so what this one is, this sets the stage, believe me, we're not even to the good parts yet, okay? I'm going to warm up, this is a little contract foreplay if you will, to kind of get into some of the meatier stuff. So it's not uncommon in all these agreements to have where they define terms, right? This one's confidential information, and look how broad this one is: all non-public personal information and other information relating to Acme or Acme affiliates which is shared in any form with the vendor. And keep in mind the scope of our conversation today: the vendor here is the MSP client, okay? Our MSP client is the vendor in this case, right, because we're dealing with a contract from their customer, okay? So we go through and it has this really broad definition of information. It also says that, hey, there's always this attachment that everything wants to refer to, where there's data security and data privacy and compliance requirements, okay? In here we've got, all of a sudden we've got disposal conversations, we also have where it's pointing out,
you know, where not only do we dispose of it, but we can only keep it and use it for the term that we're providing services to this client and when we have an ongoing need to provide the services. Okay, so let me get to the better stuff now. If you can get the whole agreement, there's not only going to be data security and data privacy compliance requirements, but like this one, this stuck out to me, because the MSP's client is telling their customer they're going to have people seven days a week, 365 days a year, you know, by phone and email. That means, as an MSP, I have to make sure that they're available, and if things are down, I'm 24/7 reacting to that. So again, these are the little nuggets along the way that your clients have agreed to. As an MSP, your clients have agreed to provide this to their customer, right? 15 minute response times is what they have. And again, I'm not even to the good stuff yet.

Yeah, I think it's got to be real... Real quick, Brian... Yeah, go ahead, go, J. I mean, it's got to be really rare that most MSPs ask for this and have some kind of matrix, like shared responsibility, you know, in terms of this client's got a four-year retention period, this client's got a six-year retention period, this client has, like, this is in scope, that's not in scope, or even like data classification, data governance, right? I mean, you're going really deep here.

Yeah, yeah, and you can, right? The sophistication of the client will dictate a lot of that, the number of agreements that your MSP has. But in addition to that, and when you talk about a matrix, and we'll get to this in a second, but every single one has different data breach notification requirements. Some are very broad, some of them want 24 hours, some 72 hours, others say best or reasonable effort, you know. And then all the different breach notifications are different, right? So if I'm doing an incident response plan, I basically
have to have this other contact list of, hey, if the MSP's client is having a bad day, goes south, there's all kinds of breach notifications and how they go. Some are by mail, believe it or not, that you notify. Some, they'll even provide a fax number; you see a lot of medical that still have fax machines and stuff. Or the common one is, send that email. The other thing, since we're talking about incidents, and when I get to that, the breach notifications are always far too broad. That's why I said early on, if you're providing fractional or vCISO services, get in this contract flow, because you will want to push back, right? What we're looking at is agreements where the clients already agreed to it, right? So there's no going back, but there's areas where you want to push back. 24 hours is one of them, you know. There's also contracts where it shares that, hey, any incident, we have to notify the client within 24 hours. So that means if Jane Doe clicks on a phishing email, we have to notify them? No. We need to define, hey, when there is a confirmed breach of data involved with this specific contract, right, then we will notify in 72 hours, right? I did a LinkedIn post a couple weeks ago where I said always push back on 24 hours, right? And I forget who, I love LinkedIn for this, right, just the diversity of some of the comments, but the comment was, oh my gosh, why would you push back at 24 hours? If you can't respond within 24 hours then you shouldn't call yourself an MSP, and all this other stuff. It's like, whoa, you don't understand. I didn't explain it well, I'll fall on the sword, I didn't explain it well. Think about, and I don't know, I'm battle tested, right? So I've been in this, and when bad things happen, it takes a little while to just figure out what's going on. Is it a confirmed breach? What was... you know, all of that kind of stuff. And I'm going to want to make sure I have
everything and all the information, and that takes time, especially if you need to rely on multiple parties. 24-hour response to an incident is crazy, right? I would never agree to that.

Yeah, yeah. Brian, I like what you said about, we were talking about as a vCISO, and you know, I think it's one of the hot topics right now for MSPs, is getting vCISO services spun up. But for a lot of clients it's like, well, how do I go back to my current clients and talk about this? And exactly, I love the points you're making, because you can go and say, well, you've signed this already, but here's what we'd do for you with the vCISO service: we'd push back here, here and here. And also the other problem that I see MSPs make, or mistake they make, is they see all these terms and they immediately jump to the mitigate for the risk, like, oh, this is great, you have this data requirement, we're going to have to sell you Varonis and somebody to manage it, and it's going to be 200k a year, and the customer's like, well, I can't afford that, so I don't know if you're the right partner for me. Where we should start is the avoid, transfer: can we avoid, transfer or accept? And then if we can't do any of those things and stay within our risk tolerance, then we mitigate, right?

And that's, these are in the risk assessment. And you nailed it, Jesse, these are things that if you're not considering the promises your clients have made to their customers, you're missing, I think, material risks. And with risk as an MSP, sometimes that does translate into opportunity, right, tools and things, but you're having a different conversation with your client. That is a much different conversation that the business can react to, versus talking about a bazillion critical vulnerabilities and jumping up and down fixing, right? Right, so I'll get back to here, but we're going to hit some of these. One of the things I want to call out here, it's the number one thing I'm seeing in contracts in the
last, say, 18 months to two years is, anybody heard of AI, right? So, what your MSPs, just know this, what your clients think: your clients think that they have amassed 30 years of data that they can do anything they want with, okay? These contracts, and I'll point them out in specific areas, as an MSP, your clients don't own that data, right? It's a work product that's part of these contracts, okay? You'll see, it's very clear in these contracts that as an MSP your client is the one that is obligated to provide... if you're going to use the data, in other words, your MSP's client is not the data owner, okay? You can't do whatever you want, and if you want to do something with the data, and I'll point these out, it's very clear you have to get the permission of the data owner, which is not you, okay? So what's happening a lot is they're saying, oh, we've got 30 years of data, let's ML and AI it and put it up there, but they're doing it without permission, okay? They don't own the data, they're supposed to get permission, and even when they have permission it has to be de-identified and/or aggregated information.

MS Copilot, we're just going to turn this on, no big deal, right?

Yeah, and it's great, but you're using the data for a purpose other than what the contract allows you to, and you shouldn't even really have it, because data lifecycle management, data retention, remember the earlier provision in this contract that said you only use the data for as long as you need it to service this agreement, otherwise it needs to be destroyed, or if there's a legal requirement to keep it, or whatever your normal retention schedule is. So this is just... this is it, I mean, you can only... this right here saying you can only process information, and oh, let me go back up here, here's processing, which means virtually everything under the sun that you can do to data, right? If you're doing that, you can only do it to carry out your obligations of this agreement. That's
where we get into, you can't just AI 30 years' worth of your data without getting permission. This is another area where you push back politely and say, hey, we want the right to use it for internal operations, Power BI, you know, business intelligence, data analytics, you know, that kind of thing, to improve service or something along those lines. But there's areas where we need to start pushing back there. And again, this is saying, hey, the MSP's client's customer has exclusive authority to determine what you can do with processing of the information. Now we get into, you know, need to know.

So Brian, I know when I had my MSP, or I was at the MSP, let me make sure I'm saying that appropriately, one of the things that we always had to deal with was RUDA, right, restricted use data agreements, right? You know, we would always have to get... I remember one instance where it was so well defined with the customer that it actually talked about: we would bring you the CD of the data on Monday morning at 9 o'clock, you could only access that CD of data on a computer that was not internet connected, blah. I mean, it was very, very stringent on, hey, we're gonna give you a disc of all the data, but you can only touch that data between 10 and 10:01 on one day, like, I mean, it was really, really stringent. And you know, if I hadn't asked that question, if I hadn't talked with the project director about, what are you doing, what's this RUDA, what's this restricted use data agreement, you know, the thing would have been willy-nilly, we would have been in breach of contract, they could have lost millions of dollars. We had to build a special computer just for them to be able to access the data on that CD, and buy a crushing service that would, you know, chop up the CD. Yeah, you know, it was really interesting, on like, you should be asking about this stuff, you know. Your customers might be reluctant to give it to you, but really being able to push back and say, listen, we want to do
what's best, right? We don't want you to be in material breach of contract.

Yeah, and that's exactly where we're going with this, Tim. Now we're getting into some more specifics, and there's going to be some real nuggets here, so you're going to want to lean in on these.