IT Service Companies and Government Legislation
Government legislation and regulation could be coming to our industry — quickly. This is a topic that should not be ignored or set aside. Regardless of how many people feel about government legislation or regulation, you cannot pretend it’s not happening.
Karl W. Palachuk has been an IT Consultant since the mid-90s and is one of the trailblazers of the managed services industry. Palachuk believes the industry needs to professionalize itself.
Palachuk has also proposed draft legislation to bring to statehouses across the United States and possibly other countries. What legislation is being proposed by Palachuk? What will happen once the legislation has been approved and passed? What will be required of your business or organization?
During the inaugural meeting of the National Society of IT Service Providers (NSITSP), Palachuk discussed government legislation and what leaders in the industry should expect. He told attendees that legislation is already happening and that the issue involves multiple parties.
Some states are already considering passing laws regulating IT service companies. According to Palachuk, now is the time to get involved and impact your future before someone else does it for you. He also acknowledged there is another option — which is to do absolutely nothing and let the legislators decide what happens.
All states in the US and other countries have already established data protection laws. With IT service companies becoming the center of attention in regard to cyber threats, cyberattacks, ransomware attacks, and other incidents, it is important that more leaders take action and join the ongoing conversations about IT service companies, including the following questions:
- What defines an IT service company?
- How should IT service companies be regulated?
- What will happen to IT service companies that do not comply with the legislation and regulation?
Alexander Freund, Co-Founder, President & CIO of 4it, Inc., was recently asked to share his thoughts about Karl Palachuk’s proposed legislation. Alexander took some time to break down its components:
Registration for IT Service Providers
- Maintained by the State
- Business owners know who they are hiring
- Partner with the insurance industry
- Make the industry more professional
“I think this is a good thing, and will really help to ‘professionalize’ the IT services industry. The government already does this in many industries, so adding IT service providers to the list of businesses or professions that require registration with the state is a good first step for some regulation of the industry. It will provide a degree of transparency for organizations looking to hire an IT services company, and allows for a state-sponsored partnership between insurance companies, which are already regulated by the state, and IT service providers,” said Freund.
Enforce good standing
- Require a business license
- Registered to do business
- Liability and Cyber Insurance
- Some kind of certification that you know what you are doing
Freund shared, “Again, I believe this is a very good thing for our industry. Companies that are hiring an IT service company will know that the state is making sure the service provider is being regulated, that they are carrying the necessary insurance as a liability protection, and that they are meeting the minimum standard of competence to be allowed to operate in the state.”
Backups as a requirement of offered services
- Define it as disaster recovery
- Limit of liability when clients refuse to implement
“I think this idea will fail to deliver on the goal. Requiring service providers to have a backup solution offering isn’t going to force customers to implement it. In the co-managed IT model, often the backups are not even being managed by the IT service provider. And even with a backup solution in place, if a disaster recovery test is not successfully executed on a scheduled basis, the solution may not work when it is most needed. This is a common challenge that many IT providers face, and customers are unwilling to interrupt the business to effectively simulate a disaster. Ultimately, I feel like the customer has to be held responsible for making sure they have an effective backup solution in place, and that the solution is being tested to verify it will work when needed,” said Freund.
Notification of Breaches
- Giving the government and public a view into the size of this problem
“This is already in place in Florida, although it does not seem to be well enforced, and the information is not being shared with the public. I actually attempted to get a complete list of all of the breaches that had been reported to the Governor’s Office in Florida, a requirement if the breach affected 500 or more individuals of the state. My initial request was simply denied, and I had to resubmit the request multiple times to even get a confirmation that information would be provided. Ultimately, the list was essentially useless, as every entry submitted to the state was submitted by a law firm on behalf of another company, many of which operate in Florida but are not Florida corporations. Most business owners and consumers in Florida currently have no way of knowing the size and scope of this problem,” said Freund.
Freund stated, “All in all, I believe that these are generally great first steps for the state to begin to force the IT services industry to adhere to a set of business and professional standards. I don’t think anyone would argue that the level of airline safety in the US could exist without the FAA providing the standards for flight safety and the regulation of the airline industry.”
4IT Your South Florida IT Service Organization
As the conversations about government legislation for IT service companies increase, we anticipate more laws being passed that will regulate how IT service companies manage their infrastructure and end-user systems. We expect key points of the bills to require the following:
- IT service companies to register with their state
- IT service companies to report ransomware demands, payments, and other cyberattacks
- IT service companies to offer access to information regarding cyber threats and cyberattacks
Are you prepared to take action and impact the future of your business or organization? Are you prepared to help define government legislation within the IT industry?