Though managed service provider registration has been discussed, it's only recently come into play. Louisiana Act 117 was recently signed into law to go into effect on February 1, 2021.
According to Baton Rouge IT professional, Landon Futch with Essential Solutions, This law requires MSPs handling infrastructure or end-user systems for public bodies to register with the State of Louisiana. Though the terms are defined within the law's text, the definition of "public bodies" is still ambiguous, though it will become more fully defined as time passes and the law is tested within the court system.
Type of Activity Requiring Reporting to the State
The law will require MSPs to notify the State of Louisiana in the event of a range of online security incidents, including if ransomware payments take place, data breach notifications need to go out and similar events. Though all 50 states have laws covering data breaches on the books, this law requires the MSP to not only contact the impacted parties, usually the data owner, but also the state.
By taking this action, the state can provide businesses who are pursuing MSP services with information on the companies that they are considering doing business with. This allows the business owner or manager to make smarter decisions about which service to hire to handle their IT needs, avoiding potentially costly mistakes in hiring the wrong company.
Benefits of MSP Registration
This information can actually benefit MSP businesses, allowing them to showcase the low number of incidents it has had to report, providing transparency and building trust with the public and their clients. This helps to not only boost business for good MSPs, but also limits the amount of damage that a bad or poor-performing MSP can inflict on the business community.
This bill has come into effect to protect state and local agencies because of issues with both poor-performing MSPs as well as the tendency for government intervention in the industry. However, businesses who undertake registration and report properly will see the unseen benefit of gaining additional private-sector business, as businesses check the registry to determine whether the company they're working with has had any issues with public-sector agencies.
Will the Louisiana Law Cause Regulatory Issues?
As this bill has rolled forward, it is unique in that it requires MSP companies working with public agencies to register, but does not actively work to regulate the industry. Certain incidents must be reported, but there are no direct consequences of having a particular number of reports on your MSP's record. It does, however, allow higher levels of transparency, accountability and trust between both public- and private-facing organizations and the MSP.
The legislators who were questioned about the law have stated time and again that they do not want to regulate the MSPs through certification, especially because existing testing and reporting frameworks are in place, as well as technology standards. Available options of these tools include MSP Verify, SOC 2 and similar options. The law does not so much condemn the role of MSPs as recognize the importance of these services in our businesses, helping us keep our country connected and working efficiently.
Limitations the law could put into effect on MSPs are possible within the law, however. Registration of MSPs could expand. Applications can be approved, denied or revoked in the future, allowing the state to have a say in the MSPs delivering services to public bodies. Further proscriptive action, not yet revealed, could come into play down the road. Other industries could start developing registration frameworks.
Shawn Maggio, who owns a Managed services provider in Lake Charles, LA sums it up this way, “Make sure you're working with a qualified MSP service.”
