Three Legal Tips Every MSP Should Know

Dan Astin of Ciardi, Ciardi & Astin.

by Dan Astin


1) Change in Control

One of the most important legal tips every MSP should know involves “Change in Control.” In the event of an acquisition or other change in control of the client/customer, the MCA and ancillary SOW’s remain in full force and effect. “Change in Control” means any sale, exchange, transfer, conveyance or termination of any equity or ownership interests in the client/customer, or any corporate, limited liability company or partnership reorganization, restructure, merger, acquisition, transfer of assets, consolidation or adjustment with respect to Client if the persons currently in control of the client/customer would no longer have such control after such event.

2) BAA Requirements

HIPAA requires a covered entity to enter into “business associate contracts” with business associates to safeguard protected health information and to restrict its uses and disclosures to those permitted by the contract or required by law.  Business associates are also required to enter into business associate contracts with their subcontractors.  Business associates are persons or entities that perform, or assist in the performance of, any activity involving use or disclosure of individually identifiable health information. 45 CFR §160.103. This includes, e.g., claims processing, data analysis or processing, quality assurance, billing, practice management, and accounting and legal services.

3) Cybersecurity Insurance

According to the Ponemon Institute’s “2018 Cost of Data Breach Study,” the average cost of a stolen or lost record is $148, while the overall cost of a data breach is nearly $4 million. In addition, the likelihood of getting hit with another breach within two years after the initial one is 27 percent.

As noted by FICO, businesses typically shun cybersecurity insurance for three primary reasons:

A) The organization isn’t investing in cybersecurity overall, despite an increase in threat levels.
B) Leadership believes the organization will never be the victim of a cyberattack because it is too small to be targeted, or they believe security systems will protect it.
C) Leadership doesn’t understand how cyber insurance policy premiums are estimated or what exactly is covered.

Generally, cyber policies include coverage for costs incurred for remediation in response to a data breach, liability for claims arising from the data loss or breach, fines or penalties imposed by law or regulation, and additional payment card industry fines and penalties.


Dan Astin is a Managing Partner for Ciardi Ciardi & Astin law firm and regularly represents and provides legal and business consultations to commercial creditors, litigants, contract parties, corporate debtors, importers/ exporters, MSP’s, small business owners, and trustees, in matters of commercial business practices, litigation, customs and international trade, bankruptcy liquidations, administrative law, foreign corrupt practices act FCPA, contract negotiations, business restructuring, IT, select domestic and international trade. Dan’s legal experience includes prior service in the U.S. Navy’s Judge Advocate General’s Corps, as counsel to the Commanding Officer of USS Constellation (CV64); concious objector hearing officer in the first Gulf conflict; prosecutor and defense attorney United States Navy; trial attorney with the United States Department of Justice, Office of the United States Trustee; Associate Council customs and international trade.