
JaySuds

You need to immediately fire the MSP. They cannot be trusted. They abused their admin authority to exfiltrate data from your organization without your consent. This, in combination with the overbilling issues and service delivery failures, indicates they have major integrity issues. You should also hire a lawyer to intervene on your behalf in this case where your data is being used without authorization. Finally, you may need to pursue your own civil action against your MSP, as you will undoubtedly suffer economic losses having to bring in a new MSP on an emergency basis.


brokerceej

I think no lawyer would file this case for the MSP if they obtained the evidence by nefarious means. Something doesn’t add up here.


Willtowns

You are assuming the lawyer cares or isn't related to the MSP in some way.


fishermba2004

Even if charges are filed, it's going to be dismissed immediately because of how it was obtained.


Tymanthius

Civil court doesn't operate the same way criminal does. Not to mention that it's possible they got the info as part of routine work done, although copying it is problematic. Consider too that the MSP at the time potentially had a legal right to go through anything, depending on how the contract was set up.


thursday51

In Canada there is an explicit rule in the Criminal Code against unauthorized access to electronic data. You may be allowed to do things like back up the mailbox or journal it or migrate it or rub it all over your buttered up nips while moaning the client's name...those are debatable based on the terms of your agreement. But unauthorized access, i.e. reading and copying without permission, is HIGHLY illegal, and no amount of "putting it in the contract" can absolve them of breaking the criminal code.


anothergaijin

People seem to think because something is in a contract that makes it ok - it doesn't. A contract cannot contradict or override the law.


Valkeyere

I see it in EULAs all the time, which still count as a contract. They make a point, if you are an Australian citizen for example, that the EULA is only valid where it doesn't breach Australian consumer law. Makes no effort to tell you where it does and doesn't though.


anothergaijin

Problem is that it isn't illegal in any way to fill a contract with blatantly illegal, nonsense or contradictory clauses; it only makes a contract void or unenforceable depending on how it is wrong. It is very annoying having to become extremely knowledgeable about my own business's area of work and the laws governing it, because as good as lawyers can be there aren't exact answers and you need to know which direction to go when writing or agreeing to contracts.


lesusisjord

This just triggered an "a-ha" moment in my head. Lawyers don't just ensure their own documents are legal - they need to know enough about their areas of practice to know when others are working outside the bounds of the law with their contracts, either intentionally or accidentally. Now thinking about it, it's like, "No duh." But yeah. Time for bed.


rfc2549-withQOS

Salvatorian clause...


thursday51

Exactly!


trueppp

....I don't think that you understand what this means. If the wording of the contract authorizes the MSP to access all systems without clear limits to that access, it is no longer an unauthorised access to the systems. The client authorised it when the contract was signed.


TheButtholeSurferz

Even if I had full, unmitigated compliance and legality issue to that information from the client, I WOULD NOT do it. It's a moral thing to me, I don't want to, and my job does not require me to do anything that is going to harm my career and my reputation. It's simply a safe way to operate: I don't know what it is, I don't care what it is, and unless you willingly SHOW it to me, I will never know the contents of that information. Plausible deniability enforced.


Tymanthius

Yes, but if the contract is worded 'properly', or vaguely, enough then it can cover that. And in response to /u/thursday51 - I've seen some pretty broad contracts that people have signed.


thursday51

What? No, in no way would any contract give them permission to rifle through your email and *read the contents for their own ends*. That's a gross overstep and abuse of admin privileges, full stop. I'd fire this MSP in a heartbeat AND sue for damages incurred having to replace them for such a breach.


jimmyjohn2018

Fortunately this won't get far in civil court because it is quickly going to become a criminal case for the MSP.


Tymanthius

If you're saying the MSP was acting criminally, then your assertion that it will become a criminal case (in the US, at least) is almost certainly laughable.


jimmyjohn2018

I have an acquaintance spending 12 years in prison right now for harassing someone over email and attempting to break into an account. These laws are taken insanely seriously.


Tymanthius

That's cyber stalking. A completely different set of circumstances.


Misterrmac

If you don't have a non-disclosure contract, yeah... otherwise, if the how and what are probable, they don't have a leg to stand on. I wouldn't EVER engage in business with anyone that can access my company's data without a signed NDA.


The_Autarch

Plenty of lawyers don't know anything about technology, including IT law. The MSP might have just told them they were allowed to access their client's emails because they were the admin.


concerned_citizen128

May also be written into the MSP agreement... Some people don't read them.


Ewalk

Are injunctions public record in Canada? If so, I'd file one with just the accusation. Either the magistrate rules they shouldn't have the data, which helps OP, or the magistrate rules that it's in the agreement (which it absolutely should not be) and is enforceable, but now it's public record that the MSP gets free rein over customer data.


thursday51

You cannot add something illegal into a contract and expect to be allowed to break the law...


ephemeraltrident

I tend to agree. Emails have two sides, so it's possible they were obtained from the former employee; why that employee would provide them, we couldn't know. Also, we have no idea what's in the MSP's contract; they may have explicit permission to do this.


fencepost_ajm

There's a good chance the lawyer doesn't know how the MSP obtained those email messages and is about to be horrified. The beautiful part is that since those have already been filed with the court in another case, it should be pretty trivial to get them admitted for the civil (and if possible criminal) cases against the MSP. "You entered these as evidence in a civil proceeding; how did you obtain these?"

Edit: part of the significance of them submitting them is that it makes it hard for them to disclaim them - if the documents are fake you've submitted false evidence; if real, how? Kind of like copyleft - if you argue that it's invalid, you argue that you're using something you have no right to use.


thursday51

I was thinking the same thing...they've not only broken the law, they've gone to court and admitted they broke the law. Assuming they did not get the data directly from the ex-employee of course...which would be pretty stupid lol. Either way, most non-competes are not enforceable, especially if OP reached out to the ex-employee directly as somebody they trust. And clearly what the ex-employee told them was correct, or else the law-breaking MSP wouldn't have issued a refund. All in all, things are likely going to go from bad to real bad for this particular MSP.


Skyccord

That is incorrect, and you don't know what they put in the order to show cause. The authentication of evidence happens on the defense side. The plaintiff can use whatever means they want, and you will find out how much money you need to spend to defend yourself.


thursday51

Plaintiff is not allowed to break the criminal code to obtain evidence.


Skyccord

"They shouldn't" doesn't mean they didn't. I've seen plenty of complaints written with bad data/information. My position is that they can write and use anything. That fight will become part of the actual legal case.


Affectionate-Hat-211

The MSP probably in no way would have gotten it from the client systems. They have their own email systems with those emails in them; no reason to make a bold claim like this unless you have strong evidence. If you are wrong, you are guilty of libel here in the States, at least. I would reconsider this statement.


mrmattipants

Depending on the email hosting service, the OP should be able to verify whether the MSP in question performed an "eDiscovery" or "Content Search" on their email servers and whether they downloaded any data, etc. For instance, if using Microsoft 365 & Exchange Online, I would perform an audit via the "Security and Compliance Center", particularly for any "eDiscovery" and/or "Content Search" activity, in reference to the accounts the MSP typically uses, etc. Please refer to the following documentation if more info/details are needed.

https://learn.microsoft.com/en-us/purview/ediscovery-search-for-activities-in-the-audit-log
https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal

This can also be accomplished within an on-premises Exchange Server environment. I would also imagine that Gmail and other Email Service. However, you may need to reach out to support for your email hosting service for further assistance.
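As an added illustration of the audit check described above (this is example code, not from the commenter or from Microsoft's documentation), here is the kind of Exchange Online PowerShell query an administrator can run to pull eDiscovery and Content Search events for the accounts an MSP signs in with. The account names, date window and output path are assumed placeholders; the operation names are typical audited names and should be confirmed against the linked documentation, and the AuditData fields expanded below are assumed to be present for these record types.

```powershell
# Added example: review the Microsoft 365 unified audit log for eDiscovery / Content Search
# activity by specific admin accounts. Requires the ExchangeOnlineManagement module and a
# role that can read the audit log. All account names, dates and paths are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Accounts the MSP typically uses (assumed placeholders)
$mspAccounts = @('msp-admin@example.com', 'msp-helpdesk@example.com')

# Review window; how far back the log reaches depends on the tenant's licensing
$start = (Get-Date).AddDays(-90)
$end   = Get-Date

# RecordType Discovery covers eDiscovery / Content Search events. These operation names
# are typical ones (create, run, preview, export, download); verify against the docs.
$ops = @('SearchCreated', 'SearchStarted', 'SearchPreviewed',
         'SearchExported', 'SearchExportDownloaded', 'SearchReportDownloaded')

$results = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType Discovery -Operations $ops -UserIds $mspAccounts `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

# AuditData is a JSON string; expand the fields useful for a timeline. Field names
# (Query, ExchangeLocations, ClientIP) are assumed and may vary by operation.
$timeline = foreach ($r in $results) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When              = $r.CreationDate
        Who               = $r.UserIds
        Operation         = $r.Operations
        Query             = $d.Query
        ExchangeLocations = ($d.ExchangeLocations -join ';')
        ClientIP          = $d.ClientIP
    }
}

$timeline | Sort-Object When | Format-Table -AutoSize

# Keep the raw records too; legal or a forensics firm will want the originals, not a summary
$results | Export-Csv -Path '.\msp-ediscovery-audit.csv' -NoTypeInformation
```

Run the same query once without -UserIds as well, since an MSP may act through delegated or service identities rather than the named accounts.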


sammy5678

Dump that MSP. They're going to be a nightmare on the way out, make sure to get all documentation from them and the services of another MSP to assist, and have legal involved right now. They should never be going through your email without getting approval. That's bonkers.


Willtowns

In the US, that is a crime without expressed recorded per access auth to do so.


Skyccord

Have fun finding someone who cares enough to charge them criminally.


sanitylost

I can guarantee you that, the case this MSP is trying to bring against the third party will care how this data was obtained. The court will eat them alive if they are worth anything.


Affectionate-Hat-211

It’s more likely that they got the email from their own system, not the clients’.


sammy5678

That's still the client's information. If they go through it at any time for their own benefit without disclosure, what else are they looking through or doing? It's incredibly unethical.


Mach3Tech

Accessing O365, going into a mailbox they do not own, on a computer system they own and not the client's, doesn't make any difference. They are the admin under contract. Going into a mailbox is a big no-no. There is sensitive information in that business and that employee's mailbox that the MSP has no right to. And stating US law means nothing to a Canadian court, I am fairly sure. Making an excuse just shows you agree with breaking the law and the client's trust. Sadly, most MSPs will run the risk and treat their clients like this, with the belief they have some right to do it since they have access. I would love to find out if you keep a job when you access a system you're not supposed to be in and look at information you don't own or have a right to. The 1st post was spot on.


trueppp

Without seeing the MSP agreement that OP's company signed, we cannot know for sure this was done illegally. The best way would have been a court order; that would have taken care of any doubt. I've seen some wild clauses hold up.


TheRealTormDK

Lawyer up and file the charge.


TriggernometryPhD

Fire the MSP. Hire another to monitor activity on your network. Sue the MSP.


mjh2901

I have an issue with your order. Hire an attorney to oversee contracts and look into what is going on. Find and hire a new MSP. Have the attorney fire the old MSP. Have the attorney file actions against the old MSP and notify authorities. This is one of those situations where you need a third-party legal expert guiding your process. Plus you are probably going to be sending "retain records" requests/notices to your MSP and the guy that initially helped you for the impending future legal action.


lost_signal

Beyond everything else mentioned... if this managed service provider is a Microsoft partner, and this was done within 365, I would notify Microsoft of what they did after it's done. Should get their partner status revoked.


DizzyResource2752

So either way you need to fire the MSP. However, when it comes to the law, a civil case is needed, but there could also be multiple criminal charges in this instance. Can you disclose the industry you work in? Law firms, finance, and healthcare have some of the strictest regulations on a global scale.


thursday51

In Canada, MSP specifically broke section 342.1 of the Canadian Criminal Code. Ruh-roh Raggy...


DizzyResource2752

Yep, and depending on what industry, there are additional global governances, and it gets even worse if the industry is international; then they are in for a rude awakening.


Affectionate-Hat-211

You are assuming they actually searched the opposing email system... this is a wild measure that I don't think even the lowest MSP would go to for this.


thursday51

True, I am assuming that based on the info provided by the OP. And I agree with you, I really do. I mean, you'd like to think that anybody operating in our space would do so ethically and legally, but I've seen a few arrogant, narcissistic A-Holes running MSPs in my area that I could 100% imagine doing this thinking that they could get away with it. There's always going to be a few of those types in any vertical I guess.


2manybrokenbmws

I know at least 3 MSPs that have specifically done this, happens more than you think (well, at least 3x more than you think haha)


trueppp

Maybe, maybe not. 342.1 specifies "Fraudulently, or without color of right". If access is authorised by the MSP's agreement, there is no criminal action there. Not ethical, but maybe legal.


BespokeChaos

Drop them now. Let them know. Get your network turned off. Get another MSP. Call police to file a report, get a lawyer and give them hell. Not much else you can do. Had this happen to a client. Their old IT found out they were getting replaced and tried to lock everyone out of their system.


alvanson

Metro Vancouver MSP myself. Both the police and a litigator are routes you should look into. I wouldn't expect the police to really do much more than take the report, but having the report would buy you points in a litigation. I have a few names for litigators if you are interested, and the name of a local digital forensics firm headed by an ex-RCMP investigator. Feel free to DM.


softwaremaniac

We're an MSP and I can honestly say I'm disgusted by this. This should never ever happen. If there's a request for an email search, the client executives are always involved due to it pertaining to a legal case involving a current or a former employee.

While an MSP can and often does manage your data, they should be doing it ethically and responsibly. This is a huge breach of trust and abuse of their admin power. Contact your lawyer/legal team. Every admin activity is logged in a reputable cloud solution, so it should not be hard to obtain these records, especially if legal gets involved. In that case, you can have valid proof to pursue the matter further, fire the MSP as soon as you can and find a new one.

The same goes for licenses: everything is logged, and if done through a CSP partner, records can be provided on activities when something was done.


IainKay

What does your contract with your MSP stipulate regarding how, when and why they can be accessing your data? Was the aforementioned ex-employee of the MSP legally allowed to be in contact with a customer of their prior employer? When you say overbilled on licensing what exactly do you mean? You were charged for more licenses than you required? Or the MSP added a markup to the license cost? Sounds like the anti virus was erroneously billed, but was subsequently credited back.


Willtowns

I'm not sure about the law in BC, but in most of the US, you can't enforce permanent email data access in a contract; you have to notify on each access prior to getting into it due to privacy laws.


AfterSnow8

BC has privacy laws that have the basic tenets: Do they have the need to collect such information? Is the subject informed of such collection? Do they also have the need to retain such information?


Willtowns

Then it sounds like, from what the OP said, at least 2 of those tenets were not met.


infinis

NAL, but there are too many layers here. The most important is damages. You can sue, but if the infraction damages for private information are 10k, your lawyers can go 10x that.


Character-Pitch1429

Get all your data and then fire them. Unacceptable. Put it to you this way - as an IT director of a billion dollar company, if one of my admins was caught lurking through files or emails there would be hell to pay. What makes them any different? They abused access and authority.


Necessary-Gain8069

There are usually acceptable usage policies that state there is no right to privacy on company emails. Sometimes admins will have to access emails for security purposes.


anomalous_cowherd

This is not "for security purposes". Employees have no right to privacy in their emails *from the company*. The MSP has no right to trawl through all the company data unless it's explicitly required to perform a requested service.


_DoogieLion

Number of ways to handle this - it's a bit of an odd one. I would be inclined, if I were you, to treat this like an ongoing breach/threat actor. Speak to an incident response company and line up a replacement MSP with them quietly. Treat this company like you would any malicious hacker/threat and remove them aggressively from your system with the new MSP and incident response support. Then sue them into the ground for all your costs and the breach - this is where the incident response company comes in; you will want them to evidence everything and advise you on how to proceed. It may well be that this is criminal on the part of the old MSP. If they have done this, don't assume they haven't done other shady shit. That said, it would be really odd if this evidence is permitted like you have said, so you'll need a lawyer to check if they had some legal means to do this search. Really depends on your organisation size and appetite.


thursday51

This is nuts. Disclaimer, I am not a lawyer, but I have one (Canadian criminal defense attorney) in the family, so I ran this by her... In her words, section 342.1 of the Canadian Criminal Code prohibits unauthorized access to private data by any means. In her opinion, by not *explicitly* getting your permission, just the act of opening and reading your mail *for their benefit* is illegal. Cut and dry, they have zero defense. They were not in the system helping you out and happened to accidentally see it. They had to go out of their way to find out who "sold them out" on the overbilling and failing to deliver. Just because they didn't need to "hack into the mail system" doesn't mean they have carte blanche to take your data. And just because they got caught with their pants down screwing a client and lost money on it doesn't mean they can go digging to find out who gave you the heads up! Speak to a lawyer immediately. You can also likely prove damages: their criminal activity not only breaks the contract, but you are now suffering damages by needing to replace them. Sue the fucking asses off these fucks.


trueppp

Bring your agreement...a lot will rest on that too.


lazydonovan

Sounds like talking to the RCMP and the Crown is also part of the next steps.


MSPInTheUK

I've read most of the very good comments and advice here, and yes, I agree with the community consensus that it sounds like this MSP is a nightmare and it's time to ditch them from your systems and discuss with a legal professional. However, I've had a quick thought that I don't think anyone else has covered here. You describe this as a former employee... how former? If this employee was on gardening leave, notice, or still within their contract or employ in any capacity, then it could be argued that this was an inter-company communication and the MSP should have had audit visibility of that originally. I'm not saying that excuses them taking the information themselves though. Further, this could mean that attempts to circumvent that purview, or indeed your contract with them, by communicating with this ex-employee or employee using personal contact details etc. could also reflect badly on you. Even if the employee left some time ago, if such behaviour is precluded by your contract with them it could therefore risk placing you in breach of contract that would be nigh-impossible to refute. Or to put it another way, two wrongs do not make a right, and you could absolutely have found anyone else in the entire known universe to audit suspected discrepancies with this MSP rather than a disgruntled (former?) employee that is doing the rounds!!! That's throwing gasoline on the bonfire surely. After all, you cite no resistance to crediting you back for the billing errors. It sounds from your post that the MSP has only pursued legal action against the ex-employee, but that doesn't mean that they wouldn't have breach of contract claims against involved clients if certain behaviour was deemed inappropriate. Heck, for all you know this employee was responsible for or involved in some of these failings before he left.

My comments, by the way, do not excuse their behaviour, or indeed excuse any issues with overcharging or inadequate service delivery, which is not OK, but all of this does mean that you would likely be far better served by independent specialist legal advice than Reddit.


OkRecognition6638

Basic summary points:

* Ex-MSP employee worked with us for some time. We trust him.
* He has been gone for over 2 years now.
* He dropped by for coffee to catch up; we told him our concerns.
* He did not charge us for anything, and just took a quick look as a favour.
* MSP issued us a 5-digit refund on overcharges based on our listed concerns.
* MSP sued ex-employee several months later claiming solicitation and losses.
* By the time they did this, they had already billed us through to the end of his non-solicitation period. This sounds like the only losses were what they had to refund us.
* The sworn affidavit from the MSP CEO is publicly accessible with all of our emails (internal) and to the ex-employee. We paid the court fee and got all the records, including a list of other clients that were likely involved in the search.
* We have also considered lodging a complaint with the law society against the MSP's lawyer.
* Our contract with the MSP does give them ownership of our data.
* Our email server is Microsoft 365, and they are a Microsoft Partner.
* We did not give permission for access to our emails.
* We did not solicit the ex-employee for service during his contractual period.
* Ex-employee advised us he would not be able to do any work for us until the period was over.

While we are considering legal actions, there are concerns we need to evaluate.

* We are a publicly traded company. The breach of data (done by this MSP) in this case looks bad on us.
* Legal costs are unattractive.
* We feel bad for the MSP ex-employee who has been sued just for helping us.
* We are concerned about seizing control of our data and systems. We have no trust in the MSP.


trueppp

1 - You need to switch MSPs. 2 - You need a good lawyer...that part about ownership of the data makes me uncertain about legal action against the MSP.


Ewalk

The ownership of the data is just.... odd. I can't think of a reason why any MSP would need ownership of the data. Accounts used for services (so they maintain ownership of services like Auvik and M365) makes sense, but the data in them I've always seen as owned by the client.


jamenjaw

Depending on what your line of work is, they could have broken federal law. Call the cops on the MSP in their state and bring charges against them. Ohh, and FIRE THAT MSP ASAP.


asasin114

Just a note, BC is Canada. Different rules apply, but yes, definitely call the cops.


AfterSnow8

If any of this is remotely true, lawyer up and notify your local police service. You might want to see if your cyber insurance might help cover some of the fallout from their abuse of admin privileges. As others have said, this soon-to-be former MSP cannot be trusted since they've abused their admin authority. Firing them and getting outside help from anyone other than those associated with that former MSP is probably a good start.


Optimal_Technician93

Wow. That's an incredible level of gall and stupidity. I don't know about Canadian law, but the U.S. Computer Fraud and Abuse Act would make this a 1 - 5 years in prison offense. Switch MSPs first. Your current one seems like he might be headed to prison.


thursday51

Section 342.1 of the Canadian Criminal Code is even harsher...up to 10 years lol


ChicagoCloud

Definitely fire the MSP, I wouldn't want to work with anyone that thinks this is okay to do.


kirashi3

> All of our emails with this old employee are now filed as publicly accessible record in BC Supreme Court along with another company's emails filed as a sworn affidavit by the CEO.

Assuming you're not a federally regulated entity, Office of the Privacy Commissioner right now. Straight to filing a complaint. Immediately. Right away. No entity should ever get away with privacy violations. https://www.oipc.bc.ca/for-the-public/how-do-i-make-a-complaint/


ElButcho79

If UK, MSP Director(s) could face up to 10 years in jail. You'll probably find this is more common than you think. It's inexcusable.


DirtyHarte

I’m pretty sure it’s your obligation to immediately report this as a data breach. You should absolutely talk to a law firm with data privacy and cyber expertise.


persiusone

I see it differently. The MSP owns and has rights to inspect and copy emails between MSP employees and MSP clients. If these are the emails in question, they would have been obtained legally and could be used to sue the MSP employee. The question that needs to be answered here is: were there other emails (not between MSP employees) which were obtained by the MSP and filed in court? Also, were there any subpoenas issued by the courts for access to this data? Not enough factual information in this to know.


Serspork

Dump the MSP, report them to the feds for spying on private correspondence without authorization, and hire a lawyer to sue them into the ground.


Emmanuel_Karalhofsky

You contact a seriously competent forensics organisation to obtain unambiguous evidence that the MSP has stolen data from your organisation. Then the process begins, all under the radar, if this is the road you wish to go. Otherwise, speak with a seriously competent MSP and explain the scenario so they can advise on next steps.


Nesher86

First part... OP really needs an IR team to investigate any unauthorized access by the MSP and the actions they made on the email server.


thursday51

Ehhh...dunno. Sounds like the MSP already gave them the "smoking gun" so to speak by entering the stolen emails as evidence with the courts, explicitly stating how they were obtained.


Nesher86

He has to prove this was unauthorized access and doesn't have any knowledge of how to do that. They're ready with guns blazing... he needs to be too (of course it means also getting a lawyer, and a good one!).


Apprehensive_Mode686

I’d ask yourself what you stand to gain if you go through all that. I’m exhausted already just reading that paragraph 😂 I’d love to never have another legal interaction in my life.


wstx3434

They, for one, can never trust their MSP again, and they WILL suffer monetary losses. I think it's pretty clear what they gain. Put the MSP in place for their own good and possibly other clients of theirs, and recoup losses as they move to another provider.


RevLoveJoy

It's this. Also, not to be that guy, but what the heck does their **contract** say about this situation? What can the MSP do with admin access to client systems? I have read, reviewed, signed, edited and critiqued hundreds of client contracts over the decades, and this should ABSOLUTELY be covered in the client's contract for service from the MSP. No lawyer worth the paper their law degree is printed on would file evidence with a court that they weren't absolutely certain they were entitled to hold. Imagine Your Favorite Crime Show: the judge asks the prosecutor where they got the murder weapon and counsel says, "Oh well, we knew Mr. Jones was guilty so we broke into his house and rummaged through his things, his wife's things, his adult children's things until we found this gun with his fingerprints on it!" They wouldn't just lose in court, they'd be lucky to keep their job. I'm guessing this is covered in the contract, and the legal consult OP got (unless they're a total fool) told them as much, and they didn't like the answer, and here we all are scratching our collective heads and wondering, "This isn't a technical problem and it's not an MSP problem, it's a legal problem."


thursday51

You cannot add illegal acts into the terms of a contract to give yourself cover for breaking the criminal code. If they tried, either that portion of the contract would be struck, or the entire contract could be voided.


RevLoveJoy

What about a contracted MSP searching the mailboxes they are under contract to administer, including hygiene work like "find mah lost super important email!", strikes you as illegal?


thursday51

Well, because that's not what happened in any way. The MSP searched specifically for emails to identify who ratted them out on overbilling and under-delivering on service. They are not allowed to read your mail *without permission*. MSPs are contracted to manage mailboxes, licenses, and services...not to read the contents of said mailbox. Did the MSP tell OP's company, "Oh hey, we'd like to export the contents of your email correspondence to use in a lawsuit against whoever it was that informed you we were overbilling you, for our losses"? Hell, to argue the other side, if you overbill a client and have to issue a refund, that's not a loss. You didn't earn that money in the first place. To flip your own question around on you, if you were in the MSP's position, how would you *even remotely* rationalise what they did as legal or ethical?


RevLoveJoy

The data exfiltration is, in my experience, maybe the only case where the MSP could get in hot water. Which is why my only question was, what does the contract say? To your posit about flipping it around: in the MSP's position there's absolutely no ethical argument. What they did was slimy as fuck. It was, in case unclear, NEVER my position to defend their actions. My position remains that if a lawyer filed those emails in court, I would be shocked if the same lawyer has not read and re-read the MSP's client contract in exacting detail to assure they're submitting credible evidence as it's defined in Canada. Again, I hope I did not at all come off as defending the slimy MSP. My point again is that it's very likely their low-down underhanded shafting of the ex-employee is covered in the contract.


thursday51

Well, again, I'd go back to the point that you cannot add something illegal (in this case the unauthorized access) to a contract and then point to said contract as a criminal defense. Data exfiltration is just "Illegal Act: Part Two, Electric Boogaloo".


RevLoveJoy

Okay, thank you for making that clear. I guess my position is the access is almost certainly authorized under the client contract.


The_Autarch

They gain their privacy back, which is priceless.


Apprehensive_Mode686

I wouldn’t consider a handful of emails priceless, but you do you


The_Autarch

If their MSP read these emails, how do you know they aren't reading all of their emails? And snooping through their cloud storage? I don't see how a company could afford to *not* get a lawyer involved at this point. Who knows what other data their MSP has exfiltrated.


cmoose2

Ah another example of why MSPs are dogshit. This sub is fucking hilarious.


Apprehensive_Mode686

The person that posted this thread is not an MSP, it’s a customer of an MSP. If you like burning through cash on lawsuits where you stand to gain very little, have fun. I never said the MSP didn’t fuck up (they did); I’m just suggesting that unlike on the internet, it doesn’t always make sense to fire up the legal machine just to make a point.


brokerceej

Something doesn't add up here. If they already submitted the emails as evidence to the court for their own case, they probably didn't do anything nefarious to obtain them.


OkRecognition6638

They searched our email server (and other companies they support) that they manage to acquire the emails, removed from our server, and used them without permission of our company. They are claiming "losses" due to former employee contract. They filed this when there could have been no other losses in the period of time that contract covered other than the overbilling.


mspstsmich

How do you know they searched your email systems? For every email sent there is an email received. Are you willing to spend 100K+ because they may have accessed your data without permission?


OkRecognition6638

None of the emails were to them, some were internal emails. Very clear from emails that they came from our own server. Also, the CEO of the MSP stated that the emails were discovered after an "investigation" in which they "accessed [our] email server and pulled additional correspondence from between [us] and [third party]."


GeorgeWmmmmmmmBush

How do you know that the party being sued didn’t forward or send them to someone else who may have forwarded it to the previous MSP?


donatom3

Do you have a spam filtering service with them? It's possible they pulled it from there too. I do agree their lawyer would be stupid to file this case if they obtained the emails illegally.


OkRecognition6638

No, all systems are ours, managed by them. We are at the point that we do not trust that they are not continuing to monitor all of our communications. They have full control of the systems.


SM_DEV

So the email servers are on prem and belong to you? Are you absolutely certain of that? If not, you may be a tenant of the MSP on THEIR equipment, which absolutely gives them the legal right to conduct an investigation, no different than investigating suspected child pr0n or similar activity. In addition, unless you are the owner of your company, you might not be privy to the confidential communication between the c-suite and the MSP and their legal counsel… including subpoenas.


thursday51

You are 100% incorrect with regards to the MSP's rights here. Not sure about other jurisdictions, but Canada has very explicit rules laid out in the Criminal Code for this exact situation. MSP may have rights to manage the mailbox but they have zero rights to access, read, and exfiltrate the content of the messages without explicit permission. This would still be the case if they had a spam filter that also housed OP's mail.


SM_DEV

You may be correct with regard to Canadian law. However, you would be 100% incorrect to believe that every MSP resides/operates within the jurisdiction of Canadian law. Moreover, if the equipment is actually owned by the MSP and OP’s company is a mere tenant, then different rules would apply. In addition, the MSP has every right to issue a subpoena when preparing to bring forth litigation against a former employee. If a subpoena was issued and OP’s company was not able to quash the subpoena, then they would have to allow access to their data for the limited purpose of preparing a complaint against a former employee and if they refused, they would have to answer to a judge who might fine them or perhaps even jail the offender. You may not like this, and it might even offend your delicate Canadian sensibilities, but these are the legal rules in the vast majority of US jurisdictions. I can also say, that as an MSP, we would have terminated services for any client who conspired with a former employee and perhaps sought damages from the former client as well.


thursday51

What exactly would the MSP be issuing a subpoena over? "We got caught overbilling our client and want to sue the person who told the client this?" In Canada, non-compete clauses are exceedingly hard to enforce, especially if OP sought out the Ex-Employee for advice. Now, if emails showed that Ex-Employee reached out and said "Hey, MSP is overcharging you and not doing a good job, switch over to my new MSP and I'll help you get a big refund" then that could definitely break the solicitation clause which is usually an easy thing to sue over. But in this case that's not what this sounds like, and the MSP really had no "losses", they just had to own up to their mistakes and make them right. Admittedly the rules are murkier when using the equipment owned by another company. They could have specific "Acceptable Use" clauses...but again, I'd like to see how that would play out with regards to a criminal code complaint. And this isn't what was happening here, at all. Also, it appears the US shares my "delicate Canadian sensibilities" regarding this matter, as under 18 U.S.C. §1030, "it is a crime to intentionally access another person's email *without their permission* and obtain information of value". In fact, I think the US Computer Fraud and Abuse Act is a lot clearer with their wording than the Canadian criminal code. Probably worth a quick read so you can see what I'm talking about.


brokerceej

No lawyer would let them file a case if the emails weren't obtained legitimately. Their attorney probably subpoenaed them from the person in question. OP probably forwarded an email from the person saying "See this former employee says you're over billing me!" and that was all they needed to start digging. Not to mention, overbilling is a subjective thing not an objective one until you get to price gouging territory. How much are we talking here? Paying MSRP or a little over? There's a lot of important info missing here. Dude was extremely dumb to work for his former employer's clients. That's truly unethical on both OP's and the former employee's part and they made their own bed here.


Skyccord

You are completely wrong. Nobody grants a subpoena without a case attached.


ProudCanuck

They obviously didn't have the company's permission to search the company's emails for correspondence between the company and the third party. The MSP has proven they accessed the emails in question by filing them as part of their lawsuit against the third party. What are you not understanding here?


cmoose2

May have? Of course this sub would take up for MSPs doing illegal shit lmao.


dcdiagfix

Not a job for the IT janitor, it’s a job for your legal team or legal counsel.


Physical_Aside_3991

Put them on blast. If you're not going to fire & then sue them, you need to make sure every client they have leaves.


machacker89

not a good idea if they want to pursue legal action.


Vyper28

I’m in BC (Fraser valley) if you’re local and end up needing help on this drop me a message. Also curious what the outgoing MSP is, as we’ve had some nasty experiences with a few players in this area…


livinindaghetto

I was going to say the same. Also very curious as to who the MSP may be, but fully understand not posting it publicly especially with legal actions in progress.


alhttabe

MSPs are paid to manage the services and should not be accessing particulars of tenants except to provide specific tasks. I.e., you may approach them to create a new mailbox or perform an e-discovery. If they are accessing your data without knowledge or consent of your company's executives, that could constitute a data breach that your company's executives may need to report to authorities. Either way, this matter is a legal matter now, not a technical matter.


SouthernHiker1

Is there an NDA clause in your contract with your MSP? Contact a lawyer, fire your MSP, and listen to your lawyer.


FostWare

I’d lawyer up and ask for discovery on the other clients involved. If they’re all unaware their emails were exfiltrated without explicit permission, this MSP may find out how extensive their Professional Indemnity insurance is, and how badly their reputation will suffer when this comes out. Reputation is often a factor in choosing an MSP. A checkup can be argued as not maintenance, and therefore not breaking the likely customer non-compete clause in the ex-employee’s contract, but that’s for them to fight.


Assumeweknow

You have cause to switch MSPs without ETF.


tech_is______

I don't know what contract law is like in Canada, but it sounds like every one of the players broke the law... so this is a mess.


FuriouslyFurious007

Any chance you'd be willing to at least give the initials of the MSP so others can know to avoid them/terminate their contracts with them?


TigwithIT

Look at your contract. You are signing away a lot of your rights when you have an MSP manage your data. Are they supposed to do it? No. Do they have the power and control of ALL your accounts to do so? Yes. What if you had to pay them to find data, restore emails, or search etc.... add or remove users. You sign away all that when someone else manages your data. You may be able to build a case since there was a suit involved on it without your permission and used in public. But they may also have a clause in their contract. Report it to a lawyer or police, but it would be misuse of data and essentially fraud since they are using your data in the claim you were ok with it. There should be a "this is confidential" notice in the footer of your emails, like all decent MSPs and every company in the world started doing. Which means they can't use the data without permissions outside of normal communications. Now if you don't have the confidential statement and other items or there is a contract. Yeah, welcome to someone else owning your data that you pay them for.


iloveScotch21

Before you fire the MSP make sure you have admin access to the portals that belong to you. Particularly M365.


Berg0

Were the e-mails to the “old employee” sent to their MSP email account, or a separate e-mail domain?


fluffywindsurfer

Can you DM the MSP name so we don’t use it?


neilfs

Onboarded several companies where the previous MSP has given themselves delegated access to users' mailboxes, usually directors and managers, so blatantly targeting decision makers' emails. Makes for a difficult email at the very earliest stage of taking on a new customer but an important one. I’ve seen it in approximately 10% of companies we have onboarded. It’s a significant betrayal of trust, completely unacceptable on a professional level. But wider, what if such an MSP stumbled across illegal content, a crime? How do they have an open and honest conversation with their client having read their emails? But there are reasons why we need to see data: restoring a backup, confirming a sample set of files open without reading or comprehending the data within. MSPs who abuse their power will make supporting and managing our clients' data difficult. I can see a time where cloud providers alert users to delegated permissions.


ManagedNerds

Delegated access to the mailboxes? Really? Do these MSPs just have 0 technical knowledge? There's a much better way to do this that doesn't require delegated access to a whole mailbox. There are a few cases where I can see an MSP needing to get emails directed to a specific customer mailbox. That would be the inbox where the internal IT tickets come through (if they've fully delegated their IT to you), and the inboxes where security alerts arrive or domain renewal notices arrive. But it's just plain disgusting to grant yourself access to inboxes of company leadership as those should not have anything you as an IT provider need to have access to.
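An added example, not code from either of the two commenters above: a PowerShell audit that lists every non-default FullAccess, SendAs and SendOnBehalf delegation in a Microsoft 365 tenant, which is the check an incoming provider or internal admin would run at onboarding to surface the kind of self-granted mailbox access neilfs describes. It assumes the ExchangeOnlineManagement module is installed and uses a placeholder admin UPN.

```powershell
# Added example (not from the thread): enumerate mailbox delegations in an
# Exchange Online tenant so a new admin can see who holds FullAccess, SendAs
# or SendOnBehalf on each mailbox. Requires the ExchangeOnlineManagement
# module and an account with at least the View-Only Recipients role.
# admin@example.com is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com -ShowBanner:$false

# Every mailbox carries an ACE for its own security principal; that entry
# is not a delegation and is excluded from the report.
$selfPrincipal = 'NT AUTHORITY\SELF'

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties GrantSendOnBehalfTo) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level rights (FullAccess, ReadPermission, ...) granted to others.
    Get-EXOMailboxPermission -Identity $upn |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -ne $selfPrincipal } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $upn
                Delegate = $_.User
                Right    = ($_.AccessRights -join ',')
            }
        }

    # SendAs rights let another principal send mail that appears to come
    # from this mailbox; report explicit allow entries only.
    Get-EXORecipientPermission -Identity $upn |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and $_.Trustee -ne $selfPrincipal } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Delegate = $_.Trustee; Right = 'SendAs' }
        }

    # SendOnBehalf is stored on the mailbox object itself.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $upn; Delegate = $delegate; Right = 'SendOnBehalf' }
    }
}

# Review on screen and keep a CSV as the onboarding record; any delegate that
# belongs to the previous provider rather than a known user is a finding.
$findings | Sort-Object Mailbox, Delegate | Format-Table -AutoSize
$findings | Export-Csv -Path .\mailbox-delegations.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Entries whose Delegate is a shared mailbox or a security group still need a second look at that group's membership, since the delegation is only as narrow as the group.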


Dry_Inspection_4583

You carve them out immediately after issuing a cease and desist alongside a report to the police and serving them notice. IANAL. I worked alongside *** Solu***s, who attempted this type of shit, making bold statements like "you can't have more than one static IP at a location, that's not how the internet works" alongside technicians flippantly using lax security on the VPN. Installing a mini PC to maintain VPN connectivity because they screwed up the configs. And best yet was the techs that didn't understand port forwarding telling me, that's not something you can do, that's not how that works... More recently I had an encounter with a vendor who was attempting to implement SMTP, I gave them the required information, and was met with "we need admin access", tha fuck you do. The dev couldn't get a standard MS SMTP account configured, I used 5 minutes and chatgpt to write a quick script that sent emails with the account... People need to embrace "I don't know" a whole lot more.


RaNdomMSPPro

Pretty nice of that MSP to give you cause to immediately sever the relationship. Get a competent attorney who has handled situations like this before.


DryBobcat50

Contact an attorney, not reddit. If needed, treat it as a cyberattack and work with a vendor specializing in emergency data recovery and breach services.


Tyr-07

Are you able to DM the MSP?


bhcs2014

I would be contacting other MSPs and looking to get away from them ASAP. Why aren't you doing that?


jv159

Wait, so the customer approached the MSP’s former employee, he gave them a free assessment and found they were being overcharged on licenses then got sued for it? Who won the case? North American MSP is absolutely wild.


OnpointSystems

Let’s not skip the facts and forget the origin. You vetted one of the MSP’s employees, which is a no-no, with the intent, like always, to receive a “free” spot check. If you felt you were being over billed and under serviced you should have contacted the MSP and discussed it. If indeed you wanted to verify services being rendered, you should have hired a 3rd party or another MSP, not someone with ties to the current MSP. I get it, “free” is what caught your attention. As for the MSP getting your data, if they are backing up your mailboxes, they could have restored the emails to a different mailbox to get the emails, unless they know all the passwords to all the email accounts, but if MFA was enabled then it is not easy to just access email accounts. OK, with that out of the way, yes the MSP should not have used your emails to gather the evidence to prove you solicited an employee because it is probably in the contract you signed. This is going to be tough for sure and will require speaking with a lawyer to figure out your options and chances of success based on your goal; however, they filed first so you are already at a losing pace.


wideace99

Insourcing... hire your own IT&C department instead of outsourcing. You can even start with the old MSP employee if you trust him.


The_Autarch

Psst, hey buddy... this is /r/msp


roll_for_initiative_

I mean to be fair, it's not that MSPs are against insourcing but consider, it's hard to get SMBs to even pay MSP rates for IT stuff, if you can convince them to spend like 2-5x that for a proper internal IT department, good for you man get it done.


lowNegativeEmotion

I miss privacy. I hope you win some compensation money because there are tons of companies that sell your data. After the January 6th "insurrection" companies voluntarily forwarded travel itineraries, credit card usage and cell phone tower usage. If you used your credit card near XYZ coordinates between Jan 1-Jan 7 your name was on a list. It's outrageous, I wish more people took privacy seriously.


thursday51

"I wish I had privacy to break the law" Buddy, what? Those records were likely granted via subpoena while investigating a criminal offense. Not even remotely close to trying to see if a barely enforceable non-compete clause was broken.


lowNegativeEmotion

In a totalitarian society EVERYONE is guilty of breaking a law. It's not court ordered subpoenas that I'm worried about. I like those. I'm talking about "narcs as a service" that bypass the rule of law for privacy. Law Enforcement doesn't need a warrant to search your Ring doorbell videos. I don't object to cooperating with an investigation, but I do object to using my house as part of the surveillance state.


YourBitsAreShowing

Try again. Not only can they not access it at will, they can't even access it by request without a warrant. They have to directly ask the owner face to face or get a warrant: As of January 2024, Ring, an Amazon-owned company, no longer allows police to request doorbell camera footage from customers through its app. Ring removed the "Request for Assistance" tool from its Neighbors app, which allowed law enforcement agencies to request and receive video captured by Ring's doorbell cameras. Ring did not provide a reason for the change, but privacy concerns have been growing. The change gives Ring customers more control over their footage and how it's used. However, officers can still ask Ring camera owners for their video, and law enforcement agencies can still access videos using a search warrant in a small number of circumstances. Now back to the subject at hand.


lowNegativeEmotion

Hey! That's great news and I'm glad to be wrong.