
Navigating IT Liability in 2025: Strategies for Mitigating Risks

As cyberthreats evolve and data privacy laws tighten, companies must address IT liability. Here are key steps every company should take.

Industry Perspectives

January 18, 2025


By Robert Scott, Monjur

IT liability is an issue companies must carefully consider as they enter 2025. The threat landscape is evolving rapidly, with cyberattacks becoming more sophisticated and effective every day. At the same time, data privacy laws place more responsibility on companies that gather and store information about customer identity and activity.

To minimize risk and maximize security, every company should take steps to address the following key IT liability concerns:

Third-Party Audited Controls

For companies that manage sensitive information or outsource its management, third-party auditing of controls is a prudent investment. By obtaining an independent attestation, based on a recognized control framework, that the company's controls meet best practices, a company communicates a strong commitment to keeping data secure. The attestation is only as meaningful as its scope, so the systems, locations, and service providers it covers should match what customers are actually relying on.

Relying on third-party auditors also helps companies ensure they operate based on the most up-to-date insights on security and efficiency. Third-party auditors provide the expertise needed to stay ahead of hackers and satisfy regulators.

Insurance

Client IT issues can quickly turn into allegations of negligence, errors, or omissions. Insurance protects companies from the financial loss that can result from those claims. Investing in insurance can provide protection against claims relating to negligent advice, breach of contract, copyright infringement, or misrepresentation of services or qualifications.


Companies providing IT products or services should have professional errors and omissions insurance, which typically covers damages and legal costs. Companies that utilize third-party providers to store sensitive customer data should have first-party cyber insurance, which covers the financial ramifications of a data breach.

Master Service Agreements

Master service agreements (MSAs) are central to addressing a company's IT liability exposure. They serve as legal contracts that outline the general terms and conditions of the business relationship, including payment terms, confidentiality, and the allocation of risk and responsibility when damages or losses occur. MSAs also address risk-balancing elements, such as indemnity, insurance, and limitations of liability.

For companies engaging in long-term relationships that may involve multiple projects or deliverables, MSAs streamline the contract process by establishing a comprehensive framework. They ensure both parties understand and address key liability elements from the beginning, cutting down on the time needed for negotiations and legal examination.


Service Attachments

Whereas MSAs address IT liability in broad strokes, service attachments address specific details for particular projects. They are supplemental documents that protect against liability gaps, clearly documenting customer obligations and exclusions applicable to each new offering.

Service attachments can address the scope of work for a project, establishing responsibilities and limiting liability to clearly agreed-upon projects or services. They can include clauses that define liability boundaries, specifying responsibilities for events such as data breaches or system failures. Service attachments can also outline indemnification clauses and stipulate insurance requirements.

For IT companies relying on subcontractors to deliver elements of a project or to manage components of a platform, service attachments should include specific waivers disclaiming liability for third-party providers. Such waivers are common practice; they allocate risk and spell out the limits of the IT company's control when third parties are involved.

Service attachments can also address liability arising from criminal acts. Specifically, they can exclude the IT company from responsibility for criminal acts committed by third-party vendors, such as the insertion of ransomware or other malicious code into the software the vendor supplies. Such a clause allocates the resulting losses between the contracting parties; it does not prevent regulators or customers from expecting the IT company to have exercised reasonable diligence over the vendors it chose.

The overarching goal of a service agreement should be to reduce ambiguity, mitigate risk, and improve the business relationship by providing a clear and transparent agreement.

Agreements Specific to AI Services

Artificial intelligence has significantly improved the capability of IT platforms while also significantly increasing the complexity of liability risks. AI introduces new levels of unpredictability to the IT world, exposing companies that use it to the risks of AI hallucinations and other unforeseeable consequences. To address those risks, companies should update MSAs and adopt new service agreements specific to AI services.

One issue to address is liability related to algorithmic bias. Companies should establish safeguards that protect them from liability for discriminatory outcomes, and ensure they are also protected from liability for security breaches that expose the data used to train or prompt AI systems.

It is also critical that companies invest in processes to track developments in the legal and regulatory fields affecting AI-related liability and update contracts and agreements as soon as possible to address those developments.

Data Processing Terms

Companies seeking to address their IT liability must ensure agreements and contracts use the terminology defined by the applicable privacy and security laws. In the area of data protection, for example, companies can be subject to the requirements of the European Union's General Data Protection Regulation, which defines key terms such as "personal data" and "processing," and the California Consumer Privacy Act, which defines "personal information" and grants consumers a "right to know." When IT services are provided to healthcare providers, the requirements of the Health Insurance Portability and Accountability Act can come into play, including the need for a business associate agreement with any service provider that handles protected health information.

When IT contracts and agreements are not comprehensive, they expose companies to unnecessary risks. To avoid those risks, companies must consider, understand, and address all their vulnerabilities, updating and adapting their legal agreements as the business landscape evolves.

About the author:

Robert Scott is the CEO and co-founder of Monjur, Inc., a pioneering legal technology platform that is transforming contract management and compliance for small businesses. A seasoned attorney with a deep background in litigation and technology law, Rob has been recognized as Technology Attorney of the Year by Finance Monthly and named a Top Entrepreneur to Watch by USA Today.

Before launching Monjur, Rob built a distinguished career as a trial attorney, representing businesses and technology companies in complex litigation. He holds an AV Preeminent® Rating from Martindale-Hubbell, the highest peer rating standard, reflecting his exceptional legal expertise and ethical standards. Under Rob's leadership, Monjur has rapidly scaled, now serving nearly 600 businesses, providing them with innovative legal solutions that streamline contract workflows and ensure compliance.

Rob is also the host of Talk Tech with Rob Scott, a podcast where he explores the latest developments in legal tech, risk management, and entrepreneurship with industry leaders and innovators. A recognized thought leader, Rob regularly contributes to industry publications, sharing insights on the future of legal automation, business risk mitigation, and technology-driven legal strategies.
