
You ever watch someone walk straight into oncoming traffic?
That’s what it feels like watching MSPs ignore their compliance obligations.
They think because their clients are the ones with HIPAA or FTC Safeguards rules on their backs, they’re safe. Like HIPAA only applies to hospitals and the FTC only cares about B2C companies.
Let me clear that up: If your client is regulated, so are you.
Your Client’s Risk Is Your Risk. Period.
When you sign that service agreement, you’re not just promising to fix printers and reset passwords.
You’re promising to be the adult in the room. The one who knows what “reasonable security” means. The one who reads the policies. The one who builds the stack to prevent a lawsuit—not cause one.
But here’s the kicker: your client assumes you’re already doing the right thing.
- They assume you follow HIPAA if they’re in healthcare.
- They assume you follow FTC Safeguards if they’re collecting consumer data.
- They assume you’re managing compliance for them and for you.
If you’re not?
You’re not just failing a client. You’re exposing your own business to catastrophic risk.
Let Me Tell You a Little Story: MTL v. Ntirety
In April 2025, a HIPAA-covered lab called Molecular Testing Labs sued their managed services provider, Ntirety.
Why?
Because Ntirety got breached. Their systems—which were hosting MTL’s patient health information—got popped by a ransomware gang. And just like that, patient data was on the line. Lives were potentially at stake.
Here’s the part that should make you sweat:
- Ntirety had a Business Associate Agreement with MTL.
- That BAA required them to implement reasonable security controls, comply with the HIPAA Security Rule, and indemnify MTL if anything went wrong.
What went wrong?
Everything.
Ntirety allegedly failed to maintain proper safeguards, delayed their response, and even tried to bill the client for breach support.
Now they’re being sued for the cost of the breach, credit monitoring, legal fees, and damage to reputation. And let’s be clear: there’s no cap on this kind of liability.
Compliance Isn’t a Suggestion—It’s a Legal Obligation
If you’re supporting clients who fall under HIPAA, the FTC Safeguards Rule, GLBA, CMMC, whatever—you are a business associate.
That means you don’t get to opt out of compliance. You are legally on the hook.
And if your internal stack is garbage? If your policies are outdated? If you think compliance means “hoping nothing goes wrong”?
You’re playing Russian roulette—with your company’s future.
“Always Do the Right Thing” Isn’t a Slogan. It’s Your Defense Strategy.
At Galactic, we live by one principle: Always do the right thing.
That includes aligning our MSP’s internal policies with those of our clients.
If our client needs to follow HIPAA, so do we. If they’re held to the FTC Safeguards Rule, our tools, documentation, and evidence need to be up to spec.
Because if a breach happens—and let’s be honest, it will—we want the ability to prove, beyond a doubt, that we did our job.
Evidence isn’t a nice-to-have. It’s your only defense.
“I Didn’t Know” Isn’t a Defense—It’s an Admission of Guilt
You’re not going to lose your business because your firewall failed. You’re going to lose it because:
- You didn’t follow compliance yourself.
- You didn’t track or document decisions.
- You couldn’t prove what you did—or what your client refused to do.
And let’s make one thing crystal clear:
In the eyes of regulators, insurers, and the courts—ignorance isn’t innocence.
Saying “I didn’t know” won’t get you off the hook. It won’t reduce the damages. It won’t stop your client’s attorney from tearing your business apart.
Not knowing is the first thing they’ll use to prove negligence.
If you’re supporting regulated clients but haven’t aligned your own operations with the same standards, you’re not just uninformed—you’re exposed.
This is the line MSPs cross every day without realizing it. And when the breach happens, and the subpoenas hit your inbox, there’s only one question that matters:
Can you prove you did the right thing?
Because if you can’t, it won’t matter what you meant to do.