Data Privacy Primer: Why Your Business Could Need a WISP (short for a “Written Information Security Program”)
What is a WISP and why does your business need one? A WISP, or Written Information Security Program, is a document that outlines the specific safeguards and policies that an entity has in place to ensure the privacy of its customers with whatever personal information it stores or interacts with. Sometimes, it is required by law. Having a WISP demonstrates to regulators as well as to existing and potential customers that your business has reasonable security measures in place.
The point of this is not to just tell you why you need a WISP. An increasing number of state laws mandate a WISP, so aside from being good practice, there is no question that having a WISP is in the best interest of businesses.
To illustrate this, let’s take a look at Massachusetts. With some of the most stringent and detailed state-level data security requirements, Massachusetts (201 Code Mass Regs. 17.01 to 17.05) was the first state to enact this type of data privacy regulation. It requires every legal person (which includes business entities) that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to:
- The size, scope, and type of the person’s business.
- The person’s available resources.
- The amount of stored data.
- The need for security and confidentiality of both consumer and employee information.
The specifics of the the Massachusetts Regulation requires that every comprehensive WISP include:
- Program Oversight → one or more employees designated as the data security coordinator or coordinators to maintain the WISP
- Identifying and Minimizing Reasonably Foreseeable Internal and External Risks → common risks include inadequate personnel training, unencrypted personal information, personal information in paper format, lack of control over portable devices
- Third-Party Service Providers → oversight of third-party service providers to implement and maintain appropriate measures for protecting personal information
- Massachusetts Regulation: Computer System Security Requirements → If an organization stores or transmits personal information electronically, its WISP must include establishing and maintaining a security system that covers its computers, including any wireless system.
- Meaning of Technically Feasible → Technically feasible means that if there is a reasonable means through technology to accomplish a required result, the organization must use it.
- Encryption → the transformation of data into an unreadable form where meaning cannot be assigned without the use of a confidential process or key
Given the Massachusetts Regulation requirements, a comprehensive WISP reflects best practices and can help eliminate or reduce liability of your business by demonstrating that it takes reasonable steps to protect personal information. Additionally, the Federal Trade Commission (FTC) has its own reasonableness standard for data security so having a WISP provides the benefit of being able to show the FTC your preparedness, especially in the event of a security incident where litigation or enforcement action could occur. Put simply, this is a better to be safe than sorry kind of situation.
Some cautionary tales already exist:
- Exhibiting the state’s intent to pursue cross-border enforcement of the Massachusetts Regulation and HIPAA, the Women and Infants Hospital in Rhode Island agreed to pay $150,000 and take specific compliance steps to resolve allegations that it failed to secure and report the loss of more than 12,000 Massachusetts residents’ personal information and protected health information on 19 lost unencrypted backup tapes.
- Another demonstration of enforcement was when Neiman Marcus failed to report a 2013 data breach, which resulted in a multistate $1.5 million settlement.
Take these stories as learning lessons. Failing to comply with the law in addition to compromising the security of personal data is not a good look to say the least. By having a WISP, you take the first steps to avoid making the same mistakes they did while protecting your business and its reputation. Even where WISPs are not legally required, they are a good business practice for any organization that collects, uses, stores, transfers, or disposes of personal information.
Several state and federal agencies have issued guidance documents to assist business and other organizations in performing risk assessments and developing, implementing, and maintaining their information security programs.
- For instance, the FTC’s Protecting Personal Information: A Guide for Business provides a five-principle approach to building an information security plan.
- Another resource is their Start with Security: A Guide for Business, which offers ten lessons learned from its data security enforcement actions, with practical guidance on how to reduce risks for all businesses.
- In addition, the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) organizes various globally recognized industry standards and best practices into a model that any organization can adjust to their own needs and use to identify risks and build an information security program. The recommendations from these resources are comparable to the Massachusetts Data Security Regulation’s requirements and other similar state and federal laws and give helpful technical guidance in an accessible form.
The moral of the story is that a WISP is a must-have for any business. Whether you run a large or small-sized business, handling personal information is practically unavoidable at this day in age, which is why maintaining security and seeking protection is so important. With an increasing number of states passing data security laws alongside a continual rise of cybersecurity threats, we want your business to not only comply with the law but to also exhibit best practices to the public.