What's In Your WISP?

Colin Coleman, John Ottaviani, Brian Reilly
Partridge Snow & Hahn LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Partridge Snow & Hahn LLP

We routinely recommend to clients that they develop a written information security program (“WISP”), to safeguard sensitive information on a day-to-day basis. In fact, businesses (wherever located) that collect, store or use personal information about a Massachusetts or Rhode Island resident are required legally to develop and maintain a WISP. For purposes of these legal requirements, personal information can be as little as a first name, last name, and the last four digits of a social security number, credit card account number, or bank account number.

Business leaders need to understand that the WISP is a “program,” not a “policy.” A WISP should describe a system by which one runs the business on a day-to-day basis to safeguard sensitive information. Some clients treat WISPs as policies that they can have drafted, only to then be set aside and never reviewed again. Some businesses have copied a WISP from a form found on the Internet, or a form provided by another company, but have not taken the time to customize it for their business. Other companies want to say they have a WISP, but do not actually make any operational changes to implement the purported security programs described in the WISP. Recent amendments to Massachusetts law make these practices, as well as not having a WISP at all, much more risky.

Using the Massachusetts rules as an example, there are specific requirements for what your company’s WISP should cover. Some of these include:

  • The scope of the WISP as to what business and what employees (typically all) the WISP applies, and what personal information is collected by the business
  • The identity of the information security coordinator for the company and his or her responsibilities for implementing the WISP, training and reporting to management
  • The company’s information security policies and procedures (the WISP can reference existing policies HR and IP policies, as applicable, and identify any additional policies )
  • The administrative, technical and physical safeguards that the Company has implemented to protect personal information
  • The procedures the Company has implemented to oversee vendors that have access to personal information on the Company’s behalf
  • The penalties/disciplinary actions for violating the WISP
  • The schedule for reviewing and updating the WISP and security measures (at least annually)
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Partridge Snow & Hahn LLP | Attorney Advertising

Written by:

Partridge Snow & Hahn LLP
Partridge Snow & Hahn LLP
Contact
more
less

Partridge Snow & Hahn LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide