WISP is the acronym for Written Information Security Policy. The information at issue is an individual’s personal information and identifiers, such as a Social Security number, driver’s license number, credit or debit card or bank account number, or passport number.
Given the problem of identity theft, and the recent news headlines of massive hacking of personnel records of present and former government employees, Connecticut employers should remember that they possess sensitive personal information of their employees, simply by virtue of obtaining a W-4 form with Social Security number at the time of hire, and often a bank account number for direct deposit. Under Connecticut statutes, employers have a legal duty to protect this information, and to safeguard the computer files and documents which contain such information.
In particular, General Statute section 42-471 requires businesses which collect Social Security numbers to create a privacy protection policy which will protect the confidentiality of Social Security numbers, limit access and prohibit unlawful disclosure; in short, to have a WISP. Moreover, employers must publish or publicly display the WISP, such as in a policy statement or employee handbook. The statute specifically allows for publication of the WISP by posting on an Internet web page.
Of course, a policy cannot just be created and published, it must also be enforced. But compliance with the statutory requirement to publish or display the WISP is the first step, and provides the basis for training and supervision to ensure that the policy is carried out.