MA Requirement For a WISP. Posted on My Firm’s FB page and probably BBW, Too

by | Jul 17, 2023 | General

Everyone knows, or at least has heard of, the data privacy policies that websites post about the data they collect. But did you know that Massachusetts has a law (MGL Chapter 93H) and a regulation (201 CMR 17.00) covering personal information in any form, paper or electronic, collected online or off? The regulation took effect in 2010.

Part of that regulation requires your business to have a WISP.

When the law was passed and the regulation implemented, there was a flurry of articles about WISPs. If you have been in business for a while, you likely already have one (or you should). If you are new to business, you may not even be aware that you need one.

So what’s a WISP? 

WISP stands for Written Information Security Program. The regulation requires one of anyone who owns or licenses records containing personal information (PI) about a Massachusetts resident, whether those records are kept electronically or on paper.

Well, what is PI? 

PI is a resident's first name (or first initial) and last name PLUS one or more of the following: Social Security number; driver's license or state-issued ID card number; or financial account number or credit or debit card number (with or without any required security code, access code, PIN or password). Information lawfully obtained from publicly available sources or public government records is excluded from the definition.

MGL 93H was amended not too long ago, with compliance required by April 10, 2019. MGL 93H sets the duty and the standard that people or businesses who own or license PI must meet to safeguard it. This includes standards for computer system security (spelled out in 201 CMR 17.04), a duty to notify affected residents and the state when a breach is known or reasonably suspected, a duty to cooperate with law enforcement, and the requirement to have a WISP.

The amendment, Section 3A, specifically addresses additional requirements and duties when the breach involves a MA resident's PI that includes their SSN, most notably the obligation to offer affected residents free credit monitoring (at least 18 months) and to certify that to the Attorney General.

There is no "standard" form for a WISP, but a WISP typically will include (this list is not exhaustive):

  • A designated person responsible for maintaining, reviewing and updating it
  • A risk assessment identifying the internal and external risks to PI and evaluating the current safeguards
  • Security policies for employees, including how PI may be stored, accessed and transported off premises, and disciplinary measures for violations
  • Access controls, limiting access to those who need it for their job, and prompt termination of access rights when an employee leaves
  • A vendor management program that includes compliance with the data security regulations in contracts with vendors that have access to PI
  • Restrictions on physical access to PI
  • Encryption of PI transmitted over public networks or wirelessly, and of PI stored on laptops or other portable devices, to the extent technically feasible (201 CMR 17.04)
  • Monitoring of the program so it stays relevant and up to date with new technology and risks
  • Review of the program at least annually, or whenever there is a material change in business practices
  • Employee training on the content of the program
  • Documentation of any incidents and the response to them

What happens if you don’t have a WISP?

Not having a WISP is itself a violation of the regulation, and a breach is usually what brings that violation to light. MGL Chapter 93H lets the Attorney General enforce it under MGL Chapter 93A, with a civil penalty of up to $5,000 per violation plus reasonable attorney's fees and costs. Separately, MGL Chapter 93I covers improper disposal of records containing PI and allows a fine of up to $100 per data subject, with a maximum of $50,000 for each instance of improper disposal.

Need a cyber insurance policy? You will more than likely need a WISP first; insurers commonly ask for it during underwriting.

Massachusetts isn't the only state with a WISP-type requirement (more than 25 states have one), so you are subject to other states' data protection laws if you hold PI about their residents, too. Since the MA law and regulation are among the most stringent, complying here means you are more than likely covered in other states as well, though you should still check each state's notification rules after a breach.
