If you own or operate a business in Massachusetts you must be aware of and comply with MGL Chapter 93H and 201 CMR 17.00, the statute and regulation that require you to protect the personal information of Massachusetts residents. Read my article, “Protect Your Massachusetts Business from Data Breach Liability,” for more information on the substance of these laws and regulations.
Generally, a WISP (Written Information Security Program) policy is a policy that your business implements and trains employees on annually, for the purpose of providing maximum protection against identity theft and other misuse of the personal information of Massachusetts residents. Failing to have a valid WISP policy opens a Massachusetts business up to significant public exposure and liability exposure.
The Anatomy of a WISP Policy
Identifying Risks to Personal Information
Your WISP policy should state a clear method that your organization uses to identify risks to data held by the business. For example, if your business takes clients' personal information through an intake form on a website, do you know that the company that created the website widget is reliable? Does that company make available to you a compliance document explaining the security measures it uses? How is data from the online form processed by your employees?
By looking closely at the process that you use to access and record information you should be able to quickly identify areas of risk associated with that process. Put the process that you will use for identifying risks in writing and then put that process into practice in your business.
Safeguarding Data
Encryption
How does your business keep data safe? The WISP policy used by your business should clearly state the methods used to keep data protected. For example, are you using encryption when sending this type of data by email to clients, vendors, or employees? Do you have a method of identifying whether the data needs to be safeguarded in the first place? Massachusetts law and regulation do not require data to be protected per se; only data that includes a specific set of personal information must be safeguarded, so identifying which data meets these criteria is crucial.
Access to Data
Your WISP policy should describe how data can be accessed: where passwords and other login information are to be stored, who has access to the stored password information, how access points are handled once an employee has been terminated or transferred to another location, and so on.
Storage of Sensitive Data
The WISP policy must also indicate how sensitive personal data of Massachusetts residents is stored. Ideally, you will have a secured server or cloud server. If you use a cloud-based storage method, does the storage provider offer some policy as to how records are kept safe? Such a provider policy should be kept on file at your business location to demonstrate that you reviewed your storage provider's compliance with industry standards.
The WISP should also outline how data can be stored on flash drives or other portable memory devices.
Guarding the Computer System Itself
The WISP policy must contain information as to how your business follows industry standards to maintain the confidentiality, integrity and availability of data stored by the business. Who is responsible for maintaining firewall protection, ensuring that operating system security is adequate, and protecting against malware attacks, and how is this done? How often are these policies updated?
If personal data is stored in paper form, the WISP should answer how long this information is kept and how it is destroyed.
Passwords
In addition to how passwords are stored and made available to employees, the WISP should detail the exact requirements for passwords according to current industry standards.
Working with a Third-Party
Vendors, particularly software vendors, will likely have access to personal data of the type that Massachusetts law and regulation are trying to protect. Does your WISP policy require that all third-party vendors share their policy for safeguarding personal data? If it does not, you will want to add this requirement and follow through with it.
Remember to Train
While this step in the WISP is fairly light, it can easily be overlooked. At least annually, and in any case on the schedule established in the WISP used by your business, train your employees on the WISP.
Report, Report, Report.
Should an incident occur, make sure your WISP policy clearly identifies whether the information that was breached is licensed or unlicensed data, and that the breach is reported to the appropriate individuals or government agencies accordingly. Since liability in Massachusetts is predicated on a failure to report a breach of personal data of a Massachusetts resident, do not allow your organization to fall short of this final and most important step.
DISCLAIMER:
The information provided in the pages and posts of this website is for general informational purposes only. The information presented on this site is not legal advice, and no attorney-client relationship is formed by the use of this site.