Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states safeguards legislation requires that organizations adopt certain security-oriented practices such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states safeguards legislation requires the adoption of a comprehensive written information security policy. The following provides a snapshot of information concerning safeguards legislation.


Number of states that require that some, or all, of the security program be memorialized in writing.1


Number of states that require that an employee be designated to maintain the security program.2


Number of states that require that a security provision be included in contracts with service providers.3

$100 - $500,000

Range of State Safeguard Law Penalties4

The following are the most popular types of personal information protected by state statutes:5


Social Security Numbers


Financial Account Number


Driver’s License Number


Health records


Federal, State, or Local Tax Returns


Biometric data

Top 10 sections typically included in a WISP:

  1. Designated employee responsible for overseeing security program.
  2. Procedures for appropriately destroying documents with sensitive information.
  3. Encryption standards for mobile devices.
  4. Encryption standards for transmitting sensitive information.
  5. Employee training.
  6. Data breach incident response.
  7. Vendor management.
  8. Process for provisioning user access.
  9. Process for de-provisioning user access.
  10. Disciplinary measures for security violations.