Although the Massachusetts Data Security Regulations went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to do so.
According to the regulations, any companies or persons who store or use personal information of a Massachusetts resident must develop and implement a WISP that outlines the measures the company is taking to protect the personal information of Massachusetts residents. Personal information is defined as a Massachusetts resident’s first and last name or first initial and last name in combination with 1) a Social Security number; 2) a driver’s license number or state-issued identification card number; or 3) financial account number, or credit or debit card number with or without a required security code, access code, personal identification number or password that would permit access to the account.
This basically means that if a company or person has an employee or customer or vendor, or takes credit cards or debit cards for payment must have a WISP in place. The law is very broad in its reach, and the purpose is to protect consumers from identity theft and fraud.
The statute has very specific requirements about what has to be included in the WISP, including (this is not an exhaustive list):
- Someone designated to maintain and review and update it
- A risk assessment
- Develop security policies
- Address access controls and termination of access rights
- Implement a vendor management program and include compliance with the data security regulations in contracts with vendors which have access to personal information
- Restrict physical access to personal information
- Monitor the program so it stays relevant and up to date with new technology and risks
- Review the program at least annually
- Educate employees on the content of the program
Where we find clients struggle with developing and implementing the WISP is that once it is approved and in place, companies don’t include it in security education and awareness, which is required, don’t update it as internal processes change, and don’t review it annually. They forget about it until the Massachusetts Attorney General asks for it, which is common following a reportable data breach.
So check to see if you have a WISP and if not, let’s get one in place. Then determine next steps on how to comply with it, educate your employees on the content, determine which vendor contracts may need to be amended or updated to include the requirement for vendors to certify that they comply with the regulations, and set up a process to review it annually.
We used the Massachusetts regulations as an example because they were the first to be implemented, but other states have and will follow, as well as other specific industry requirements, so all companies should review whether a WISP may be an appropriate part of your enterprise-wide privacy and security plan.