What is a WISP? . . . Why You Need One. . . And How to Get Started.

            A WISP is a Written Information Security Plan. Under the new Massachusetts law (chapter 93H) and its regulations (201 CMR 17.00) everyone who handles Massachusetts Residents’ Personal Information must develop and implement a WISP. Personal Information, or PI, is the last name and either first initial or first name of a person, along with a social security number; driver’s license number; or financial, credit, or debit card number. This new law goes into effect March 1, 2010, and applies to just about every business since most will hold or transmit PI.

            Besides requiring a WISP, the law also requires you to notify the state and the affected consumers if you have a security breach. If you have a breach and don’t have or follow your WISP, you could be subject to stiff penalties. So, the best course of action for every business is to develop a WISP and implement it immediately.

            So, how do you get started? The first step is to conduct an audit of your business practices. Be sure to document the audit so you can demonstrate that you did it. One way to start is to think of all the different kinds of PI your business has access to. For instance, your employment records likely will contain PI. You may ask customers to provide you with their bank account numbers when applying for credit, or you may have copies of credit card receipts with customers’ names and account numbers.

            The next step is to list all the ways that your company stores or transmits that information. Do you have paper files? Do you store the data on computers or servers? On laptops? Do you back up your data and take it off-site, or use an online backup service? Do you email PI to vendors or within your company? Do you fax or mail PI?

            Now, list all the people and companies who may have access to PI. Your employees, independent contractors, interns, visitors, vendors. Your goal is to make sure that access to PI is appropriately limited among all of these people, and protected against theft by outsiders.

            Think about how you protect PI right now. Do you secure written PI in locked filing cabinets? Who has access to those keys? Can visitors easily access PI when left alone? Do you encrypt emails containing PI? Are your computers, servers, and backup devices encrypted? Do all of your employees have unlimited access to PI, even if they don’t need it? Is your wireless network encrypted? Do your employees have their own, strong passwords, and are they changed regularly? Have you changed the passwords on your electronic devices from the factory settings?

            The new law also requires you to train your employees on your WISP, and to certify their attendance at the training and their understanding of the terms of your WISP. You must also ensure your vendors and contractors have a WISP or are in compliance with yours. You will also need to designate a person responsible for monitoring and updating your WISP.
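The audit steps above (inventory the PI you hold, where it is stored or sent, who can reach it, and how it is protected) and the requirement to designate someone responsible for the WISP can be turned into a repeatable gap check. The script below is an added example, not part of the original article or of the Massachusetts regulations; the inventory schema, the field names and the sample business records are constructed for illustration, and the checks simply encode the questions the article asks (encryption of electronic media and email, locked cabinets for paper, factory passwords, need-to-know access, a named WISP owner).

```python
from dataclasses import dataclass, field

# Data elements that, combined with a name, make a record "PI" under the
# article's definition (SSN, driver's licence, financial/credit/debit account).
PI_ELEMENTS = {"ssn", "drivers_license", "bank_account", "credit_card", "debit_card"}
ELECTRONIC_MEDIA = {"server", "laptop", "backup", "email"}


@dataclass
class PIStore:
    """One place PI is stored, or one channel it moves through (constructed schema)."""
    name: str
    medium: str                      # paper, server, laptop, backup, email, fax, mail
    elements: set                    # which data elements the store holds
    encrypted: bool = False          # at rest for devices, in transit for email
    locked: bool = False             # locked cabinet for paper records
    default_password: bool = False   # factory credentials never changed
    accessors: list = field(default_factory=list)     # everyone who can reach it
    need_to_know: list = field(default_factory=list)  # who actually needs it


def check_store(store):
    """Return the gaps for one store, phrased as the article's audit questions."""
    findings = []
    if not store.elements & PI_ELEMENTS:
        return findings  # a name alone is not PI under the definition
    if store.medium in ELECTRONIC_MEDIA and not store.encrypted:
        findings.append(f"{store.name}: PI on {store.medium} is not encrypted")
    if store.medium == "paper" and not store.locked:
        findings.append(f"{store.name}: paper PI is not kept in a locked cabinet")
    if store.default_password:
        findings.append(f"{store.name}: device still uses its factory password")
    excess = sorted(set(store.accessors) - set(store.need_to_know))
    if excess:
        findings.append(f"{store.name}: access exceeds need-to-know: {', '.join(excess)}")
    return findings


def audit(stores, wisp_owner=None):
    """Run every store through the checks, then add the plan-level requirement."""
    findings = []
    for store in stores:
        findings.extend(check_store(store))
    if not wisp_owner:
        findings.append("no person designated to monitor and update the WISP")
    return findings


# Constructed inventory for a small business; not data from the article.
SAMPLE_INVENTORY = [
    PIStore("Employee files", "paper", {"ssn"}, locked=True,
            accessors=["HR", "Owner"], need_to_know=["HR", "Owner"]),
    PIStore("Credit card receipts (scanned)", "laptop", {"credit_card"},
            encrypted=False, accessors=["Owner", "Intern"], need_to_know=["Owner"]),
    PIStore("Credit applications sent to bank", "email", {"bank_account"},
            encrypted=False, accessors=["Owner"], need_to_know=["Owner"]),
    PIStore("Nightly backup drive", "backup", {"ssn", "credit_card"},
            encrypted=True, default_password=True,
            accessors=["IT vendor"], need_to_know=["IT vendor"]),
    PIStore("Visitor sign-in sheet", "paper", {"name"}, locked=False,
            accessors=["Everyone"], need_to_know=[]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, wisp_owner=None):
        print("GAP:", line)
```

Running it against the sample inventory lists five gaps: the unencrypted laptop, the intern's unneeded access to it, the unencrypted email to the bank, the backup drive's factory password, and the missing WISP owner; the locked employee files and the names-only sign-in sheet produce nothing. Keeping the inventory in a file and re-running the check is one way to document that the audit was done and repeated.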

When developing your WISP, you will want to address potential breaches to PI security and create a plan that is feasible and effective for your business. There is no one-size-fits-all answer, but you should take a proactive approach to this new law. Get your WISP in order and implemented by March 1st.

            I recommend reading the law and regulations. Get started at the MA Office of Consumer Affairs and Business Regulation (OCABR) Identity Theft page: http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca

Comments

  • 6/2/2010 9:32 AM Joanne wrote:
    If I have unencrypted information on a CD can I mail that to a client through the post office?
    1. 6/2/2010 10:15 AM Kalife & da Fonseca wrote:
          This is a tough one, due to the extra fold of the electronic media.
          The United States Postal Service is considered to be one of the last vestiges for information security. It is presumed that what you send will go directly to whom you addressed it. So generally the Post is safe where e-mailing and faxing are not. The only problem I have with this shipment is that the CD can hold a ton of information and could easily be encrypted. Therefore, I would suggest a double mailing or a mailing with a phone call. So either a call or mailing with the password to the encryption and then of course the mailing with the CD.
          The way this sort of new law works is that it looks at the burdens of making things more secure, and sure my suggestion may take an extra minute and maybe even an extra 44 cents, but when it comes to your clients' security - I'm sure they will appreciate it. The postage and the moment it takes to encrypt the CD should be worth the peace of mind that your business won't be prosecuted for any malfeasance.
