Massachusetts data security regulations went into effect in 2010 requiring every company that owns or licenses “personal information” about Massachusetts residents to develop, implement, and maintain a Written Information Security Program, known as a WISP. A WISP must contain certain minimum administrative, technical, and physical safeguards to protect “personal information”. Despite this requirement, many companies, particularly those not physically located in Massachusetts, have not adopted one. Historically, the absence of a WISP often went unnoticed, but that may no longer be the case due to a recent change in the Massachusetts breach notification law. Massachusetts has amended its data breach notification law to require organizations that experience a data security incident to tell the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs & Business Regulation whether the organization had implemented a WISP. This new reporting requirement highlights both the legal and practical need to implement a WISP.

What changed?

Jason Wong @jasonhk1920

Effective as of April 11, 2019, organizations that experience a…
Nicholas Salem, March 20, 2023