Massachusetts data security regulations went into effect in 2010 requiring every company that owns or licenses “personal information” about Massachusetts residents to develop, implement, and maintain a Written Information Security Program known as a WISP. Your WISP must contain certain minimum administrative, technical, and physical safeguards to protect “personal information”.
Despite this requirement, many companies, particularly those not physically located in Massachusetts, have not done so. Historically, the absence of a WISP is something that went unnoticed, but that may no longer be the case due to a recent change in the Massachusetts breach notification law.
Massachusetts has amended its data breach notification law to require organizations that experience a data security incident to notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs & Business Regulation whether the organization implemented a WISP.
This new reporting requirement highlights both the legal and practical need to implement a WISP.
What changed?
Effective as of April 11, 2019, organizations that experience a data breach that exposes the personal information of Massachusetts residents will have new responsibilities under Massachusetts law. In addition to the preexisting requirements that organizations notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation regarding the nature of the breach, the number of impacted Massachusetts residents, and the steps taken related to the incident, organizations must now also expressly state whether the organization implemented a WISP.
Organizations must continue to notify impacted Massachusetts residents of the data breach and must now notify the residents that there is no charge to institute a security freeze or credit freeze. If the breach disclosed the Social Security Number of Massachusetts residents, the organization must now provide a minimum of 18 months of credit monitoring services, or 42 months if the organization is a consumer reporting agency.
Related to this requirement, the organization may not require Massachusetts residents to waive their right to file a lawsuit in exchange for the credit monitoring services.
What is a WISP?
A WISP is designed to develop and document the systems and processes that protect the customer and employee personal information stored by an organization.
Under Massachusetts law, a WISP must address specific areas, including:
• Designating employees responsible for the security program;
• Identifying and assessing security risks;
• Developing policies for the storage, access, and transportation of personal information;
• Imposing disciplinary measures for violations of the WISP;
• Limiting access by terminated employees;
• Overseeing the practices of third-party vendors;
• Restricting physical access to records;
• Monitoring and reviewing the scope and effectiveness of the WISP; and
• Documenting steps taken in response to data security incidents.
A WISP must also establish specific computer system security standards when technically feasible, including:
• Securing user credentials;
• Restricting access to personal information on a need-to-know basis;
• Encrypting the transmission and storage of personal information;
• Monitoring of security systems;
• Updating firewalls, security patches, anti-virus, and anti-malware software; and
• Training employees on the proper use of computer security systems.
Written information security plans are required for those organizations that collect personal information from Massachusetts residents and Massachusetts is taking steps to ensure organizations comply with that requirement. Apart from this legal obligation, all organizations should strongly consider implementing and documenting their processes for protecting personal information and for responding to a data security incident. Proactively assessing and addressing information security risks will not only fulfill the organization’s requirements under Massachusetts law, but will allow the organization to reduce its risk of a data security incident and be prepared to respond quickly in the event an incident does take place.
How can I get started?
Download your free template.