Newsroom > In Our Words > What Is a WISP and...
August 5, 2022

What Is a WISP and Should My Organization Have One?

Written By

August 5, 2022

By

Lynn H. Wangerin
Member, Stoll Keenon Ogden PLLC
(502) 560-4283
lynn.wangerin@skofirm.com

What is a WISP?

A “WISP” is a Written Information Security Program which documents the measures that an organization takes to secure and protect the confidentiality and integrity of the personal information or other sensitive information (“protected information”) that the organization collects, processes, creates, uses and stores.  The WISP typically outlines the objectives of the program and includes information about  the  implementation and maintenance of administrative, technical and physical safeguards to protect protected information the organization possesses, receives or uses.  A WISP generally provides information, but not specific detail (which is left for the underlying policies).  Because it is more of an overarching policy as opposed to a description of specific measures, a WISP is often something that is shared with outsiders, such as data subjects and customers, especially if the organization is expected to have access to or process protected information of its customers.  Most organizations have more information than they might think – such as employee information and information collected through the analytics/backend of most websites. 

Is My Organization Required to Have a WISP?

Maybe.  Whether a particular organization is required to have a WISP will depend on the nature and scope of the organization’s collection, use and storage of protected information – what type of protected information is being collected and how it is being used.  Most organizations will have some sort of protected information – think information about employees for example.  Customers may require that an organization have in place an information security program.  If the organization is purchasing cybersecurity insurance, the insurer may require it.

Depending on the type and size of the business and the scope of data collection and location of the operations, various laws may require that an organization maintain a WISP.  For example, the Gramm-Leach-Bliley Act, which applies to financial institutions, as well as entities that perform certain functions of financial institutions (such as car dealerships that offer loans or loan sourcing), requires organizations that collect consumers’ protected information to have in place certain safeguards such as a WISP.  The Health Insurance Portability and Accountability Act contains similar obligations.  Certain state laws also contain WISP requirements. Massachusetts’ law contains detailed WISP requirements and applies to any business that collects personal information of residents of Massachusetts regardless of where the business collecting the information is located.

Should my organization have a WISP?

Whether or not there is a legal or contractual requirement to maintain a WISP, having a WISP in place can serve as evidence of an organization’s implementation of reasonable security measures which can help manage exposure in the event of a data breach (as well as perhaps preventing the data breach altogether).  To serve this purpose, the WISP must be accurate and the actions required to implement and maintain the described program properly executed.  The WISP in place should be tailored for the organization.  An organization that collects only a small amount of protected information which is not particularly sensitive would not need to take as extensive security measures as an organization that collects health or financial information of  individuals.  Note though that almost all organizations will have some protected information that is sensitive such as information about employees.

Even if not legally required for your organization, developing and following a WISP may provide benefits, including:

***

Please let us know if you would like more information about WISPs.  The firm’s Privacy & Information Security practice helps its clients identify risks and mitigate their exposure and liability in connection with the collection, maintenance and processing of information relating to individuals. When collecting, maintaining or processing information of an individual, there may be additional risk in the event of a data breach, and it’s imperative to show reasonable steps were taken to protect data.

Related Articles

View More
November 27, 2023
Smarter Projects in a Smart World: Emerging Tech and Environmental Concerns in the Construction Industry
November 27, 2023 By Cassandra A. Nielsen Of Counsel, Stoll Keenon Ogden PLLC317.396.2553cassie.nielsen@skofirm.com The $1.2 trillion American Infrastructure Investment and Jobs Act, the $280 billion CHIPS and Science Act of 2022, and the $900 billion NextGeneration EU fund in Europe are each ushering in a new era of construction—one focused on an increased investment in […]
August 22, 2023
The EEOC Issues Proposed Regulations to Implement the Pregnant Workers Fairness Act
August 23, 2023 By Jeffrey A. Calabrese Member, Stoll Keenon Ogden PLLC 502.568.5448 jeff.calabrese@skofirm.com and Kirby A. Black Associate, Stoll Keenon Ogden PLLC 502.568.5479 kirby.black@skofirm.com On August 7, 2023, the U.S. Equal Employment Opportunity Commission (EEOC) issued a Notice of Proposed Rulemaking (“Notice”) to implement the new federal Pregnant Workers Fairness Act (“PWFA”).  The PWFA […]
August 10, 2023
Employers Beware: NLRB Overrules Precedent to Adopt Standard Critical of Employer Workplace Rules
August 11, 2023 By Amy L Miles Member, Stoll Keenon Ogden PLLC 502.568.5751 amy.miles@skofirm.com and Macy Young Law Clerk, Stoll Keenon Ogden PLLC 859.231.3925 macy.young@skofirm.com On August 2, 2023, the National Labor Relations Board (“NLRB” or “Board”) issued a landmark ruling that overturned precedent and adopted a new burden-shifting standard for determining the lawfulness of […]