August 5, 2022
Lynn H. Wangerin
Member, Stoll Keenon Ogden PLLC
What is a WISP?
A “WISP” is a Written Information Security Program which documents the measures that an organization takes to secure and protect the confidentiality and integrity of the personal information or other sensitive information (“protected information”) that the organization collects, processes, creates, uses and stores. The WISP typically outlines the objectives of the program and includes information about the implementation and maintenance of administrative, technical and physical safeguards to protect protected information the organization possesses, receives or uses. A WISP generally provides information, but not specific detail (which is left for the underlying policies). Because it is more of an overarching policy as opposed to a description of specific measures, a WISP is often something that is shared with outsiders, such as data subjects and customers, especially if the organization is expected to have access to or process protected information of its customers. Most organizations have more information than they might think – such as employee information and information collected through the analytics/backend of most websites.
Is My Organization Required to Have a WISP?
Maybe. Whether a particular organization is required to have a WISP will depend on the nature and scope of the organization’s collection, use and storage of protected information – what type of protected information is being collected and how it is being used. Most organizations will have some sort of protected information – think information about employees for example. Customers may require that an organization have in place an information security program. If the organization is purchasing cybersecurity insurance, the insurer may require it.
Depending on the type and size of the business and the scope of data collection and location of the operations, various laws may require that an organization maintain a WISP. For example, the Gramm-Leach-Bliley Act, which applies to financial institutions, as well as entities that perform certain functions of financial institutions (such as car dealerships that offer loans or loan sourcing), requires organizations that collect consumers’ protected information to have in place certain safeguards such as a WISP. The Health Insurance Portability and Accountability Act contains similar obligations. Certain state laws also contain WISP requirements. Massachusetts’ law contains detailed WISP requirements and applies to any business that collects personal information of residents of Massachusetts regardless of where the business collecting the information is located.
Should my organization have a WISP?
Whether or not there is a legal or contractual requirement to maintain a WISP, having a WISP in place can serve as evidence of an organization’s implementation of reasonable security measures which can help manage exposure in the event of a data breach (as well as perhaps preventing the data breach altogether). To serve this purpose, the WISP must be accurate and the actions required to implement and maintain the described program properly executed. The WISP in place should be tailored for the organization. An organization that collects only a small amount of protected information which is not particularly sensitive would not need to take as extensive security measures as an organization that collects health or financial information of individuals. Note though that almost all organizations will have some protected information that is sensitive such as information about employees.
Even if not legally required for your organization, developing and following a WISP may provide benefits, including:
Please let us know if you would like more information about WISPs. The firm’s Privacy & Information Security practice helps its clients identify risks and mitigate their exposure and liability in connection with the collection, maintenance and processing of information relating to individuals. When collecting, maintaining or processing information of an individual, there may be additional risk in the event of a data breach, and it’s imperative to show reasonable steps were taken to protect data.