- Jeremy Bombard
WRITTEN INFORMATION SECURITY PROGRAM (“WISP”)
Many of you saw the email that went out regarding the Written Information Security Program (“WISP”) project. I am working in collaboration with Brian Kilcoyne of H & K Insurance and David Levenson of Creative Computer Consulting to provide a comprehensive plan to protect your company’s data security.
Massachusetts data security regulations (201 CMR 17.00) require all businesses that handle paper or electronic personal information to implement a WISP to safeguard that information. Not only must you have the plan in place, but it must also be reviewed annually (or whenever there is a change in business conditions). The Massachusetts Office of Consumer Affairs and Business Regulation has a compliance checklist that sets out some of the requirements.
Failure to comply with 201 CMR 17.00 leads to fines and penalties, plus private litigation involving your business. The Attorney General can seek action against your company under the Massachusetts Consumer Protection Law (Chapter 93A). If a court finds you knew, or should have known, that the company’s actions constituted a violation, it can impose a fine of up to $5,000, plus costs and attorney’s fees, for each breach.
If your company has no WISP in place, or you have not updated it recently, now is the time to contact my team and me. Not only is it a good idea, but it’s also the law.