Written Information Security Programs | Practical Law

A discussion of preliminary considerations for creating a written information security program (WISP) with links to more detailed resources addressing the specific requirements for WISPs under the Massachusetts data security regulation (Mass. Regs. Code tit. 201 § 17.00).

Written Information Security Programs

Practical Law Legal Update 6-547-1431 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 29 Oct 2013 | USA (National/Federal)
Effective since March 2010, the Massachusetts data security regulation contains the most stringent data security requirements for organizations by a state to date (Mass. Regs. Code tit. 201 § 17.01-05). It requires covered organizations to adopt a comprehensive written information security program (WISP) incorporating specific security measures. The regulation has extensive reach, purporting to cover every organization, wherever located, that owns or licenses personal information of Massachusetts residents. However, even where WISPs are not legally required, they are a good business practice for any organization that collects, uses, stores, transfers or disposes of personal information.
Preliminary considerations in developing and implementing a WISP include:
  • Identifying reasons for adopting the WISP and its objectives.
  • Determining and evaluating the requirements of the Massachusetts regulation and all other applicable laws, guidance from governmental authorities, enforcement actions and industry standards, including identifying any conflicting requirements.
  • Gathering all relevant information concerning the personal information the organization collects, uses, stores and shares. This includes identifying:
    • the categories and types of personal information;
    • how the organization collects, uses, stores, transfers and destroys the personal information, and the systems and technologies the organization uses for these purposes;
    • the state (or, for individuals outside the US, the country) of residence of the individuals whose personal information the organization holds;
    • the organization's third-party service providers and other business partners that have or may have access to personal information held by the organization;
    • the organization's current information security procedures, practices and policies; and
    • the employees within the organization who are responsible for developing, implementing and enforcing the WISP.
The scope and complexity of a WISP will vary depending on each organization's specific circumstances. For example, the Massachusetts regulation generally requires that the WISP contain administrative, technical and physical safeguards that are appropriate to:
  • The size, scope and type of the person's business.
  • The person's available resources.
  • The amount of stored data.
  • The need for security and confidentiality of both consumer and employee information.
However, the Massachusetts regulation also includes a set of specific minimum requirements for written information security programs, including designating an employee to oversee the security program, identifying and minimizing reasonably foreseeable internal and external risks, and implementing certain computer system security requirements for organizations that electronically store or transmit personal information. For a deeper review of the Massachusetts requirements and additional considerations, see Practice Note, Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation. This Practice Note was contributed by Melissa J. Krasnow at Dorsey & Whitney LLP and discusses:
  • Considerations concerning the scope of the WISP.
  • The Massachusetts Regulation's specific requirements.
  • Additional relevant US laws, guidance and industry standards.
  • Massachusetts Attorney General Enforcement Actions.