A WISP is one of the most important documents for any company doing business over the Internet—which, in this day and age, is pretty much everybody. Who’s responsible for drafting and maintaining your company’s WISP? Or are you even sure what a WISP is? If not, your company is already at serious risk for additional legal action—lawsuits and punitive fines—following a data breach, whether the result of external hacking or internal human error.
WISP stands for Written Information Security Program—essentially your company’s formal road map for safeguarding the privacy of customers’ Personally Identifiable Information (PII), as well as a response plan after a data breach—including customer notification.
WISPs are already required for companies dealing in financial services (the Gramm–Leach–Bliley Act) or medical health records (HIPAA). Additionally, most states now have their own laws governing data privacy standards for businesses.
Here in California, the California Data Protection Act (Civil Code Section 1798.80-1798.84) requires businesses to “implement and maintain reasonable security procedures” to ensure the electronic privacy of customers’ personal information—their names combined with any of the following:
- Usernames/passwords for online accounts
- Social Security/Driver’s License numbers
- Credit/debit card numbers
- Medical history/health insurance records
How Much Is “Reasonable”?
The tricky thing here is that the California law doesn’t define what “reasonable security procedures” really are. And if even one of your customers resides out of state, your company is likewise bound by the corresponding data protection laws in that state—such as Massachusetts, where a WISP is a legal business requirement. At a time when new corporate data breaches seem to grab headlines every month, a formal WISP program for any company—large or small—is just good common sense.
Cover All the Bases
What are the elements of a comprehensive, iron-clad WISP? Here are the essential points to cover:
- The designated person(s) to administrate the WISP
- An assessment of reasonably foreseeable risks to security/confidentiality of protected PII data
- Locations where personal information is stored (electronic or hard copies, as well as access from portable devices)
- Specific measures to safeguard confidential data (encryption, firewalls, security patches, or more)
- Ongoing employee data security training, with disciplinary policy for WISP violations
- Monitoring and review of the program’s effectiveness, annually or as necessary
- Your company’s official breach response plan
The Commonwealth of Massachusetts offers a good WISP template for small businesses here.
Most importantly, if your company is partnered with a managed service provider or other third-party IT services, make sure they’re on board with your WISP program—that they’ll take time to assist in crafting your initial policy in addition to providing regular enforcement and documentation. We certainly will.
Tags: Bay Area, California Data Protection Act, cyber security, Data breach, data protection, data security, electronic privacy, hacking, HIPAA, identity theft, IT Managed Services, IT security, Small business, WISP, Written Information Security Program