Part 1 – DO I NEED A WISP AND WHAT IS A WISP? Deadline Approaching for yours

A WISP is a Written Information Security Plan.  The State of Massachusetts is requiring every business that owns or licenses the Personal Information (more on the definitions below) of Massachusetts residents to have such a plan.


I know what you’re thinking.  Dagnabbit, I’m in Texas.  I don’t need to follow some crazy law passed by a bunch of yella-belly East Coast lib’rls.  (We don’t really talk like this.  A lot of people think like this sometimes, but we don’t talk like this).

My reaction was initially the same.  This law applies to credit card processors and e-commerce sites in Boston.  Then, I read the definitions.  Unfortunately, if you are doing business online, or helping others do business online, you probably do business with a Massachusetts consumer and should consider developing your own WISP.

Background on the law

Massachusetts passed the law in 2007, Chapter 93H, which applies to “any person that owns or licenses personal information about a resident” of Massachusetts.

To see whether you need to read further, you need to know whether you “own or license” “personal information.”

Personal Information is defined as a consumer’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:  (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

Before you click away thinking “I just build websites or do some basic internet marketing,” think carefully about whether you “own or license” this information.

Own or license means “receives, stores, maintains, processes, or otherwise has access to personal information.”  This definition greatly expands the scope of this law.  Do you do any customer service for an online business?  Do you do any hosting where transactions are simply processed or that gives you access to this information?  You may own or license personal information.  Therefore, you may need a WISP.

So when do I need one?

The law went into effect on January 1, 2010, but it hasn’t gotten a lot of attention outside of Massachusetts.  It’s not very long: the regulation, 201 CMR 17.00, runs four pages and is worth reading in full.

If you are a vendor, you may soon be asked to show your WISP.  The law requires third-party service providers (possibly internet marketers, hosting companies) to be bound by contract to implement and maintain their own WISP by March 1, 2012.  People in Massachusetts may be asking to see yours soon.

In our next post, we’ll discuss what needs to be in your WISP.