Massachusetts statutory law requires all businesses that maintain an individual’s personal information to implement and follow a Written Information Security Plan (WISP). Personal information is defined as a resident’s full name in addition to a data element like a Social Security number, driver’s license number or financial account number. 201 CMR 17.002. WISPs are required to establish policies and procedures for maintaining both physically and electronically stored private information and protecting them against unauthorized access. Here are some key elements to consider when you are creating a WISP for your business.
Assign Responsibility
All WISPs are required to delegate responsibility for maintaining compliance to an individual staff member. Choose a staff member who manages your administrative team or one works closely with your IT department or provider.
Create Protocols for Physically Stored Data
A comprehensive WISP needs to provide for the storage and disposal of physically stored data. Personal information that is maintained in paper files or discarded with trash must be done so securely. When you use a professional service for paper document recycling Boston MA, you need to select a service provider who follows security procedures that will comply with your company’s WISP. The best course of action is to keep sensitive documentation in secure containers that a professional shredding company can come and pick up to shred onsite.
Establish Safeguards Against Unauthorized Access to Electronic Records
Your WISP needs to describe what security programs and protocols your business will use to prevent data breaches. Login restrictions, firewalls, and scanning for intrusions are examples of important safeguards.
If your company experiences a data breach of any kind, having a WISP may help protect you. Under the WISP statute, being able to demonstrate that you have a current and compliant WISP and you did not violate it in any way will shield your company from exposure to potentially significant liability.