By Paula Cuozzo
If you’re doing business in Massachusetts, you’re bound by law to protect the personal information of your employees, your customers and any other people your company comes into contact with. That goes for small businesses, including the self-employed.
Part of the compliance process is setting up a “WISP,” or a Written Information Security Program. This program outlines how you’ll go about accessing, collecting, storing, using, transmitting and protecting personal information that connects names to things like Social Security numbers or financial accounts.
The reasons for setting up a WISP are simple enough. Nobody wants to be the next Equifax, breached by hackers to expose personal information of customers, partners or business contacts. It’s bad business, and it can leave the company exposed on a variety of fronts. WISPs are important for your company's IT security.
The processes for setting up a WISP are a little more complicated, but they’re doable. Here is a primer for creating such a program and making it work.
Read the Literature
The state’s Office of Consumer Affairs and Business Regulation has created a couple of useful documents that will help in the creation of an information security program. One is a summary of the actual law – 201 CMR 17 – governing the standards for the protection of personal information. The other is a Small Business Guide that provides advice about key facets of a comprehensive WISP.
These documents spell out the basic areas that a WISP should cover and offer tips about issues to watch out for. A standard WISP process should start with the following:
Put Somebody in Charge
It’s important to have a program, of course, but it’s just as important that somebody in the organization is responsible for enforcing the program. This is the Data Security Coordinator. This person will be in charge of all things dealing with the WISP – including rolling out the initial document, training employees on the finer points, doing regular testing of the new safeguards, interfacing with third-party vendors about their adherence to your WISP rules, doing annual reviews of security measures and conducting regular training sessions for all stakeholders in the process.
Target Internal Risks
No one wants to think about the possibility that employees working inside the organization pose any kind of threat. But we hear about situations every day where workers intentionally or unintentionally expose their colleagues’ information. Somebody might have an axe to grind with a co-worker who’s competing for the same promotion. Or somebody might just be sloppy about circulating documents outside the firm.
Either way, it’s essential to the WISP process that a series of steps be followed inside the organization to protect personal information. These steps include:
Target External Risks
External threats come in many forms – and your WISP needs to deal with each one of them. There are the obvious threats such as hackers bent on doing damage to your business. Then there are the less obvious threats, possibly from third parties (vendors, customers, suppliers, partners, building owners, etc.). They likely won’t compromise personal information on purpose, but they may have slipshod practices of their own. You’re responsible for their behavior, so you need to put safeguards in place to protect your own information.
Protecting against hackers is something you’ll want to do anyway; the law requires that you document how you’re keeping these threats away from your personal information. Guidelines require that firewall protection is up to date, information on laptops is protected and in certain cases encrypted, and computers are monitored regularly for unauthorized use of personal information.
Another way to protect your organization's information is through use of a "Bring Your Own Device" (BYOD) policy, which we've provided for you here.