Sep 24, 2020



With the rapid rise in cybercrime, regulations have become more stringent across the entire country. These rules are particularly strong in Massachusetts, and the Massachusetts Data Security Regulations, 201 CMR 17.00, states the following:

“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards.”

This statement is very clear on a key fact - even if your organization is not based in Massachusetts, if you do business with or employ anyone who lives in the state and you collect PII (personally identifiable information) about them, you are subject to this regulation. This means you are legally required to have a Written Information Security Program (WISP). It is not optional, and if you do suffer a breach of some kind and personal data is impacted, the lack of a WISP will make your problems that much worse.

What is Considered PII?

Personally Identifiable Information is any data that could potentially identify a specific individual. In Massachusetts, the regulation (201 CMR 17.02) defines “personal information” more narrowly, as a MA resident’s first and last name (or first initial and last name) combined with at least one of the following:

  • Social Security Number
  • Driver’s License Number/State-Issued ID Card Number
  • Financial Account Number/Credit or Debit Card Number

While information like Social Security Numbers and credit card numbers is obviously sensitive, the reality is that even seemingly less sensitive information, such as a mailing address or a birthdate, can also be used to identify a person. The regulation is triggered by the combinations listed above, but data sets rarely stay that cleanly separated: a customer or HR record that holds a name and address today often gains an account number or SSN later. Thus, even if you are not collecting financial information from someone, if you hold any data on a MA resident, you and your business may be impacted by this regulation, and it is safer to treat that data as in scope from the start.

Why is a WISP Important?

Besides the legal requirements detailed above, a WISP is critically important to your company’s security because it is much more than a written document with security guidelines. Rather, a WISP serves as a living framework for your organization’s entire cybersecurity strategy, establishing specific protocols and roles for your company’s unique situation. A comprehensive Written Information Security Program will not only establish what to do in the case of a breach, but also how to remediate the situation, and who in the organization is responsible for carrying out those steps. In addition to defining key actions to take during and after a security incident, a well-designed WISP will also dictate the processes (for example, access controls, encryption of personal information, employee training, and vendor oversight) that decrease the risk of a breach occurring in the first place.

What Else Do You Need to Know?

Massachusetts law not only includes clear WISP requirements; the state’s breach notification statute (M.G.L. c. 93H, as amended in 2019) also requires impacted organizations to notify Massachusetts residents who may have been affected by a breach, and to tell them that they will not be charged to place or lift a security (credit) freeze.

If the security incident involved the disclosure of Social Security Numbers, the organization must also provide a minimum of 18 months of credit monitoring services to the affected residents. If the organization is a consumer reporting agency, that credit monitoring requirement is increased to 42 months.

Do You Do Business with MA Residents? Then You Need a WISP. We Can Help.

The bottom line is that if you have MA residents as customers or employees of your business, you need a WISP. If you need help establishing a Written Information Security Program at your company, contact the Envision team today. Our security experts have worked with companies of all sizes across a variety of verticals, and we can help you secure your company and ensure that you are compliant with Massachusetts’ and other security regulations.

Explore our cybersecurity services to find out how you can further protect your organization and its people.