
New Massachusetts Privacy Laws – The WISP

Submitted by Steve Meltzer on March 5, 2009 – 7:22 pm

[Updated October 15, 2009 for compliance with new amendments to the regulations]

by Stephen E. Meltzer, Esq., CIPP

The Comprehensive Written Information Security Program

Any business that owns or licenses personal information must “develop, implement, and maintain a comprehensive information security program” to secure and protect records containing that information. The program itself must be written in one or more readily accessible parts; this written program is the comprehensive written information security program (a “CWISP,” commonly shortened to “WISP”).

The program must be “consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.”  The program must “contain administrative, technical, and physical safeguards that are appropriate to” (a) the size, scope, and type of the business, (b) the resources available to the business, (c) the amount of stored information, and (d) the need for security and confidentiality of both consumer and employee information. Every program, however, must incorporate at least the following components:

(a)    Designate one or more employees to maintain the WISP.

(b)    Identify and assess reasonably foreseeable risks (internal and external) to electronic and paper records alike, and evaluate and improve the current safeguards, including employee training, employee compliance with policies, and means of detecting and preventing security system failures.

(c)    Develop security policies for employees covering the storage, access and transportation of records containing personal information outside business premises.

(d)    Impose disciplinary measures for violations of the program.

(e)    Prevent terminated employees from accessing records containing personal information.

(f)    Oversee service providers: select and retain providers capable of maintaining appropriate safeguards, and require by contract that they implement and maintain them.

(g)    Restrict physical access to records, and store them in locked facilities, storage areas or containers.

(h)    Monitor security practices regularly to ensure the program is operating effectively, and upgrade safeguards when warranted.

(i)    Review the scope of the security measures at least annually, or whenever there is a material change in business practices that may affect the security of personal information.

(j)    Document responsive actions taken in connection with any breach of security, and conduct a post-incident review to change business practices where warranted.


Related posts:

  1. New Massachusetts Privacy Laws – Who is Regulated
  2. New Massachusetts Privacy Laws – Computer Security
  3. Introduction to the New Massachusetts Privacy Laws
  4. New Massachusetts Privacy Laws – Data Destruction
  5. New Massachusetts Privacy Laws – Breach Notification Requirements
  6. More tweaks to the Massachusetts data privacy regulations on the way

  • Al Chatman
    Steve,

    How many hours have you typically spent or the range of hours in creating a WISP for small to medium sized companies?

    Thanks
    Al
  • Hi Al:

    Define small to medium. Also, there is great variation among types of businesses and their use and control of personal information. The least amount of time I have spent (or, I should say, was spent by me and a board member combined) was probably about 3 hours for a small fully volunteer non-profit organization with a few small fundraisers each year.

    On the other hand, 20 to 25 hours were needed to draft a plan for a small law firm (3 lawyers and 2 staff) and for a small CPA firm (4 CPA's and 5 staff) - both with extensive electronic and paper data processes and storage.

    Two-thirds to three-quarters of the time spent was in the assessment phase.

    The best answer, therefore, is "it depends."
  • Al
    Thanks Steve. For me, small would be 100 employees, PI just in the HR dept., employee data well controlled. Medium would be a small college, 1,500 students and faculty, PI in various depts.

    Al
  • Al,

    Have you done a complete assessment or are you relying on someone else's analysis of where there is PI? Are you approaching this from a "digital asset" approach only or are you looking at all of the business processes and assets?

    The reason I ask these questions is because I find that IT folks seem to focus on information technology only and fail to see (or even look for) personal information and/or highly sensitive information in processes and information flow if it falls outside of information technology assets. (I do not even know your perspective.) I would be very careful to completely understand all of the functions of the organization before determining too quickly that the PI is only in HR and that it is locked down. Privacy protection is more of a human challenge than it is a technology challenge - don't let technical security cloud a true assessment of information vulnerability. Sorry, but I feel preachy tonight.

    The planning and implementation for a proper ISMS for the 1,500-employee college would probably involve hundreds of hours of work between HR, IT and legal.