Will of the WISP

I’ve just posted a copy of my WISP to my web site. If your company does business in Massachusetts and you have no idea what I’m talking about, you might want to read the rest of this post, which I created as a guide for small business IT consultants like myself.

How to Help a Small Business Comply with the 2010 Massachusetts Privacy Law

Background

In 2007, Chapter 93H was added to the General Laws of the Commonwealth of Massachusetts. The law establishes rules for preventing and reporting data security breaches, and it applies to "any person that owns or licenses personal information about a resident" of Massachusetts. (By regulation, the rules also apply to any person that “receives, stores, maintains, processes, or otherwise has access to such personal information.”) That means it applies to virtually all businesses and nonprofit corporations in the Commonwealth.

The law directs the Office of Consumer Affairs and Business Regulation to promulgate specific regulations relative to Chapter 93H. These regulations are contained in 201 CMR 17.00, which go into effect on January 1, 2010. Once effective, the regulations will be enforced by the Attorney General.

The law and regulations cover both written and electronic information. From a small business’s perspective, the key passages of 201 CMR 17.00 are as follows:

Personal information [is defined as] a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

1. Social Security number;
2. driver’s license number or state-issued identification card number; or
3. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

[All businesses] shall develop, implement, and maintain a comprehensive [written] information security program (CWISP, or WISP) that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

1. the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both consumer and employee information.

The safeguards … must be consistent with the safeguards [required by similar state or federal regulations that may be applicable].

[E]very WISP shall include, but shall not be limited to:

1. Designating one or more employees to maintain the WISP;
2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
   1. ongoing employee (including temporary and contract employee) training;
   2. employee compliance with policies and procedures; and
   3. means for detecting and preventing security system failures.
3. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
4. Imposing disciplinary measures for violations of the WISP rules.
5. Preventing terminated employees from accessing records containing personal information.
6. Oversee[ing] service providers by
   1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information …;
   2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider [before March 1, 2010] … satisfies the provisions … even if the contract does not include a [specific requirement regarding information safeguards].
7. Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
8. Regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
9. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
10. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Every [business] shall include in its written WISP the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

1. Secure user authentication protocols including:
   1. control of user IDs and other identifiers;
   2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   4. restricting access to active users and active user accounts only; and
   5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
   1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The IT Consultant’s Responsibility

An IT consultant cannot be solely responsible for determining whether or not a small business is in compliance with the regulations. Ultimately, that decision is up to the Attorney General and the judicial process. Therefore, all businesses should seek legal counsel when evaluating whether or not they are compliant. Nevertheless, because of the regulations’ focus on specific technical requirements and procedures, IT consultants can (and should) offer advice on how their clients can best prepare for and follow the new rules.

The Compliance Review Process

IT consultants should provide the following services to their clients:

1. Education. Ensure that the chief executive is aware of the regulations and obtain his or her approval to implement a compliance plan. It is probably a good idea to identify who will act as the business’s Information Security Manager at this point and to involve the ISM in every subsequent step of the process. It is NOT recommended that the IT consultant serve as the ISM.
2. Inventory. Identify all instances of personal information that are being used by the business in paper or electronic form. (At this stage, do not worry about whether the personal information is “received, stored, maintained, processed, or otherwise accessed” by the business.) This process should involve discussions with people responsible for multiple aspects of the business, including but not necessarily limited to:
   • Human resources / benefits
   • Payroll
   • Sales (for nonprofit organizations, this may translate to Membership)
   • Accounting
   • Operations (to see if employees’ driver’s licenses are kept on file)
   • Client or Customer Service

   The consultant may find it worthwhile to conduct a survey of all employees, providing the definition of personal information and asking whether they have come in contact with such information. It is especially critical to identify any personal information that may be stored outside the business’s office, such as on laptop computers, as there are special encryption requirements for this information. It is also critical to identify any business processes that cause personal information to be sent across wireless networks or the Internet.
   At this point, generate a list of all contractors that may use personal information on your behalf. The contracts you have with them will need to be reviewed for compliance as well.

3. Scope Assessment. After identifying the extent to which personal information is used at the business, discuss with the chief executive whether personal information is a relatively small and contained piece of the business’s information or whether personal information permeates the entire business. For example, an automobile insurance agency, a certified public accountant, or a temporary employment services agency might decide that personal information is so pervasive in the organization that all information should be handled as if it is subject to the regulations, whether or not each bit of information actually is covered.
4. WISP drafting. A draft can be prepared by either the business’s ISM or the IT consultant. Although it is possible to start the draft from scratch, most businesses will probably want to start with a template that they can adapt for their specific needs. A free template is available from the Office of Consumer Affairs and Business Regulation. It is also possible to buy plan-creation tools. For example, a Boston-area consultant is offering workshops and templates at www.201cmr17.com. Businesses would be well advised to seek reviews of these products before investing significant amounts in them. To find other commercial templates, do an Internet search for terms such as 201 CMR 17 sample policy. During the drafting of the WISP, it may become evident that some existing procedures are not compliant with the regulations. These areas should be clearly flagged in the WISP with notes such as “IS THIS OK?” or “NEED TO FIX THIS”
5. WISP review and revision. The first draft of the WISP should be reviewed by whoever did not write it (i.e., either the ISM or the IT consultant). The reviewer should seek clarification of any section of the WISP that seems confusing, incorrect, or incomplete. As in the previous step, any potential non-compliance should be flagged.
6. Checklist review. Go through the 201 CMR 17 compliance checklist to identify additional potential areas of non-compliance.
7. System changes. Using comments from the draft WISP and the 201 CMR 17 compliance checklist, identify and implement the necessary organizational changes. This will be likely be the most technically challenging stage in the process.
8. WISP completion. Once the WISP is final, obtain a sign-off from the chief executive.
9. Implement and train. Because employee training is a necessary component of the WISP, implementing the WISP will not be complete after step 7 above. The training should be led by the ISM, with assistance from the IT consultant as necessary.
10. Schedule review. The WISP should be reviewed annually. Ensure that this review is placed on the company calendar for the following year.