Power Up Boston
Business compliance documentation

Massachusetts WISP Requirements

Massachusetts law requires every business that handles personal information of MA residents to maintain a Written Information Security Program (WISP). It's not optional; it's the law. Power Up Boston helps South Shore businesses create, implement, and maintain compliant WISPs.

What MA Law Requires

Under 201 CMR 17.00, your WISP must address these key areas:

Security Coordinator

Designate a responsible person to maintain and enforce the WISP.

Risk Assessment

Identify and evaluate internal and external risks to personal information.

Employee Training

Regular security awareness training for all employees with data access.

Access Controls

Restrict access to personal data on a need-to-know basis.

Encryption

Encrypt all personal information transmitted across public networks and on portable devices.

Incident Response

Documented procedures for responding to security breaches.

Terminated Employees

Immediate revocation of access for departing employees.

Computer Security

Firewall, antivirus, patching, and secure authentication.

Monitoring

Regular monitoring for unauthorized access or use of personal information.

WISP FAQ

What is a WISP?

A Written Information Security Program (WISP) is a documented set of policies and procedures for protecting personal information. Massachusetts law (201 CMR 17.00) requires every business that owns or licenses personal information of MA residents to maintain a comprehensive WISP.

Does my business need a WISP?

If your business collects, stores, or has access to personal information of Massachusetts residents (including names combined with Social Security numbers, driver's license numbers, or financial account numbers), you are legally required to have a WISP. This applies to businesses of all sizes, even sole proprietors.

What must a WISP include?

A WISP must include: designation of a security coordinator, risk assessment procedures, employee training policies, access control measures, encryption requirements for transmitted data, monitoring procedures, incident response plans, and policies for terminated employees. The specifics scale based on your business size and the volume of data you handle.

What are the penalties for not having a WISP?

Massachusetts can impose fines of up to $5,000 per violation under the consumer protection act (Chapter 93A). If a data breach occurs and you don't have a WISP, you face additional liability including the cost of breach notification, credit monitoring for affected individuals, and potential lawsuits.

How often should a WISP be updated?

Your WISP should be reviewed and updated at least annually, or whenever there's a significant change to your business operations, technology, or the threat landscape. We handle annual reviews as part of our managed IT services.

Can Power Up Boston create a WISP for my business?

Yes. We create customized WISPs tailored to your specific business, industry, and data handling practices. We don't use generic templates; your WISP will reflect how your business actually operates. We also implement the technical controls documented in the WISP.

Need a WISP for Your Business?

We create customized Written Information Security Programs for Massachusetts businesses. Free consultation: let's make sure you're compliant.

On-site visits available · Plymouth & South Shore