Data protection: How to create a written information security policy (WISP)
The introduction of the CCPA and the New York SHIELD Act means it’s vital for businesses to have a written information security program, or WISP.
The value of a WISP
Both pieces of legislation demonstrate the need for a written information security program (also commonly called a written information security policy), or WISP, within businesses across the U.S. It’s advisable to have one even if there is no express legal requirement for it in the state where the business is based. Should your business face litigation following a data breach, a good-quality WISP that has been consistently implemented and followed is likely to be key to constructing a defense; note that a WISP which exists on paper but is not followed in practice offers little protection. The value of a WISP also lies in its creation, because the process prompts the business to assess the risks to consumer data and to implement appropriate protective measures. It can also educate employees and others inside or outside the business about data protection measures. You may find creating a WISP to be a task that requires external help, and this is a route many businesses take. Data protection consultants can be found easily online, but try to find recommendations from businesses similar to your own. Often the perspective of an outsider can be invaluable in identifying data protection issues within your business.
How to create a WISP
Creating a high-quality WISP is likely to involve examination of all parts of a business, because there are very few functions and employees that do not handle data in some fashion. In this regard, it’s worth remembering that legislation such as the CCPA covers not just computer data but also written data.
Start by assigning an owner. All plans need a single point of contact: a single person owns the plan and can delegate. This needn’t necessarily be a senior member of staff, but employees and external stakeholders need to know who it is. This person should be the key sense-checker for the WISP, the person who ensures the program makes sense and that nothing has been assumed.
Invite input from all sources. Information should be gathered from all functions, departments, employees and other individuals. The question asked of each should simply be: What data do you handle, and how sensitive is it? Note that some departments or individuals may not actively deal with data, but may store historic data within their remit. You should ensure no department is excluded, either accidentally or deliberately. All sources should also identify what legislation covers their specific function or role, or notify you that legal counsel needs to be sought if they are unsure or simply do not know. Compliance with that legislation should then be built into the program.
Risk assessment should also be part of this planning and outlining stage. This can be an extensive process to undertake and is one area in particular where you might require external guidance from a data protection expert. You should consider your entire ecosystem, internally and externally, from supplier to customer (or client). Your program may include specific plans detailing how to deal with individual suppliers or customers/clients, especially those that present data protection challenges, such as businesses you buy data from or sell data to, or those that require you to share data with them.
Ensuring legal compliance
The International Association of Privacy Professionals has produced a Model Written Information Security Program, which can form the basis for your own WISP. Their model program document addresses the requirements of the following state and federal laws, and if you are creating a WISP from scratch it’s advisable that your program does the same:
- The Massachusetts Data Security Regulation (201 Code Mass. Regs. 17.01 to 17.05).
- Similar state laws, such as those of Oregon and Rhode Island (Or. Rev. Stat. §646A.622; R.I. Gen. Laws §11-49.3-3(a)(8)).
- The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 C.F.R. §§314.1 to 314.5).
- State insurance data security laws based on the National Association of Insurance Commissioners (NAIC) Model Insurance Data Security Law (MDL-668).