Boston Bar Journal

The Importance of Written Information Security Policies in Data Governance

November 14, 2019 | Fall 2019 Vol. 63 #4

by Christopher E. Hart

Legal Analysis

A critical component of data governance is the written information security program or policy, or “WISP” for short.  WISPs are important for three reasons:  first, they are often required by specific statutes or regulations.  Second, their drafting and maintenance often force organizations to consider more closely the adequacy of their security practices.  Third, they can be excellent defenses against liability in the event of a data security incident.  Yet organizations often find themselves caught by surprise when they learn that they are either legally required to have a WISP, or ought to have one as a best practice or risk mitigator.

This article discusses what a WISP is, when one is required, what it is good for, why organizations should consider creating and maintaining one, and what the future holds.  In the end, you will hopefully consider the WISP to be a critically important component of your or your client’s overall data governance strategy.

What is a WISP?

A WISP is a set of organizational practices relating to certain information, normally personally identifiable information (PII) that the organization maintains (such as a person’s name, email, password, social security number, and credit card information), memorialized in an inward-facing document.[1]  While the WISP really refers to the practices or program of information security, the memorialized document is often what people are referring to when they think of WISPs.  A WISP is inward-facing in the sense that it is meant to be used internally by an organization, both as a reference and as a memorialization of practices, and not necessarily meant for consumption by consumers or the general public.  (In contrast, privacy policies tend to be outward-facing documents, meant to notify potential consumers about an organization’s data use and security practices at or before the point that data is provided.)

To illustrate, one of the most important laws relating to WISPs, the Massachusetts regulations on Standards for the Protection of Personal Information of Residents of the Commonwealth, requires that “[e]very person that owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain a comprehensive information security program that is written in one or more accessible parts.”  201 CMR 17.03(1).

What Does a WISP Require?

The purpose of the WISP is to “[i]nsure the security and confidentiality of customer information,” “protect against any anticipated threats or hazards to the security or integrity of such information,” and “[p]rotect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”  201 CMR 17.01(1).  The WISP is a security requirement, not a privacy requirement: it mandates certain technical and administrative safeguards relating to specific kinds of information.  To accomplish these objectives, regulations mandating WISPs focus on a number of common elements:

  1. Risk Assessment. WISPs generally require that organizations implement practices that are commensurate with the sensitivity and volume of data the organization has, and the resources the organization can bring to bear to protect that data.
  2. Minimum Technical Security. WISPs will carry requirements that computer systems have adequate encryption, anti-malware software, and other perimeter and internal defenses.
  3. Third-Party Contracts. Central to a WISP is the concept that organizations that collect information but contract with vendors or other organizations to handle data must ensure that those third parties protect the data at least as adequately as the collecting organization.  This requires both that vendors be adequately vetted and that third parties’ assurances regarding their security programs be placed into contracts as specific obligations.
  4. Specific Accountability. WISPs normally require that a specific individual be held out as having responsibility for implementation of the security program.
  5. Regular Auditing. WISPs, and the specific requirements within them (such as risk assessments), must normally be reevaluated on at least an annual basis.
  6. Employee Training. Employees must be trained on the organization’s security requirements, and must be knowledgeable of the WISP, in order for the WISP to be a useful instrument.

As these requirements make clear, a WISP is best seen as a bundle of living practices, rather than merely a document that allows an organization to paper its liability.

When is a WISP Required?

As creatures of statute or regulation, WISPs are legally required if an entity falls within the jurisdictional scope of a regulatory regime.  So, for example, the Gramm-Leach-Bliley Act, or GLBA, will only apply to those entities that fall under the definition of a “financial institution” as defined by the statute.  See 15 U.S.C. § 6809(3) (“The term ‘financial institution’ means any institution the business of which is engaged in financial activities as described in section 1843(k) of title 12”).  On the state level, states such as Pennsylvania, New Hampshire, and South Carolina have a WISP requirement for certain insurers as defined by the state’s insurance code.  See, e.g., 31 Pa. Code § 146c.3 (“A licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information.”).

Given the relatively narrow scope of many of these WISP requirements, the Massachusetts regulations stand out as particularly broad.  Far from being cabined to entities within a particular industry, the Massachusetts regulations do not limit their application to entities that are domiciled or headquartered in Massachusetts, or even that specifically do business in Massachusetts.  Rather, they apply to “all persons [that is, natural person, corporation, other legal entity, etc.] that own or license personal information about a resident of the Commonwealth.”  201 CMR 17.01(2).  In other words, if a business “owns or licenses” the personal information about a single resident of Massachusetts, the regulations (and thus the requirement to develop a WISP) will apply.[2]  This is true even if an organization is already regulated by some other regulatory scheme, such as HIPAA.  See Commonwealth v. Milton Pathology Assocs., P.C., Civ. A. No. 12-4568 H, 2012 Mass. Super. LEXIS 2902 (Super. Ct. Dec. 20, 2012) (requiring a HIPAA-covered entity to maintain a WISP).

Why Should You Have a WISP?

The first reason to have a WISP is because the law might require it, and being out of compliance can prove to be an expensive and embarrassing risk.  The Commonwealth of Massachusetts has entered into consent judgments with parties in part (if not exclusively) to bring them into compliance with this requirement.  The Attorney General of Massachusetts is an avid enforcer of the WISP requirement.  See, e.g., Commonwealth v. Briar Grp., LLC, Civ. A. No. 11-1185 B, 2011 Mass. Super. LEXIS 2939 (Mass. Super. Ct. March 28, 2011) (requiring implementation of a WISP against a restaurant group accused of “failing to take reasonable steps to protect the personal information obtained from its patrons” in point of sale credit and debit card transactions); Commonwealth v. Haney, Civ. S. No. 16-00183m 2016 Mass. Super. LEXIS 915 (Super. Ct. January 14, 2016) (requiring a solo real estate practitioner to implement a WISP after allegedly failing to notify clients of a data breach); Milton Pathology Assocs., P.C., 2012 Mass. Super. LEXIS 2902.  So is the Federal Trade Commission with regard to the WISP requirement in the GLBA’s Safeguards Rule.  See In the Matter of Paypal, Inc., 162-3102, ¶ 40a (Fed. Trade Commission, 2017) (bringing a complaint against Venmo for failing to have a WISP through “at least August 2014”).

Having a good WISP might be as important as simply having one at all.  In the wake of the 2017 Equifax breach affecting millions of individuals, the Attorney General of Massachusetts (among countless others) sued Equifax.  Among the claims made by the Attorney General was that Equifax had violated the Massachusetts Data Security Regulations by having an insufficient WISP:  “Equifax failed to develop, implement, and maintain an adequate written information security program . . . and . . . this failure made the data breach possible.”  Commonwealth v. Equifax, Inc., Opinion No. 139895; 2018 Mass. Super. LEXIS 66 at *2 (Mass. Super Ct. April 3, 2018) (emphasis supplied).  Specifically, the Commonwealth alleged that “Equifax knew or should have known” that there was “a serious security vulnerability” in Equifax’s systems; that Equifax “failed to patch or upgrade its software to eliminate this vulnerability,” and that “Equifax did not even take reasonable steps to determine whether unauthorized parties were infiltrating its computer systems.”  Id.  Considering the issue at the motion to dismiss stage, the court concluded that the Commonwealth stated a claim and denied the motion to dismiss.  Id. at *3.  Critically, the Commonwealth used the WISP requirements as a basis for a series of allegations that Equifax did not take reasonable measures to prevent or mitigate the breach—emphasizing that it is not the mere existence of the document, but the adequacy of the practices, that the regulations are intended to control.

In fact, in Massachusetts, the data protection statute authorizing the regulations that require the WISP has itself recently changed, requiring that in the event of a breach triggering notification to the Attorney General and the Office of Consumer Affairs and Business Regulations, the company notify these agencies whether a WISP was in place at the time of the breach.  See G.L. c. 93H § 3(b).  The clear intent of this change to the statute is (1) to create an in terrorem motivation to put a WISP in place if one has not yet been developed, and (2) to make it easier for the Commonwealth to prosecute cases in which a breach occurred without adequate safeguards.

The second reason to have a WISP is that it can provide a defense to liability.  Data breaches are, unfortunately, ubiquitous.  So long as the data breach looms large, so too does the follow-on lawsuit.  But data breaches are notoriously difficult events for which to hold companies liable.  In federal court, simply getting through the hurdle of Article III standing can be impossible.  See, e.g., Clapper v. Amnesty International, 133 S. Ct. 1138 (2013) (holding that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must demonstrate that the harm is “certainly impending”); Carlsen v. GameStop, Inc., 112 F. Supp. 3d 855 (D. Minn. 2015) (applying Clapper to hold that there was no actual injury arising from the defendant’s alleged use of Facebook to share personally identifiable information in violation of the company’s privacy policy).  But see Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015) (“Clapper does not . . . foreclose any use whatsoever of future injuries to support Article III standing” in the case of a data breach).  When the cause of action is a state-based tort claim, such as negligence, the presence of a WISP can also make it difficult for a plaintiff to survive a motion to dismiss.  See Guin v. Brazos Higher Educ. Serv. Corp., Civ. No. 05-668 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846 *12 (D. Minn. Feb. 7, 2006) (noting that, while defendant conceded owing plaintiff a duty of care pursuant to the GLBA’s requirement of maintaining a WISP, the fact that the defendant indeed maintained a WISP was evidence of reasonable care); Warren v. Rodriguez-Hernandez, Civ. A. No. 5:10CV25, 2010 U.S. Dist. LEXIS 96121 at *15 (N.D.W.V. Sept. 15, 2010) (noting that plaintiffs could offer no evidence that their information had not been adequately protected given that, among other things, defendants maintained a WISP).

Conversely, failing to have a WISP can potentially be evidence of negligence.  When in search of a working theory of liability for a claim against an organization suffering a data breach, plaintiffs can turn to WISP requirements as evidence of a duty, and thus bring a claim sounding in negligence (whether or not it succeeds).  See Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718, 721 (E.D. Pa. 2011) (remanding a removal case to state court when the state statute requiring a “comprehensive” WISP potentially allowed for a negligence per se claim even though HIPAA did not provide a private right of action); Rebello v. Lender Processing Servs., 30 N.E. 3d 999, 1016 (Ohio App. 2015) (holding that the GLBA “manifests a clear public policy against the unauthorized access and disclosure of the nonpublic personal information of consumers” applicable to plaintiff in an unlawful termination suit, as manifested in part through the WISP requirement, and allowing the claim to proceed).

The third reason to have a WISP is that it is simply good practice.  While having a WISP can help an organization avoid compliance and litigation risk, having a WISP—that is, having actual practices to safeguard PII, memorialized in a document read and understood by those who handle such data—can, before any discussion of liability, help avoid a data breach or minimize the fallout from a data breach if it occurs.  In the end, isn’t that the point?

What Does the Future Hold?

The WISP is not only here to stay; it stands a good chance of becoming a universal instrument in a complete data management tool kit, both as a matter of good practice and a matter of law.  For example, the EU’s General Data Protection Regulation, or GDPR, does not specifically require a WISP.  But the law has a host of requirements suggesting something like a WISP is prudent, if not required.  See, e.g., GDPR Art. 5(2) (noting that the controller of personal data “shall be responsible for, and able to demonstrate compliance with” the requirement that personal data be processed lawfully, which includes processing with adequate security); id., Art. 25(2) (“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”).  Given the GDPR’s potentially global territorial scope, something like a WISP is almost certainly going to become a legal norm.

In short, the WISP is a deeply important instrument for organizations in their privacy and security programs.  While sometimes overlooked, it is both an increasingly important and ubiquitous regulatory requirement and a critical tool for creating robust security practices in an organization.


[1] For purposes of this article, unless otherwise indicated I will use “PII” to refer to the kind of information the practices outlined in WISPs are intended to safeguard.  However, protected information can often be referred to by other terms of art, depending on the regulatory scheme:  non-public financial information (the Gramm-Leach-Bliley Act); protected health information (the Health Insurance Portability and Accountability Act); and personal data (the European General Data Protection Regulation), to name three.

[2] A deep dive into the regulations reveals just how broad their scope is.  A “person” can be a natural person or any legal entity; “owns or licenses” can mean simply to “process” or simply to “have access to” the personal information of a Massachusetts resident.  201 CMR 17.02.


Chris is Counsel and Partner-Elect in Foley Hoag’s Litigation Department, and an active member of the firm’s Data Privacy and Security Group.  Chris has an active practice assisting organizations with their privacy compliance, data breach response, and government defense and litigation needs.  In addition, Chris teaches data privacy compliance as a Part-Time Lecturer at Northeastern University School of Law.