Businesses are increasingly operating online and, as a result, are collecting more personal and confidential information.
Because of this, it is more important than ever for businesses to be aware of their cybersecurity risks.
Developing a Written Information Security Plan (WISP) can prompt an organization to assess its cybersecurity risks and implement measures to protect sensitive information. A WISP can also help an organization show that it takes privacy and security seriously, a plus for prospective clients and employees. A well-thought-out plan also makes it simple to communicate expectations and practices to employees, customers, and regulators.
A WISP may also be required for businesses that handle nonpublic personal information. For example, Massachusetts has detailed WISP requirements for businesses that collect personal information from its residents, regardless of where the business is located. Financial institutions that collect nonpublic personal information subject to the Gramm-Leach-Bliley Act are required to have safeguards in place to protect that personal information and require their contractors to have similar guidance in place. Entities subject to HIPAA must also implement and maintain safeguards, which can be organized in a WISP.
Even if your jurisdiction does not require implementation of a WISP, businesses that collect, store, or handle sensitive information should maintain a WISP as a matter of best practice. The Information and Business Technology group at Metz Lewis has years of experience in data privacy and security matters and is ready to have a conversation about the needs of your business.
This post was written by Matthew Borges