Who needs a WISP?

• Businesses handling personal information. Any business that collects, stores, or processes personal information.
• Regulated industries. Sectors such as health care, insurance, finance, and education have additional federal and state regulations mandating robust information security measures.  For example, effective January 1, 2026, Alaska will require insurers licensed in that state to develop, implement, and maintain WISPs as part of their required risk assessment programs.
• Entities reporting data breaches. In states like Massachusetts, entities must have a WISP on file when reporting a data security incident.

Why is a WISP important?

• Legal and regulatory compliance. In jurisdictions where a WISP is required, the WISP can help entities avoid penalties and reduce liability by adhering to state and federal laws.
• Risk management. A WISP can help the entity identify and mitigate potential security risks through regular assessments.
• Incident response. A WISP will help to ensure that the entity has a clear plan for responding to data security incidents, as well as notification obligations that may arise from an incident.
• Organizational alignment. A WISP will provide consistency across an organization’s departments on security protocols and responsibilities.

Checklist for developing a WISP

• Oversight. Designate an information security officer or similarly qualified individual to oversee and coordinate a program that makes sense for your organization based on its size and the complexity of your business.
• Risk Assessment. Identify potential internal and external threats and vulnerabilities in each of your organization’s operations that could result in unauthorized access, disclosure, misuse, alteration or destruction of sensitive data in the possession of your organization and the possession of your third-party vendors.
• Documentation. Record the threats identified in your organization’s risk assessment in such areas as the security and confidentiality of sensitive information in its possession, employee training and management, data classification, vendor security, network design, and data storage. You should also record the safeguards that your organization has in place to manage, detect, prevent, and respond to security incidents. Develop and reference specific policies for each of these areas of concern.
• Legal requirements. Consult with counsel to determine which laws and regulations apply to your organization, including your obligations in the event of a data security incident, so that your WISP complies with those requirements. You should also be aware of the consequences of non-compliance at both state and federal levels.

If you need assistance in developing a WISP, please contact any of the members of our Cybersecurity Team.

The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

*Edwin Jones is a paralegal in the Cybersecurity Practice Group.