August 9, 2022

Volume XII, Number 221


August 08, 2022

Subscribe to Latest Legal News and Analysis

Change in Massachusetts Data Breach Notification Law Highlights Requirement That Organizations Implement a Written Information Security Program (WISP)


Since 2010, Massachusetts has required organizations that collect personal data about Massachusetts residents to implement a comprehensive written information security program (“WISP”) designed to avoid and respond to data security incidents.

Despite this requirement, many companies, particularly those not physically located in Massachusetts, have not done so. Historically, the absence of a WISP is something that went unnoticed, but that may no longer be the case due to a recent change in the Massachusetts breach notification law.

Specifically, Massachusetts has amended its data breach notification law to require organizations that experience a data security incident to notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation whether the organization implemented a WISP. This new reporting requirement highlights both the legal and practical need to implement a WISP.

Change in the Law

Effective April 11, 2019, organizations that experience a data breach that exposes the personal information of Massachusetts residents will have new responsibilities under Massachusetts law. In addition to the preexisting requirements that organizations notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation regarding the nature of the breach, the number of impacted Massachusetts residents, and the steps taken related to the incident, organizations must now also expressly state whether the organization implemented a WISP. Organizations must also state whether they have updated their WISP after the data incident. While this new requirement does not formally go into effect until April 11, 2019, the Office of Consumer Affairs and Business Regulation has already updated its notification form to ask whether the organization implemented a WISP.

Organizations must also continue to notify impacted Massachusetts residents of the data breach and must now notify the residents that there is no charge to institute a security freeze or credit freeze. If the breach disclosed the Social Security Number of Massachusetts residents, the organization must now provide a minimum of 18 months of credit monitoring services, or 42 months if the organization is a consumer reporting agency. Related to this requirement, the organization may not require Massachusetts residents to waive their right to file a lawsuit in exchange for the credit monitoring services.

What is a Written Information Security Program?

A WISP is designed to develop and document the systems and processes that protect the customer and employee personal information stored by an organization. Under Massachusetts law, a WISP must address certain areas, including:

1)      designating employees responsible for the security program;

2)      identifying and assessing security risks;

3)      developing policies for the storage, access, and transportation of personal information;

4)      imposing disciplinary measures for violations of the WISP;

5)      limiting access by terminated employees;

6)      overseeing the practices of third-party vendors;

7)      restricting physical access to records;

8)      monitoring and reviewing the scope and effectiveness of the WISP; and

9)      documenting steps taken in response to data security incidents.

A WISP must also establish certain computer system security standards when technically feasible, including:

1)      securing user credentials;

2)      restricting access to personal information on a need-to-know basis;

3)      encrypting the transmission and storage of personal information;

4)      monitoring of security systems;

5)      updating firewalls, security patches, anti-virus, and anti-malware software; and

6)      training employees on the proper use of the computer security systems.

The Takeaway

Written information security plans are required for those organizations that collect personal information from Massachusetts residents and Massachusetts is taking steps to ensure organizations comply with that requirement. Apart from this legal obligation, all organizations should strongly consider implementing and documenting their processes for protecting personal information and for responding to a data security incident. Proactively assessing and addressing information security risks will not only fulfill the organization’s requirements under Massachusetts law, but will allow the organization to reduce its risk of a data security incident and be prepared to quickly respond in the event an incident does take place.

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume IX, Number 103

About this Author

Michael Waters Polsinelli litigation lawyer

Michael Waters is an experienced litigator and member of the Tech Transactions & Data Privacy practice.  He handled one of the first data breach matters shortly after California passed its breach notification law in 2003 and has since counseled clients across industries through nearly every conceivable type of breach, from system-wide network intrusions and ransomware attacks to situations involving cyber extortion, stolen laptops and computer hardware, email compromises, wire fraud and employee wrongdoing.

Michael regularly assists companies in investigations...

Alex Boyd data privacy lawyer Polsinelli

Alexander D. Boyd is an associate in the Technology Transactions and Data Privacy practice. Working with Polsinelli attorneys in the Intellectual Property Department, he advises clients on data privacy compliance, cybersecurity, and best practices for internet-based businesses. Alex uses his experience as a Certified Information Privacy Professional (CIPP/US) and as a litigator to provide his clients practical advice regarding domestic and international privacy and cybersecurity regulations, data privacy audits, Federal Trade Commission compliance, GDPR compliance,...