Businesses are now required by law to develop a Written Information Security Program (WISP). The Federal “Red Flag Act,” signed into law in December 2010, and the Massachusetts Privacy Law (Mass. General Law Ch. 93) are wake-up calls for businesses nationally. A WISP is not a one-size-fits-all solution, and it is not a binder that sits on a shelf collecting dust. It is not a self-administered survey.
The purpose of this legislation is to require companies to maintain a documented plan of action to protect against data breaches, and also to have a plan of action for after a breach has occurred. A WISP must include administrative, technical and physical safeguards designed to meet the requirements of the regulations. The plan must reflect a risk-based approach that is appropriate to the size, scope and type of business handling the information, the resources available to the business, the amount of stored data, and the need for security and confidentiality of both consumer and employee information.
What will the effect on your business be if a compliance failure results in a data breach or theft of private information? How will you manage the heavy fines, regulator presence and the loss of the ability to accept credit/debit payments at all?