State Laws Require Businesses to Will o' WISP

In 2018, Michigan enacted its Data Security Act which applies to persons and entities with licenses from its Department of Insurance and Financial Services.


In order to comply with the act it is necessary to :


1. Prepare a Written Information Security Program (WISP).

2. File a certificate of compliance with the Department each year.

3. Report breaches to the Department within 10 days after discovery.


Massachusetts also has cybersecurity regulations which require that a WISP be filed. A template of a WISP that complies with Massachusetts law and the Gramm-Leach-Bliley Act has been prepared by Thomson Reuters and is available here on the website of the International Association of Privacy Professionals (IAPP). A WISP should cover the following:


1. Define personal information and sensitive information.

2. Designate a person responsible for implementing the WISP.

3. Provide for regular risk assessments.

4. Direct the distribution of information security policies within the organization.

5. Monitor service providers to ensure they comply with WISP.

6. Establish Incident response procedures.