Massachusetts & the Written Information Security Policy (WISP) Requirements: Updating Your WISP to Reflect the New “Normal” of Work

By Michael Simon

Are your employees coming back to the office?  Then it’s time to update your written information security policy (WISP). 

Since 2010, Massachusetts Mass. Gen. L. 93H has required organizations that collect “Personal Information” to implement a comprehensive written information security policy (WISP).  Massachusetts amended chapter 93H effective April 11, 2019 to reaffirm the need for a WISP further, including a requirement that in the breach notice to the Attorney General that the organization confirm “whether the person or agency maintains a written information security program” and to identify any steps taken or to take relating to the incident, “including updating the written information security plan.” 

Thus, if you are a Massachusetts-based organization, or if you do any business with Massachusetts residents, you should have made sure to update your WISP when your employees started working remotely. After many months of remote work in many parts of the United States, employers are starting to bring at least some employees back into the workplace. CNBC surveys of senior executives indicate that many companies expect 50% or more of their employees to return to the office by September. Those returning employees will be bringing not just themselves back to the workplace, but their connected devices, from home environments, described by more than half of the respondents in corporate surveys as “mildly to severely less secure than the office.” 

So even if you did update your WISP ASAP for WFH issues, it’s time to update it once again, to reflect the concerns over what those employees might be bringing back to the office.

Home may well be “where your heart is” but it’s home to an awful lot of security issues too

The inescapable truth for remote workers is that they leave your cybersecurity hardened environment behind when they work from home. The security protection for your at-home workers is only as good as their at-home environment – and unfortunately, that’s not often very good at all. A recent report found that remote office networks:

  • Were “3.5x more likely than corporate networks to have at least one family of malware”;
  •  Were “7.5x more likely to have at least five distinct families of malware”; and
  • Had “more than 25% of all devices have one or more services exposed on the internet”.

Other experts point out that “”Thousands of people, at the very least, are using their personal computers for work,” and that “they might even have already been compromised by malware and other exploits.” These experts recommend strict return-to-work measures such as “a quarantine network away from the production network and use that to triage devices to ensure they are patched, use only company approved software, and are configured properly.”

These security flaws extend to even the most fundamental level; a recent study of 127 different home router models showed that “there is no router without flaws” and that “many routers are affected by hundreds of known vulnerabilities.”  As the study goes on to note: “what makes matters even worse . . . some routers have easy crackable or even well known passwords that cannot be changed by the user.”  And yet, even this bad news gets worse, as one security expert who reviewed the study was “absolutely stunned” at the few router brands that the study picked out as doing “a better job than others” had models in the test that were out of support for years.

Some mobile apps pose troubling security problems as well, as they can access the “universal clipboard” on iPhones and iPads, even on different devices within Bluetooth range.  The data on this clipboard could include passwords, account-reset links, and personal messages.  One major law firm recently made headlines by mandating, reportedly after a client request, that all associates delete TikTok from their smartphones.  As famous (infamous?) as TikTok might be, it’s far from the only problematic app; computer news site ARS Technica provided a list that included apps from NPR, New York Times, FoxNews, The Wall Street Journal, Accuweather,, and even Fruit Ninja (is that even still a thing?). 

Now is the time to reassess and perhaps even rewrite your information security policies

Corporate surveys show that “almost half” of companies do not mandate wireless encryption for at-home employees, over one third do not require device encryption and – stunningly – more than 10% “allow employees to bring their own devices with no restrictions on use by others in the household.”  Comprehensive employee training could help make up for some of these policy gaps, yet, according to these same surveys, corporations report that “more than 70% of employees have not received training on mandatory standards for work-at-home security.”  It is for exactly this reason that experts worry: “If I’m working from home, my kids might be on that same computer, my spouse. Who knows who is using these devices?”

Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) 201 CMR 17.00 contains the minimum standards for Chapter 93.  201 CMR 17.03(i) requires that every WISP include provisions for:

“Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.”

OCABR’s 201 CMR 17.00 Compliance Checklist further reiterates the need to keep your WISP updated:

“Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary?”

Need help?  XPAN can help

Unlike many other state privacy laws, Massachusetts does not provide a “small business exception”; as the OCABR FAQs for 201 CMR 17.00 make clear all organizations of any size are potentially covered.  As well, there is no exception for the size of the data breach; the Attorney General’s annual report of data breach notifications is filled with breaches listed as affecting only one or two residents.

If your company is doing business in Massachusetts, you need a WISP.  The recent events that lead to an unprecedented number of employees working remotely would almost certainly constitute a “change in business practices that may reasonably implicate the security or integrity of records containing personal information.”  Likewise, the return of those employees from their “mildly to severely less secure” home network environments to the office would also be a similar “change in business practices.”

If you find yourself needing help in getting your procedures, training and particularly your WISP updated – or if you didn’t update it to reflect employees working from home in the first place, feel free to reach out to us.  We can help get you compliant as quickly as possible, before you find that your employees have brought back more from home than you bargained for. And, remember, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.