Written Data Security Plan

Are you a Massachusetts small business owner without a written Data Security Plan (WISP) in place? You may be violating Massachusetts law. Also Cyber security should never begin after an attack occurs.Data Protection Law Attorney Massachusetts

As hackers become ever more sophisticated, confidential data breaches and identity theft are going to become more frequent. Massachusetts is on the forefront of consumer protection for its residents and the area of data security is no exception. In 2007 Massachusetts enacted a comprehensive data security law, requiring that covered entities notify the attorney general’s office and the affected individual of any unauthorized acquisition or use of a Massachusetts residents’ personal information and prescribing the manner in which such personal information must be discarded or destroyed. The Massachusetts’ Office of Consumer Affairs and Business Regulation promulgated regulations that went into effect in 2010 requiring business owners develop and implement written data security programs (WISP) and comply with requirements for safeguarding and disposing of personal information.

These data security regulations apply to individuals and businesses including corporations, partnerships and LLCs (as well as government agencies) that store or maintain personal information.

What Constitutes Personal Information?

Personal information is a combination of:

–           A Massachusetts’ resident’s first name (or initial) and last name plus their

–           Social Security number

–           Driver’s license number

–           State-issued identification card or state-school student identification card

–           Credit card number or financial account number

A financial account is any account that may lose money, credit or assets upon unauthorized access. This includes credit and debit accounts, checking and savings accounts and investment fund accounts.

This means that if you are a small business owner who does just two things – 1) records the names of your customers on invoices and 2) processes credit card or check payments for those customers – or you are a small business owner with even just one employee who is a Massachusetts resident who has filled out tax withholding or direct deposit forms, your business is required to have a written data security program (WISP) and to comply with Massachusetts law on handling and disposing of confidential personal information.


The regulations require that businesses assess their current policies and systems for handling personal information, adopt a written program that uses physical, administrative and technological means to protect the information and appoint a security coordinator to run the program. These regulations also require businesses use specific methods for the destruction of personal information which prevent the contents from being read or reconstructed, and to report breaches and unauthorized use or acquisition of personal information to the Massachusetts Attorney General and the affected individuals as soon as practicable and without delay.

Fines & Violations

Violations of the data destruction law can lead to fines of up to $50,000 for each instance of improper disposal. More ominous for small business owners is that the law explicitly provides that violators may also be liable under Massachusetts’ consumer protection statute, Chapter 93A, which could lead to very severe financial penalties.

Conlon Law can assess your current data security policies, or create a custom data security program tailored to your small business based on your size, scope, type of business and resources and help you minimize your risk.

Contact Conlon Law for information on how to create a WISP for your small business. Call us today. 978-341-4400