What is a “WISP” and Do I Need One?

January 2026

The term “WISP” stands for a Written Information Security Plan.  WISPs are governed by Massachusetts General Laws, chapter 93H and the regulations promulgated under that chapter.  You need a WISP if you are an employer, retailer, or otherwise possess or store the “Personal Information” of Massachusetts residents.  “Personal Information” is defined as the name of the Massachusetts resident, in combination with any of the following:

  • Social Security number or tax identification number
  • Driver’s license number
  • Financial account number (such as a credit card or debit card number) with or without the password or security code
  • Biometric indicator (such as a fingerprint or DNA)

This law is one of a plethora of federal and state laws intended to mitigate the risks of identity theft.  Others include HIPAA, the Gramm-Leach-Bliley Act, SEC requirements, and the so-called “Red Flag” Regulations of the Federal Trade Commission.

Although MGL chapter 93H has been in place for over a decade, it is often honored in the breach.  A surprising number of entities subject to the law – in particular, closely held companies – do not have WISPs.  Enforcement of chapter 93H is the responsibility of the Office of the Massachusetts Attorney General, which can impose sanctions including civil fines of up to $5,000, plus the cost of any investigation and litigation, including attorneys’ fees.  In the event of litigation, the courts have the authority to order security upgrades and operational changes.  Finally, injured parties may bring private suits to recover their damages.

Under MGL chapter 93I, improper disposal of records containing personal information can result in civil fines of up to $50,000, making the potential costs of non-compliance significant.

If we can provide any additional information, please contact Bill Miller at wmiller@bizlawma.com.

This memorandum is intended to provide general information of potential interest to clients and others. It does not constitute legal advice. The receipt of this memorandum by any party who is not a current client of the Business Law Group does not create an attorney-client relationship between the recipient and the firm. Under certain circumstances, this memorandum may constitute advertising under the Rules of the Massachusetts Supreme Judicial Court and the bar associations of other states.