Security Assessment Resource — jitai.co/security-assessment/wisp-guide
Which States Require a WISP? A Nationwide Guide to Written Information Security Programs
A WISP (Written Information Security Program) is a written internal policy describing how your business identifies risks to the personal information it holds, what controls protect that information, and what you do when something goes wrong. Massachusetts is the state that requires the document by name, but many US states now require a written or reasonable information security program that does the same job. Because these laws follow where your customers and employees live, a business selling across the country is often covered by several at once.
Quick Answer
If your business holds personal information -- a name plus a Social Security number, driver’s license or state ID number, or a financial account number -- about residents of most US states, you are expected to maintain a written or reasonable information security program. Massachusetts requires it by name (a WISP) with no size exemption. Others require a functionally equivalent written program. The practical answer for a nationwide seller: assume you need one, and build it once to cover the strictest requirements you are subject to.
This page is educational information, not legal advice. Data-security laws vary by state, change frequently, and their application depends on your specific facts. Confirm your obligations with qualified legal counsel.
Which States Require a WISP or Written Information Security Program?
Massachusetts is the clearest example because it names the WISP in regulation. Many other states require a written or reasonable information security program that serves the same purpose. The list below is a representative, educational summary -- not a complete legal register, and not legal advice. Requirements change; verify current law for the states where your customers and employees live.
Massachusetts
201 CMR 17.00: explicitly requires a Written Information Security Program (WISP) for anyone holding personal information about a MA resident. No size or revenue exemption.
Requires a risk-based written information security program to protect personal information.
Requires reasonable safeguards, including a documented security program, for businesses that hold consumer personal information.
Requires reasonable administrative, technical, and physical safeguards. Small businesses may scale the program to their size and complexity (see exceptions below).
Requires reasonable security procedures to protect personal information; sector rules add written-program expectations.
Requires reasonable security procedures and practices appropriate to the nature of the personal information held.
Texas, Utah, and others
State data-security statutes: a growing number of states require reasonable security measures for businesses that hold residents' personal data.
Beyond the states listed above, a majority of US states have enacted general reasonable-security or data-protection statutes, and federal or sector rules can apply on top of state law regardless of where you operate:
- GLBA Safeguards Rule. Applies to: financial institutions (broadly defined -- includes many businesses offering financial products or services). Requires a written information security program and a qualified individual to oversee it, with some scaled provisions for smaller data holders.
- HIPAA Security Rule. Applies to: healthcare providers, plans, and their business associates handling protected health information. Requires documented administrative, physical, and technical safeguards -- effectively a WISP for PHI.
- FTC Act / FTC Safeguards. Applies to: most businesses handling consumer data. The FTC treats a failure to maintain reasonable, documented security as an unfair practice.
Are There Exceptions for Company Size or Revenue?
This is the most common question from small businesses, so here is the direct answer: exceptions are narrow, and most of them scale the requirement rather than remove it.
- Massachusetts (201 CMR 17): no exemption. There is no threshold for size, employee count, or revenue. A solo practitioner with one Massachusetts client is covered the same as a 500-person firm. If you hold covered MA-resident personal information, you need a WISP.
- New York (SHIELD Act): scaled, not exempt. Small businesses -- generally those under thresholds for employee count, gross revenue, and year-end assets -- must still maintain reasonable safeguards, but the program may be appropriate to the size and complexity of the business. That is an accommodation on depth, not a pass on having a program.
- GLBA Safeguards Rule: scaled for smaller data holders. Financial institutions must maintain a written program; some elements are scaled for those that maintain information on fewer consumers. It applies based on your activities, not your size.
- Most state reasonable-security laws: data-based, not size-based. These laws apply because of the personal data you hold, not how big you are. A true “we are too small to need anything” exemption is rare.
Bottom line: if you hold personal data, plan on needing a written program of some kind. The size of your business usually affects how detailed it must be, not whether you need one. Confirm the specifics for your situation with qualified legal counsel.
What a WISP Must Include
Whatever the state, a written program is expected to address the same core elements. Building to this set generally satisfies Massachusetts and the reasonable-security expectations of other states:
1. Scope and ownership. Who is responsible for the security program? What systems, locations, people, and data does the WISP cover? Name a person or role accountable for maintaining the program.
2. Risk identification and assessment. A documented process for identifying internal and external threats to personal data -- not just awareness that risks exist.
3. Access controls. Who can access personal data and how that access is controlled: authentication (including multi-factor), least-privilege roles, and revocation when people leave or change roles.
4. Employee training and awareness. How you train employees to handle personal data and recognize threats. Training must happen and be documented -- who attended, what was covered, when.
5. Physical safeguards. Securing physical locations where personal data is stored or accessed: locked storage, clean-desk practices, and visitor access controls.
6. Technical safeguards. Encryption of personal data on portable devices and over public networks, up-to-date security software, secure authentication, monitoring for unauthorized access, and current security patches.
7. Vendor and third-party management. How you select, contract with, and monitor vendors who handle personal data on your behalf -- payroll, cloud, IT support, accounting. Contracts must require appropriate vendor safeguards.
8. Incident response and breach notification. What you do when a breach occurs or is suspected: who decides a breach occurred, who is notified, and in what timeframe. State breach-notification laws set specific deadlines.
9. Periodic review. The program is reviewed and updated at least annually and whenever there is a material change in practices, technology, or key personnel.
Common Gaps
These are the most frequent failures when businesses examine their current state:
No written document at all.
Many businesses have informal security practices but nothing documented. Good practices without documentation are not a WISP. This is the most common gap.
Program exists but was never updated.
A program written years ago that references systems long retired is not adequate. Periodic review is a requirement, not a suggestion.
Missing vendor agreements.
Businesses with strong internal controls often overlook contractual security requirements for the vendors who handle personal data on their behalf.
Training is not documented.
If you train employees but keep no records of who was trained and when, you cannot demonstrate the program is real.
Access revocation gaps.
Email is disabled when someone leaves, but other systems where they had access to personal data are missed. Define an offboarding checklist covering all relevant systems.
Program does not match actual practice.
A document describing a program you do not actually operate is its own risk. The written program must reflect reality.
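The access-revocation gap above, and the revocation requirement under access controls, is easiest to close with a recurring check rather than memory: compare the HR roster against an account export from every system that holds personal data, and flag any enabled account that belongs to a departed employee or to nobody on the roster at all. The script below is an added example written for this page, not code from Just In Time AI or from any regulation; the roster, the system names (email, payroll, crm), the field names, and the dates are all constructed sample data, and a real deployment would replace them with exports from the actual systems on the offboarding checklist.

```python
"""Offboarding reconciliation: find accounts that should have been revoked.

Added example (not from the original page). All data below is constructed;
field names such as "status", "end_date", "user" and "enabled" are assumed
and would map to whatever each real system's export provides.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed HR roster export: one row per person the business has employed.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "terminated", "end_date": "2024-03-01"},
    {"email": "carol@example.com", "status": "terminated", "end_date": "2024-05-15"},
]

# Constructed per-system account exports. Every system on the offboarding
# checklist that holds personal data should appear here, not just email.
SYSTEM_ACCOUNTS = {
    "email": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "bob@example.com", "enabled": False},
        {"user": "carol@example.com", "enabled": False},
    ],
    "payroll": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "Bob@example.com", "enabled": True},    # missed at offboarding
    ],
    "crm": [
        {"user": "alice@example.com", "enabled": True},
        {"user": "carol@example.com", "enabled": True},  # missed at offboarding
        {"user": "dave@example.com", "enabled": True},   # no HR record at all
    ],
}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    reason: str
    days_open: Optional[int]  # days since termination; None for orphan accounts


def find_revocation_gaps(roster: List[dict], accounts: Dict[str, List[dict]],
                         today: date) -> List[Finding]:
    """Return every enabled account that the HR roster says should not exist.

    Two failure modes are reported: an enabled account for a terminated
    employee (with how long it has been open), and an enabled account with no
    matching HR record at all (an orphan, which the checklist cannot catch
    because nobody's departure triggers it).
    """
    terminated = {r["email"].lower(): date.fromisoformat(r["end_date"])
                  for r in roster if r["status"] == "terminated"}
    known = {r["email"].lower() for r in roster}
    findings: List[Finding] = []
    for system, entries in accounts.items():
        for acct in entries:
            if not acct["enabled"]:
                continue  # already revoked in this system
            user = acct["user"].lower()  # exports differ in case; normalise
            if user in terminated:
                findings.append(Finding(system, user,
                                        "enabled account for terminated employee",
                                        (today - terminated[user]).days))
            elif user not in known:
                findings.append(Finding(system, user,
                                        "enabled account with no HR record",
                                        None))
    return sorted(findings, key=lambda f: (f.system, f.user))


def systems_still_enabled(email: str, accounts: Dict[str, List[dict]]) -> List[str]:
    """Per-person view for the offboarding checklist: which systems remain open."""
    email = email.lower()
    return sorted(system for system, entries in accounts.items()
                  if any(a["user"].lower() == email and a["enabled"] for a in entries))


if __name__ == "__main__":
    for f in find_revocation_gaps(HR_ROSTER, SYSTEM_ACCOUNTS, date(2024, 6, 1)):
        print(f"{f.system:8} {f.user:20} {f.reason} "
              f"({'n/a' if f.days_open is None else str(f.days_open) + ' days'})")
```

Run against the constructed data, the check reports Bob still enabled in payroll 92 days after his end date, Carol still enabled in the CRM, and an orphan CRM account for Dave; the email system, where offboarding was done, produces nothing. Keeping the output of each run alongside the training and review records is the kind of evidence that demonstrates the program is operated, not just written.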
How Just In Time AI Helps
Just In Time AI, headquartered in Berkley, MA, helps businesses across the United States understand their security posture and build written programs that hold up to state and sector requirements.
The starting point is the free security self-assessment at jitai.co/security-assessment. It is a self-attested posture indicator -- not an audit or certification, and not a substitute for legal review. You answer 18 questions across the same control domains a WISP must cover: written policy, access controls, data protection, backup and recovery, detection and response, and vendor management.
From there, a paid gap assessment maps your current state against the requirements that apply to you and the relevant NIST controls. We work with frameworks including NIST 800-171, NIST 800-53, NIST CSF, SOC 2, ISO 27001, and state WISP requirements. Consult your legal counsel for determination of your specific legal obligations.
Key Takeaways
- ✓ Massachusetts requires a WISP by name (201 CMR 17); many other states require a written or reasonable information security program that does the same job.
- ✓ State laws follow your customers and employees, so a nationwide seller is usually subject to several at once -- build once to the strictest.
- ✓ Massachusetts has no size or revenue exemption. Other laws mostly scale the requirement to your size rather than remove it.
- ✓ A written program should cover risk assessment, access controls, training, physical and technical safeguards, vendor management, incident response, and periodic review.
- ✓ Federal and sector rules (GLBA, HIPAA, FTC) can apply on top of state law.
- ✓ A self-attested posture indicator shows where your gaps are before you invest in remediation. It is not legal advice.
Frequently Asked Questions
- Which states require a WISP?
- Are there exceptions to needing a WISP based on company size or revenue?
- What does WISP stand for?
- Does a business outside Massachusetts need a WISP?
- What must a WISP include?
- How often does a WISP need to be reviewed?
- Is a WISP the same as a cybersecurity policy?
- How do I know if my current program is adequate?
Start With a Free Self-Assessment
Not sure where your security program stands? The Just In Time AI free security self-assessment walks you through 18 questions across the same domains a WISP must cover. You get an instant on-page posture view and an emailed summary -- no sales call required.
This is a self-attested posture indicator, not an audit or certification. It does not substitute for legal review or a professional gap assessment.
Just In Time AI — jitai.co — Berkley, MA — serving businesses nationwide
