
Security Assessment Resource — jitai.co/security-assessment/wisp-guide

Which States Require a WISP? A Nationwide Guide to Written Information Security Programs

A WISP (Written Information Security Program) is a written internal policy describing how your business identifies risks to the personal information it holds, what controls protect that information, and what you do when something goes wrong. Massachusetts is the state that requires the document by name, but many US states now require a written or reasonable information security program that does the same job. Because these laws follow where your customers and employees live, a business selling across the country is often covered by several at once.

Quick Answer

If your business holds personal information -- a name plus a Social Security number, driver’s license or state ID number, or a financial account number -- about residents of most US states, you are expected to maintain a written or reasonable information security program. Massachusetts requires it by name (a WISP) with no size exemption. Others require a functionally equivalent written program. The practical answer for a nationwide seller: assume you need one, and build it once to cover the strictest requirements you are subject to.

This page is educational information, not legal advice. Data-security laws vary by state, change frequently, and their application depends on your specific facts. Confirm your obligations with qualified legal counsel.

Which States Require a WISP or Written Information Security Program?

Massachusetts is the clearest example because it names the WISP in regulation. Many other states require a written or reasonable information security program that serves the same purpose. The list below is a representative, educational summary -- not a complete legal register, and not legal advice. Requirements change; verify current law for the states where your customers and employees live.

  • Massachusetts (201 CMR 17): explicitly requires a Written Information Security Program (WISP) for anyone holding personal information about a MA resident. No size or revenue exemption.
  • Rhode Island: requires a risk-based written information security program to protect personal information.
  • Oregon: requires reasonable safeguards, including a documented security program, for businesses that hold consumer personal information.
  • New York (SHIELD Act): requires reasonable administrative, technical, and physical safeguards. Small businesses may scale the program to their size and complexity (see exceptions below).
  • Connecticut: requires reasonable security procedures to protect personal information; sector rules add written-program expectations.
  • California: requires reasonable security procedures and practices appropriate to the nature of the personal information held.
  • Other states: a growing number require reasonable security measures for businesses that hold residents' personal data.

Beyond the states listed above, a majority of US states have enacted general reasonable-security or data-protection statutes. Federal and sector rules can also apply on top of state law, regardless of where you operate:

  • GLBA Safeguards Rule
    Applies to: financial institutions (broadly defined -- includes many businesses offering financial products or services).
    Requires a written information security program and a qualified individual to oversee it, with some scaled provisions for smaller data holders.
  • HIPAA Security Rule
    Applies to: healthcare providers, health plans, and their business associates handling protected health information (PHI).
    Requires documented administrative, physical, and technical safeguards -- effectively a WISP for PHI.
  • FTC Act / FTC Safeguards
    Applies to: most businesses handling consumer data.
    The FTC treats a failure to maintain reasonable, documented security as an unfair practice.

Are There Exceptions for Company Size or Revenue?

This is the most common question from small businesses, so here is the direct answer: exceptions are narrow, and most of them scale the requirement rather than remove it.

  • Massachusetts (201 CMR 17): no exemption. There is no threshold for size, employee count, or revenue. A solo practitioner with one Massachusetts client is covered the same as a 500-person firm. If you hold covered MA-resident personal information, you need a WISP.
  • New York (SHIELD Act): scaled, not exempt. Small businesses -- generally those under thresholds for employee count, gross revenue, and year-end assets -- must still maintain reasonable safeguards, but the program may be appropriate to the size and complexity of the business. That is an accommodation on depth, not a pass on having a program.
  • GLBA Safeguards Rule: scaled for smaller data holders. Financial institutions must maintain a written program; some elements are scaled for those that maintain information on fewer consumers. It applies based on your activities, not your size.
  • Most state reasonable-security laws: data-based, not size-based. These laws apply because of the personal data you hold, not how big you are. A true “we are too small to need anything” exemption is rare.

Bottom line: if you hold personal data, plan on needing a written program of some kind. The size of your business usually affects how detailed it must be, not whether you need one. Confirm the specifics for your situation with qualified legal counsel.

What a WISP Must Include

Whatever the state, a written program is expected to address the same core elements. Building to this set generally satisfies Massachusetts and the reasonable-security expectations of other states:

  1. Scope and ownership
     Who is responsible for the security program? What systems, locations, people, and data does the WISP cover? Name a person or role accountable for maintaining the program.
  2. Risk identification and assessment
     A documented process for identifying internal and external threats to personal data -- not just awareness that risks exist.
  3. Access controls
     Who can access personal data and how that access is controlled: authentication (including multi-factor), least-privilege roles, and revocation when people leave or change roles.
  4. Employee training and awareness
     How you train employees to handle personal data and recognize threats. Training must happen and be documented -- who attended, what was covered, when.
  5. Physical safeguards
     Securing physical locations where personal data is stored or accessed: locked storage, clean-desk practices, and visitor access controls.
  6. Technical safeguards
     Encryption of personal data on portable devices and over public networks, up-to-date security software, secure authentication, monitoring for unauthorized access, and current security patches.
  7. Vendor and third-party management
     How you select, contract with, and monitor vendors who handle personal data on your behalf -- payroll, cloud, IT support, accounting. Contracts must require appropriate vendor safeguards.
  8. Incident response and breach notification
     What you do when a breach occurs or is suspected: who decides a breach occurred, who is notified, and in what timeframe. State breach-notification laws set specific deadlines.
  9. Periodic review
     The program is reviewed and updated at least annually and whenever there is a material change in practices, technology, or key personnel.

Common Gaps

These are the most frequent failures when businesses examine their current state:

No written document at all.

Many businesses have informal security practices but nothing documented. Good practices without documentation are not a WISP. This is the most common gap.

Program exists but was never updated.

A program written years ago that references systems long retired is not adequate. Periodic review is a requirement, not a suggestion.

Missing vendor agreements.

Businesses with strong internal controls often overlook the contractual security requirements they owe to, and should demand from, vendors who handle personal data on their behalf.

Training is not documented.

If you train employees but keep no records of who was trained and when, you cannot demonstrate the program is real.

Access revocation gaps.

A common pattern is disabling email when someone leaves but missing the other systems where they had access to personal data. Define an offboarding checklist covering every relevant system.

Program does not match actual practice.

A document describing a program you do not actually operate is its own risk. The written program must reflect reality.

How Just In Time AI Helps

Just In Time AI, headquartered in Berkley, MA, helps businesses across the United States understand their security posture and build written programs that hold up to state and sector requirements.

The starting point is the free security self-assessment at jitai.co/security-assessment. It is a self-attested posture indicator -- not an audit or certification, and not a substitute for legal review. You answer 18 questions across the same control domains a WISP must cover: written policy, access controls, data protection, backup and recovery, detection and response, and vendor management.

From there, a paid gap assessment maps your current state against the requirements that apply to you and the relevant NIST controls. We work with frameworks including NIST 800-171, NIST 800-53, NIST CSF, SOC 2, ISO 27001, and state WISP requirements. Consult your legal counsel for determination of your specific legal obligations.

Key Takeaways

  • Massachusetts requires a WISP by name (201 CMR 17); many other states require a written or reasonable information security program that does the same job.
  • State laws follow your customers and employees, so a nationwide seller is usually subject to several at once -- build once to the strictest.
  • Massachusetts has no size or revenue exemption. Other laws mostly scale the requirement to your size rather than remove it.
  • A written program should cover risk assessment, access controls, training, physical and technical safeguards, vendor management, incident response, and periodic review.
  • Federal and sector rules (GLBA, HIPAA, FTC) can apply on top of state law.
  • A self-attested posture indicator shows where your gaps are before you invest in remediation. It is not legal advice.

Frequently Asked Questions

Which states require a WISP?

Massachusetts is the state that explicitly requires a document called a Written Information Security Program (WISP) under 201 CMR 17. Many other states -- including Rhode Island, Oregon, New York, Connecticut, and California -- require businesses that hold personal data to maintain a written or reasonable information security program that functions as a WISP, even if the statute uses different words. Because state laws apply based on where your customers and employees live rather than where your business is located, a company selling across the US is often subject to several of them at once. This is educational information, not legal advice; verify your obligations with qualified counsel.

Are there exceptions to needing a WISP based on company size or revenue?

For Massachusetts 201 CMR 17 there is no exemption based on company size, employee count, or revenue -- if you hold covered personal information about a Massachusetts resident, you need a WISP. Some other laws scale rather than remove the requirement: New York's SHIELD Act still requires reasonable safeguards for small businesses but allows the program to be appropriate to the business's size and complexity. Sector rules like the federal GLBA Safeguards Rule apply to financial institutions with some scaled provisions for smaller data holders. In general, most state reasonable-security laws apply based on the data you hold, not your size, so a true "we are too small" exemption is rare. Verify with counsel.

What does WISP stand for?

WISP stands for Written Information Security Program. It is a documented, internal policy describing how a business identifies risks to the personal information it holds, what controls protect that information, and what happens when something goes wrong. Massachusetts 201 CMR 17 is where the exact term is defined in law, but the same document satisfies written and reasonable information security program requirements in many other states.

Does a business outside Massachusetts need a WISP?

Yes, if it holds covered personal information about residents of a state that requires one. Massachusetts law applies to any business anywhere that handles personal information about Massachusetts residents. Other states apply their own reasonable-security requirements to businesses that hold their residents' data. A company selling nationwide typically holds data about residents of many states and should assume multiple state requirements apply. This content is educational, not legal advice.

What must a WISP include?

A well-built WISP addresses: the scope of the program and who owns it, a risk identification and assessment process, access controls, employee training, physical safeguards, technical safeguards including encryption, vendor management, incident response and breach notification, and a periodic (at least annual) review. These map closely to the elements most state reasonable-security laws and frameworks like NIST expect.

How often does a WISP need to be reviewed?

At least annually, and whenever there is a material change in business practices, technology, or the personnel responsible for the program. A program that no longer matches how you operate is treated as a gap.

Is a WISP the same as a cybersecurity policy?

They overlap but are not identical. A WISP is specifically focused on protecting personal information and is the document these data-security laws expect. A broader cybersecurity policy may also cover operational continuity, intellectual property, and systems that do not involve personal data. For data-security compliance purposes, the WISP is the required document.

How do I know if my current program is adequate?

Check whether your written document covers the core elements -- scope and ownership, risk assessment, access controls, training, physical and technical safeguards, vendor management, incident response, and periodic review -- and whether it accurately reflects your current systems and practices. The free self-assessment at jitai.co/security-assessment gives you a posture view based on your own answers. It is a self-attested indicator, not a compliance determination or legal review.

Start With a Free Self-Assessment

Not sure where your security program stands? The Just In Time AI free security self-assessment walks you through 18 questions across the same domains a WISP must cover. You get an instant on-page posture view and an emailed summary -- no sales call required.

This is a self-attested posture indicator, not an audit or certification. It does not substitute for legal review or a professional gap assessment.

Just In Time AI — jitai.co — Berkley, MA — serving businesses nationwide